Win7 Computer Config group policy not applying

Hi all: I am having a bit of trouble getting a Computer Configuration group policy to apply in Windows 7 using ZCM 11.2.3. I have two group policies, one for User Configuration settings and the other for Computer Configuration settings. User Config GP is associated with users and Computer Config GP is associated with Workstations. ZCM shows both policies as being successfully applied. Yet, if I run rsop.msc to generate a resultant GP set, all Computer Config settings show up as undefined.
I have used this same technique in XP for many years without issue. I suspect the User Config GP is overwriting all GP settings as it is the last to be applied, but since that policy is ONLY for User Config settings I do not see how. Can someone show me the "errors of my ways"?
Thanks a bunch, Chris.

I have an identical policy setup - a policy wherein "Computer configuration" is checked and configured (I don't even touch the User related settings) and is applied to workstations as well as a second policy with "User configuration" checked and configured (as with the computer policy, I don't touch the Computer related policy in this User policy) and applied to users. I set it up that way because I want general settings specific to our environment to exist and be effective for all users including IT staff in the Computer policy. I then want to restrict users within the User Policy. I have no Active Directory.
The computer settings apply intermittently with no rhyme or reason, which makes it difficult to troubleshoot. I have Internet Zone Assignments configured in the Computer policy, so specific users have problems when this policy is not effective which is how I became aware of the problem. I found that I can run "gpudate /force" as the user and the computer policy becomes effective, which is what I do most of the time since it's a quick fix and I can move on to other things. I've tried changing the order the policies are applied. I am considering creating a single policy with both computer and user settings and associating it with users in hopes that it will always apply, but thought I'd check out the forum before doing so. ZCM 11.2.3 and Windows 7.

Similar Messages

  • Group Policy not Applying

    Currently we are running ZfD 7 and Netware 6.5 and have recently upgraded all our workstations to Windows XP Service Pack 2. Our tree structure consists of an OU for each school level, elementary, middle, and high, and an OU for each school in that respective level. Example:
    Elementary
    West Main
    South Main
    Middle
    Brown Middle
    The current contents in each School OU have users, groups, policies, ect. Previously policy was applied by a workstation policy package that distributed all policies: user, machine, and security which were associated with the School OU. Now we split the policy into workstation packages and a user packages. The goal was to have the workstation apply the machine and security policy and the user policy to apply user settings and create dynamic the local user account.
    The workstation policy remains persistent on the workstation while the user policy creates a local user (non-volatile) and applies the user policy from a server path depending on group membership. We have four different user policy packages: Student, Teacher, Specialist and Technology. Each with there own group policy user configuration. Everyone in our Tree has the appropriate permissions to access the policies. We configure the user policy package as follows:
    Policies  Windows XP
    Enabled Dynamic Local User
    Enabled Windows Group Policy
    Workstation Manager
    Network Location
    \\serverpath
    Checked User Configuration
    Policy Schedule
    User Desktop is active
    Advanced Schedule
    Impersonation
    Interactive User
    Associations
    Groups (Teachers, Students)
    I can get the workstation policy to apply with no problem. The problem comes when a users logs on. It doesnt matter if a new user is being created or if they are simply just switching users. User group policy doesnt apply randomly. The strange thing is it does copy down to the machine. If I connect to the admin share on a newly imaged workstation (with no policy applied) and open c:\windows\system32\ you see the creation of GroupPolicy.Usercache Folder and it copies to the GroupPolicy Folder which is were it applies policy from. Also you can see policy dynamically changing if different users logs on. The Registry.pol updates in the c:\windows\system32\ GroupPolicy.Usercache\User folder and c:\windows\system32\ GroupPolicy \User Sometimes group policy applies and sometimes it does not. When a user logs on you see the policy that was copied down apply. For example the run option is taken away from the start menu. During the log on process this remains in effect but when the process completes its almost like policy is take away. When this occurs I can run WMSCHED.Exe and reapply the user policy and it will apply sometimes. I tried applying group policy through both groups and organizational units. Both with the same results. I was wondering if anyone has had issues with applying group policy with ZEN or if I am doing this incorrectly. Any help would be much appreciated. Thanks.

