Rookie to Group Policy here, so please forgive any shortcomings.

I have been trying to build out a domain side GPO to simplify changes in the future… Currently everything is local policy driven.

One recurring issue I keep running into on a fresh Win10 install is getting the domain policy to work properly. For example, I have set

User > Policies > Start Menu & Taskbar > Remove Notifications and Action Center

I do gpupdate /force, log off, reboot; none of it matters, the policy does not apply. The policy can be seen in gpresult but not the specific object.

If I change the same policy object in the local policy and log off/on, it applies and works as expected…

I am at a loss, any ideas?

9 Spice ups

On the targeted device, run rsop.msc and see what is actually being applied.

Some group policies require the enterprise edition. Not sure if so here, but worth a lookie.

2 Spice ups

How much time passed between changing the domain GPO and running gpupdate /force? Domain GPOs need time for the changes to replicate across the domain controllers.

Please put the output of the gpresult /h command in here. I guess your GPO should be applied on computers, not users; check this case. By the way, on the OU that you applied the GPO to, enable “block inheritance” and “enforcement” for the GPO. And surely check that the GPO has “read” and “apply group policy” permissions.

1 Spice up

Never mind, I am a bonehead and did not have the Group Policy linked to the OU with the user, just the computer.

All set

3 Spice ups

I’m glad that your problem was solved. If your GPO is applied to the computer object now, please mark my post as the answer. Thanks.

You have that backward.

Anything in the User Node should be applied to user objects.

Anything in the Computers node should be applied to computer objects.

Also, remember that group policy does not apply to groups. It can, however, be filtered by group.

A few questions to the OP.

Do you have an OU structure? As noted you should be applying this to user objects as it is a user policy. Note that you cannot apply GPOs to containers. These are special places in AD. The default Users in AD is a container, not an OU. Something to be aware of.

Are you doing security filtering?

2 Spice ups

First of all, thanks everyone for the help; it really did kick my mind out of overthinking the problem and got me back to basics to find it.

@Justin:

This policy is our first attempt at securing Windows 10 machines. We are starting our 7 to 10 migration early Jan and I wanted to get a jumpstart on the lockdown policy. As such, this GPO includes both User and Computer configurations. We do have an (almost) proper OU structure, segregating machines into logical OUs and users into department based OUs. For things like this, I have a “Test OU” at the top level and I moved the computer object to the OU but neglected to move the user object.

The domain policy was being applied perfectly fine at the endpoint, for what was configured; as I said, boneheaded move on my part missing the user object.

Thanks again everyone for the assist, Happy Holidays!

1 Spice up

Nicholas,

I am glad everything is working for you.

A few things for you to consider as you go forward into your Group Policy adventure.

Depending on your OU and company structure (it sounds similar to mine; I break down per location and then per department), I can tell you that it is typically a good idea to keep your user and computer policies separate.

Don’t be afraid to have multiple GPOs either, as your environment can change and be somewhat fluid. Typically, each GPO should achieve a central purpose. User GPO settings should apply to your Users OU. You would disable the computer settings portion to increase processing speed.

Do the same for your Computers OU: apply the computer settings GPO and disable the user settings.

This will make troubleshooting easier in the event of conflicts or if you need to exclude a user or group from certain settings. Excluding groups can be very difficult if you have all your settings in a giant monolithic GPO that covers all systems and all users for all settings.

I also try to name the GPO with its purpose, for example, my Software Restriction Policy is CP-SRP-Whitelist. Then in the comments section, I detail what it blocks and what it allows.

For Users, I have UP-Shortcuts as an example and in the comments, I describe all the shortcuts and files it creates on the user’s profile.

1 Spice up
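To check the situation the thread ran into (user settings in a GPO that is linked only where the computer object lives) and to see whether a GPO has its unused node disabled as recommended above, here is an added PowerShell example that is not from any post in this thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin box; the user, computer and GPO names are placeholders to replace.

```powershell
# Added example, not code from the thread. Requires RSAT modules ActiveDirectory
# and GroupPolicy. Names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$UserName     = 'jdoe'           # placeholder sAMAccountName
$ComputerName = 'WS-TEST01'      # placeholder computer name
$GpoName      = 'Win10 Lockdown' # placeholder display name of the GPO under test

# Walk from an object's parent up to the domain root and list GPO links at
# each level. Get-GPInheritance only works on OUs and the domain; default
# containers such as CN=Users cannot carry links, so they are reported as such.
function Get-LinkedGpoChain {
    param([string]$ObjectDn)
    $dn = $ObjectDn -replace '^[^,]+,', ''   # parent DN (assumes no escaped commas)
    $links = @()
    while ($dn) {
        if ($dn -match '^CN=') {
            $links += [pscustomobject]@{ Container = $dn; Gpo = '<container: no links possible>'; Enabled = $null; Enforced = $null }
        } else {
            foreach ($l in (Get-GPInheritance -Target $dn).GpoLinks) {
                $links += [pscustomobject]@{ Container = $dn; Gpo = $l.DisplayName; Enabled = $l.Enabled; Enforced = $l.Enforced }
            }
        }
        if ($dn -match '^DC=') { break }       # reached the domain root
        $dn = $dn -replace '^[^,]+,', ''
    }
    return $links
}

$userChain = Get-LinkedGpoChain (Get-ADUser $UserName).DistinguishedName
$compChain = Get-LinkedGpoChain (Get-ADComputer $ComputerName).DistinguishedName

"GPOs on the path of user $UserName (User node settings come from here):"
$userChain | Format-Table -AutoSize
"GPOs on the path of computer $ComputerName (Computer node settings come from here):"
$compChain | Format-Table -AutoSize

# GpoStatus is one of AllSettingsEnabled, UserSettingsDisabled,
# ComputerSettingsDisabled, AllSettingsDisabled.
$status = [string](Get-GPO -Name $GpoName).GpoStatus
$onUser = $userChain.Gpo -contains $GpoName
$onComp = $compChain.Gpo -contains $GpoName
"`n$GpoName status: $status; linked on user path: $onUser; linked on computer path: $onComp"
if (-not $onUser -and $status -notin 'UserSettingsDisabled', 'AllSettingsDisabled') {
    "  -> its User node settings will never reach $UserName; link it to the user's OU"
}
# To disable the unused node of a user-only GPO, as suggested above:
# (Get-GPO -Name $GpoName).GpoStatus = 'ComputerSettingsDisabled'
```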

@Justin This is all excellent advice, Thank you

This is what I am striving to convert our current structure into. I also like your naming convention and will likely adopt something similar. For this specific case, we were just testing what policies would work best to get the lockdown results we want in Win10. With that in mind, I created a test OU creatively named “Test OU” where the machine and the user SHOULD have been placed. I neglected the moving of the user part, and banged my head against the wall for a couple of hours before reaching out to this community. It was my intention to break out the test policy into smaller policies to apply more granularly, but I did not take into consideration things such as your recommendations until now.

It seems now is a good time to define some prefixes, restructure AD a bit and document. Thanks again for the helpful info!

EDIT: Spelling/Grammar

1 Spice up