Group Policy application on Domain Controllers

I am building a test Active Directory forest in a virtual environment. I will be part of a team in the future that will build a new forest for our organization. I don't have experience managing a forest or domain in a production environment, but I am familiar with GPOs and working with them as a sysadmin. I'm using Server 2019 and the forest and domain functional levels are at Windows Server 2016 (that's the highest version available).

I created a new GPO to add our security settings, linked the new GPO to the Domain Controllers OU, ran gpupdate /force (which reports that it completes successfully), rebooted, and now, a day or so later, I'm verifying that some settings have been applied. gpresult shows the GPO is applied, but numerous settings that are set in the GPO are not present in the gpresult output. Here are two examples:

1. I have "Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Account Lockout" set in the GPO to audit success and failure. I also have "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" enabled. But this isn't applied to the server at all. Running "AuditPol /get /category:*" and looking at the output confirms this.

2. The second example is "Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy". I have the lockout threshold set to three, but it is not applied in the gpresult output.

In both of those examples, gpresult indicates that Local Policy is the winning GPO.

There are other settings that are missing. There are also settings in the gpresult that have applied from the GPO. Anything I could be missing? Thanks in advance.


Solution 1:

You should read this piece of Microsoft documentation

Certain policies only apply to domain controllers when they are linked at the root of the domain, this includes policies in the following nodes:

  • Computer Configuration/Windows Settings/Security Settings/Account Policies
  • Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options

Solution 2:

Domain controllers have several built-in security settings which make applying GPOs to them somewhat complex, especially when those GPOs are trying to manage security settings.

You should have a look at the "Default Domain Controllers Policy" which is linked to the "Domain Controllers" OU; this is likely conflicting with your GPO.

As a side note, you should avoid tinkering with domain controllers and the "Default Domain Controllers Policy" GPO unless you really know what you are doing; if you need to test something, use different servers (or workstations), OUs and GPOs.
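The two answers above point at the same diagnosis: Account Policies and Security Options only reach a DC from a GPO linked at the domain root (Solution 1), and whatever is linked at the Domain Controllers OU competes with the Default Domain Controllers Policy on link order (Solution 2). The following PowerShell script is an added example, not code from the original question or either answer. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed on the DC, and that the custom GPO is named "DC Security Baseline" (a hypothetical name; substitute your own). It reports where the GPO is linked, lists link precedence at the root and at the DC OU, and then reads the values the DC actually enforces from the domain object, the LSA registry key and auditpol, which are the ground truth rather than the gpresult report.

```powershell
# Added example: check where a DC security GPO is linked and what the DC really enforces.
# Assumes RSAT modules GroupPolicy + ActiveDirectory; run elevated on a DC.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'DC Security Baseline'            # hypothetical GPO name; replace with yours
$domain     = Get-ADDomain
$domainRoot = $domain.DistinguishedName         # e.g. DC=corp,DC=example,DC=com
$dcOu       = "OU=Domain Controllers,$domainRoot"

# --- 1. Link placement -------------------------------------------------------
# Account Policies and Local Policies\Security Options only take effect on DCs
# from GPOs linked at the domain root, so a link on the DC OU alone is not enough.
$rootLinks = (Get-GPInheritance -Target $domainRoot).GpoLinks
$ouLinks   = (Get-GPInheritance -Target $dcOu).GpoLinks

$atRoot = $rootLinks | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }
$atDcOu = $ouLinks   | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }

if (-not $atRoot -and -not $atDcOu) {
    Write-Warning "$GpoName is not linked (enabled) at $domainRoot or $dcOu."
}
elseif ($atDcOu -and -not $atRoot) {
    Write-Warning ("{0} is linked only to the Domain Controllers OU. Its Account Policies " +
                   "and Security Options will not apply to DCs; link it at {1} or move " +
                   "those settings into a GPO linked there.") -f $GpoName, $domainRoot
}

# --- 2. Precedence at each scope --------------------------------------------
# Lower Order wins; an Enforced link wins over a non-enforced one lower in the tree.
Write-Host "`nGPO links at domain root ($domainRoot):"
$rootLinks | Sort-Object Order | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

Write-Host "GPO links at Domain Controllers OU (compare against Default Domain Controllers Policy):"
$ouLinks | Sort-Object Order | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# --- 3. What the domain actually enforces for account lockout -----------------
# These values live on the domain head object, not on the DC's local policy.
Write-Host "Effective domain account lockout policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List

# --- 4. 'Force audit policy subcategory settings' as applied on this DC -------
# The Security Option writes SCENoApplyLegacyAuditPolicy = 1 under HKLM\...\Lsa.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
$forceSub = if ($lsa) { $lsa.SCENoApplyLegacyAuditPolicy } else { 'not set' }
Write-Host "SCENoApplyLegacyAuditPolicy (1 = subcategory settings override categories): $forceSub"

# --- 5. Audit subcategory actually in effect ----------------------------------
# auditpol reads the live LSA audit policy; gpresult only shows what policy intended.
Write-Host "`nLive audit setting for Logon/Logoff > Account Lockout:"
auditpol /get /subcategory:"Account Lockout"
```

If step 1 warns that the GPO is linked only at the DC OU, moving the Account Policies and Security Options into a root-linked GPO and re-running the script after gpupdate /force should change the output of steps 3 and 4. Step 5 is the check to trust for the audit subcategory: a DC whose audit.csv never applied will still show "No Auditing" there even when gpresult lists the GPO as applied.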