    rscurr,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Windows 2008 R2 group policy not applied to windows 8 Workstations, but applied to XP and Win 7

    I have a Windows 2008 R2 Domain Controllers and have a Policy to put a specify wallpaper, eventuality i have to change the Wallpaper, this setting applied sucesfully in Windows xp and Windows 7 workstations, but not applied in Windows 8 workstations even
    if i run gpupdate /forcé,
    Best Regards,
    Thank you

    Hi,
    Thanks for posting in the forum.
    Before going further, would you please let me know how did you configure the Group Policy setting to deploy the wallpaper? Have you configured some settings to limit the scope the GPO applying?
    If all Windows 8 machines failed to receive the GPO settings? In order to narrow down the cause of the issue, I suggest we could try to collect the following information for troubleshooting.
    GPMC.log
    ==================
    a. On domain controller, click Start ->Run, type GPMC.MSC, it will load the GPMC console.
    b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper
    user in the wizard)
    c. Right click 
    the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.
    Once we get the report, please check if the settings have been applied to the target correctly.
    In addition, would you please let me know whether you have imported the latest Windows 8 Administrative Templates to the Windows Server 2008 DC? If not, please try to download and import it.
    Then try to configure the wallpaper GPO settings again to see if it could help.
    For details, please refer to the following articles.
    Administrative Templates (.admx) for Windows 8 and Windows Server 2012
    http://www.microsoft.com/en-us/download/details.aspx?id=36991
    Set Desktop Background via Group Policy in Windows 7, Windows 8 in a Server 2008 or Server 2012 Domain
    http://dizzyit.com/2013/04/14/set-desktop-background-group-policy-windows-7-windows-8-server-2008-server-2012-domain/
    Hope this helps.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
    If you are
    TechNet Subscription user and have any feedback on our support quality, please send your feedback
    here.
    Andy Qi
    TechNet Community Support

  • Group Policy not applying after logoff \ logon

    We've noticed during testing an issue around Local Group Policy applied via ZCM...
    - user A logs in, policy applies correctly (folder redirection, taskbar settings etc)
    - user A logs off
    - user B logs in, policy applies correctly
    - user B logs off
    - user A logs in again, policy does not apply
    The only way to get policy to apply again for user A is to either reboot or delete the local profile for the user manually
    A few other details...
    - Windows 7 SP1 Enterprise x86
    - DLU Policy applied (non volatile user)
    - user does not have admin rights (in the Users+ group)

    gshaw0,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • Power Manager - no new profiles, group policy not applying

    Hi there!
    Having an issue with power manager (latest version, downloaded today) on Vista on a T61.  The first problem is that I cannot create a power profile.  If I hit New on the advanced page and fill all the stuff out, the named power plan does not show up.  It's like I never did it.
    The second issue is that group policy doesn't seem to apply, either.  I tried to create a new power policy through AD using the GPO available for download.  All the settings are filled out, it's named, and it doesn't show up.
    For those concerned that the group policy is mucking up the ability to create a new one through the UI, that was the behavior before the group policy was set up.
    rsop.msc shows definitively that the policy is applying to this machine.
    Does anyone have any hints?
    Thank you!

    rscurr,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Windows 2008 R2 group policy not applied on some of the computers

    Dear All,
    I have windows 2008 r2 as domain controller and configured group policy. when I am changing existing group policy most of the computers not affecting with update policy.
    is there any server or any other method required to configure?
    every time i need to update group policy manually on computers.
    pls help
    SUNIL PATEL SYSTEM ADMINISTRATOR

    You have an issue with AD DS replication.Ensure all domain controllers are in sync

  • GPO under user config - but to apply to computer config - Group Policy

    Hi, I would like to create a GPO in User Config, but would like to filter it only to Windows 7 machines (WMI). I have the WMI created, do i apply a loopback (merge) to the GPO Settings to get this to work? I dont want this to push onto servers only Windows
    7 machines, and the GPO is at the top level.
    GPO - 2008 R2
    Windows 7
    Thanks in advance,

