Solved

GPO not applying properly to new systems in different OUs.

Posted on 2006-11-14
19
776 Views
Last Modified: 2008-02-01
Note:  I am a Junior Sys Admin and this is URGENT, so please go easy on me!

I have one single AD server (W2K3 Enterprise).  Several OUs have been defined.  What I am trying to do is use the "Restricted Groups" to push "Local Administrators" and "Network Operators" to the PCs so I don't have to define each individually in every new PC.  This is already working for one of the OUs where I am pushing local admins and network operators, but over the last 14 hrs I have been attempting the same in a new group of PCs in a new OU and have had no luck.
All 17 PCs where this is working were cloned from the first PC in that working OU.  Additional PCs in the new OU were also cloned from the same image, so they all have the same base configuration (and they all are exactly the same hardware).  
I have redone the GPO, blocked inheritance, disabled firewall(s), etc.  What's even worse is that if I do a "gpresult /v" in one of the new PCs in the new OU, I can see the GPO went through (see partial output below), but when I see the local users by typing "nusrmgr.cpl" I don't have those users there and their privilege isn't working (see output below, and if I log in with the jfarrance account that is supposed to be an admin, she really can't do anything).  THIS IS URGENT!!! I have 96 more PCs to implement in the next few hours and resolving this is critical.

C:\Documents and Settings\barnys>gpresult /v

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/14/2006 at 7:24:41 AM


RSOP results for SUNNYVALE\barnys on PC51DW1 : Logging Mode
------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 SUNNYVALE
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\barnys
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=PC51DW1,OU=Sunnyvale-PCs-DW1,DC=sv,DC=edu,DC=juniper,DC=net
    Last time Group Policy was applied: 11/14/2006 at 5:54:16 AM
    Group Policy was applied from:      ad1.sv.edu.juniper.net
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        GPO-DW1
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        PC51DW1$
        Domain Computers

    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  4

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  4294967295

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            GPO: GPO-DW1
                Groupname: Administrators
                Members:   SUNNYVALE\barnys
                           SUNNYVALE\fairchild
                           SUNNYVALE\jfarrance

            GPO: GPO-DW1
                Groupname: Network Configuration Operators
                Members:   SUNNYVALE\student01dw1

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


0
Comment
Question by:barnysanchez
19 Comments
 
LVL 5

Expert Comment

by:trarthur
ID: 17939019
What happens when you apply the known good GPO to the OU that is giving you problems?  

Couple things to verify if you haven't already:

Use the Group Policy Management Console to manage your GPOs

Make sure the security filtering has Authenticated Users as a member (default unless you have changed it)

Create a GPO specifically for changing the local group membership.  Don't apply any other policies with it.



Let us know.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17939341
Strange, RSoP is showing the restricted groups.  I presume gpresult isn't showing a conflicting policy that is overriding the restricted groups from elsewhere?

presumably then also

net localgroup Administrators
and
net localgroup "Network Configuration Operators"
or even
net localgroup

doesn't show them either?

Any different after a reboot of the workstation?

Steve
0
 

Author Comment

by:barnysanchez
ID: 17939368
OK, two sets of tests were running.

Test 1:
In working PCs under working OU I made a change to add additional Admins, logged in to one of the PCs in that OU, did "gpupdate" and voila!  everything worked as expected.  I did this just to reassure that my GPO itself is working properly and that it hasn't broken.

Test 2:  
I unlinked the GPO that I was applying to the second OU and linked the GPO used in the PCs from test 1 (so now we have two OUs using the exact same GPO), did "gpupdate" in a computer for the new OU, rebooted, did "gpupdate /Force" and the problem for which I originally wrote persists.  Doing "gpresult /v" shows me the whole list of Admins that I am pushing via the GPO, but none show under nusrmgr.cpl and logging in as one of those administrators proves indeed that they don't have admin rights.

Also, I am using Group Policy Management Console to manage my GPOs, and yes! the security filtering has Authenticated Users as a member.
As for applying a GPO specifically for changing local group membership, this is something I've done and obtained the same results; however, the working GPO has not only this but a whole bunch of other settings and everything seems to work fine. Even when I log in as "student01n1" (notice from the output below that I am trying to make it part of the Network Operators group), I can log in and the rest of the restrictions are being enforced (like not being able to change the desktop background), but the capacity to change the NIC settings is not there.  So the GPO is partially working except for whatever I am pushing for the "Restricted Groups".   Again, all of this works like a charm in PCs under the other OU.

The partial output of "gpresult /v":
C:\Documents and Settings\barnys>gpresult /v

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/14/2006 at 8:33:48 AM


RSOP results for SUNNYVALE\barnys on PC51DW1 : Logging Mode
------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 SUNNYVALE
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\barnys
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=PC51DW1,OU=Sunnyvale-PCs-DW1,DC=sv,DC=edu,DC=juniper,DC=net
    Last time Group Policy was applied: 11/14/2006 at 8:33:24 AM
    Group Policy was applied from:      ad1.sv.edu.juniper.net
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Computer Locks
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        PC51DW1$
        Domain Computers

    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  4

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  4294967295

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            GPO: Computer Locks
                Groupname: Administrators
                Members:   SUNNYVALE\barnys
                           SUNNYVALE\fairchild
                           SUNNYVALE\instructorn1
                           SUNNYVALE\jfarrance
                           SUNNYVALE\studenttest

            GPO: Computer Locks
                Groupname: Network Configuration Operators
                Members:   SUNNYVALE\instructorn1
                           SUNNYVALE\student01n1
                           SUNNYVALE\student02n1
                           SUNNYVALE\student03n1
                           SUNNYVALE\student04n1
                           SUNNYVALE\student05n1
                           SUNNYVALE\student06n1
                           SUNNYVALE\student07n1
                           SUNNYVALE\student08n1
                           SUNNYVALE\student09n1
                           SUNNYVALE\student10n1
                           SUNNYVALE\student11n1
                           SUNNYVALE\student12n1
                           SUNNYVALE\student13n1
                           SUNNYVALE\student14n1
                           SUNNYVALE\student15n1
                           SUNNYVALE\student16n1

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Computer Locks
                Setting: Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon
                State:   Enabled


0
 

Author Comment

by:barnysanchez
ID: 17939458
To dragon-it:
Correct!  The output of the commands you indicated ("net localgroup XXX") is consistent with what I see when launching nusrmgr.cpl, but not so with the "gpresult /v" output which displays the entire list of Admins and Network Operators that I am trying to push.

No difference if I reboot the PC (which is what I've been doing all along really) or if I do "gpupdate /Force".  Now doing "gpupdate /Force" and displaying the results again I can see changes when I add or remove users in the GPO definition, but they just simply don't want to come up in the PC at nusrmgr.cpl.

Bizarre, huh?
0
 

Author Comment

by:barnysanchez
ID: 17939502
By the way, worth mentioning two things (just in case).
1)  All of the PCs (including the AD) I am accessing remotely.  Don't think this has anything to do with the problem at all, but just in case.
2)  I have removed and rejoined 3 of the affected PCs in the new OU to the AD just as a test, but nothing (of course don't want to keep doing this because I will be deploying a few hundred in about the next week or so).

Thanks,
0
 
LVL 5

Expert Comment

by:trarthur
ID: 17939870
Create a new GPO for just modifying the groups.  And make sure that Computer Configuration is enabled.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17939984
I was about to suggest that last comment... I.e. try a new different group.

Also just do a scan of gpresult output for the restricted groups in case there is somehow another gpo overriding (I know it shouldn't, all looks fine in rsop).

Any event log errors?

Steve
0
 

Author Comment

by:barnysanchez
ID: 17940020
Trarthur:

I just did that.  I ditched the GPO link to the new OU (which is the working GPO applied to the first OU working fine) and created a new GPO just for this task. Exactly the same is happening.  I see the list of admins with "gpresult /v" but not with nusrmgr.cpl.

I also did the following Test 3:
I moved one of the new PCs into the OU that is working, rebooted hoping that it would get the same settings as all the current 17 PCs in the same OU, but the problem is still occurring. It's almost like something at the PC is blocking the proper acceptance of the policies.  Is there a way to like "reset" GPO settings at the PC level?

I tell-ya, I am gonna get bald by the end of the day!

Thanks,
0
 
LVL 5

Expert Comment

by:trarthur
ID: 17940088
Hmm...that is strange.  

There is some logging that can be enabled on the PC that will give you quite a bit of GPO related information.

Registry hacks:

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/Miscellaneous/Registryhackstoturn-onverboseGPOlogging.html

You'll need to increase the size of the event logs, because you will get a LOT of entries.
0
 

Author Comment

by:barnysanchez
ID: 17940121
Trarthur and Dragon-IT:

Created a new OU, moved the PCs there, created a new GPO for only that, rebooted PCs (twice)... and the same, no change!

Trarthur... I am going to try the logging based on link info provided and communicate back!

Thanks,
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17940297
Strange, isn't it.  There are some docs about 2000 but I assume this is XP obviously.

http://support.microsoft.com/kb/258595

I presume you haven't got some software installed designed to protect the user from dodgy apps, such as anti-spyware or AV, that might be stopping the changing of the memberships?
0
 

Author Comment

by:barnysanchez
ID: 17940336
Dragon-IT... you are assuming correct.  This is XP systems talking to a Windows 2003 Enterprise server.
No tools have been installed.  As per my previous input, not only are the new PCs clones of the current working PCs, but also the GPOs are kicking in to some extent.  Only the Administrators section isn't working.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17943256
OK, I haven't completely read everything above, however Restricted Groups is a confusing thing.

First of all, you do NOT want to enforce membership of the local Administrators group - this will remove any member not exclusively defined in your policy.

You want to ADD membership to the local Administrators group instead.

Remove the settings you made for Restricted Groups.  

Since you already appear to have enforced membership then it's likely that the default groups that belong in the local Administrators group have been removed - so we need to put them back.

1)  On the Default Domain Policy - configure a new Restricted Group.  Browse to Domain Admins.  Select OK.  On the next applet, in the lower section where it states "This group is a member of", click ADD then manually type Administrators.  Finish up and exit out of the Restricted Groups applet.  This should put the Domain Admins Group into the local Administrators group on every domain workstation and solve one problem.

2)  On each OU where membership will differ, you want to create a new GPO for Restricted Groups and repeat the steps above to add in the non-default groups you want.  If you have some groups that need to be in ALL local Administrators groups then add them to the Default Domain Policy so that it affects all PCs in the domain.  You only want to create and link new GPOs to OUs where you want ADDITIONAL groups added in.

By using the upper portion of the Restricted Groups applet you are REPLACING the membership of the group in question.  If you do this over multiple OUs you end up with membership that is not consistent with your goals.

Let us know if you need more explanation.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17945178
lol, finally got the time to look at this and got beaten to the cake by the cavalry :-)
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17945389
Good points, had missed that, silly really 'cos I always do it the other way around except on policies designed to fix the local Admins group and remove any manually added users... it should still add these people though, surely?  Wonder if his other GPO is doing it the other way?

Steve
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17946187
It's likely working exactly as it should, but replacing membership with each GPO ends up in a tug of war for the outcome.

Normally, it's L-S-D-OU down to the client, but this can be changed in GPMC so the outcome is not one you would expect.

0
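To make the distinction Netman66 draws concrete (the upper "Members" box replaces a group's membership, the lower "This group is a member of" box only adds to it, and when several GPOs use "Members" the one applied last in LSDOU order wins), here is an added Python model of how those settings combine; it is illustration code written for this page, not anything posted in the thread, and the GPO names, account names and baseline membership are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RestrictedGroup:
    """One entry in a GPO's Restricted Groups section (constructed model)."""
    group: str
    # Upper box, "Members of this group": authoritative, REPLACES membership.
    members: Optional[List[str]] = None
    # Lower box, "This group is a member of": ADDS `group` to each target.
    member_of: List[str] = field(default_factory=list)


@dataclass
class Gpo:
    name: str
    settings: List[RestrictedGroup]


def apply_restricted_groups(local_groups: Dict[str, Set[str]],
                            gpos: List[Gpo]) -> Dict[str, Set[str]]:
    """Return local group membership after applying `gpos` in processing
    (LSDOU) order; a later GPO's "Members" list overwrites an earlier one's."""
    result = {g: set(m) for g, m in local_groups.items()}
    for gpo in gpos:
        for rg in gpo.settings:
            if rg.members is not None:
                # Authoritative: anyone not listed is removed, built-ins included.
                result[rg.group] = set(rg.members)
            for target in rg.member_of:
                # Additive: existing members of the target group are kept.
                result.setdefault(target, set()).add(rg.group)
    return result


# Constructed baseline: what a freshly joined workstation starts with.
DOMAIN_ADMINS = "SUNNYVALE\\Domain Admins"
BASELINE = {"Administrators": {DOMAIN_ADMINS}}


def replace_scenario() -> Set[str]:
    """The question's approach: names typed into the upper 'Members' box."""
    gpos = [Gpo("Default Domain Policy", []),
            Gpo("Computer Locks", [RestrictedGroup(
                "Administrators",
                members=["SUNNYVALE\\barnys", "SUNNYVALE\\jfarrance"])])]
    return apply_restricted_groups(BASELINE, gpos)["Administrators"]


def additive_scenario() -> Set[str]:
    """Netman66's approach: each account/group gets a 'member of' entry."""
    gpos = [Gpo("Default Domain Policy",
                [RestrictedGroup(DOMAIN_ADMINS, member_of=["Administrators"])]),
            Gpo("OU-Admins",
                [RestrictedGroup("SUNNYVALE\\barnys", member_of=["Administrators"]),
                 RestrictedGroup("SUNNYVALE\\jfarrance", member_of=["Administrators"])])]
    return apply_restricted_groups(BASELINE, gpos)["Administrators"]


def tug_of_war_scenario() -> Set[str]:
    """Two GPOs both using 'Members': the one applied last wins outright."""
    gpos = [Gpo("Default Domain Policy", [RestrictedGroup(
                "Administrators", members=[DOMAIN_ADMINS, "SUNNYVALE\\helpdesk"])]),
            Gpo("Computer Locks", [RestrictedGroup(
                "Administrators", members=["SUNNYVALE\\barnys"])])]
    return apply_restricted_groups(BASELINE, gpos)["Administrators"]
```

In the first and third scenarios Domain Admins disappears from the local Administrators group, which is exactly the side effect Netman66 warns about; only the additive scenario keeps it.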
 

Author Comment

by:barnysanchez
ID: 18134034
This is long overdue and I apologize for posting days after, but I wanted to give an update.  After days and days of troubleshooting, reading logs, testing over and over again, I decided to reclone the new group of PCs (exactly the same image used for ALL previous PCs), and then things started working again.

What was the problem??  I HAVE NO IDEA... gotta love MS Windows.....

So I appreciate all the suggestions, ideas and comments, but unfortunately none really helped me fix the problem, and to date it is still unclear to me what caused this behavior.

Thanks,

Barny Sanchez
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18414288
PAQed with points refunded (500)

Computer101
EE Admin
0
