Hello Daniel Růžička,
Thank you for posting in our Q&A forum.
The principle of the forum is one question per thread. To avoid confusion between questions and to keep replies efficient, we recommend that you post only one question in one thread; if you have multiple questions, it is recommended to post different questions in different threads.
In this answer, I will try my best to reply to your first question; you can post your second and third questions in two new threads.
Thank you for your understanding and time.
Did you configure a GPO setting (such as Enable logon using a practical PIN code) on the Domain Controller and apply this setting to clients?
If so, we can check the Group Policy result by following the steps below.
If it is Computer Configuration:
1. Log on to the client with an Administrator account.
2. Open CMD (run as Administrator).
3. Type gpresult /h C:\gpo.html and press Enter.
4. Check the GPO setting under "Computer Details".
If it is User Configuration:
1. Log on to the client with a domain account to which the GPO setting applies.
2. Open CMD (do not run as Administrator).
3. Type gpresult /h C:\test\gpo.html and press Enter (create a folder named test on the C drive in advance).
4. Check the GPO setting under "User Details".
For the same GPO setting on clients within Local Group Policy Editor, even if we can change it to another option, it will sync with the domain GPO setting when GPO is refreshed on clients.
Q: Please fix it so that the correct state of the policy is displayed and cannot be changed.
A: GPO configurations for the same setting in Local Group Policy Editor are not necessarily the same as the domain GPO setting on the DC.
Hope the information above is helpful. If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
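The two checks described in the answer above can be combined in one PowerShell script; this is an added example, not part of the original answer. The Keyword parameter and the Policy/Name/State element names read from the XML report are assumptions.

```powershell
# Added example: write gpresult reports for the scope this session can read,
# then list settings in the XML report whose name contains a keyword.
param(
    [string]$OutDir  = 'C:\test',  # folder used in the answer above
    [string]$Keyword = 'PIN'       # assumption: text to look for in setting names
)

# Computer scope needs an elevated prompt; user scope is read as the
# signed-in (non-elevated) user, matching the two procedures above.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$scope = if ($elevated) { 'computer' } else { 'user' }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$htmlPath = Join-Path $OutDir "gpo-$scope.html"
$xmlPath  = Join-Path $OutDir "gpo-$scope.xml"

# /h writes the HTML report, /x the XML report, /f overwrites an existing file.
gpresult /scope $scope /h $htmlPath /f
if ($LASTEXITCODE -ne 0) { throw "gpresult /h failed with exit code $LASTEXITCODE" }
gpresult /scope $scope /x $xmlPath /f
if ($LASTEXITCODE -ne 0) { throw "gpresult /x failed with exit code $LASTEXITCODE" }

# Load from the file so the encoding is taken from the file itself.
$report = New-Object System.Xml.XmlDocument
$report.Load($xmlPath)

# Assumption: each setting appears as <Policy><Name/><State/></Policy>.
# local-name() keeps the query independent of namespace prefixes.
$hits = foreach ($policy in $report.SelectNodes("//*[local-name()='Policy']")) {
    $name  = $policy.SelectSingleNode("*[local-name()='Name']")
    $state = $policy.SelectSingleNode("*[local-name()='State']")
    if ($name -and $name.InnerText -match [regex]::Escape($Keyword)) {
        $stateText = if ($state) { $state.InnerText } else { '(not reported)' }
        [pscustomobject]@{ Scope = $scope; Setting = $name.InnerText; State = $stateText }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No $scope setting containing '$Keyword' found; open $htmlPath to review."
}
```

Run it once from an elevated prompt for the computer scope and once from a normal prompt as the affected domain user for the user scope.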