Windows 10 20H2 and Server Essentials 2016 (1607) GPO no longer applying

Cyber(Joe) 21 Reputation points
2021-03-29T04:53:23.417+00:00

So this is my home setup: Win 10 Pro with Server Essentials 2016, and yes, I am using the Essentials role. I love the client backup aspect here at home.

I allowed our computers to go from Win10 1909 to 20H2. So after upgrading I noticed my computer desktop was not timing out after 20 mins and locking the screen. This was of course after jumping through hoops to get it reconnected to the Essentials setup. My wife's computer went fine; I don't even recall having to redo the connector aspect, that or it did not give me fits like on my computer. Anyways, hers seems to be working well and holding the GPOs I have on the server: mostly security-related stuff, a drive mapping and a few user-related settings. The bulk of it is security-related items and mostly only applies to the computer config. The first thing I noticed after running a forced GPO update was that the computer settings were not taking; the results showed only user settings applying. I thought that's odd, went and ran a gpresult on my wife's computer, and it showed it still had the computer configs from the domain GPO applied, to include the computer config.

Thought OK, this is something with just my computer. So after bouncing between different recovery options and a backup restore on my PC, I decided today I would do an OS reset on my PC, letting it only keep my personal files, and had it download the OS from the cloud during the reset process. Still working on getting it all set back up. Well, ignore my PC for the moment.

So I decided to take another look at my wife's computer and ran a gpresult /r.

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0

c 2020 Microsoft Corporation. All rights reserved.

Created on ?3/?28/?2021 at 6:51:20 PM

RSOP data for <domain-ad>\xxx on XXXX : Logging Mode


OS Configuration: Member Workstation

OS Version: 10.0.19042

Site Name: N/A

Roaming Profile: N/A

Local Profile: C:\Users\xxx

Connected over a slow link?: No

USER SETTINGS


CN=xxx,CN=Users,DC=xxx,DC=xxx,DC=org

Last time Group Policy was applied: 3/28/2021 at 6:48:45 PM

Group Policy was applied from:      xx.xx.org

Group Policy slow link threshold:   500 kbps

Domain Name:                        haplo-ad

Domain Type:                        Windows 2008 or later

Applied Group Policy Objects

-----------------------------

    DriveMapping

    New Default Domain Policy



The following GPOs were not applied because they were filtered out

-------------------------------------------------------------------

    Local Group Policy

        Filtering:  Not Applied (Empty)



The user is a part of the following security groups

---------------------------------------------------

    Domain Users

    Everyone

    BUILTIN\Administrators

    Remote Desktop Users

    BUILTIN\Users

    NT AUTHORITY\INTERACTIVE

    CONSOLE LOGON

    NT AUTHORITY\Authenticated Users

    This Organization

    LOCAL

    Family

    Authentication authority asserted identity

    High Mandatory Level

This implies all is well, but when I run gpresult /h c:\tech\filen.html the resulting report shows nothing in the computer config applied, even though it says success in the headers. User config looks fine. I can show a report from March 22, post upgrade, where all looks fine, and several from this weekend showing otherwise. So now I'm in the local group policy editor on my wife's computer and start reviewing settings between it and the server, and bingo, it is not taking any of the computer config settings. Originally I was running 3 GPOs; I added another for allowing RSAT to be installed. Those settings don't appear.

So keep in mind that prior to March I had not made any changes in GPO in a while, so everything appeared to be working fine. All my GPO changes came about after the upgrade to Win10 20H2, because I noticed things were not being processed correctly on my PC. So I thought, I wonder if I need to update the admin templates for this version of Win10. So I downloaded the 20H2 versions and installed them in the central store. Double-checked my scopes and filters; I don't use WMI filtering. Everything correct. In the end I added domain users and computers to my policies; it made no difference.

So now I decided to build a new default domain GPO. Since there was some redundancy in my LDAP binding and defaults, I merged them and my RSAT ones together into this new policy, and added a couple of tweaks: security settings for Ctrl-Alt-Del and signed-on user name, as I did not see the same setting from my old policy in the templates. So now I only have 2 policies that affect computers. They are linked and enforced at the domain level (yes, there is a separate DC policy; did not touch it): this new default and my drive mapping. All this made no difference on my PC, so today I opted for a fresh reset.

I decided not to do anything yet to my wife's PC; happy wife, happy life. But like I said, now hers is not taking the new configs. I have now hit a wall on what could be causing this. All my previous research pointed at UNC Path Hardening. I did try it, and it made no difference, so I removed it. Keep in mind the clients are all Win10 Pro, and the server is 2016 (1607), a form of Win10, so UNC path hardening should be a moot point.

I have not found any errors in the logs to point to a GPO issue, and forcing a GPO update does not trigger an error. The computer configurations from the GPOs are not being set.

Here is a sanitized GPRESULT output of my wife's PC:

**Sorry, the output is not easy to look at after copying and pasting.

Group Policy Results
domain-ad\userx
Data collected on: 3/28/2021 6:52:15 PM

Summary
  No data available.
  During last user policy refresh on 3/28/2021 6:48:46 PM
  A fast link was detected
  The following GPOs have special alerts
    GPO Name | Alert
    DriveMapping | Enforced
    New Default Domain Policy | Enforced

Computer Details
  No data available.

User Details
  General
    User name: domain-ad\userx
    Domain: domain-ad.domain.org
  Security Group Membership
  Component Status
    Component Name | Status | Time Taken | Last Process Time | Event Log
    Group Policy Infrastructure | Success | | 3/28/2021 6:48:46 PM |
    Group Policy Drive Maps | Success | | 3/28/2021 6:20:15 PM |
    Registry | Success | | 3/28/2021 6:20:15 PM |

  Settings
    Policies
      Administrative Templates
        Policy definitions (ADMX files) retrieved from the central store.
        Start Menu and Taskbar
          Policy | Setting | Winning GPO
          Show "Run as different user" command on Start | Enabled | New Default Domain Policy
    Preferences
      Windows Settings
        Drive Maps
          Drive Map (Drive: I)
            The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.
            I:
              Winning GPO: DriveMapping
              Result: Success
              General
                Action: Update
              Properties
                Letter: I
                Location: \DOMAINAD\Shares
                Reconnect: Enabled
                Label as: Server Shares
                Use first available: Disabled
                Hide/Show this drive: Show
                Hide/Show all drives: No change

  Group Policy Objects
    Applied GPOs
      DriveMapping [{07B88E38-97FE-40A2-A406-3FD0576F4A59}]
        Link Location: domain-ad.domain.org
        Extensions Configured: Group Policy Drive Maps, Group Policy Infrastructure
        Enforced: Yes
        Disabled: None
        Security Filters: NT AUTHORITY\Authenticated Users, domain-ad\Family, domain-ad\Domain Users
        Revision: AD (24), SYSVOL (24)
        WMI Filter:
      New Default Domain Policy [{1659BC8C-B054-4E8E-9963-690EA366609C}]
        Link Location: domain-ad.domain.org
        Extensions Configured: Registry
        Enforced: Yes
        Disabled: None
        Security Filters: NT AUTHORITY\Authenticated Users, domain-ad\Family, domain-ad\Domain Computers, domain-ad\Domain Users
        Revision: AD (1), SYSVOL (1)
        WMI Filter:
    Denied GPOs
      Local Group Policy [LocalGPO]
        Link Location: Local
        Extensions Configured:
        Enforced: No
        Disabled: None
        Security Filters:
        Revision: AD (0), SYSVOL (0)
        WMI Filter:
        Reason Denied: Empty

  WMI Filters
    Name | Value | Reference GPO(s)
    None


Accepted answer
  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-03-30T02:06:05.123+00:00

    Hello @Cyber(Joe) ,

    Thank you for posting here.

    If we want to check Computer Configuration, we can check with gpresult /r or gpresult /h.

    gpresult /r command

    1. We can log on to the PC as domain Administrator.
    2. And open CMD (run as Administrator).
    3. Type gpresult /r and click Enter.
    4. Check GPO under Computer Settings.

    For example:

    82594-s1.png

    gpresult /h command

    1. We can log on to the PC as domain Administrator.
    2. And open CMD (run as Administrator).
    3. Type gpresult /h C:\GPO.html and click Enter.
    4. Check GPO settings under Computer Details.

    If you still can not see any computer settings through gpresult /r or gpresult /h, we need to check how you configure the GPO.

    Usually, if you want to apply a GPO setting to one or more machines, we can configure as below:

    1. Create an OU and put this machine in this OU.
    2. Create a GPO and link this GPO to this OU above.
    3. Edit the GPO with Computer Configuration.
    4. Run gpupdate /force or restart the machine to check GPO setting.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


2 additional answers

  1. Cyber(Joe) 21 Reputation points
    2021-03-30T19:30:03.907+00:00

    I have done all that except create a new OU for the computers. Instead I added the domain computers to the group security. I might get a chance to try the new workstation OU tonight.


  2. Cyber(Joe) 21 Reputation points
    2021-04-30T04:46:48.787+00:00

    Just an FYI on this: the GPO issue was not an issue. It turned out you had to run the results in an elevated command window to see the computer config results. Never occurred to me, because when I am at work I am on a domain admin account most of the day, while when I am at home it's a normal account with local admin privs, but I was just opening a command prompt without thinking.
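
The check from the accepted answer and the last reply, as an added PowerShell example that is not part of the original thread: it parses `gpresult /r` per scope and, when the COMPUTER SETTINGS section is missing, tells a non-elevated prompt apart from a real GPO problem. The function names `Test-IsElevated` and `Get-AppliedGpoByScope` are hypothetical, and the parsing assumes English-language gpresult output laid out like the report quoted in the question.

```powershell
# Added example; function names are hypothetical, parsing assumes English gpresult output.
function Test-IsElevated {
    # True only when the current token holds the Administrators group as enabled (elevated).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AppliedGpoByScope {
    param([string[]]$Lines)
    # $null means the section is absent from the report; @() means present but empty.
    $result = @{ COMPUTER = $null; USER = $null }
    $scope = $null
    $inApplied = $false
    foreach ($line in $Lines) {
        $text = "$line".Trim()
        if ($text -match '^(COMPUTER|USER) SETTINGS$') {
            $scope = $Matches[1]
            $result[$scope] = @()
            $inApplied = $false
        } elseif ($text -eq 'Applied Group Policy Objects') {
            $inApplied = $true
        } elseif ($text -match '^The (following|user|computer) ') {
            $inApplied = $false   # filtered-out GPOs or security group list begins
        } elseif ($inApplied -and $scope -and $text -and $text -notmatch '^-+$') {
            $result[$scope] += $text
        }
    }
    return $result
}

$report = Get-AppliedGpoByScope -Lines (gpresult /r)
if ($null -eq $report.COMPUTER) {
    if (-not (Test-IsElevated)) {
        Write-Warning 'No COMPUTER SETTINGS section and this prompt is not elevated. Re-run from an elevated prompt before troubleshooting the GPO.'
    } else {
        Write-Warning 'Elevated, but no COMPUTER SETTINGS section was returned. Check GPO links and security filtering.'
    }
} else {
    'Computer-scope GPOs applied: ' + ($report.COMPUTER -join ', ')
}
'User-scope GPOs applied: ' + ($report.USER -join ', ')
```

Run it once from a normal prompt and once from an elevated one on the same machine; the difference in output is the behaviour reported in the last reply.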