    Yes, loopback merge with Windows 7 WMI filter but still suggest linking it to testing OU with Windows 7 and other OS to test

  • 11.2.3 security policy not applying

    This was in another post felt it need its on post and subject.
    11.2.3 has help, but now on device that have 11.2.3 the security policy is
    not applying. I have 4 device I'm testing on one was a clean instill of
    11.2.3 the other 3 were upgraded, out of all 4 only one the security policy
    is applying right. Where would the security policy be store when it is
    applied to a device. Is their a better way to apply security policy.
    I found that the gpttmpl.inf file is not being copy to the
    [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]
    folder and did confirm that it is in the zcm meachine cache folder
    [C:\Program Files
    (x86)\Novell\ZENworks\bin\handlers\CacheFiles\Work stationCache\GroupPolicy\M
    achine\Microsoft\Windows NT\SecEdit]. I manual copy it to the SecEdit
    folder
    logged off back on and then did get the Security Options Settings set
    properly.
    So why is it not copying it over, the Registry.pol file is and all other
    group policy are working (so far). And on the one computer that Security
    Options is working right on and running 11.2.3 the gpttmpl.inf is not in
    the
    [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]
    folder ether and I have checked computers that are still on 11.2.0 and the
    Security Settings are applied but the gpttmpl.inf file in not in the
    [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]. Is
    ZEN suppose to copy gpttmpl.inf to the system32 group policy folder and if
    so can this be fix? I really need Security Settings to apply.
    Hope this makes sense.
    And I have this problem on both 32 & 64 bit windows 7
    I don't know if this affects Windows XP because I don't have any Security
    Settings for XP set.
    Thanks
    Scott

    Well I found this in the ZCM troubleshooting guide with the help of google
    [When more than one Windows Group policy is applied to a device, the
    security settings of the last applied policy are effective on the device.].
    I have all ways had device first user last sense 10.3.3 - 11.2.0 and the
    security policy did apply, at lease with WIN7. So on my test machines I
    change it to user fist device last and now the security policy now works
    with 11.2.3, but I still have to have a bundle to run gpupdate /force at
    user login. If I done have the bundle to run the device group policy does
    not apply sometime, I don't mine to have the bundle to run just why with
    win7 is does not apply with out it and XP does with out it.
    Also why does it not copy the gpttmpl.inf to
    [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]
    directory?
    >>> On Friday, March 15, 2013 at 12:34 PM, in message
    <[email protected]>, Scott Malugin<[email protected]> wrote:
    > This was in another post felt it need its on post and subject.
    >
    >
    > 11.2.3 has help, but now on device that have 11.2.3 the security policy
    > is
    > not applying. I have 4 device I'm testing on one was a clean instill of
    > 11.2.3 the other 3 were upgraded, out of all 4 only one the security
    > policy
    > is applying right. Where would the security policy be store when it is
    > applied to a device. Is their a better way to apply security policy.
    >
    >
    > I found that the gpttmpl.inf file is not being copy to the
    > [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]
    > folder and did confirm that it is in the zcm meachine cache folder
    > [C:\Program Files
    > (x86)\Novell\ZENworks\bin\handlers\CacheFiles\Work stationCache\GroupPoli
    > cy\M
    >
    > achine\Microsoft\Windows NT\SecEdit]. I manual copy it to the SecEdit
    > folder
    > logged off back on and then did get the Security Options Settings set
    > properly.
    >
    > So why is it not copying it over, the Registry.pol file is and all other
    > group policy are working (so far). And on the one computer that Security
    > Options is working right on and running 11.2.3 the gpttmpl.inf is not in
    > the
    > [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]
    > folder ether and I have checked computers that are still on 11.2.0 and
    > the
    > Security Settings are applied but the gpttmpl.inf file in not in the
    > [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit].
    > Is
    > ZEN suppose to copy gpttmpl.inf to the system32 group policy folder and
    > if
    > so can this be fix? I really need Security Settings to apply.
    >
    > Hope this makes sense.
    >
    > And I have this problem on both 32 & 64 bit windows 7
    > I don't know if this affects Windows XP because I don't have any
    > Security
    > Settings for XP set.
    >
    >
    > Thanks
    > Scott

