Policy not fully applying

Ranko Bakker 1 Reputation point

Since recently I've run into an issue with Windows server 2016 Standard and GPO's, I've used a template to provide details. Does anyone have some tips for me about how to proceed?

Please describe the issue in 2-3 sentences. Include what you're trying to accomplish when the issue occurs.
Policy is not applied at logon, when a gpupdate /force is executed and the user is logged off, the policy works well for two logons. The third logon the policy is applied partially, when a gpupdate /force is done, it will work well for a few logons, until the third logon. The issue occurs for multiple users. GPResult shows that the policy is applied.

When did it begin and how often does it occur?
The issue began on Friday 7-5-2021 and occurs every third logon for every user.

What errors do you see?

What's the environment and are there recent changes?
Windows ADDC + RDS, no recent changes were made

What have you tried to troubleshoot this?
gpupdate /force, logoff + logon, checked scope and permissions, checked access to sysvol and netlogon, checked DNS, altered default domain policy. None of these steps resolved the issue, the default domain policy shows similar behaviour to other policies

A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,536 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Fan Fan 15,276 Reputation points Microsoft Vendor

    Welcome to ask here!
    To know the issue more clearly, would you please confirm the following information?
    1, The policy not fully applied was a user policy, right?
    Was the issue for one GPO or all the GPOs?
    2, Which policy did you deployed?
    3, If the policy didn't work when logon every third logon, Will the problem continue?
    4, How many DCs do you have? Did everything work well? You can check if there are any errors in the output of the following command:
    Dcdiag /v >c:\dcdiag1.log
    Repadmin /showrepl >C:\repl.txt
    Repadmin /showreps *
    5, If possible, would you please share a screenshot of the gpresult. You can check the result by the command: gpresult /h report.html.

    Best Regards,

    0 comments No comments

  2. Ranko Bakker 1 Reputation point

    Thank you for your reply. I've done some more digging based on the provided steps and narrowed it down to the exact settings that aren't successfully being applied. The setting is regarding the Control panel and computer settings access. Control panel/Settings are not accessible at first, but become accessible after several logons. Also the Task manager option is greyed out at first and becomes available after about 5 minutes. It seems that the policy is applied at logon, but stops being enforced/applied after several logons, or after about 5 minutes of an active session.



    EDIT: Included gpresult file file96716-gpresult.txt

    0 comments No comments

  3. Fan Fan 15,276 Reputation points Microsoft Vendor


    What's the result if you run gpupdate /force? Will the policy apply again?
    Did you check the policies deployed for the users? Are there any conflicts? You can check that by run command:
    Gpresult /h report.html
    Also, check if there are any related computer policy?
    Run CMD as administrator and run command: gpresult /h c:\report1.html.

    Best Regards,