Author Topic: SOLVED Windows 10 not applying group policy on standard users  (Read 16279 times)

acs

SOLVED Windows 10 not applying group policy on standard users
« on: February 25, 2018, 12:14:19 am »
I have three Zentyal 5.1 servers in the field, as it were, all functioning as DCs. I use the default domain policy with roaming profiles (the roaming profiles were set in the Zentyal admin webpage) and a couple of drive maps.

All the PCs are 'joined to the domain'.

On Windows 7 PCs, when regular users log in, the roaming profiles and drive maps work perfectly.

However, on Windows 10 PCs, unless the users are administrators (members of the admin and schema admin group), neither the roaming profiles nor drive maps work, and often it logs in with a temp profile.
A check of the system events shows the following error:
The processing of Group Policy failed. Windows attempted to read the file \\test.local\sysvol\test.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
I can browse to and open the gpt.ini with no problems as a standard user.

If I then add the user to the admin group, the issue goes away.
This issue affects all the Zentyal 5 setups I have in exactly the same way, including a test one. The Windows 10 version is the latest creators edition.

I am certain anyone else using the Win 10 creators version and Zentyal 5 will be hitting the same issue!

Has anyone solved it?


« Last Edit: February 25, 2018, 01:09:32 pm by acs »

acs

Re: Windows 10 not applying group policy on standard users
« Reply #1 on: February 25, 2018, 01:05:14 pm »
Many thanks for all the replies and pointers chaps!

Hopefully this may help another newbie like me.

Just a quick update:

The issue was caused by UNC hardening, which by default is off on Win 7 and 8/8.1 but enabled by default on Windows 10.
Once disabled on my Win 10 clients, the fault went away. However, this raises two questions in my mind:

1. It looks like UNC hardening is a security feature, so disabling it may not be the best idea.

2. I run quite a few MS domain controllers (Server 2008/sbs2011/server2012) and Win 10 clients with the UNC hardening enabled and have no group policy issues at all. I'm thinking this is maybe a bug in Samba?


Main thing for now is it's working.

acs

Re: Windows 10 not applying group policy on standard users
« Reply #2 on: February 25, 2018, 01:08:13 pm »
Maybe some help to disable UNC hardening:

Knock up a PowerShell script with:

$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name "\\*\SYSVOL" -Value "RequireMutualAuthentication=0" -PropertyType String
New-ItemProperty -Path $key -Name "\\*\NETLOGON" -Value "RequireMutualAuthentication=0" -PropertyType String

Enable PowerShell in Settings - Update and Security - For developers - PowerShell; click allow execution.

Run and reboot.

Hope this helps someone.

« Last Edit: February 25, 2018, 01:11:11 pm by acs »

xelander

Re: SOLVED Windows 10 not applying group policy on standard users
« Reply #3 on: August 18, 2019, 01:51:29 pm »
Hello,
I just installed Zentyal 6.0 as a standalone Domain Controller (hostname master, domain insieme.lan) and I had the same problem with roaming profiles.

I successfully joined a Windows 10 Pro (version 1903) VM to the domain (INSIEME), I created a new domain user (alex) with a roaming profile (\\master.INSIEME.LAN\profiles\alex) and I followed your suggestion and created the above registry keys.

It works, but only until I try to change the default domain policy (or apply a new domain policy) with the Group Policy Editor (I tried setting password expiration to 42 days): then the errors with the roaming profiles show up again.

I also created a "\\*\PROFILES" key similar to "\\*\SYSVOL" and "\\*\NETLOGON" above, but again with no result.

I also appended ",RequireIntegrity=0,RequirePrivacy=0" (as per this post https://blogs.technet.microsoft.com/leesteve/2017/08/09/demystifying-the-unc-hardening-dilemma/) to the key values, but nothing helped.

Has anyone experienced similar problems?

Thanks,
Alessandro
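
An audit for the overrides discussed in the posts above, as an added example (not code from any poster, Zentyal or Samba): it lists every HardenedPaths value on a client and reports which of its settings, such as RequireMutualAuthentication, RequireIntegrity or RequirePrivacy, are set to 0. The function names are hypothetical; the registry key and setting names are the ones quoted in the thread.

```powershell
# Added example: report UNC hardening overrides that weaken a path.
# Assumes it runs on the Windows client being checked; reading HKLM
# policy keys does not require elevation.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function ConvertFrom-HardenedPathValue {
    # Parse "RequireMutualAuthentication=0,RequireIntegrity=1" into a hashtable.
    param([string]$Value)
    $settings = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $flag = $pair.Trim() -split '=', 2
        if ($name) { $settings[$name.Trim()] = "$flag".Trim() }
    }
    return $settings
}

function Get-WeakenedHardenedPath {
    param([string]$Path = $key)
    # No key means no overrides have been written on this client.
    if (-not (Test-Path $Path)) { return }
    $item = Get-Item -Path $Path
    # Value names such as \\*\SYSVOL contain a wildcard character, so read
    # them through the RegistryKey object instead of Get-ItemProperty -Name.
    foreach ($valueName in $item.GetValueNames()) {
        $settings = ConvertFrom-HardenedPathValue ([string]$item.GetValue($valueName))
        $disabled = @($settings.Keys | Where-Object { $settings[$_] -eq '0' } | Sort-Object)
        if ($disabled.Count -gt 0) {
            [pscustomobject]@{
                UncPath  = $valueName
                Disabled = $disabled -join ', '
            }
        }
    }
}

# One row per UNC path whose hardening has been switched off.
Get-WeakenedHardenedPath | Format-Table -AutoSize
```

Run across the Windows 10 clients, this shows where the workaround is still in place, which is what needs revisiting once the server side can satisfy the hardened settings.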

doncamilo

Re: SOLVED Windows 10 not applying group policy on standard users
« Reply #4 on: August 22, 2019, 03:13:28 pm »
 :)

In addition, you should use the samba-tool domain passwordsettings tool in order to work with password policies.

https://forum.zentyal.org/index.php/topic,34194.msg112340.html#msg112340

Cheers!
« Last Edit: August 22, 2019, 03:16:24 pm by doncamilo »
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

xelander

Re: SOLVED Windows 10 not applying group policy on standard users
« Reply #5 on: August 22, 2019, 09:50:21 pm »
Thank you doncamilo, I did use samba-tool to set password policies and it worked flawlessly.