  • ZCM 11 Group Policies not applying to satellite servers

    Hi there
    We are running 2 Windows 2012 Primary Servers and a SQL 2012 Database server at our main site, all remote sites have SLES11 SP2/OES11 SP1 as satellite servers. We upgraded all servers last weekend to 11.3.1 and now have an issue with Group Policies applying to the satellites. The satellites are all set up the same with Authentication, Collection, Content and Imaging roles.
    Since we upgraded Group Policies are (99% of the time) not applying on satellite sites. I have tried manually replicating content (I assume policies will come from content replication?) to the satellites - I've done this with a zac cdp replicate and zac cvc and everything seems to replicate over however I tried highlighting a satellite server and clicking on Action, Specify Content - select the Policy that is not applying and move it into the selected Content to update column and when I click finish I get the error "The Wizard cannot continue for the following reason(s): Unable to complete your request for the following reason: Error updating content"
    On a managed device at the satellite site if you look at the properties of the Zenworks agent and click on Policies it has applied 4 device assigned policies successfully - Remote Management, Power Management, Application Launcher Config and Application Control Policy, also has successfully applied 3 out of the 4 User Assigned Policies - Mandatory Profile, Dynamic Local User, Application Control - but not the Windows Group Policy.
    Our PCs are on Windows 8.1 and all policies were applying fine before the weekend upgrade......
    Has anyone else had any experience of Group Policies not applying that could point me where to look? I have logged an SR with Novell through our reseller but as yet I am getting no response back at all, not even asking me for more information.
    Many thanks
    Sharon

    Sounds like you have a content replication issue more than a GPO issue.
    Especially if the GPO works for locations that point to the Primaries
    for Content.
    Do you have throttling configured anywhere in any fashion?
    You may need to increase the Replication Timeout to make sure content is
    getting over to the Sats. Often increasing from 60 to 240 helps, but
    watch out for throttling preventing content replication.
    It is possible things are backing up.
    On 7/31/2014 8:26 AM, shazzypoos wrote:
    >
    > I should add that when you looked at the "Click for Details" to the
    > right of the Effective "Failed" status the message is "Policy
    > Enforcement Failed : The action (0) threw an exception. Message (1).
    > Exception (2) (grouppolicy, "None of the source locations could be
    > found"
    >
    > Hmmmm! Currently in closest server rules there is only the server for
    > the site it's on set - we do not want it to come back to the Primary for
    > policies. As I say, this was working before the weekend upgrade. Thanks!
    >
    >
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Technical Support Engineer
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.

  • Group Policy not populating IE11's compatibility sites.

    We normally do not allow IE updates, but we got a pallet of new computers with IE11 preinstalled on them from Dell.  I figured now is a good time to get this working in our environment.
    The issue is that under our group policy settings are not putting the websites we need in compatibility mode.  I have verified the group policy is applied to my computer using rsop.msc and I verified the settings in there.  However when
    I try to visit our loan application which runs at http://192.168.1.9 it shows a browser not supported message and says to use IE 5.5 or later.  Well if one were to manually add the site in compatibility mode, then it would work.  So we want to avoid
    the calls to IT Support on how to add sites to compatibility mode and just control it from our end via Group Policy.
    So under User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Compatibility View : we have these set:
    Include updated Web site lists from Microsoft - Enabled
    Use Policy List of Internet Explorer 7 sites - Enabled
      Show:
       http://192.168.1.9    (our lending application)
       https://another website
       http://192.168.1.15   (our lending application test site for new upcoming releases)

