Azure Active Directory Domain Services GPO is not deploying to PCs


  • GPO is not deploying to PC joined to AADDS?

    I have recently configured AADDS ( Cloud Only Directory Services with a certificate from a certification authority.

    I have configured the default User (AADDS Users GPO) and Default Computer GPO (AADDS Computer GPO) to test if the GPO deploys to a new PC which has joined the domain. I can see from Users > Devices the PC is ENABLED and the TRUST TYPE is AAD Joined.

    When I check the PC, it's still connected to WORKGROUP > Workgroup. I can see from SYSTEM > Settings > Accounts > Access work or School the PC has joined AADDS.

    One of the changes in the GPO is to change the wallpaper on the PC. Why does the GPO not deploy to the PC? Do I need to configure any DNS settings on the PC?

    Should I see the PC in Users & Computers > AADDS Computers?

    • Edited by Norbs21 Sunday, April 9, 2017 10:29 AM
    Sunday, April 9, 2017 10:20 AM

All replies

  • I think there is a confusion between AAD Join and AD Domain join with AAD Domain Services.

    When you do AAD Join, the process and controls that are available to you are different from AD Domain join.

    When you do AAD Join
    1. You are able to do fine grained conditional access to office 365 and other modern applications that depend on Azure AD for authentication
    2. You are able to manage your client machine using MDM software like Microsoft Intune

    When you do AD domain join, as with AAD Domain Services
    1. You do a traditional domain join to the AAD DS domain
    2. You are able to authenticate to traditional applications that depend on authenticating against AAD DS using Kerberos/NTLM protocols.
    3. You manage your client machines through traditional AD tools like “GPMC.msc”

    Mixing and matching of capabilities above between AAD Join and joining to AAD Domain Services is not possible.
    Monday, April 10, 2017 5:58 PM