We've recently been cleaning up our domain, active directory, group policies, etc. Our MCSDCS DNS zone was in the wrong place, our SYSVOL was not replicating because it had been locked in a journal wrap error for over a year, and our central repository of Policy Definitions had nuked itself at some point. So overall our domain has suffered from years of going through too many different system admins with varying levels of experience, and has also been upgraded from 2000 - 2003 and then 2003 - 2008 and we're prepping to do another upgrade within the next year.
In any case, one issue we seemed to have was a very bloated Default Domain Policy; all sorts of random settings had been added to it. Some settings I guess had been deprecated at some point and I couldn't seem to find them to turn them off in the editor. I pulled out a lot of stuff into more topic-related GPOs, made sure they were still consolidated, etc. Once we did that, all of our RDP settings went back to default on just about all the machines in the building - not everything though, but no obvious other pattern based on OU of the user or PC, or Win 7 vs Win 10, etc. We don't use the Windows firewall, so it's not the firewall-related settings. It's the specific settings in the System Properties > Remote tab.
This is the point where I realized our Admin Templates in the central repository had been nuked (I'm a bit new to Windows Domain Administration myself). My guess was that either the Default Domain Policy or one of the other policies I'd been fixing or removing had included some setting I couldn't see in the editor in the GPO because we didn't even have that policy template loaded. So after loading in the default templates I edited the correct setting, applied the GPO, forced the update... and nothing. I made sure enforcement was forced, I made sure it was going to hit my user, confirmed in GPRESULT, and then I even linked it in the USER and PC OUs closest to my AD objects... and still nothing.
I manually added the two registry keys to the GPO for allow remote desktop and don't require NLA. Still nothing. I can toggle those registry keys manually, and changing the settings back in the System Properties panel changes the keys back to confirm, but the GPO does not change the keys.
I've run GPRESULT with scope:computer and I see the following:
The settings from that GPO show up in 'settings'
The policy shows up under 'Applied GPOs' and says 'Enforced = Yes'
The correct winning GPO is listed on the individual settings, the registry key ones say 'result:success'.
Yet those settings don't change on my PC after multiple GPUPDATE /FORCE, reboots, waiting for the GPO refresh cycle (plus the max offset value) - no change!
Can anyone point me in the right direction here? Any help would be much appreciated!
EDIT:
Specific settings: Admin Template Approach: Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections Allow users to connect remotely using Remote Desktop Services - Enabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security Require user authentication for remote connections by using Network Level Authentication - Disabled
Registry Key Approach: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server fDenyTSConnections REG_DWORD 0x0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp UserAuthentication REG_DWORD 0x0 (0)
They are BOTH Computer changes.
I have tried this with the GPO in the scope of the PC OU, and have also tried to put the GPO in the scope of both the User and the PC.
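As an added diagnostic (not part of the original post, and not an answer the poster gave), the following PowerShell reads the two RDP values from both places Group Policy and the Remote tab can touch: the Policies hive that the Remote Desktop Session Host admin templates write to, and the Terminal Server keys the post lists. The Policies path and the Group Policy event IDs used here are assumptions drawn from the Terminal Server ADMX and the Group Policy operational log, not from the post. Run it in an elevated PowerShell on the affected PC after GPUPDATE /FORCE.

```powershell
# Added example, not from the original post. Compares the policy-delivered
# values with the effective values the System Properties > Remote tab reads,
# and pulls recent Group Policy client errors so a failed registry CSE shows up.

function Get-RdpRegistryState {
    # Assumed Policies path (Terminal Server ADMX); the Effective paths are the ones in the post.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $checks = @(
        @{ Name      = 'fDenyTSConnections'
           Effective = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' },
        @{ Name      = 'UserAuthentication'
           Effective = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' }
    )
    foreach ($c in $checks) {
        $policyValue    = (Get-ItemProperty -Path $policyPath  -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $effectiveValue = (Get-ItemProperty -Path $c.Effective -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Value     = $c.Name
            Policy    = if ($null -eq $policyValue)    { '<not set>' } else { $policyValue }
            Effective = if ($null -eq $effectiveValue) { '<not set>' } else { $effectiveValue }
            # A policy value that is set while the effective value still differs points at
            # the consumer of the key, not at GPO delivery; '<not set>' under Policy means
            # the registry CSE never wrote it on this machine.
            Delivered = ($null -ne $policyValue)
        }
    }
}

function Get-GroupPolicyClientErrors {
    param([int]$MaxEvents = 50)
    # Assumed IDs: 1085 = a client-side extension failed to apply, 7016/8004 = processing completed
    # with errors. Filtering on Level 2 (Error) keeps the list short on a healthy client.
    Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -eq 2 -or $_.Id -in 1085, 7016, 8004 } |
        Select-Object TimeCreated, Id, Message
}

Get-RdpRegistryState | Format-Table -AutoSize
Get-GroupPolicyClientErrors | Format-List
```

If the Policy column shows the expected 0 values but Effective still differs, the GPO is being delivered and the mismatch is on the consuming side; if Policy reads "<not set>" even though GPRESULT lists the GPO as applied, compare the GPO's registry.pol on SYSVOL against what the client downloaded, since a SYSVOL that stopped replicating (as the post describes) can leave domain controllers serving different copies of the same GPO.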