No User Policies applied, only Computer Policies

burgundiancyber · 2022-05-16T14:36:58.000Z

Hi everyone! First time poster, though I’ve been occasionally perusing Spiceworks from time to time. I’ve got a Group Policy issue I’ve recently discovered, and could use some extra brains and eyeballs to help.

I recently replaced my employer’s lone IT person who recently retired, and am trying to both fix discovered issues and go back and fix old forgotten ones. I believe this issue may fall into the latter category. Some of the department managers have to do a lot of repetitive steps for their employees whenever they change computers or get promoted (set default programs, install certain programs, add a list of websites to a list for Java, etc) which I know for a fact is both a nuisance and a source of mistakes. I created a GPO to automate these changes for specific users to make their lives easier, and I know it can be done because I’ve done precisely this at a previous job before. The GPO policy, applied to a new OU containing only 2 test users, is comprised of only User Configuration settings and preferences. The security filtering was originally set to Authenticated Users, though I’ve since added Domain Computers and Domain Users as well during troubleshooting. I also set the GPO to Enforced on the OU, though this also failed to apply the GPO. The settings are simply to connect a specific printer, deploy a file to a specific folder in the user’s AppData, and set their default program for .pdf to Adobe Acrobat.

I’ve also tried investigating if Loopback Processing was enabled anywhere in the environment. I noticed all Computer Configuration policies would work flawlessly, and yet not a single User Configuration policy would ever be applied. Loopback Processing was specifically set to “Not Configured” while this was occuring. When I set Loopback Processing to explicitly “Disabled”, a few User Configuration policies were shown to be applied via Cmd → gpresult. HOWEVER, when I went to confirm the actual effects of the GPOs, none of the actual settings were applied. I also noticed this would prevent certain key Computer Config policies from applying, like our USB Block policy, so I had to reset Loopback Processing to “Not Configured”.

I know what I want to do can be done, I just don’t know what is going wrong in this environment specifically. Without going into too much detail, I’ve since discovered that the previous administration may not have been as dutiful or qualified as I was led to believe. I believe this issue has, secretly, been the reason why the previous It person adopted 1 big Startup Script for all computers, and would just keep appending lines and conditions whenever a new change was requested.It’s not a bad system and it functions, but I do want to fix whatever’s going wrong so that I can make future improvements. There’s a lot of inconveniences and blocks to productivity caused by IT, and even though it’s not my doing it is still a source of embarrassment for me. Let me know what other information I can provide, and I’d be happy to provide it within reason! I appreciate any and all help, ideas, direction, and suggestions that may put me on the right path!

dbeato · 2022-05-16T15:04:24.000Z

BurgundianCyber:

Hi everyone! First time poster, though I’ve been occasionally perusing Spiceworks from time to time. I’ve got a Group Policy issue I’ve recently discovered, and could use some extra brains and eyeballs to help.

I recently replaced my employer’s lone IT person who recently retired, and am trying to both fix discovered issues and go back and fix old forgotten ones. I believe this issue may fall into the latter category. Some of the department managers have to do a lot of repetitive steps for their employees whenever they change computers or get promoted (set default programs, install certain programs, add a list of websites to a list for Java, etc) which I know for a fact is both a nuisance and a source of mistakes. I created a GPO to automate these changes for specific users to make their lives easier, and I know it can be done because I’ve done precisely this at a previous job before. The GPO policy, applied to a new OU containing only 2 test users, is comprised of only User Configuration settings and preferences. The security filtering was originally set to Authenticated Users, though I’ve since added Domain Computers and Domain Users as well during troubleshooting. I also set the GPO to Enforced on the OU, though this also failed to apply the GPO. The settings are simply to connect a specific printer, deploy a file to a specific folder in the user’s AppData, and set their default program for .pdf to Adobe Acrobat.

I’ve also tried investigating if Loopback Processing was enabled anywhere in the environment. I noticed all Computer Configuration policies would work flawlessly, and yet not a single User Configuration policy would ever be applied. Loopback Processing was specifically set to “Not Configured” while this was occuring. When I set Loopback Processing to explicitly “Disabled”, a few User Configuration policies were shown to be applied via Cmd → gpresult. HOWEVER, when I went to confirm the actual effects of the GPOs, none of the actual settings were applied. I also noticed this would prevent certain key Computer Config policies from applying, like our USB Block policy, so I had to reset Loopback Processing to “Not Configured”.

I know what I want to do can be done, I just don’t know what is going wrong in this environment specifically. Without going into too much detail, I’ve since discovered that the previous administration may not have been as dutiful or qualified as I was led to believe. I believe this issue has, secretly, been the reason why the previous It person adopted 1 big Startup Script for all computers, and would just keep appending lines and conditions whenever a new change was requested.It’s not a bad system and it functions, but I do want to fix whatever’s going wrong so that I can make future improvements. There’s a lot of inconveniences and blocks to productivity caused by IT, and even though it’s not my doing it is still a source of embarrassment for me. Let me know what other information I can provide, and I’d be happy to provide it within reason! I appreciate any and all help, ideas, direction, and suggestions that may put me on the right path!

You should have the Loopback Processing to Enable so the settings apply to both computers and users. Can you try that?

burgundiancyber · 2022-05-16T15:14:52.000Z

I sure can, now I see there are two options for Enable - “Merge” & “Replacement”. “Merge” seems like the best option for my use here. Do you happen to know how either option might behave?

dbeato · 2022-05-16T15:26:51.000Z

BurgundianCyber:

I sure can, now I see there are two options for Enable - “Merge” & “Replacement”. “Merge” seems like the best option for my use here. Do you happen to know how either option might behave?

Check this, merge is best.

learn.microsoft.com

Loopback processing of Group Policy - Windows Server

This article describes why you need to enable loopback processing for Group Policy.