I've noticed that a couple of our Server 2008 R2 DCs are saying that Computer Settings in the Local Group Policy are being applied when I run gpresult /r. We haven't intentionally made changes to the Local Group Policy so I ran gpresult /z to see all of the settings being applied and compared this to a server where the Local Group Policy was filtered because it is empty and I'm unable to determine difference. Below are the outputs from both servers, does anyone see which Computer Settings are being applied by Local Group Policy :
RSOP data for <Domain>\administrator on <Server01> : Logging Mode
---------------------------------------------------------
OS Configuration: Additional/Backup Domain Controller
OS Version: 6.1.7601
Site Name: FHS-First-Site
Roaming Profile: N/A
Local Profile: C:\Users\Administrator.<Domain>
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=<Server01>,OU=Domain Controllers,DC=<Domain>,DC=com
Last time Group Policy was applied: 8/12/2013 at 10:42:25 AM
Group Policy was applied from: <Server01>.<Domain>.com
Group Policy slow link threshold: 500 kbps
Domain Name: <Domain>
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
WSUS-SunUpdates
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
WSUS-WedsUpdates
Filtering: Denied (Security)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
<Server01>$
WSUS-SunUpdates
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Denied RODC Password Replication Group
System Mandatory Level
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
GPO: Default Domain Policy
Policy: MaxRenewAge
Computer Setting: 7
GPO: Default Domain Policy
Policy: MaxServiceAge
Computer Setting: 600
GPO: Default Domain Policy
Policy: MaxClockSkew
Computer Setting: 75
GPO: Default Domain Policy
Policy: MaxTicketAge
Computer Setting: 10
Audit Policy
------------
N/A
User Rights
-----------
GPO: Default Domain Controllers Policy
Policy: MachineAccountPrivilege
Computer Setting: Authenticated Users
GPO: Default Domain Controllers Policy
Policy: ChangeNotifyPrivilege
Computer Setting: Pre-Windows 2000 Compatible Access
Authenticated Users
Administrators
NETWORK SERVICE
LOCAL SERVICE
Everyone
GPO: Default Domain Controllers Policy
Policy: IncreaseBasePriorityPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: TakeOwnershipPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: RestorePrivilege
Computer Setting: Server Operators
Backup Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: DebugPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: SystemTimePrivilege
Computer Setting: Server Operators
Administrators
LOCAL SERVICE
GPO: Default Domain Controllers Policy
Policy: SecurityPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: ShutdownPrivilege
Computer Setting: Print Operators
Server Operators
Backup Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: AuditPrivilege
Computer Setting: NETWORK SERVICE
LOCAL SERVICE
*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
GPO: Default Domain Controllers Policy
Policy: InteractiveLogonRight
Computer Setting: Print Operators
Server Operators
Account Operators
Backup Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: CreatePagefilePrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: BatchLogonRight
Computer Setting: Performance Log Users
Backup Operators
Administrators
IIS_IUSRS
GPO: Default Domain Controllers Policy
Policy: NetworkLogonRight
Computer Setting: Pre-Windows 2000 Compatible Access
ENTERPRISE DOMAIN CONTROLLERS
Authenticated Users
Administrators
Everyone
GPO: Default Domain Controllers Policy
Policy: SystemProfilePrivilege
Computer Setting: NT SERVICE\WdiServiceHost
Administrators
GPO: Default Domain Controllers Policy
Policy: RemoteShutdownPrivilege
Computer Setting: Server Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: BackupPrivilege
Computer Setting: Server Operators
Backup Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: EnableDelegationPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: UndockPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: SystemEnvironmentPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: LoadDriverPrivilege
Computer Setting: Print Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: IncreaseQuotaPrivilege
Computer Setting: *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Administrators
NETWORK SERVICE
LOCAL SERVICE
GPO: Default Domain Controllers Policy
Policy: ProfileSingleProcessPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: AssignPrimaryTokenPrivilege
Computer Setting: *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
NETWORK SERVICE
LOCAL SERVICE
Security Options
----------------
GPO: Default Domain Policy
Policy: LSAAnonymousNameLookup
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: TicketValidateClient
Computer Setting: Enabled
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59013
ValueName: MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59043
ValueName: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
Computer Setting: 1
GPO: Default Domain Policy
Policy: @wsecedit.dll,-59017
ValueName: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
Computer Setting: 550
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59044
ValueName: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
Computer Setting: 1
GPO: Default Domain Policy
Policy: @wsecedit.dll,-59058
ValueName: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59018
ValueName: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
Computer Setting: 1
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCpm
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 97, 0, 112, 0, 112, 0, 115, 0, 117, 0, 112, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime
Value: 6, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
Value: 0, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequencyEnabled
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 97, 0, 112, 0, 112, 0, 115, 0, 117, 0, 112, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
