QEMS

asked on

Ghost Image or GP problem?

I use Ghost to make and apply images of Windows XP machines on our Windows 2003 server Domain.

I have an image I made in May this year and have used this on most of the computers in the domain previously without error. After swapping a failed HDD and applying this same image I have started to have problems with the administrator account after the computer was rejoined to the domain. The administrator account appears to have the group policies of a standard user applied and I can't finish setting up the machine. The run command is missing, right-click on many items is disabled and many of the properties tabs are unavailable (which is very necessary for students but not so helpful for me!)

I thought the image may be having problems if the replacement HDD was different to the original, so I tested this on another machine. This test machine has worked from this same image earlier this year and has had no change of hardware since the image was last used to successfully set it up. Unfortunately I have the same problem on this computer - I lose all admin rights on the admin account once the computer is joined to the domain.

I have tried to run RSOP but that has failed, I can post more details of that if necessary.

Has anyone got any ideas what may be going wrong? Or how I could identify where exactly the problem is?
Alan Huseyin Kayahan

Hi QEMS

Do you mean the "Local Administrator Account"?

Try the domain admin account and check the RSOP; it may be a computer policy that affects all users. Run GPRESULT and see which GPOs are applied.

Make sure your image is either sysprepped or prepared in a way which re-creates the SID.

If the lately joined computers are having issues, then this may be a policy issue. Check if the computer accounts are in an OU that has GPOs, or make sure these policies are not applied in the default domain policy.

Regards
QEMS

ASKER

The local admin account behaves as expected. It is the domain admin account that is having problems.

I have tried RSOP and had problems, I can't run GPRESULT on the affected computers as the run command is not available. I would be able to run it as a local admin - but would that give me the information required? Or have you got a suggestion how I could run GPRESULT on a restricted account?

The computer the image was taken from was properly sysprepped and 90% of the computers in the domain (all the ones with identical hardware) have all had this same image successfully applied in May/June this year.

The computer accounts are in the correct OU, I have deleted the computer accounts, reapplied the image then moved them back to the correct OU and the problem is still the same. The thing I can't understand is that the other computers (identical hardware using the same image) which have not been imaged since early summer are functioning as expected.

Since corruption occurred on previous images, I now keep MD5 information of the fresh images. I am rechecking these to try to rule out any corruption in the image itself.

I will try to run RSOP again and see if I can get some useful information from that.

Thanks for your reply MrHussy, I will post back when I have some more information.
If you have not used this image in quite some time other than this one machine, and do not have any present machines using this current image that work properly, it may have become corrupt (I have seen this happen). You would need to reimage another machine with the current image to verify this. Otherwise, have you tried removing and re-adding this machine to the domain?
QEMS

ASKER

I have verified the MD5s of all the parts of the image and they all checked out ok.

I have tried adding and removing the machine to the domain a couple of times but without any success.

All of the other machines with the same hardware are running without problems from this same image, they just had it applied closer to when it was created (May this year), so I can't understand what is going wrong.

Just to clarify, I spotted the problem after a hardware failure and swapped a hard drive. I then tested the same image on another computer that has had no hardware change and I get the same problem.
Hi QEMS. Have you tried to Telnet either of the malfunctioning machines from a remote terminal logged in as Domain Admin? This might at least give you a command line with administrative privileges. Be careful when you perform this operation if in a school environment. It isn't very secure and sniffers could reveal important passwords at the least.
QEMS

ASKER

Hi Radar07. Thanks for the suggestion, I haven't tried telnet yet but I will try it out at the end of the day when it gets quieter here.

I am still looking at RSOP and trying to work out if I can get a result from that...
You could try the telnet option and use gpresult as the command-line RSOP alternative.

Another idea is to use a remote computer to run compmgmt.msc and connect to the defective machine. Create a new user account that is a member of the local Administrators group. Then logon locally under the new account and see what happens.
QEMS

ASKER

Hi, apologies for the slow response but it is difficult to find time to test this out, especially when the problem does not directly affect pupil use of the machine.

Thank you for all the answers so far, they have helped me get a much better idea of what is going on at the minute.

I have managed to get some information from RSOP and it would appear that the default domain policy has some excessive restrictions on it. These restrictions are very necessary for the pupils' accounts (and some of the staff accounts!) but they appear to be applied to the domain admin account as well.

Is there any way of easily excluding the domain admin account from the default domain policy to check if this is the case? Does anyone have a suggestion of a good way to test this out?

Assuming that the default domain policy is locked down too much, can anyone offer me a good solution to (quickly and easily) taking all of the settings from the default domain policy and applying them to other policies as required?

I still don't understand why these policies are applied to the domain admin account on newly imaged machines but not to the stations that were imaged a couple of months previously. I would have expected the default domain policy to have been applied to the domain admin account on other computers by now - does anyone have any ideas what is going on there?
To discover why it's failing on the older machines, try running RSOP on them and see if any parts of the Default policy are being blocked. Has another person with administrative access (either past or present) changed the permissions on the policy? The computers may be filtered out, causing the policy not to apply to them.

Your desire to relocate the restrictive policy settings is admirable. You may be able to use the Security Configuration and Analysis tool to copy the settings.

The policy settings should definitely be removed from the Default GPO or the user settings will always apply to the administrator as well. You could try changing the security settings on the policy to deny the Administrators the Apply Policy permission. This should only be a temporary measure, if used at all.
QEMS
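A way to check the point made in the reply above, that user settings in the Default GPO reach administrators too, added here as an example that is not part of the original thread: a small Python parser that reads the user-scope section of a saved `gpresult /v` report and lists the GPOs applied to an account that sits in an admin group. The sample report is constructed, its headings are assumed to match the English `gpresult` output, and the function names are hypothetical.

```python
# Constructed sample in the layout of `gpresult /v` USER SETTINGS; "Pupil Lockdown" is made up.
SAMPLE = """\
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Pupil Lockdown

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Domain Admins
"""

HEADINGS = {  # heading text (assumed English output) -> result key
    "Applied Group Policy Objects": "applied",
    "The following GPOs were not applied because they were filtered out": "filtered",
    "The user is a part of the following security groups": "groups",
}

def parse_user_scope(text):
    """Split the report into applied GPOs, filtered GPOs and group names."""
    result = {key: [] for key in HEADINGS.values()}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if not line or set(line) == {"-"}:
            continue  # blank line or underline rule
        if line in HEADINGS:
            current, depth = HEADINGS[line], indent
        elif current and indent <= depth:
            current = None  # back at heading level: the section is over
        elif current and not line.startswith("Filtering:"):
            result[current].append(line)
    return result

def admin_policy_findings(text, admin_groups=("Domain Admins", "Administrators")):
    """GPOs applied in user scope to an account that is in an admin group."""
    scope = parse_user_scope(text)
    if not any(group in scope["groups"] for group in admin_groups):
        return []
    return scope["applied"]
```

Feed it the text saved from `gpresult /scope user /v` run as the affected account; a non-empty result for an admin logon means those GPOs are not being filtered for administrators.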

ASKER

Thanks for answering promptly, even after I haven't posted for quite a while.

I did try running RSOP on one of the older machines and as far as I could tell the same policies were being applied - even though the effects on the machines are quite different!
Again - as far as I can tell - the computers are not being filtered out, but I will try to have another more detailed look at this one.

I will have a look into the Security Configuration and Analysis tool, I am not really familiar with it but I can google! In case I don't get on to this today, do you know of a good resource or two that are worth using to get me started?
You might want to start here, especially the How To.
ASKER CERTIFIED SOLUTION
Radar07

QEMS

ASKER

Thanks very much :)
QEMS

ASKER

Thanks very much for your help, I just need to pick through the policies now and make sure they are applied properly.

I appreciate the quick answers even when I have had to take some time to test things out.