Solved

Problems with policies and GPMC in Win2K3 server

Posted on 2006-03-28
Last Modified: 2008-11-11
I had a tenuous grip on the ways and means of GPOs on Win2K. We have a very limited number of policies in effect and it seemed to do what I wanted it to do. Several months ago I had the bright idea to install the new GPMC on our new Win2K3 server (DC) and it's actually quite impressive looking.

Gradually I began to run into some problems with some users being unable to update their PCs through the Windows Update site, so I downloaded the updates and put them into a directory on a NAS and logged into their machines as administrator to run the updates. I get the same message that they do when they try to update, "you do not have permission to update windows". So, I meticulously went through the Domain policy looking for that control and found reference to "Windows Update" but it was not configured. I did the same with the other GPOs as well and found the same thing that I did on the Domain policy..."not configured". I then blocked inheritance of GP for the groups of which the user was a member. Still no appreciable change in the ability, or lack of, to update Windows, logged in as the user or as the admin.

I guess I'm not very comfortable with the new GPO interface, GPMC, and wish that I had not installed it. I've looked on the MS website for any mention of removing it without having found any mention of removing it and returning to the simple screen that it used to be like on Win2K server. I want to know if anyone has ever removed it and returned to the simple interface and which approach to use to do that. Is it possible to just delete all of the GPOs and start over?

I tested the update problem with the user's login. I logged into my PC with his credentials and got the same message that I had gotten on his PC. My PC, when I am logged in, can access and download just about anything, so therefore the issue must be with his login credentials.
He is a member of 3 groups: Domain Users, a mail distribution list group, and a security group that has access permissions to a secure NAS. I have moved him into the same group that I'm a member of and his login still cannot update Windows. Does anyone have any ideas?
Question by:dwielgosz
13 Comments
 
LVL 12

Accepted Solution

by:
Rant32 earned 2000 total points
ID: 16314168
The GPMC SP1 installation is in the Software control panel. If it's not, try re-installing GPMC and then removing it again. If you really want the old interface, you can use another XP Pro without GPMC to do that. Just install the Adminpak.msi from the 2003 server on the client.

Best practices:
- always make backups of Group Policy objects before modifying the contents. GPMC is ideal for that, and it's a great program if you know how to use it.
- Never change the contents of the Default Domain Policy and the Domain Controllers policy, EXCEPT for the password policy which should always be defined at the Domain level.
- use separate Organizational Units for testing purposes and do not change production group policies without *exactly* knowing what it does. So, if you want to know if it's security or policy related, create a copy of the user account you're testing and move that copy to an OU that has no policies applied.

Before using these, read http://technet2.microsoft.com/WindowsServer/en/Library/b9db0ae7-3d25-4e5e-9320-e5db0b0c9f8a1033.mspx

To reset the Domain GPO, type
dcgpofix /target:Domain

To reset the Default DC GPO, type
dcgpofix /target:DC

To reset both the Domain and Default DC GPOs, type
dcgpofix /target:both
0
 

Author Comment

by:dwielgosz
ID: 16314688
What do you mean by this:

If you really want the old interface, you can use another XP Pro without GPMC to do that

I'm working on a server 2003 DC
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16314957
I mention it because you say you're not happy with the interface of GPMC, and are not able to uninstall it. So that's an alternative until you are. I've never uninstalled GPMC, by the way.

It's better to solve the issue (whatever it is) on the 2003 DC, but Windows XP Pro SP2 can edit GPO's just fine, you need the AD Users and Computer snap in for it without GPMC. Your Windows 2000 DC will do as well, but it requires a few updates to get rid of the "string too long - truncated" messages.

Also, the topic is "problems with policies and GPMC" but your question revolves all about running Windows Update as a user. We need to assume all kinds of things here, for example

- that regular users are a local Administrator at the client, because they've always been able to run WU, but not anymore.
- after making changes, you're using AD sites and services or repadmin/replmon to force synchronization, OR wait five minutes before replication is done
- you run gpupdate on the client or reboot it

My advice is: get the default domain policy sorted (= back to default). If that has all kinds of settings it's more difficult to isolate GP issues. See if that solves your Windows Update problem, if it does, build up the policies again carefully (either with or without GPMC, but the tool's a godsend).
0

 

Author Comment

by:dwielgosz
ID: 16315578
Like I said, I've gone through the GPOs, line by line, and don't see anything in them that should be interfering with the ability to update Windows. (I just did it again between posts.) It is affecting a certain number of workstations, but not all. It definitely is user specific and not PC specific. I have copied users and placed the copied user in the same group that I'm in and tried both logins, mine and theirs, on my workstation with opposite results. I think it is a permissions problem more than I do a GPO problem though, but where would those settings be? I have looked at the Domain Security Policy and the Domain Controller policy without seeing anything either. I will probably end up doing the GPO redo that you posted, however I know better than to try anything drastic late in the day. I've been down that road before. I'll probably try that in the AM as that will give me eight hours to straighten things out afterwards.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16315710
You're right there.

If there are any important policies (like Favorites/Links, proxy settings, Office settings, other things users are going to notice) in the default domain policy, prepare them beforehand, nothing happens to other policies than the GPOs being restored.
0
 

Author Comment

by:dwielgosz
ID: 16315791
It's mostly proxy settings (we force users through a proxy) for the web filtering software and a couple of other minor things as well. I'll post a followup on this.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16315804
Great, thanks. Take it easy, and good luck.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16316572
My guess is that the Administrator's group is not in this policy on the local PC:

Computer Config>Windows Settings>Security Settings>Local Policies>User Rights Assignment ::

>> Manage Auditing and Security Log.


0
 

Author Comment

by:dwielgosz
ID: 16322120
Another aspect of the problem:

On the user's PC he got the error message when he tried running the updates. I then logged on as the administrator (Domain Admin) and I got the same error when I tried running the updates.

I logged onto my PC with his credentials and could not run the updates.
I logged onto my PC with admin credentials and was able to run the updates.
I logged onto my PC with my credentials and was able to run the updates.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16322433
Have you checked that Group Policy element on the local machine?

0
 

Author Comment

by:dwielgosz
ID: 16322543
How do I do that? I can "connect" to that from the DC, can't I?

I just ran a "modeling" of GPO with the user and it gave me a "Resultant Set Of Policy" in which, near the bottom under "User Configuration">"Windows Settings">"Software Restriction Policy" are two items that are listed under "Software Restriction Policy">"Security Levels". They are "Unrestricted" and "Disallowed". It appears as if the "unrestricted" has a default check mark in it.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16325707
On the local PC (or from a Remote Desktop Session) run GPEDIT.MSC

Drill down and check that setting.

I'm not saying this is definite, but I've seen it many times - personally.

0
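
The check Netman66 describes can also be done without clicking through GPEDIT.MSC; the following is an added example, not part of the original thread. On the affected PC, `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes the effective user rights assignments to a file (the name `rights.inf` is an assumption), and this Python script reports whether the local Administrators group (well-known SID S-1-5-32-544) holds `SeSecurityPrivilege`, the constant behind "Manage auditing and security log". Both sample exports are constructed.

```python
"""Check a secedit USER_RIGHTS export for the Administrators group."""

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
RIGHT = "SeSecurityPrivilege"        # "Manage auditing and security log"

# Constructed sample: a healthy workstation.
GOOD_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# Constructed sample: the right was reassigned to a made-up domain group only.
BAD_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes SIDs with '*'; strip it so values compare cleanly.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def administrators_hold(inf_text, right=RIGHT):
    """True if BUILTIN\\Administrators is listed for the right.
    A right with no holders is omitted from the export, so absence means False."""
    return ADMINISTRATORS_SID in parse_privilege_rights(inf_text).get(right, [])

if __name__ == "__main__":
    for label, text in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        print(label, "Administrators hold", RIGHT, "->", administrators_hold(text))
```

When reading a real export from disk, open it with `encoding="utf-16"`, since secedit normally writes the file as Unicode.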
 

Author Comment

by:dwielgosz
ID: 16807260
Thanks for the help. Very helpful answer.
0
