I'm testing out upgrading to Windows 10 on our domain, which is currently based on a Windows Server 2012 DC and all Windows 7 workstations. I was never able to make it work on Windows 7 so I gave up since I didn't really need it, but with Windows 10, I do need it. I've spent hours and days trying to figure it out, but I'm out of ideas. Here's my current GPO setup, in order of inheritance (abbreviating names to keep the post shorter):
Forest Computers (Computer Configuration)
- Policies > Windows > Security > Windows Firewall
  - Domain = Off
  - Private = Off
  - Public = Off
- Policies > Admin Templates > Network/Network Connections/Windows Firewall
  - Domain Profile > Protect all network connections = Disabled
  - Standard Profile > Protect all network connections = Disabled
- Policies > Admin Templates > System/Group Policy
  - Slow link detection = Disabled
  - Logon script delay = Disabled
  - Scripts policy processing = Enabled, allow across slow network = Enabled
  - Startup policy processing wait time = Disabled
- Policies > Admin Templates > System/Logon
  - Always wait for the network at computer startup and logon = Enabled
- Policies > Admin Templates > System/Scripts
  - Allow logon scripts when NetBIOS or WINS is disabled = Enabled
  - Run logon scripts synchronously = Enabled
  - Run startup scripts asynchronously = Disabled
  - Run Windows PowerShell scripts first at computer startup, shutdown = Enabled
  - Run Windows PowerShell scripts first at user logon, logoff = Enabled
  - Maximum wait time for GP scripts = Enabled, seconds = 0

Forest Workstations (Computer Configuration)
- Policies > Windows > Scripts
  - Startup = %SystemDrive%\Tools\Configuration.ps1 -WorkstationStartup
- Policies > Admin Templates > Windows Components/Windows PowerShell
  - Turn on Script Execution = Enabled, Allow all scripts
- Preferences > Windows Settings > Registry
  - DisableDHCPMediaSense = 1
  - DependOnService = LanmanWorkstation, LanmanServer, Netman

Forest Users (User Configuration)
- Policies > Scripts
  - Logon = %SystemDrive%\Tools\Configuration.ps1 -UserLogon
  - Logoff = %SystemDrive%\Tools\Configuration.ps1 -UserLogoff
The workstation-specific portion of the script runs perfectly fine, but the user portion doesn't. As far as I can tell from the event log (the script writes to a custom event log), the user's portion isn't being called at all. I thought that it may have been because it was on a share, so I copied it to the local system drive, but that did nothing. As you can see, all firewalls are disabled, but it has no effect.
The domain and forest functional level is Windows Server 2012, if it matters. I should also note that the PowerShell execution policy is set to Unrestricted.
I don't know what else to do to make the logon (and by extension logoff) scripts run when they're supposed to. I ask for your help.
UPDATE
So, digging around more, I ran RSoP on the client where I found something peculiar, or rather, I didn't find it. There were no Logon/Logoff settings defined for the User Configuration. In fact, a lot of the settings I expected to be there weren't. Instead, the settings that are applied are the ones specific to the domain admins only. So it looks like the GPO inheritance is not working? The domain/OUs are configured like this:
And here's the GP inheritance:
So, for whatever reason the Forest Users policy is not being applied? I thought the GPs were applied in cascading order?
Are the user accounts in the Windows 10 OU? If not, then that's the problem. The user accounts are outside of the Scope of Management (SOM) of the GPO if they're not in the Windows 10 OU.
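One way to check the SOM question from the DC, as an added example that is not part of the answer above: it looks up the container a user object lives in and lists the GPOs linked there or inherited from its parents, so you can see whether the "Forest Users" policy is among them. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the user name and GPO name passed in are placeholders.

```powershell
# Added example, not from the original post or answer. Requires the RSAT
# ActiveDirectory and GroupPolicy modules (run on a DC or admin workstation).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-UserInGpoScope {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GpoName
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName

    # Parent container DN: drop the leading "CN=<name>," component.
    $containerDn = ($user.DistinguishedName -split ',', 2)[1]

    # Built-in containers such as CN=Users cannot carry GPO links, so a user
    # there only receives domain-level links. Fall back to the domain DN.
    if ($containerDn -notmatch '^OU=') {
        $containerDn = (Get-ADDomain).DistinguishedName
    }

    # GPOs that apply at that container: linked directly or inherited.
    $som = Get-GPInheritance -Target $containerDn
    $applied = @($som.GpoLinks) + @($som.InheritedGpoLinks) |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty DisplayName -Unique

    [pscustomobject]@{
        User               = $user.SamAccountName
        Container          = $containerDn
        InheritanceBlocked = $som.GpoInheritanceBlocked
        InScope            = ($applied -contains $GpoName)
        AppliedGpos        = $applied
    }
}

# Placeholder user and GPO names; replace with real ones.
Test-UserInGpoScope -SamAccountName 'jdoe' -GpoName 'Forest Users' | Format-List
```

InScope = False with the user's container outside the Windows 10 OU is the situation the answer describes; a True result means the link is in place and the remaining suspects are security filtering or a WMI filter on the GPO, which this check does not evaluate.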