    Hi,
    The site list deployed using administrative template might not be visible in IE user interface. We could see the sites loading in the compatibility mode by opening the developer tool bar (press F12) and checking the browser mode.
    Also, we can verify the setting in the client machine registry. The configuration is written to registry under HKCU(HKLM)\Software\[Wow6432Node]\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList. More information, please see
    this blog:
    How to add web site to Compatibility View List via GPO
    In addition, we need to configure the "Turn on Internet Explorer Standards
    mode for Local Intranet" policy and set it to disable.
    For the “Use
    Policy List of Internet Explorer 7 sites”
    policy: We need to add Top level domain names in the
    policy settings.  Reference: Compatibility List FAQ
    Some more information:
    Missing the Compatibility View Button
    Hope this helps
    Best regards
    Michael Shao
    TechNet Community Support

  • ZCM DLU Policy Not Applying To Win7 Computer

    I am running ZCM v10.3 and am preparing to migrate over to Active Directory. When I first setup ZCM, I created a DLU policy for my Windows 7 computers and its been working fine. However, its time to join my Windows 7 computers (running ZCM v10.3) to the AD Domain and I need to disable the DLU for the machines prior to joining the domain.
    To do this I tried to exclude my test workstations from the DLU by adding the workstations to the exclusion list for the DLU Policy. My DLU policy is assigned to my Users so I used the "Excluded Workstation List" to attempt to prevent the DLU from applying to the workstation. This didn't work. I also tried the reverse by applying the DLU to the test workstation and adding users to the Exclusion list, but that didn't work either. I updated the version, ran "zac cc" and ran "zac ref bypasscache" but it didnt work.
    I reassigned the DLU to all my Users and tried to use the registry to check for the existence and value of hklm\software\novell\zcm\zenlgn\domainlogin=1, but that didnt work either. I updated the version, ran "zac cc" and ran "zac ref bypasscache" but it didnt work.
    Actually, the registry keys (DomainLogin and eDIRLogin) didn't exist so i had to manually add it using an AD GPO. I added DomainLogin and eDIRLogin and assign hexadecimal value of 1 to each DWORD via GPO (FYI). At this point I'm not even sure if the values of these keys are supposed to be set automatically upon login or if the admins manually control the values. Its not clear to me from the documentation on the Novell site. (http://www.novell.com/documentation/...stem_admin.pdf, pg 274)
    (DLU Policy Filters not working)
    I turned on debug by issuing the command: "zac log level debug", and would've attached the log here, but I don't know how. If anyone needs to see the log, please send me a link on how to attach a log and I'll do so.
    I've tried so many different settings and combinations but i'm still unable to get consistent results. At some point I was able to get the DLU Policy to show up in the ZCM Agent properties with the status of "Not Applied" or "Not Effective" or something to that effect. That was the first time I was able to log in without the DLU applying. However it wasn't consistent among other machines so i kept testing. As it stands now, I have removed any filters and exclusions and now my test machine is not receiving any DLU policy and it should because I assigned the DLU Policy to my entire user base. I am totally lost.
    Any help is appreciated.

    wanman,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • Default Domain Policy Not Applying Settings to Servers or Clients

    I have 2008 R2 DC's with a functioning level of 2003.  Our domain servers are a mix of 2003, 2008, 2008 R2, and 2012 and our clients are a mix of Windows 7 Pro and Windows 8.1 Pro.
    I recently made a change to the Default Domain Policy located at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
    For the Security Policy setting called: Network security: Configure encryption types allowed for Kerberos
    The change was to enable DES because of a specific need that I have with an application that I work with but enabling DES and leaving the other options such AES unselected caused other applications to not work right.  I decided to revert the changes
    back to "Not Defined" but those changes did not reflect on the servers even after running the gpupdate /force command.
    In order to keep the application working that broke, we enabled all of the encryption levels such as DES, AES, etc. on the server that's running the application via it's Local Security Policy as a temporary fix.
    Now, I want to make sure all servers receive the settings from the Default Domain Policy and have their Local Security Policies reflect the "Not Defined" setting but it's not applying.  It seems like they worked when I first applied them but
    when I try to remove them it does not work.
    If I change the setting directly on the Local Security Policy on the server or clients it shows "No minimum" instead of "Not Defined" which I've heard can be fixed by identifying the registry entry for that setting and deleting it...so
    help with the location and how to identify that key would also be helpful.
    My goal is not to manually have to change servers and clients to revert back to their default settings...I want the Domain policy to apply and override the servers and client's Local Security Policy.
    Any help with this would be greatly appreciated and thank you in advance.

