Solved

Ghost Image or GP problem?

Posted on 2007-10-08
Last Modified: 2013-12-02
I use Ghost to make and apply images of Windows XP machines on our Windows 2003 server Domain.

I have an image I made in May this year and have used this on most of the computers in the domain previously without error. After swapping a failed HDD and applying this same image I have started to have problems with the administrator account after the computer was rejoined to the domain. The administrator account appears to have the group policies of a standard user applied and I can't finish setting up the machine. The run command is missing, right-click on many items is disabled and many of the properties tabs are unavailable (which is very necessary for students but not so helpful for me!)

I thought the image may be having problems if the replacement HDD was different to the original, so I tested this on another machine. This test machine has worked from this same image earlier this year and has had no change of hardware since the image was last used to successfully set it up. Unfortunately I have the same problem on this computer - I lose all admin rights on the admin account once the computer is joined to the domain.

I have tried to run RSOP but that has failed, I can post more details of that if necessary.

Has anyone got any ideas what may be going wrong? Or how I could identify where exactly the problem is?
0
Comment
Question by:QEMS
14 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20033087
Hi QEMS
Do you mean the "Local Administrator Account"?
Try the domain admin account and check the RSOP; it may be a computer policy that affects all users. Run GPRESULT and see which GPOs are applied.
Make sure your image is either sysprepped or a way which re-creates the SID.
If the lately joined computers are having issues, then this may be a policy issue. Check if the computer accounts are in an OU and have GPOs, or make sure these policies are not applied on the default domain policy.

Regards
0
 
LVL 5

Author Comment

by:QEMS
ID: 20033474
The local admin account behaves as expected. It is the domain admin account that is having problems.

I have tried RSOP and had problems, I can't run GPRESULT on the affected computers as the run command is not available. I would be able to run it as a local admin - but would that give me the information required? Or have you got a suggestion how I could run GPRESULT on a restricted account?

The computer the image was taken from was properly sysprepped and 90% of the computers in the domain (all the ones with identical hardware) have all had this same image successfully applied in May/June this year.

The computer accounts are in the correct OU, I have deleted the computer accounts, reapplied the image then moved them back to the correct OU and the problem is still the same. The thing I can't understand is that the other computers (identical hardware using the same image) which have not been imaged since early summer are functioning as expected.

Since corruption occurred on previous images, I now keep MD5 information of the fresh images. I am rechecking these to try to rule out any corruption in the image itself.

I will try to run RSOP again and see if I can get some useful information from that.

Thanks for your reply MrHussy, I will post back when I have some more information.
0
 
LVL 5

Expert Comment

by:cpottercpotter
ID: 20033530
If you have not used this image in quite some time other than this one machine, and do not have any present machines using this current image that work properly, it may have become corrupt (I have seen this happen). You would need to reimage another machine with the current image to verify this. Otherwise, have you tried removing and re-adding this machine to the domain?
0
 
LVL 5

Author Comment

by:QEMS
ID: 20034252
I have verified the MD5s of all the parts of the image and they all checked out ok.

I have tried adding and removing the machine to the domain a couple of times but without any success.

All of the other machines with the same hardware are running without problems from this same image, they just had it applied closer to when it was created (May this year), so I can't understand what is going wrong.

Just to clarify, I spotted the problem after a hardware failure and swapped a hard drive. I then tested the same image on another computer that has had no hardware change and I get the same problem.
0
 
LVL 5

Expert Comment

by:Radar07
ID: 20036896
Hi QEMS. Have you tried to Telnet either of the malfunctioning machines from a remote terminal logged in as Domain Admin? This might at least give you a command line with administrative privileges. Be careful when you perform this operation if in a school environment. It isn't very secure and sniffers could reveal important passwords at the least.
0
 
LVL 5

Author Comment

by:QEMS
ID: 20039406
Hi Radar07. Thanks for the suggestion, I haven't tried telnet yet but I will try it out at the end of the day when it gets quieter here.

I am still looking at RSOP and trying to work out if I can get a result from that...
0
 
LVL 5

Expert Comment

by:Radar07
ID: 20039550
You could try the telnet option and use gpresult as the command-line RSOP alternative.

Another idea is to use a remote computer to run compmgmt.msc and connect to the defective machine. Create a new user account that is a member of the local Administrators group. Then logon locally under the new account and see what happens.
0
 
LVL 5

Author Comment

by:QEMS
ID: 20240076
Hi, apologies for the slow response but it is difficult to find time to test this out, especially when the problem does not directly affect pupil use of the machine.

Thank you for all the answers so far, they have helped me get a much better idea of what is going on at the minute.

I have managed to get some information from RSOP and it would appear that the default domain policy has some excessive restrictions on it. These restrictions are very necessary for the pupils' accounts (and some of the staff accounts!) but they appear to be applied to the domain admin account as well.

Is there any way of easily excluding the domain admin account from the default domain policy to check if this is the case? Does anyone have a suggestion of a good way to test this out?

Assuming that the default domain policy is locked down too much, can anyone offer me a good solution to (quickly and easily) taking all of the settings from the default domain policy and applying them to other policies as required?

I still don't understand why these policies are applied to the domain admin account on newly imaged machines but not to the stations that were imaged a couple of months previously. I would have expected the default domain policy to have been applied to the domain admin account on other computers by now - does anyone have any ideas what is going on there?
0
 
LVL 5

Expert Comment

by:Radar07
ID: 20246164
To discover why it's failing on the older machines, try running RSOP on them and see if any parts of the Default policy are being blocked. Has another person with administrative access (either past or present) changed the permissions on the policy? The computers may be filtered out, causing the policy not to apply to them.

Your desire to relocate the restrictive policy settings is admirable. You may be able to use the Security Configuration and Analysis tool to copy the settings.

The policy settings should definitely be removed from the Default GPO or the user settings will always apply to the administrator as well. You could try changing the security settings on the policy to deny the Administrators the Apply Policy permission. This should only be a temporary measure, if used at all.
0
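
An added example, not part of any post in this thread: one way to carry out the old-versus-new comparison discussed above is to save the user-scope `gpresult` text from a machine imaged months ago and from a freshly imaged one, then list the GPOs that apply only on the new machine together with the filtering reason the old machine reported. The two excerpts are constructed for illustration, the GPO name "Admin Desktop" and the function names are assumptions, and the "Denied (Security)" entry is sample data rather than a finding from this domain.

```python
# Constructed, simplified excerpts laid out like the user section of
# `gpresult /SCOPE USER /V` output. "Admin Desktop" is a made-up GPO name.
OLD_MACHINE = """
    Applied Group Policy Objects
    -----------------------------
        Admin Desktop

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)
"""
NEW_MACHINE = """
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Admin Desktop
"""

def parse_gpresult(text):
    """Return (applied GPO names, {filtered-out GPO: reason}) for one scope."""
    applied, filtered, section, last = [], {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue  # blank lines and dashed underlines
        if line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.startswith(("The user is a part", "The computer is a part")):
            section = None  # security-group list ends the GPO lists
        elif section == "applied":
            applied.append(line)
        elif section == "filtered" and line.startswith("Filtering:"):
            filtered[last] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last = line  # GPO name; its reason is on the next line
    return applied, filtered

def newly_applied(old_text, new_text):
    """GPOs applied only on the new machine, with the old machine's filter reason."""
    old_applied, old_filtered = parse_gpresult(old_text)
    new_applied, _ = parse_gpresult(new_text)
    return {g: old_filtered.get(g, "not listed")
            for g in new_applied if g not in old_applied}

if __name__ == "__main__":
    print(newly_applied(OLD_MACHINE, NEW_MACHINE))
```

A GPO that shows up here with a security-filtering reason on the old machine points at the GPO's permissions or the account's group membership rather than at the image.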
 
LVL 5

Author Comment

by:QEMS
ID: 20248183
Thanks for answering promptly, even after I haven't posted for quite a while.

I did try running RSOP on one of the older machines and as far as I could tell the same policies were being applied - even though the effects on the machines are quite different!
Again - as far as I can tell - the computers are not being filtered out, but I will try to have another more detailed look at this one.

I will have a look in to the Security Configuration and Analysis tool, I am not really familiar with it but I can google! In case I don't get on to this today do you know of a good resource or two that are worth using to get me started?
0
 
LVL 5

Expert Comment

by:Radar07
ID: 20248233
You might want to start here, especially the How To.
0
 
LVL 5

Accepted Solution

by:
Radar07 earned 2000 total points
ID: 20248234
0
 
LVL 5

Author Comment

by:QEMS
ID: 20248467
Thanks very much :)
0
 
LVL 5

Author Closing Comment

by:QEMS
ID: 31408079
Thanks very much for your help, I just need to pick through the policies now and make sure they are applied properly.

I appreciate the quick answers even when I have had to take some time to test things out.
0
