1

Domain Controllers (2): Samba 4

Client: Windows 10 1909 x64

After joining a computer to the domain, when I run gpupdate /force for the first time, the values under these keys are deleted:

HKLM\SOFTWARE\Policies
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

This doesn't seem to happen if I re-import the keys and run the update again (need to test this more). It also doesn't happen in a test domain (with only a few GP settings configured), so there must be some GPO setting that's causing this.

I noticed because the Secure Desktop wasn't coming up when requiring elevation, which is controlled by the policy User Account Control: Switch to the secure desktop when prompting for elevation (key located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop). This is set by default on new Windows installations.

I pasted gpsvc.log here: https://pastebin.com/CkcPkCCA (15:26 is when I ran the command)

Does anyone know what could be causing this behavior?

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
Bangaio
  • 160
  • 1
  • 8

1 Answers1

0

That is the expected behavior. If a registry policy hasn't changed since it was last applied, it isn't re-applied. It isn't occurring on subsequent applications of group policy due to you do not have the registry policy processing setting enabled to "Process even if the Group Policy objects have not changed".

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
  • `gpupdate /force` does process the complete policy, even if it didn't change. – Daniel Sep 27 '20 at 13:44
  • I narrowed it down to one GPO that causes this. I deployed a new vm, added it to a test OU (with 3 GPOs linked), made a snapshot before running `gpupdate` (`/force` doesn't change anything). Removed one by one and it only deletes the existing keys when the one called `Windows10` is applied. I may be misunderstanding how GP works but I thought it wasn't supposed to delete existing keys, only add/change the ones you configure on the GPO. – Bangaio Sep 28 '20 at 11:34