SupermanTB asked:

Force local Group Policy instead of getting GP from domain for remote computers

I've got about a dozen remote computers (Win 10) that just do not want to connect to the domain over a VPN.  I've got a question open about that here:
https://www.experts-exchange.com/questions/29007526/Updating-Group-Policy-over-a-PPTP-VPN.html

I don't appear to have a solution in sight for this issue, so I am opening a separate question to see about another way to work around it.

I've got about a dozen or so remote computers that will never come back into the office with the domain controller.  I need to implement BitLocker without a TPM, and to do that I've made an edit to the local Group Policy.  When I go to BitLocker, it's as if I never made the GP change and it gives me an error about requiring a TPM.  When I go to a command prompt and run RSOP.msc, I get an error message (attached) saying:

Unable to generate RSoP data.  In logging mode: likely causes are Group Policy has never successfully processed for the computer or user, RSoP logging was never enabled, or data is corrupt.  In planning mode: verify that the selected domain controller supports RSoP.

I've given up on getting these computers to communicate with the domain controller.  What I'm asking is: is there any way I can get them to look at the local GP instead of trying to get GP from the DC?

Thanks very much
Attachment: rsopresults.JPG
Topics: Windows 10, BitLocker, Windows Server 2008, Active Directory
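The question above comes down to one check: did the local Group Policy edit actually land on the machine, independently of whether a domain controller is reachable? The script below is an added example, not part of the original post or of any reply in this thread. It assumes the setting edited in gpedit.msc was "Require additional authentication at startup" (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) with "Allow BitLocker without a compatible TPM" ticked, which is the setting that writes the two FVE registry values it checks; nothing else about the environment is assumed. The Local GPO is a file on disk and the Group Policy client processes it on every refresh, so none of this needs the VPN to work.

```powershell
#Requires -RunAsAdministrator
# Added example: verify that the LOCAL Group Policy edit allowing BitLocker
# without a TPM was processed on this Windows 10 client. Assumption (not from
# the thread): the edited setting is "Require additional authentication at
# startup" with "Allow BitLocker without a compatible TPM" ticked.

# 1. Refresh computer policy. The "could not contact the domain controller"
#    error is expected on these clients and does not stop Local GPO processing.
gpupdate /target:computer /force

# 2. The Local GPO itself. If gpedit.msc saved any computer setting, this file
#    exists and its timestamp matches the time of the edit.
$pol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'
if (Test-Path $pol) {
    Get-Item $pol | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Warning 'No Machine\Registry.pol found: no local computer policy was ever saved'
}

# 3. Registry values the policy engine writes when it applies that setting.
$fveKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = [ordered]@{ UseAdvancedStartup = 1; EnableBdeWithNoTPM = 1 }
$applied  = $true
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $fveKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $actual) { $shown = '<absent>' } else { $shown = $actual }
    $ok = ($actual -eq $expected[$name])
    if (-not $ok) { $applied = $false }
    '{0,-20} expected={1} actual={2} {3}' -f $name, $expected[$name], $shown, $(if ($ok) { 'OK' } else { 'NOT APPLIED' })
}

# 4. Is the engine running, and what is it complaining about? DC-connectivity
#    warnings (event 1129) are harmless for the local policy; a corrupt
#    Registry.pol (event 1096) is not.
Get-Service gpsvc | Select-Object Name, Status, StartType
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 300 -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 } |    # 1 = critical, 2 = error, 3 = warning
    Select-Object -First 10 TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 5. What BitLocker will see. Without a TPM and without the policy applied,
#    Enable-BitLocker refuses every protector except a TPM-based one.
Get-Tpm -ErrorAction SilentlyContinue | Select-Object TpmPresent, TpmReady
if ($applied) {
    # Policy is in place; a pre-boot password protector is now allowed, e.g.:
    #   Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password (Read-Host -AsSecureString 'Pre-boot password') -EncryptionMethod XtsAes256
    #   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
    'Local policy applied: BitLocker may be enabled with a password protector.'
} else {
    Write-Warning 'Local policy not applied; BitLocker will keep demanding a TPM.'
}
```

If step 2 shows a fresh Registry.pol but step 3 still reports NOT APPLIED, the problem is in the Group Policy client on that machine, and the operational log in step 4 is where the reason appears; if Registry.pol is missing, the setting was never saved in the first place.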

Last comment: SupermanTB
8/22/2022 - Mon
McKnife

Hi again.

My win10 machines will not need a domain connection to apply local policies. Please confirm that you have the latest win10 build installed: 14393.693
SupermanTB

ASKER
I have the latest build.  Also 14393.693
Sean Plemons Kelly, CISSP

SupermanTB,

Consider moving these systems to a separate OU, block inheritance on that OU, then configure local policies.
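Sean's suggestion done from PowerShell, as an added example that is not part of his post. It assumes a workstation with RSAT (the ActiveDirectory and GroupPolicy modules), a domain reachable from where the script runs, and hypothetical OU and computer names. One caveat worth knowing before trying it: a client only learns that inheritance is blocked once it can reach a DC and process domain policy, and GPO links marked Enforced still apply through the block. The Local GPO is processed first on every refresh regardless of network, so this changes which domain settings win, not whether a local setting shows up.

```powershell
# Added example: separate OU for the remote laptops with GPO inheritance blocked.
# Run where the ActiveDirectory and GroupPolicy RSAT modules are installed.
# OU name and computer names below are hypothetical.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Remote Laptops'
$ouDn     = "OU=$ouName,$domainDn"

# Create the OU once, directly under the domain root.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Move the affected machines in (hypothetical names).
'LAPTOP-01', 'LAPTOP-02' | ForEach-Object {
    $dn = (Get-ADComputer -Identity $_).DistinguishedName
    if ($dn -notlike "*,$ouDn") { Move-ADObject -Identity $dn -TargetPath $ouDn }
}

# Block inheritance: only GPOs linked directly to this OU, plus any link
# marked Enforced higher up, still apply to the computers in it.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# Verify what the OU now inherits and what is linked to it.
Get-GPInheritance -Target $ouDn |
    Select-Object Path, GpoInheritanceBlocked,
                  @{ n = 'LinkedGpos';    e = { ($_.GpoLinks | ForEach-Object DisplayName) -join ', ' } },
                  @{ n = 'InheritedGpos'; e = { ($_.InheritedGpoLinks | ForEach-Object DisplayName) -join ', ' } }
```

InheritedGpos should list only Enforced links after the block; if a domain setting is still overriding the local one on a reachable client, that list is where it comes from.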
McKnife

SupermanTB

ASKER
Do you mean to check to see if the Group Policy service is running?  If so I have verified that the Group Policy Client service is running.  

I also put the computer in a different OU, with inheritance blocked.  That did not help.
McKnife

and the 2nd question?
SupermanTB

ASKER
I made an additional local GP change and it did not apply.  It seems to not be processing the local GP at all.
McKnife

Since you switched over to your older thread and I answered there, I will paste it here:
--
So if you are perfectly sure that you set something, did run gpupdate and the change did not show, AND this happens on multiple machines as well, then you should take a clean win10 system, verify that it works there (of course it will) and then step by step add the software that your other machines run and check if changing the local GPO still works. If it breaks at one point, you have found the culprit.

I'd like to add that this is very, very odd, and never in my admin life have I seen a machine that had such a defect.
SupermanTB

ASKER
Thank you McKnife.  Sorry about accidentally posting to that older thread.  

I'm sure that I updated something and it did not get applied.  However, the problem is that when I run gpupdate, it fails, not being able to contact the domain controller.  I don't know if that failure is causing some sort of problem that doesn't allow it to process the local GP.

I've got about 12 machines (out of ~35) experiencing this issue.  I'm sure if I had a clean Windows 10 system in the office with the DC, it would definitely work.  If I took it out of the office and tried again, maybe it would work, maybe it wouldn't.  I don't know that this is a relevant test here, because all these laptops will likely have been inside the office with the DC for a year or two.  In any case, I don't have a clean Windows 10 machine available to do this, and the office is quite far away.
McKnife

Install a test VM. It does not need to be connected to the domain.
SupermanTB

ASKER
Ok, so when I do that, I fully expect the GP to work.  Then what?
McKnife

As I wrote: to find the culprit, install your software one by one until the new gpupdates don't apply anymore.
SupermanTB

ASKER
There is no unusual software on these computers.  Just Office, Microsoft Security Essentials, Java, standard stuff.  These laptops all have the same footprint, same software, etc.  I appreciate the suggestion, but that is a tremendous amount of effort to go through for something I do not anticipate resulting in useful information.
McKnife

The software you mention will not interfere with GPO processing, I agree.  But if it happens on multiple machines, what could it be but software that you add?
SupermanTB

ASKER
I honestly have no clue what is causing this.  Very unusual.  I have 35 computers all with the same software (within reason).  12 are experiencing this issue.
ASKER CERTIFIED SOLUTION
McKnife

SupermanTB

ASKER
I was able to solve this problem myself and will award points for effort.  I really do appreciate the assistance.

I solved this problem by making sure the security was set correctly on the client VPN.  Specifically, I right-clicked on the VPN virtual adapter and selected Properties, clicked on the Security tab and made sure it was set to "Require encryption (disconnect if server declines)" under the Data encryption section.  It was previously set to "Optional encryption (connect even if no encryption)".  I don't know why some worked with this option selected and others did not.  I've spent too much time on this issue to try and figure that one out.
I hope this helps someone that runs into this issue!  Thanks again for the assistance.
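The fix described above, done from PowerShell instead of the adapter's Security tab, as an added example that is not part of the original post or of any reply. It uses the built-in VpnClient module (Windows 8.1 and 10) and reads the connection names from the phonebook, so it assumes nothing about this environment; an all-users connection needs an elevated shell. The caveat a practitioner would want stated: "Required" only refuses a tunnel in which no encryption was negotiated. With PPTP the MPPE keys are derived from the MS-CHAPv2 handshake, which is practically crackable, so forcing encryption is a floor, not a fix; the durable fix is moving the clients to IKEv2 or SSTP.

```powershell
# Added example: audit client VPN connections and force the "Data encryption"
# setting to "Require encryption (disconnect if server declines)", the option
# the thread changed in the adapter's Security tab. Covers both the per-user
# and the all-users phonebook via the VpnClient module.
function Set-VpnEncryptionRequired {
    param([switch]$AllUserConnection)

    $conns = Get-VpnConnection -AllUserConnection:$AllUserConnection -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        # 'Optional' = "connect even if no encryption": MPPE can be negotiated
        # away and PPP frames then cross the wire in the clear. 'NoEncryption'
        # never even asks for it.
        if ($c.EncryptionLevel -in 'NoEncryption', 'Optional') {
            Write-Warning ('{0} ({1}) EncryptionLevel={2}: setting Required' -f $c.Name, $c.TunnelType, $c.EncryptionLevel)
            Set-VpnConnection -Name $c.Name -AllUserConnection:$AllUserConnection -EncryptionLevel Required -Force
        }
    }

    # Report the resulting state. TunnelType Pptp with AuthenticationMethod
    # MSChapv2 is the combination to migrate regardless of EncryptionLevel.
    Get-VpnConnection -AllUserConnection:$AllUserConnection -ErrorAction SilentlyContinue |
        Select-Object Name, TunnelType, EncryptionLevel, AuthenticationMethod
}

Set-VpnEncryptionRequired                      # connections in the current user's phonebook
Set-VpnEncryptionRequired -AllUserConnection   # connections created for all users (elevated)
```

Run it once on a machine that already works and once on one that does not; the EncryptionLevel column is the difference the post above found by hand, and the TunnelType and AuthenticationMethod columns show whether the connection is one that should be retired.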
McKnife

You have to be aware that having a network (any network) does not influence the local GPO processing - so your VPN setting cannot be the reason, although it might seem so. Even computers that don't have a network card will process the local GPOs - normally.
SupermanTB

ASKER
I hear you, but that was definitely the fix.  As soon as I changed it on all those computers that didn't work, I was able to process everything without any problems.  Thanks again for your assistance.