question

Goofoff asked ·

Are there protected / unchangeable settings in Azure VMs? I have an issue

OK, simply put, we have an environment where the customer RDPs into a few servers.
We have one of our GPO security policies that disables certain things (PowerShell, cmd line, restricts browsers, no control panel, etc.) that is refusing to apply. I don't know why.
On-prem servers are working perfectly but the Azure ones, same domain, AD replication is fine, networking is up.

Any ideas why or some direction to point me in?

azure-virtual-machines azure-ad-domain-services
4 comments

What GPO isn't being applied? What exactly are you disabling?

Can you enforce the policies if you remote into the machine and manually disable those items? This is a test to see if they are in fact disableable.

Please list the policies that cannot be manually enabled.

Also please note, per the docs: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy

In a hybrid environment, group policies configured in an on-premises AD DS environment aren't synchronized to Azure AD DS. To define configuration settings for users or computers in Azure AD DS, edit one of the default GPOs or create a custom GPO.

0 Votes 0 · ·

It's not AD DS; it's a hybrid environment with the domain controllers on-prem and in Azure. VMs are joined to on-prem AD.

We also just narrowed it down to a specific OU that for whatever reason was just refusing to read certain GPOs. We moved a non-working user into another OU and same GPOs and it worked exactly how it should... not sure why or what was wrong but it was that OU.

1 Vote 1 · ·

Good day :-)
You mentioned too many features which you disabled at the same time. If you want to monitor the issue then you should start by testing one action at a time.

Once you find the specific action which is not working, then we can focus on that.

0 Votes 0 · ·

If the response did help in answering your query, please mark the response as "Answered", so that it helps other users visiting the forum.

0 Votes 0 · ·

1 Answer

FrankHuMSFT-3200 answered ·

It sounds like you were able to resolve the issue as it's an issue in your environment's GPOs and OUs, and not related to Azure services.

For more information on how GPOs, OUs, and GPLinks work, I suggest taking a look at this article: https://wald0.com/?p=179

And check to see if your GPOs are linked to specific OUs or how you've set up your GPOs to properly sync, as it seems to be an issue with a specific OU in your org, and there must be some sort of configuration that is overriding your GPOs. For more information on this see: https://serverfault.com/questions/373958/how-do-you-override-a-gpo-with-another-gpo

If you continue to experience issues with this I suggest posting this on the Windows Server forums here: https://social.msdn.microsoft.com/Forums/ie/en-US/home?category=windowsserver as the docs.microsoft.com/answers forum is currently handling Azure AD related issues.

If you continue to experience issues I suggest filing a support ticket with Microsoft and a support engineer will engage to help resolve your issue.
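
One way to carry out the OU and GPO link check suggested in this answer, as an added example that is not part of the original thread: it lists the GPO links that actually reach the failing OU and a working OU and shows where they differ. It assumes the RSAT GroupPolicy module is installed; both OU distinguished names are placeholders.

```powershell
# Added example: compare the effective GPO links of two OUs.
# Assumption: run from a domain-joined host with the RSAT GroupPolicy module.
Import-Module GroupPolicy

# Placeholders: substitute the distinguished names from your own domain.
$failingOu = 'OU=PLACEHOLDER-Failing,DC=example,DC=com'
$workingOu = 'OU=PLACEHOLDER-Working,DC=example,DC=com'

function Get-EffectiveGpoLink {
    param([Parameter(Mandatory)][string]$OuDn)

    $som = Get-GPInheritance -Target $OuDn
    if ($som.GpoInheritanceBlocked) {
        # With inheritance blocked, only enforced links from parent containers still apply.
        Write-Warning "$OuDn blocks inheritance"
    }
    # InheritedGpoLinks is the ordered list that reaches objects in the OU
    # (Order 1 has the highest precedence and wins conflicting settings).
    foreach ($link in $som.InheritedGpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        [pscustomobject]@{
            Order     = $link.Order
            Gpo       = $link.DisplayName
            LinkedAt  = $link.Target
            Enabled   = $link.Enabled
            Enforced  = $link.Enforced
            GpoStatus = $gpo.GpoStatus   # e.g. UserSettingsDisabled turns off the user half
        }
    }
}

$failing = @(Get-EffectiveGpoLink -OuDn $failingOu)
$working = @(Get-EffectiveGpoLink -OuDn $workingOu)

# GPOs that reach one OU but not the other
$missing = @($working | Where-Object { $_.Gpo -notin $failing.Gpo })
$extra   = @($failing | Where-Object { $_.Gpo -notin $working.Gpo })

'--- Reaches the working OU only ---'
$missing | Format-Table Order, Gpo, LinkedAt, Enforced -AutoSize
'--- Reaches the failing OU only (may override the lockdown policy) ---'
$extra | Format-Table Order, Gpo, LinkedAt, Enforced -AutoSize
'--- Full precedence list for the failing OU ---'
$failing | Sort-Object Order | Format-Table -AutoSize
```

If both lists match, the difference is not in the links; `gpresult /h report.html` on an affected server shows which GPOs were filtered out and why.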
