
I created a new GPO to apply to a specific AD security group. This was created on a top-level OU "Org Users". There are 4 existing GPOs on this OU, so creating this was the 5th one. This new GPO "S_Pilot_GPO" was adjusted to be 1 in the link order.

This GPO sets: User Configuration->Administrative Templates->DP AD Client->Managed applications->PWM, "Managed logons" to Enabled.

(One of the existing GPOs, "DPKioskSettings", also applies the above User Configuration. That is why I made the link order 1 for the new GPO.)

The scope is applied to an AD security group "S_Pilot".

I have a user within "S_Pilot", but when they log in to a device as that user this new GPO does not get applied. The original GPOs are still the ones being applied. rsop.msc indicates that "DPKioskSetting" is still being applied instead.

S_Pilot_GPO is linked to the OUs "Org Computers", and "Org Users". And "DPKioskSetting" is linked to "Org Computers", "Org Users", "Students", "Training Servers", and "View Desktops".

None of these GPOs are enforced.

What am I missing? Shouldn't the link order force this new GPO to override "DPKioskSetting"?

I attempted to make the new GPO Enforced; no difference.

Zeno
  • If a GPO has only user settings (or only computer settings), it should only be linked to an OU containing users (or computers, as the case may be). Generally it's helpful for each GPO to only apply user **or** computer settings to keep things from getting confusing. – Todd Wilcox Feb 06 '18 at 18:38
  • @ToddWilcox It started off linked to just "Org Users" (a user OU) and was still not being applied. – Zeno Feb 06 '18 at 18:40
  • Is the user who is in the **S_Pilot** group also inside the **Org Users** OU? – Todd Wilcox Feb 06 '18 at 18:41
  • @ToddWilcox Yes, they are part of that. – Zeno Feb 06 '18 at 18:42
  • Is **S_Pilot** the only entity listed in the security filtering? You probably have to allow read permissions for **Authenticated Users** or the computer account cannot read the GPO for the user. You can grant read permissions without giving permission to apply the GPO. – Todd Wilcox Feb 06 '18 at 18:48
  • @ToddWilcox That might be it! – Zeno Feb 06 '18 at 18:59
  • Any errors in: Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> GroupPolicy/Operational ? Get-WinEvent -ProviderName Microsoft-Windows-GroupPolicy -MaxEvents 100 | FL – IT TC Feb 06 '18 at 18:49

2 Answers


Did you add the 'computer' read access to your GPO in the Delegation tab? Having a security-group filter on the GPO without an entry for everyone on it stops the GPO from working, because the computer can't read that filter before deciding whether or not it applies to the user.

yagmoth555
  • Yes, the delegation tab is set up just like all the other GPOs that are functioning just fine. – Zeno Feb 06 '18 at 18:41
  • @Zeno You didn't answer me whether the computer is in there with read access. Other GPOs can be cached on the computer if they were working before the MS hotfix that changed the way GPOs are processed. – yagmoth555 Feb 06 '18 at 18:50
  • Are you talking about, say, adding Authenticated Users in there? – Zeno Feb 06 '18 at 18:59
  • @Zeno Yes, or add computer read-only access in the Delegation tab, as you applied the GPO to a group only, and that blocks the GPO from being read when the computer checks it. – yagmoth555 Feb 06 '18 at 19:01
  • @Zeno You don't have to use **Authenticated Users** specifically, but when you create a new GPO, **Authenticated Users** is there by default, and it's usually easiest to leave it there and perhaps remove the rights to apply the GPO but leave the rights to read the GPO. – Todd Wilcox Feb 06 '18 at 19:01
  • @Zeno Technically, you can check my answer here for full detail; it is the same thing: https://serverfault.com/questions/784615/gpos-fail-to-apply-reason-inaccessible-empty-or-disabled-server-2012-r2-and/784630#784630 – yagmoth555 Feb 06 '18 at 19:04

If any of these are set to Enforced, they will take precedence regardless of order. Set the one you want to override the defaults to Enforced and make sure it is actually applied to the host they are logging in to.