    I have 2008 R2 DC's with a functioning level of 2003.  Our domain servers are a mix of 2003, 2008, 2008 R2, and 2012 and our clients are a mix of Windows 7 Pro and Windows 8.1 Pro.
    I recently made a change to the Default Domain Policy located at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
    For the Security Policy setting called: Network security: Configure encryption types allowed for Kerberos
    refer:
    http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
    We needed to implement a similar scenario a few years ago (when we introduced Windows7 into our estate).
    We had an SAP/NetWeaver implementation which always worked on WinXP, but failed on Win7.
    We had to enable the DES ciphers, since those were disabled by default in Win7. We discovered that we also needed to enable all the other ciphers (those which are enabled by default[not configured]).
    i.e., when we changed the setting from "Not Configured", enabled DES, and left the RC4/AES stuff untouched by us, the RC4/AES stuff attracted a status of disabled.
    So, we had to set the DES ciphers to Enabled, and, also set the RC4/AES ciphers to Enabled - this gave us the "resultant" enablement of the default stuff and the needed change/addition of DES.
    When you set a GP setting "back to Not Configured", depending upon the setting *AND* the individual Windows feature itself - one of two things will happen:
    a) the feature will "revert" to default behaviour
    b) the feature will retain the current configured behaviour but becomes un-managed
    In classic Group Policy terms, condition (b) above is often referred to as "tattooing", i.e., the last GP setting remains in effect even though GPMC/RSOP/etc does not reveal that to be the case.
    (This is also a really good example of not doing this sort of stuff in the DDP. It could have borked your whole domain :)
    What I'd suggest, is that you re-enable your ciphers for KRB settings again - this time, enable all the ciphers that would normally be "default", let that replicate around, and allow time for domain members to action it.
    Then, set the setting back to Not Configured. This way, the "last" settings issued by GP will be those you want to remain as the "legacy".
    Note: the GP settings reference s/sheet, has this to say:
    Network security: Configure encryption types allowed for Kerberos
    This policy setting allows you to set the encryption types that Kerberos is allowed to use.
    If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted.
    This policy is supported on at least Windows 7 or Windows Server 2008 R2.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • Group Policy not work in some client machine.

    Hello All,
    Existing environment is AD 2012. gpupdate /force command does not working in some client machine. And it's occur randomly. Error shown about 15-20% of client machine. Please suggest. Hopefully this time get reply from community.
    The Error:
    User policy could not be updated successfully. The following errors were encount
    ered:
    The processing of Group Policy failed. Windows attempted to read the file \\example.net\sysvol\example.net\Policies\{31B2F340-016D-11D2-945F-00C04FB
    984F9}\gpt.ini from a domain controller and was not successful. Group Policy set
    tings may not be applied until this event is resolved. This issue may be transie
    nt and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller
     has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.
    Computer policy could not be updated successfully. The following errors were enc
    ountered:
    The processing of Group Policy failed. Windows attempted to read the file \\example.net\sysvol\example.net\Policies\{31B2F340-016D-11D2-945F-00C04FB
    984F9}\gpt.ini from a domain controller and was not successful. Group Policy set
    tings may not be applied until this event is resolved. This issue may be transie
    nt and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.

