SupermanTB

Force local Group Policy instead of getting GP from domain for remote computers

I've got about a dozen remote computers (Win 10) that just do not want to connect to the domain over a VPN.  I've got a question open about that here
https://www.experts-exchange.com/questions/29007526/Updating-Group-Policy-over-a-PPTP-VPN.html

I don't appear to have a solution in sight for this issue, so I am opening a separate question to see about another way to work around it.

I've got about a dozen or so remote computers that will never come back into the office with the domain controller.  I need to implement BitLocker without a TPM and to do that, I've made an edit to the local Group Policy.  When I go to BitLocker, it's as if I never made the GP change and it gives me an error regarding requiring a TPM.  When I go to a command prompt and do an RSOP.msc, I get an error message (attached) saying

Unable to generate RSoP data.  In logging mode.  Likely causes are Group Policy has never successfully process for the computer or users.  RSoP logging was never enabled, or data is corrupt.  In planning mode.  Verify that the selected domain controller suports RSoP.

I've given up on getting these computers to try and communicate with the domain controller.  What I'm asking is: is there any way I can get it to look at the local GP instead of trying to get GP from the DC?

Thanks very much
rsopresults.JPG
McKnife

Hi again.

My win10 machines will not need a domain connection to apply local policies. Please confirm that you have the latest win10 build installed: 14393.693
SupermanTB

ASKER

I have the latest build.  Also 14393.693
SupermanTB,

Consider moving these systems to a separate OU, block inheritance on that OU, then configure local policies.
SupermanTB

ASKER

Do you mean to check to see if the Group Policy service is running?  If so I have verified that the Group Policy Client service is running.  

I also put the computer in a different OU, with inheritance blocked.  That did not help.
McKnife

and the 2nd question?
SupermanTB

ASKER

I made an additional local GP change and it did not apply.  It seems to not be processing the local GP at all.
McKnife

Since you switched over to your older thread and I answered there, I will paste it here:
--
So if you are perfectly sure that you set something, did run gpupdate and the change did not show, AND this happens on multiple machines as well, then you should take a clean win10 system, verify that it works there (of course it will) and then step by step add the software that your other machines run and check if changing the local GPO still works. If it breaks at one point, you have found the culprit.

I'd like to add that this is very, very odd and never in my admin life have I seen a machine that had such a defect.
SupermanTB

ASKER

Thank you McKnife.  Sorry about accidentally posting to that older thread.  

I'm sure that I updated something and it did not get applied.  However, the problem is when I run the gpupdate, it fails not being able to contact the domain controller.  I don't know if that failure is causing some sort of problem that doesn't allow it to process the local GP.

I've got about 12 machines (out of ~35) experiencing this issue.  I'm sure if I had a clean Windows 10 system in the office with the DC, it would definitely work.  If I took it out of the office and tried again, maybe it would work, maybe it wouldn't.  I don't know that that is a relevant test here because all these laptops will likely have been inside the office with the DC for a year or two.  In any case, I don't have a clean Windows 10 machine available to do this and the office is quite far away.
McKnife

Install a test VM. It does not need to be connected to the domain.
SupermanTB

ASKER

OK, so when I do that, I fully expect the GP to work.  Then what?
McKnife

As I wrote: to find the culprit, install your software one by one until the new gpupdates don't apply anymore.
SupermanTB

ASKER

There is no unusual software on these computers.  Just Office, Microsoft Security Essentials, Java, standard stuff.  These laptops all have the same footprint, same software, etc.  I appreciate the suggestion, but that is a tremendous amount of effort to go through for something I do not anticipate resulting in useful information.
McKnife

The mentioned software will not interfere with GPO processing, I agree. But if it happens on multiple machines, what could it be but software that you add?
SupermanTB

ASKER

I honestly have no clue what is causing this.  Very unusual.  I have 35 computers all with the same software (within reason).  12 are experiencing this issue.
ASKER CERTIFIED SOLUTION
McKnife
SupermanTB

ASKER

I was able to solve this problem myself and will award points for effort.  I really do appreciate the assistance.

I solved this problem by making sure the security was set correctly on the client VPN.  Specifically, I right-clicked on the VPN virtual adapter and selected Properties, clicked on the Security tab and made sure it was set to "Require encryption (disconnect if server declines)" under the Data encryption section.  It was previously set to "Optional encryption (connect even if no encryption)".  I don't know why some worked with this selection selected and others did not.  I've spent too much time on this issue to try and figure that one out.
I hope this helps someone that runs into this issue!  Thanks again for the assistance.
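
The data-encryption setting described in the post above can also be checked and changed from PowerShell rather than through each adapter's Properties dialog. This is an added example, not part of the original thread; it uses the built-in `Get-VpnConnection` and `Set-VpnConnection` cmdlets, and the `-Fix` switch is a name chosen here.

```powershell
# Added example (not from the thread): audit the "Data encryption" setting of
# every Windows VPN profile and, with -Fix, raise weak ones to Required.
# 'Optional' corresponds to "Optional encryption (connect even if no encryption)";
# 'Required' corresponds to "Require encryption (disconnect if server declines)".
param(
    [switch]$Fix   # hypothetical switch name: apply the change instead of only reporting
)

# Collect per-user and all-user profiles; they live in separate phone books.
$vpnProfiles = @()
$vpnProfiles += Get-VpnConnection -ErrorAction SilentlyContinue |
    Select-Object Name, TunnelType, EncryptionLevel, @{ n = 'AllUser'; e = { $false } }
$vpnProfiles += Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
    Select-Object Name, TunnelType, EncryptionLevel, @{ n = 'AllUser'; e = { $true } }

if (-not $vpnProfiles) {
    Write-Output 'No VPN profiles found on this machine.'
    return
}

foreach ($p in $vpnProfiles) {
    # Required and Maximum both refuse a session the server will not encrypt.
    if ($p.EncryptionLevel -in 'Required', 'Maximum') {
        Write-Output ("OK    {0} ({1}): {2}" -f $p.Name, $p.TunnelType, $p.EncryptionLevel)
        continue
    }

    Write-Warning ("WEAK  {0} ({1}): {2}" -f $p.Name, $p.TunnelType, $p.EncryptionLevel)

    if ($Fix) {
        $params = @{
            Name            = $p.Name
            EncryptionLevel = 'Required'
            Force           = $true
        }
        if ($p.AllUser) { $params.AllUserConnection = $true }

        # Changing an all-user profile needs an elevated session.
        Set-VpnConnection @params
        Write-Output ("FIXED {0}: EncryptionLevel set to Required" -f $p.Name)
    }
}
```

Run it without arguments to report only; a profile that is currently connected has to be reconnected before the new setting takes effect.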
McKnife

You have to be aware that having a network (any network) does not influence the local GPO processing - so your VPN setting cannot be the reason, although it might seem so. Even computers that don't have a network card will process the local GPOs - normally.
SupermanTB

ASKER

I hear you, but that was definitely the fix.  As soon as I changed it on all those computers that didn't work, I was able to process everything without any problems.  Thanks again for your assistance.