Suspicious Group Policy Behaviour

1

I am running Windows 8.1 x64.

I should start by stating that I am not part of a domain and that computer is only used by myself.

I have two accounts on the machine. My standard user account which is pretty much all I use, and an Admin account that I have in an attempt to make sure software does not install without my approval and to add extra security and troubleshooting capabilities.

Twice recently when I have gone to log in to my standard user account I have been given the error

Windows couldn't connect to the group policy client service

I haven't been able to access the user account but have been able to log in through my Admin account. I have searched online and found various resources in attempting to fix the issue. So far I have:

  • Checked to see if Group Policy Services is running
  • Launched Regedit and checked that the keys under HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES are correct and contain the "gpsvc" folder
  • Checked other local machine registry entries, such as netsvcs, as per online instructions

After following the instructions detailed in this link (https://social.technet.microsoft.com/Forums/windowsserver/en-us/86ff5743-c0f6-4731-a6c2-ae08686e70e8/windows-could-not-connect-to-the-group-policy-client-service?forum=winserverGP) I did fix the error.

I am aware that this issue is often caused by problems during Windows Update. I am not aware that I have had any as such, but the last update did cause the laptop to hang on shutdown for quite a while. There was no error on startup, but I suspect something is corrupt.

Is there a way to check for this and to prevent the issue from recurring?

Phill

Posted 2015-02-12T20:19:15.140

Reputation: 11

As in "spooky" Suspicious or "scary" Suspicious? – Pimp Juice IT – 2017-01-30T21:47:55.320
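Added example (not from the question, the answer or the linked thread): a read-only PowerShell check that scripts the three items in the question's list (service state, the gpsvc services key, the netsvcs svchost group) and pulls the latest Group Policy operational events so a recurrence can be spotted before the next logon. Registry paths and value names are the standard Windows ones; the function name and the "expected" values it compares against are my own assumptions, and nothing here writes to the system.

```powershell
# Added example: health check for the Group Policy Client service (gpsvc).
# Assumes Windows 8.1 or later, PowerShell 3+, run from an elevated prompt so
# the HKLM keys and the operational log are readable. Read-only throughout.
function Test-GpsvcHealth {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is the service registered and currently running?
    $svc = Get-Service -Name gpsvc -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings.Add('gpsvc is not registered with the Service Control Manager')
    } elseif ($svc.Status -ne 'Running') {
        $findings.Add("gpsvc status is $($svc.Status), expected Running")
    }

    # 2. Does the service key exist, start automatically (Start = 2) and run
    #    inside svchost.exe as it does on a stock install?
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc'
    $reg = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if (-not $reg) {
        $findings.Add("$svcKey is missing")
    } else {
        if ($reg.Start -ne 2) { $findings.Add("gpsvc Start value is $($reg.Start), expected 2 (Automatic)") }
        if ($reg.ImagePath -notmatch 'svchost\.exe') { $findings.Add("unexpected ImagePath: $($reg.ImagePath)") }
    }

    # 3. Is gpsvc still listed in the netsvcs group that svchost loads?
    #    (-contains is case-insensitive in PowerShell, so 'GPSvc' also matches.)
    $hostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $groups = Get-ItemProperty -Path $hostKey -ErrorAction SilentlyContinue
    if (-not $groups -or -not ($groups.netsvcs -contains 'gpsvc')) {
        $findings.Add("gpsvc is not listed in the netsvcs value under $hostKey")
    }

    # 4. Newest Group Policy operational events, for context on the last
    #    processing attempt; returned for inspection rather than judged here.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' `
        -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings
        RecentEvents = $events
    }
}

$result = Test-GpsvcHealth
"Healthy: $($result.Healthy)"
$result.Findings
$result.RecentEvents | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
```

Running it as a scheduled task after each Windows Update cycle, or simply before rebooting, gives a record to compare against when the logon error reappears.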

Answers

0

I consider the group policy mechanism to be fairly well-behaved and harmless, and in fact quite useful on non domain-joined machines, especially in comparison to the bevy of other unwanted OS-ware. Yes, gpupdate(.exe) will occasionally run in order to propagate into the registry any local machine policy settings that you've configured. Because this is a one-way operation (i.e., modifying the corresponding registry settings doesn't change local machine policy) periodic checking ensures that previously propagated changes haven't been manually altered in the registry. When GP update runs, any conflicting registry values will be summarily reset back to the policy-defined values.

For a few reasons, I don't recommend disabling the GP updating mechanism. First, and following from the above, if you do, and then a GP update gets accidentally triggered somehow, Group Policy will always "win" over any associated registry settings, possibly overwriting a swath of your manual registry entries without consent. When gpupdate doesn't get a chance to run for a long time, manual edits of the registry that have drifted into conflict with GP are increasingly jeopardized by their overall accumulation: an overdue gpupdate would eliminate the backlog all at once, possibly with complex results, since the affected settings are likely to be logically diverse.

You might argue that this can't happen if you never touch the policy selections, thus leaving them all "Not Configured." Now, however, you'll need to be forever vigilant for any automated activity, agent or installer that might, presumably after having obtained (i.e., installation) permission, change either the policy (expecting GP update to be enabled) or the registry, such that they drift apart.

Note also that there are special policy entries related to user permissions and security which don't have a "Not Configured" option, so these will overwrite corresponding parts of the registry when gpupdate runs no matter what. All-in-all, I'd rather rest assured that a GP update at any time, for any reason, will be harmless.

Indeed, I suggest using gpedit.msc, in preference to regedit, for those settings which are available in the former. The policy editor has nice help messages, is perhaps less fragile than REG_DWORD, REG_MULTI_SZ etc., and with the one-way nature of updating mentioned above, you won't have to worry about the policy propagation overwriting your registry changes. All-in-all, in my experience, gpupdate is lightweight and unobtrusive on a non domain-joined machine. Although it runs automatically from time to time, the only time I've actually noticed it running is when I've explicitly invoked it myself.

Glenn Slayden

Posted 2015-02-12T20:19:15.140

Reputation: 803