A couple of months ago I was assisting a customer with a very strange Group Policy problem. The first sign of the problem was when some users complained that they weren’t notified of upcoming password expiries.
My initial thought was that it could probably be that the Default Domain Policy was not being applied properly as this is the only area where the password policies were being set for this customer (the settings in the Password Policy settings were correct).
Trying to recreate the issue we started up a test box and executed GPRESULT /R, but didn’t notice anything out of the ordinary.
I then suggested we get one of the affected machines to determine what the cause is, maybe this way we can replicate the issue on a clean machine.
These were my troubleshooting steps:
The question now is why the entry was enabled on a few machines.
I found some blog articles around automated OS deployment where the deployment process would get stuck on the Interactive Logon text which would cause the process to stop. Disabling the security client side extension by adding the NoMachinePolicy=1 entry would disable this and the process would then be able to continue.The deployment team at this customer confirmed that this was not the case during their deployment process, so the only other explanation could be malware/virus, but I'm still not sure.
Luckily the amount of affected machines were very small in this case.
Hopefully someone else out there will come across this article if they experience this very interesting issue.
Until next time......