This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 51%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Since recently I've run into an issue with Windows server 2016 Standard and GPO's, I've used a template to provide details. Does anyone have some tips for me about how to proceed?
Please describe the issue in 2-3 sentences. Include what you're trying to accomplish when the issue occurs.
Policy is not applied at logon, when a gpupdate /force is executed and the user is logged off, the policy works well for two logons. The third logon the policy is applied partially, when a gpupdate /force is done, it will work well for a few logons, until the third logon. The issue occurs for multiple users. GPResult shows that the policy is applied.
When did it begin and how often does it occur?
The issue began on Friday 7-5-2021 and occurs every third logon for every user.
What errors do you see?
None
What's the environment and are there recent changes?
Windows ADDC + RDS, no recent changes were made
What have you tried to troubleshoot this?
gpupdate /force, logoff + logon, checked scope and permissions, checked access to sysvol and netlogon, checked DNS, altered default domain policy. None of these steps resolved the issue, the default domain policy shows similar behaviour to other policies
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,
Hi,
Welcome to ask here!
To know the issue more clearly, would you please confirm the following information?
1, The policy not fully applied was a user policy, right?
Was the issue for one GPO or all the GPOs?
2, Which policy did you deployed?
3, If the policy didn't work when logon every third logon, Will the problem continue?
4, How many DCs do you have? Did everything work well? You can check if there are any errors in the output of the following command:
Dcdiag /v >c:\dcdiag1.log
Repadmin /showrepl >C:\repl.txt
Repadmin /showreps *
5, If possible, would you please share a screenshot of the gpresult. You can check the result by the command: gpresult /h report.html.
Best Regards,
Thank you for your reply. I've done some more digging based on the provided steps and narrowed it down to the exact settings that aren't successfully being applied. The setting is regarding the Control panel and computer settings access. Control panel/Settings are not accessible at first, but become accessible after several logons. Also the Task manager option is greyed out at first and becomes available after about 5 minutes. It seems that the policy is applied at logon, but stops being enforced/applied after several logons, or after about 5 minutes of an active session.
EDIT: Included gpresult file file96716-gpresult.txt
Hi,
What's the result if you run gpupdate /force? Will the policy apply again?
Did you check the policies deployed for the users? Are there any conflicts? You can check that by run command:
Gpresult /h report.html
Also, check if there are any related computer policy?
Run CMD as administrator and run command: gpresult /h c:\report1.html.
Best Regards,
Hi,
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,