Value: 4, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequency
Value: 1, 0, 0, 0
State: EnabledRSOP data for <Domain>\administrator on <Server02> : Logging Mode
---------------------------------------------------------
OS Configuration: Additional/Backup Domain Controller
OS Version: 6.1.7601
Site Name: JWS-First-Site
Roaming Profile: N/A
Local Profile: C:\Users\Administrator.<Domain>
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=<Server02>,OU=Domain Controllers,DC=<Domain>,DC=com
Last time Group Policy was applied: 8/12/2013 at 10:42:35 AM
Group Policy was applied from: <Server02>.<Domain>.com
Group Policy slow link threshold: 500 kbps
Domain Name: <Domain>
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
WSUS-SunUpdates
Default Domain Policy
Local Group Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
WSUS-WedsUpdates
Filtering: Denied (Security)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
<Server02>$
WSUS-SunUpdates
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Denied RODC Password Replication Group
System Mandatory Level
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
GPO: Default Domain Policy
Policy: MaxRenewAge
Computer Setting: 7
GPO: Default Domain Policy
Policy: MaxServiceAge
Computer Setting: 600
GPO: Default Domain Policy
Policy: MaxClockSkew
Computer Setting: 75
GPO: Default Domain Policy
Policy: MaxTicketAge
Computer Setting: 10
Audit Policy
------------
N/A
User Rights
-----------
GPO: Default Domain Controllers Policy
Policy: MachineAccountPrivilege
Computer Setting: Authenticated Users
GPO: Default Domain Controllers Policy
Policy: ChangeNotifyPrivilege
Computer Setting: Pre-Windows 2000 Compatible Access
Authenticated Users
Administrators
NETWORK SERVICE
LOCAL SERVICE
Everyone
GPO: Default Domain Controllers Policy
Policy: IncreaseBasePriorityPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: TakeOwnershipPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: RestorePrivilege
Computer Setting: Server Operators
Backup Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: DebugPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: SystemTimePrivilege
Computer Setting: Server Operators
Administrators
LOCAL SERVICE
GPO: Default Domain Controllers Policy
Policy: SecurityPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: ShutdownPrivilege
Computer Setting: Print Operators
Server Operators
Backup Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: AuditPrivilege
Computer Setting: NETWORK SERVICE
LOCAL SERVICE
*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
GPO: Default Domain Controllers Policy
Policy: InteractiveLogonRight
Computer Setting: Print Operators
Server Operators
Account Operators
Backup Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: CreatePagefilePrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: BatchLogonRight
Computer Setting: Performance Log Users
Backup Operators
Administrators
IIS_IUSRS
GPO: Default Domain Controllers Policy
Policy: NetworkLogonRight
Computer Setting: Pre-Windows 2000 Compatible Access
ENTERPRISE DOMAIN CONTROLLERS
Authenticated Users
Administrators
Everyone
GPO: Default Domain Controllers Policy
Policy: SystemProfilePrivilege
Computer Setting: NT SERVICE\WdiServiceHost
Administrators
GPO: Default Domain Controllers Policy
Policy: RemoteShutdownPrivilege
Computer Setting: Server Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: BackupPrivilege
Computer Setting: Server Operators
Backup Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: EnableDelegationPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: UndockPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: SystemEnvironmentPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: LoadDriverPrivilege
Computer Setting: Print Operators
Administrators
GPO: Default Domain Controllers Policy
Policy: IncreaseQuotaPrivilege
Computer Setting: *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Administrators
NETWORK SERVICE
LOCAL SERVICE
GPO: Default Domain Controllers Policy
Policy: ProfileSingleProcessPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: AssignPrimaryTokenPrivilege
Computer Setting: *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
NETWORK SERVICE
LOCAL SERVICE
Security Options
----------------
GPO: Default Domain Policy
Policy: LSAAnonymousNameLookup
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: TicketValidateClient
Computer Setting: Enabled
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59013
ValueName: MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59043
ValueName: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
Computer Setting: 1
GPO: Default Domain Policy
Policy: @wsecedit.dll,-59017
ValueName: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
Computer Setting: 550
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59044
ValueName: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
Computer Setting: 1
GPO: Default Domain Policy
Policy: @wsecedit.dll,-59058
ValueName: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59018
ValueName: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
Computer Setting: 1
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 97, 0, 112, 0, 112, 0, 115, 0, 117, 0, 112, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime
Value: 6, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 97, 0, 112, 0, 112, 0, 115, 0, 117, 0, 112, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequency
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequencyEnabled
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCpm
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
Value: 0, 0, 0, 0
State: Enabled
GPO: WSUS-SunUpdates
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
Value: 4, 0, 0, 0
State: Enabled
You can see in the first code block that the Local Group Policy was filtered out because it was empty where on the second code block Local Group Policy was applied, but how do I know which settings are in there or how can I reset Local Group Policy?