C
Cyber(Joe)
So this is my home setup, WIn 10 pro, with Server Essentials 2016 and yes I am using the essentials role, I love the client backup aspect here at home.
I allowed our computers to go from Win10 1909 to 20H2. So after upgrading I noticed my computer desktop was not timing out after 20mins and locking the screen. This was of course after jumping through hoops to get it reconnected to the essentials setup. My wife's computer went fine, don't even recall having to redo the connector aspect that or it did not give me fits like on my computer. Anyways hers seems to be working well and holding the GPOs I have on the Server, mostly Security related stuff, a drive mapping and one a few user related settings. The bulk of it is security related items and mostly only applies to the computer config. The first thing I noticed after running a forced GPO update was that the computer settings were not taking, the results showed only user settings applying. I thought that's odd, went and ran a gpresult on my wife's computer it showed it still had the computer configs in from the domain GPO applied to include the computer config.
Thought ok this is something with just my computer. So after bouncing between different recovery options and a backup restore on my PC I decided today I would do an OS reset on my PC letting it only keep my personal files, and had it download the OS from the cloud during the reset process. Still working on getting it all set back up. Well ignore my PC for the moment.
So I decide to take another look at my wife's computer, ran a gresult /r.
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2020 Microsoft Corporation. All rights reserved.
Created on ?3/?28/?2021 at 6:51:20 PM
RSOP data for <domain-ad>\xxx on XXXX : Logging Mode
---------------------------------------------------
OS Configuration: Member Workstation
OS Version: 10.0.19042
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\xxx
Connected over a slow link?: No
USER SETTINGS
--------------
CN=xxx,CN=Users,DC=xxx,DC=xxx,DC=org
Last time Group Policy was applied: 3/28/2021 at 6:48:45 PM
Group Policy was applied from: xx.xx.org
Group Policy slow link threshold: 500 kbps
Domain Name: haplo-ad
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
DriveMapping
New Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
Remote Desktop Users
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Family
Authentication authority asserted identity
High Mandatory Level
This implies all is well but when I run the gpresult /h c:\tech\filen.html the resulting report shows it nothing in the computer config applied even though it says success in the headers. User config looks fine I can show a report for Marc 22 post upgrade where all looks fine. and several from this weekend showing other wise. So no I n the local group policy editor on my wifes computer and start review settings between it and the server. and bingo it is not taking any of the computer config settings. Originally I was running 3 gpos, I added another for allowing RSAT to be installed. Those settings don't appear.
So keeping in mind prior to march I had not made any changes in GPO in awhile so everything appeared to be working fine. All my GPO changes came about after the upgrade to WIn10 20H2 because I noticed things were not being processed correctly on my PC. So I thought I wonder if i need to update the admin templates for this version of Win10. So I downloaded them 20H2 versions and installed in them central store. doubled check my scopes and filters, I don't use wmi filtering. Everything correct. In the end I added domain users and computers to my policies, made no difference.
So now I decided to build a new default domain GPO. So since there was some redundancy in my LDAP binding and defaults I merged them and my rsat ones together into this new policy, and added a couple of tweaks security settings for ctrl-alt-del and signed on user name as I did not see the same setting from my old policy in the templates. So now I only have 2 policies that effect computers they are linked and enforced at the domain level (yes there is a separate DC policy-did not touch it), this new default and my drive mapping. All this made no difference on my PC so today I opted for a fresh reset.
I decided not to do anything yet to my wife's PC happy wife happy life. But like I said now hers is not taking the new configs. I have now hit a wall on what could be causing this. All my previous research pointed at UNC Path Hardening. I did try it, and it made no differences so I removed it. Keep in mind the clients are all Win10Pro, and the server is 2016(1607) a from of Win10 so UNC path hardening should be a mute point.
I have not found any errors in the logs to point to a GPO issue, and forcing a GPO update does not trigger an error. the computer configurations from the GPOs are not being set.
Here is a sanitized GPRESULT output of of my wife's PC:
**Sorry the output is not easy too look at after coping and pasting.
Group Policy Results
domain-ad\userx
Data collected on: 3/28/2021 6:52:15 PM
Summary hide
No data available.
During last user policy refresh on 3/28/2021 6:48:46 PM
A fast link was detected More information...
The following GPOs have special alerts
GPO Name Alert
DriveMapping Enforced
New Default Domain Policy Enforced
Computer Details hide
No data available.