    Thanks for your reply. basically this error occurs with in same location as well as branch location. i have check event log in AD but not got any specific error. AD health status is ok. AD to AD synchronization also working well. All the client machine running
    on windows 7 64 bit and few of them are windows 8. 
    Please suggest. if you need any event log for analysis i can send you.
    Thanks
    I recommend you examine the event logs upon an affected client machine. Specifically, look for the surrounding events on that machine (both System, and Application logs), for the hours previous and the hour after.
    The time period may vary according to your environment (e.g. what is expected/normal for your environment, your configured GP refresh cycle-time).
    e.g., are there network drops, or power drops, or system crashes, restarts at the similar time.
    if it's a laptop, is it wireless? Was there a transition from wireless to wired operation?
    Is there VPN in use?
    If you are able to compare with another machine (I would encourage that), to understand what "normal" looks like in the logs, so that you have some kind of baseline data for comparison.
    Other checks, maybe confirm that the machines are updating as required (have the relevant WindowsUpdates etc), and consider if some security/protection/firewall software might be interfering with normal Windows operations.
    Also the potential for malware or virus, which can disturb many basic services (ensure a scan is performed and returns clean).
    If you have the opportunity for an affected user to contact you urgently when the symptom occurs, check that the gpt.ini file is accessible from their PC.
    e.g.: \\example.net\sysvol\example.net\Policies\{31B2F340-016D-11D2-945F-00C04FB
    984F9}\gpt.ini
    This file is hosted within the replicated SYSVOL share on your DC's, so check that it is accessible.
    You might also validate the particular GPO this refers to, and check each of your DC's holds the correct copy of the files for that GPO GUID.
    If you open that GPO, and perform a minor change to it (e.g. add a comment), then click Apply, OK, this should cause the GPO contents to replicate an updated version (be cautious, depending upon the nature of that GPO !!!)
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • New Group Policy not working on 2008 RDS in 2012 Domain - Security Filtering problem?

    We have a Windows 2008 R2 RDS in a Windows 2012R2 Domain. We want to lockdown the 2008 RDS for Domain users that we have added to a new  security Group--named "Data Collection Users". These users are "Domain Users" and login to the
    2008 RDS using Windows XP SP3 machines to run a specific application -they do not use their local desktops for anything. WE added this group to the local RDU group on the RDS.  We do not have any other users that login to the RDS through terminal,
    including any Domain Admins.
    So far we have done these steps:
    On the DC, created new OU (called Terminal Servers) and moved the RDS into it.
    Opened Group Policy on the DC, and under GP Objects, created a new policy called "TS Users Lockdown".
    Linked the Policy to the OU.
    Under Security Filtering we removed the Authenticated Users, added the RDS computer account (called QS2), added the "Data Collection Users" and chose Allow for "Read" and "Apply Policy"
    Under Security Filtering, for Domain Admins, we chose Deny for "Apply Group Policy"
    We edited the Policy (under Computer Configuration>AT>SYS>GP) to Enable Loopback processing - Replace mode.
    We first tested the policy by trying to remove the "Run" from startup menu and "prohibit access to Control Panel".
    We ran the Group Policy force update from within GP Management - ran successfully.
    We did not reboot the RDS.
    Neither of the settings we tried in Step 7 worked.  Why Not?
    Here are images from the Security Filtering:

    Ok--Do I reboot the RDS or the DC?  or both?
    Does it look like my Security Filtering is correct?  I have seen posts where you should not remove the "Authenticated users"?

  • W7 Group Policies not applying

    We are planning on deploying Windows 7 Pro in our offices this coming year and I have been in the process of building my Windows 7 group policies from scratch by using the XP policies as a template. I have 3 policies that I create the standard lockdown, administrative mode, and IT. As I'm building the policies and the have the Group Policy editor open, whatever changes that I make do apply on my local machine, but after I save and upload the policies and apply them to machines the policy status in the Zen Notify Icon says that they have applied, but in function no policies have applied. I'm getting ready to start adding my Allow These Executables list but don't want to waste the time if the desktop look and feel and general access features aren't being applied correctly to the machines. Is there anything that I can check to see why this isn't working correctly?

    I am making the policies from scratch on a Win7 Pro machine. When I use the GP Editor from ZCM to create and reopen the policies all of my policy details are applying correctly to my local machine which I am working on the policy with. When I apply them to Win7 systems the policy status under the ZCM desktop icon shows that they were applied successfully, but when trying do do anything prohibited by policy or checking the gpedit.msc everything says Not Configured. This is only happening to "Windows Group Policy" objects, DLU and Remote Control are working correctly.

Maybe you are looking for