User Details hide
General hide
User name domain-ad\userx
Domain domain-ad.domain.org
Security Group Membership show
Component Status hide
Component Name Status Time Taken Last Process Time Event Log
Group Policy Success 3/28/2021 6:48:46
Infrastructure PM
Group Policy Drive Success 3/28/2021 6:20:15
Maps PM
Registry Success 3/28/2021 6:20:15
PM
Settings hide
Policies hide
Administrative Templates hide
Policy definitions (ADMX files) retrieved from the central store.
Start Menu and Taskbar hide
Policy Setting Winning GPO
Show "Run as different user" Enabled New Default Domain Policy command on Start
Preferences hide
Windows Settings hide
Drive Maps hide
Drive Map (Drive: I) hide
The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.
I: hide
Winning GPO DriveMapping
Result: Success
General hide
Action Update
Properties
Letter I
Location \\DOMAINAD\Shares
Reconnect Enabled
Label as Server Shares
Use first available Disabled
Hide/Show this drive Show
Hide/Show all drives No change
Group Policy Objects hide
Applied GPOs hide
DriveMapping [{07B88E38-97FE-40A2-A406-3FD0576F4A59}] hide
Link Location domain-ad.domain.org
Extensions Configured Group Policy Drive Maps
Group Policy Infrastructure
Enforced Yes
Disabled None
Security Filters NT AUTHORITY\Authenticated Users
domain-ad\Family domain-ad\Domain Users
Revision AD (24), SYSVOL (24)
WMI Filter
New Default Domain Policy [{1659BC8C-B054-4E8E-9963-690EA366609C}] hide
Link Location domain-ad.domain.org
Extensions Configured Registry
Enforced Yes
Disabled None
Security Filters
NT AUTHORITY\Authenticated Users domain-ad\Family domain-ad\Domain Computers domain-ad\Domain Users
Revision AD (1), SYSVOL (1)
WMI Filter
Denied GPOs hide
Local Group Policy [LocalGPO] hide
Link Location Local
Extensions Configured
Enforced No
Disabled None
Security Filters
Revision AD (0), SYSVOL (0)
WMI Filter
Reason Denied Empty
WMI Filters hide
Name Value Reference GPO(s)
None
Continue reading...
I allowed our computers to go from Win10 1909 to 20H2. So after upgrading I noticed my computer desktop was not timing out after 20mins and locking the screen. This was of course after jumping through hoops to get it reconnected to the essentials setup. My wife's computer went fine, don't even recall having to redo the connector aspect that or it did not give me fits like on my computer. Anyways hers seems to be working well and holding the GPOs I have on the Server, mostly Security related stuff, a drive mapping and one a few user related settings. The bulk of it is security related items and mostly only applies to the computer config. The first thing I noticed after running a forced GPO update was that the computer settings were not taking, the results showed only user settings applying. I thought that's odd, went and ran a gpresult on my wife's computer it showed it still had the computer configs in from the domain GPO applied to include the computer config.
Thought ok this is something with just my computer. So after bouncing between different recovery options and a backup restore on my PC I decided today I would do an OS reset on my PC letting it only keep my personal files, and had it download the OS from the cloud during the reset process. Still working on getting it all set back up. Well ignore my PC for the moment.
So I decide to take another look at my wife's computer, ran a gresult /r.
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2020 Microsoft Corporation. All rights reserved.
Created on ?3/?28/?2021 at 6:51:20 PM
RSOP data for <domain-ad>\xxx on XXXX : Logging Mode
---------------------------------------------------
OS Configuration: Member Workstation
OS Version: 10.0.19042
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\xxx
Connected over a slow link?: No
USER SETTINGS
--------------
CN=xxx,CN=Users,DC=xxx,DC=xxx,DC=org
Last time Group Policy was applied: 3/28/2021 at 6:48:45 PM
Group Policy was applied from: xx.xx.org
Group Policy slow link threshold: 500 kbps
Domain Name: haplo-ad
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
DriveMapping
New Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
Remote Desktop Users
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Family
Authentication authority asserted identity
High Mandatory Level
This implies all is well but when I run the gpresult /h c:\tech\filen.html the resulting report shows it nothing in the computer config applied even though it says success in the headers. User config looks fine I can show a report for Marc 22 post upgrade where all looks fine. and several from this weekend showing other wise. So no I n the local group policy editor on my wifes computer and start review settings between it and the server. and bingo it is not taking any of the computer config settings. Originally I was running 3 gpos, I added another for allowing RSAT to be installed. Those settings don't appear.
So keeping in mind prior to march I had not made any changes in GPO in awhile so everything appeared to be working fine. All my GPO changes came about after the upgrade to WIn10 20H2 because I noticed things were not being processed correctly on my PC. So I thought I wonder if i need to update the admin templates for this version of Win10. So I downloaded them 20H2 versions and installed in them central store. doubled check my scopes and filters, I don't use wmi filtering. Everything correct. In the end I added domain users and computers to my policies, made no difference.
So now I decided to build a new default domain GPO. So since there was some redundancy in my LDAP binding and defaults I merged them and my rsat ones together into this new policy, and added a couple of tweaks security settings for ctrl-alt-del and signed on user name as I did not see the same setting from my old policy in the templates. So now I only have 2 policies that effect computers they are linked and enforced at the domain level (yes there is a separate DC policy-did not touch it), this new default and my drive mapping. All this made no difference on my PC so today I opted for a fresh reset.
I decided not to do anything yet to my wife's PC happy wife happy life. But like I said now hers is not taking the new configs. I have now hit a wall on what could be causing this. All my previous research pointed at UNC Path Hardening. I did try it, and it made no differences so I removed it. Keep in mind the clients are all Win10Pro, and the server is 2016(1607) a from of Win10 so UNC path hardening should be a mute point.
I have not found any errors in the logs to point to a GPO issue, and forcing a GPO update does not trigger an error. the computer configurations from the GPOs are not being set.
Here is a sanitized GPRESULT output of of my wife's PC:
**Sorry the output is not easy too look at after coping and pasting.
Group Policy Results
domain-ad\userx
Data collected on: 3/28/2021 6:52:15 PM
Summary hide
No data available.
During last user policy refresh on 3/28/2021 6:48:46 PM
A fast link was detected More information...
The following GPOs have special alerts
GPO Name Alert
DriveMapping Enforced
New Default Domain Policy Enforced
Computer Details hide
No data available.
User Details hide
General hide
User name domain-ad\userx
Domain domain-ad.domain.org
Security Group Membership show
Component Status hide
Component Name Status Time Taken Last Process Time Event Log
Group Policy Success 3/28/2021 6:48:46
Infrastructure PM
Group Policy Drive Success 3/28/2021 6:20:15
Maps PM
Registry Success 3/28/2021 6:20:15
PM
Settings hide
Policies hide
Administrative Templates hide
Policy definitions (ADMX files) retrieved from the central store.
Start Menu and Taskbar hide
Policy Setting Winning GPO
Show "Run as different user" Enabled New Default Domain Policy command on Start
Preferences hide
Windows Settings hide
Drive Maps hide
Drive Map (Drive: I) hide
The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.
I: hide
Winning GPO DriveMapping
Result: Success
General hide
Action Update
Properties
Letter I
Location \\DOMAINAD\Shares
Reconnect Enabled
Label as Server Shares
Use first available Disabled
Hide/Show this drive Show
Hide/Show all drives No change
Group Policy Objects hide
Applied GPOs hide
DriveMapping [{07B88E38-97FE-40A2-A406-3FD0576F4A59}] hide
Link Location domain-ad.domain.org
Extensions Configured Group Policy Drive Maps
Group Policy Infrastructure
Enforced Yes
Disabled None
Security Filters NT AUTHORITY\Authenticated Users
domain-ad\Family domain-ad\Domain Users
Revision AD (24), SYSVOL (24)
WMI Filter
New Default Domain Policy [{1659BC8C-B054-4E8E-9963-690EA366609C}] hide
Link Location domain-ad.domain.org
Extensions Configured Registry
Enforced Yes
Disabled None
Security Filters
NT AUTHORITY\Authenticated Users domain-ad\Family domain-ad\Domain Computers domain-ad\Domain Users
Revision AD (1), SYSVOL (1)
WMI Filter
Denied GPOs hide
Local Group Policy [LocalGPO] hide
Link Location Local
Extensions Configured
Enforced No
Disabled None
Security Filters
Revision AD (0), SYSVOL (0)
WMI Filter
Reason Denied Empty
WMI Filters hide
Name Value Reference GPO(s)
None
Continue reading...