NR_EIS asked:

GPO in OU on specific servers & users won't apply

Hello,

I have a little problem with my group policies.
I want a group policy for a group of users on a group of computers/servers.

To understand the full request I will sketch our domain.

DC: Windows 2003 R2 x64
Servers/VMservers: varying between 2003 and 2008 R2
Client PCs/laptops: varying between XP and Win7

DOMAIN SKETCH
Domain Name
  OU Servers
  OU VMServers
  OU Users
    Sub OU Admins
    Sub OU Project Managers
    Sub OU Users
  OU Computers

Now I want to give my project managers restricted local administrative rights on the VMservers.
So I added the group Project Managers (which is in the OU PM) to the local Administrators group on all of the VMServers.
I also want to restrict the permissions so they can't shut down a VMServer, etc.
I made a new GPO under the OU Project Managers and restricted everything to my wish under User Configuration. Then in the security filtering I added the servers that I want the policy to apply to.

Now my GPO works only on my project managers, but on all my PCs & servers, not only those I added in the security filtering.

I've also tried making a GPO in the OU VMserver and adding the usergroup to the security filtering but then the GPO doesn't work at all.

To explain why I want this, the firm I work for is an IT firm and our users may have full rights without restrictions on their personal pc/laptop. Our project managers can have restricted rights on the VMservers because these are development servers.

Can someone help me out with this one, because I don't know where to look further...

ps: after every change in the GPO and before I test something out, I did a gpupdate /force on my DC.

Thanks for the replies.
ASKER CERTIFIED SOLUTION
Americom
(solution hidden: only available to Experts Exchange members)

anvarone:

A GPO is on a user or on a computer, can't be both.
If you want a GPO to apply both on a computer & on user groups, then you need loopback processing.
This Microsoft KB article explains how it works: http://support.microsoft.com/kb/231287
SOLUTION (hidden: only available to Experts Exchange members)
After rereading your description above, do you want your project managers to be members of the local Administrators group of the VMServers to have admin access or not? Or what exactly do you want your Project Managers to do on the VM Servers, other than that they shouldn't be able to shut down the servers? By default, only Administrators, Server Operators, Backup Operators and Print Operators can shut down a server.
@anvarone: I think your wording is a little misleading - a GPO can contain both user and computer settings, and can apply to both types of objects.

However any settings within the 'Computer Config' section of a GPO can only apply to Computer objects, and settings within 'User Config' can only apply to user objects.

But if a GPO contains both types of settings, and is applied to either the domain or to an OU that contains both computer and user objects, that will still work just fine.

But you need loopback processing if you want a different set of settings to apply to user accounts but ONLY when they log on to a specific computer or group of computers...

I think that's probably what you were saying, but your wording was a little unclear... :)

Pete
NR_EIS (asker):

The project managers should be able to register a new service from within Visual Studio and start & stop the current services.
The loopback processing looks like what I need, but I'm going to try out the restricted groups also. Will be back in a few hours.
Thanks for all the quick replies.
Well it would depend really - If you just want to add some users/groups to a local group (i.e. all users in the Project Managers group added to the local Administrators group on the servers) through a GPO, then restricted groups is the way to do it.

You only really need loopback if you want different policy settings / log on scripts / admin templates settings etc etc... So you can basically have a different set of settings for users when they log into either Terminal Server environments, VMs, Citrix servers or whatever... But when logging on to their own PCs/Laptops, they get their normal settings instead.

Just remember that adding users to local admin groups may result in them having many permissions they don't need, i.e. shutting down the servers etc...

HTH

Pete

NR_EIS (asker):

I still have the problem; I followed the instructions like this:
* Created a new GPO in Group Policy Objects.
  In Computer Configuration - Administrative Templates - System - Group Policy, enabled User Group Policy loopback processing mode (with the Replace option).
* Added my user configuration, just a simple test:
  - Internet Explorer Maintenance - Browser Interface - Browser Title
  - Hide Recycle Bin, in Administrative Templates
* Removed Authenticated Users from the security filtering and replaced it with a user (test).
* Linked the GPO to the OU VMServers.

Now when I log in to one of the VMServers I'm still getting the browser name from the Domain GPO (default) & my Recycle Bin is still on my desktop.
Also I did a gpupdate /force on my DC and on the VMServer used for the test.

Am I forgetting something?
Not sure you want the project managers to be able to register a new service, as registering new services usually involves an install, which requires admin rights. But if the Visual Studio service is already installed on the systems and you just want the project managers to be able to start & stop the services, then you only need to create a computer GPO, allow the Project Managers group to perform this task, and link the GPO to the VM Server OU. This computer GPO can be configured as follows:
1) Assuming you already have a domain group called Project Managers
2) Create a new GPO with a meaningful name (again, hope you are using GPMC, are you?)
3) Under Computer Configuration > Windows Settings > Security Settings > System Services
4) Locate the services you want the Project Managers to manage and double-click on the service
5) Check "Define this policy setting" and select "Automatic" if this is what you need.
6) Then click on "Edit Security...". This is where you add the Project Managers group and assign the permissions you prefer.

Note: in general, if you cannot find the services, then you should run GPMC from the system where the service exists and create the GPO there. If the system (i.e. your VMServer) is Win2k8, then you can run the Group Policy Management console. If the systems are Win2k3, then you need to install GPMC.

To get GPMC: http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
Sorry here, I know we're at crossed purposes and suggesting different things so it may be hard to follow properly...

So I'll just continue down the path I had taken before, with the loopback GPO - It sounds like you've done everything correctly to me. To be sure everything has settled properly, just run a 'gpresult' or RSoP logging session (gpresult from a command prompt whilst logged in as 'test' to a vmserver, RSoP is run from AD U&C against the VMserver, whilst specifying the test user from the RSoP wizard) - This should tell you whether or not the user and computer are applying the new policy you created. Confirm that first, as I have a feeling you may find a problem there, because the config looks good...

RSoP would probably be your best bet...

Pete
NR_EIS (asker):

@Americom: thanks for the explanation, but that is not exactly what I'm looking for. And my PMs must have the right to publish/start/stop a service on our development servers (VMServers).
The security setting is handy for making a group of users local admin.

@PeteJThomas: I waited a whole night but without result. This morning I ran an RSoP on one of the VMServers with the user test, and when I look in the User Configuration properties (right-click on User Configuration) the only policy that is active is the Default Domain Policy. When I view all the GPOs and filtering status, my newly created GPO isn't in the list.
So I'm thinking that there is a problem with the implementation of a GPO on an OU.
Ok, can you run a gpresult on any VMServers and just see if the new policy you created shows up under the Computer Settings section? It needs to apply successfully to the computer object (which is obviously the part that is enabling the loopback setting - Without it applying successfully to the comp object, the rest definitely won't work).

So you need to see the name of your new policy showing up under the "Applied Group Policy Objects" section within the "Computer Settings" section in the output of the gpresult command.

If it's in the "The following GPOs were not applied because they were filtered out", we need to know the reason (which it should tell you next to the policy name itself).

If it doesn't show up anywhere at all, then there's something wrong with the linking of the policy to the correct OU in the first place!

Run through that, and let me know what you find?

Cheers!

Pete
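The three buckets Pete asks about ("Applied Group Policy Objects", "not applied because they were filtered out" plus the reason, or absent altogether) are easy to misread in a long gpresult dump, so here is an added PowerShell example, not from the thread, that sorts the text output into those buckets and flags any GPO that shows up only as a {GUID}. The sample output below is constructed to look like `gpresult /r /scope computer` on a Vista/2008-era client; the GUID in it is the one quoted later in this thread, and the exact "Filtering:" wording is an assumption based on that era's gpresult format.

```powershell
# Added example (not from the thread): parse gpresult text into
# applied / filtered-out (with reason) and warn on GUID-only names.
function ConvertFrom-GpResultText {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $applied  = @()
    $filtered = @()
    $section  = $null   # 'applied', 'filtered' or $null (outside both)
    $pending  = $null   # GPO name waiting for its "Filtering:" line

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }          # blank or underline
        if ($line -match '^Applied Group Policy Objects') { $section = 'applied'; continue }
        if ($line -match '^The following GPOs were not applied because they were filtered out') {
            $section = 'filtered'; continue
        }
        # Any other heading ends the current section
        if ($line -match '^The (computer|user) is a part of' -or $line -match '^(COMPUTER|USER) SETTINGS') {
            $section = $null; continue
        }
        if ($section -eq 'applied') {
            $applied += $line
        } elseif ($section -eq 'filtered') {
            if ($line -match '^Filtering:\s*(.+)$') {
                $filtered += New-Object PSObject -Property @{ Name = $pending; Reason = $Matches[1].Trim() }
                $pending = $null
            } else {
                $pending = $line
            }
        }
    }
    New-Object PSObject -Property @{ Applied = $applied; Filtered = $filtered }
}

function Get-GpoByGuidOnly {
    # A GPO listed as {GUID} instead of its display name means the client could
    # not read the GPO object or its SYSVOL folder: check Read permission first.
    param([string[]]$Names)
    $Names | Where-Object { $_ -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$' }
}

# Constructed sample, shaped like 'gpresult /r /scope computer' output
$sample = @'
COMPUTER SETTINGS
------------------
    CN=VMSRV01,OU=VMServers,DC=example,DC=local
    Last time Group Policy was applied: 1/1/2011 at 9:00:00 AM

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        {D02868A7-60D8-4B3B-8345-66212CFFF3B9}
            Filtering:  Not Applied (Unknown Reason)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
'@

$result = ConvertFrom-GpResultText -Lines ($sample -split "`r?`n")
# Live check on a VMServer (Vista/2008+ syntax; on XP/2003 use plain 'gpresult'):
#   $result = ConvertFrom-GpResultText -Lines (gpresult /r /scope computer)
"Applied:";  $result.Applied  | ForEach-Object { "  $_" }
"Filtered:"; $result.Filtered | ForEach-Object { "  $($_.Name) -> $($_.Reason)" }
Get-GpoByGuidOnly -Names ($result.Applied + ($result.Filtered | ForEach-Object { $_.Name })) |
    ForEach-Object { "WARNING: $_ is shown by GUID only; check Read permission on the GPO and its SYSVOL folder" }
```

Run it once with `/scope computer` and once with `/scope user` while logged on as the test user: the loopback setting has to land in the computer list before anything in the user list can be expected.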
NR_EIS (asker):

Would be logical to check that :)

In that list I can see 2 GPOs that are listed by their string name ({letters-numbers}); one of them is a disabled one and the other one is my GPO that is linked to VMServers.
The filtering is: Not applied, unknown reason. I know for sure that it is the correct one because in the scope of management I can see the OU.

Now the strange part is that if I look in \\dc\sysvol\domainname\policies\ my GPO has another string.
So in RSoP the string is {D02868A7-60D8-4B3B-8345-66212CFFF3B9} and in the sysvol folder the string is {01CA0E73-6AF7-4DD1-A3DE-D1F121BE483A} (I know for sure that this string is the correct one in the sysvol folder, because I made a comment in GPMC on that GPO and then a .cmt file is created in your folder with that comment).

I looked through my event logs but I can't find any notion of why the GPO isn't applied. Is there a way to find out what the exact reason is why the GPO isn't applied?
Do you just have the 1 DC?

I understand what you're saying about the GUIDs, but I'd still like to see what the GPO itself thinks its GUID is... So open GPMC, expand down to the Group Policy Objects container, then right-click and Edit your new GPO.

When the window opens, just right-click the name of the GPO (at the very top of the tree), and select Properties. In the general tab, you should see 'Unique Name' followed by the GUID.

Which does this match? The GUID in SYSVOL or the GUID showing in gpresult?
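Pete's manual GUID comparison (GPMC versus SYSVOL versus gpresult) can be done for every GPO in the domain at once. The following is an added PowerShell example, not from the thread, that uses the GroupPolicy module (RSAT on Windows 7, which the asker is using) to check, per GPO, that the SYSVOL folder named after its GUID exists and that the version counters stored in AD and in gpt.ini agree, and then lists SYSVOL policy folders that no GPO object claims. The domain name is taken from the environment; that and the column names are assumptions.

```powershell
# Added example (not from the thread). Requires the GroupPolicy module.
Import-Module GroupPolicy

function Test-GpoSysvolConsistency {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: run from a domain-joined admin box

    $policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    $knownGuids   = @()

    foreach ($gpo in (Get-GPO -All -Domain $Domain)) {
        $guidName       = '{' + $gpo.Id.ToString().ToUpper() + '}'
        $knownGuids    += $guidName
        $folder         = Join-Path $policiesRoot $guidName
        $status         = 'OK'
        $sysvolComputer = $null
        $sysvolUser     = $null

        if (-not (Test-Path $folder)) {
            $status = 'MissingSysvolFolder'
        } else {
            # gpt.ini stores one 32-bit Version: low 16 bits = computer version,
            # high 16 bits = user version. AD keeps the same pair in
            # versionNumber; clients expect the two to match.
            $versionLine = Get-Content (Join-Path $folder 'gpt.ini') |
                Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
            $raw            = [int64]($versionLine -replace '^Version=', '')
            $sysvolComputer = $raw -band 0xFFFF
            $sysvolUser     = [int][math]::Floor($raw / 65536)
            if ($sysvolComputer -ne $gpo.Computer.DSVersion -or $sysvolUser -ne $gpo.User.DSVersion) {
                $status = 'VersionMismatch'
            }
        }

        New-Object PSObject -Property @{
            Name = $gpo.DisplayName; Guid = $guidName; Status = $status
            AdComputerVer = $gpo.Computer.DSVersion; SysvolComputerVer = $sysvolComputer
            AdUserVer = $gpo.User.DSVersion; SysvolUserVer = $sysvolUser
        }
    }

    # SYSVOL folders that no GPO object claims: the kind of stray GUID the
    # asker saw. Either a harmless leftover or the remains of a broken GPO.
    Get-ChildItem $policiesRoot | Where-Object {
        $_.PSIsContainer -and $_.Name -match '^\{[0-9A-F-]{36}\}$' -and ($knownGuids -notcontains $_.Name.ToUpper())
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Name = '(no GPO object)'; Guid = $_.Name; Status = 'OrphanedSysvolFolder'
            AdComputerVer = $null; SysvolComputerVer = $null; AdUserVer = $null; SysvolUserVer = $null
        }
    }
}

Test-GpoSysvolConsistency |
    Format-Table Name, Guid, Status, AdComputerVer, SysvolComputerVer, AdUserVer, SysvolUserVer -AutoSize
```

With a single DC there is no replication to blame, so a `MissingSysvolFolder` or `VersionMismatch` row points at the GPO object itself, while an `OrphanedSysvolFolder` row is a leftover from a deleted GPO and is the first thing to look at when RSoP shows a GUID that GPMC does not.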
NR_EIS (asker):

Yes only 1 DC

The GUID matches the one in the SYSVOL folder and after deleting the link 3 times and adding again the GUID is also the same in the RSoP result.

But still the gpo is not applied with unknown reason.

I was using the remote administration tools of Windows 7; to be sure that wasn't a problem, I switched back to GPMC SP1 under Windows XP, but with the same results.
SOLUTION (hidden: only available to Experts Exchange members)

NR_EIS (asker):

There is definitely something wrong.
When I run RSoP directly on the DC and I check the boxes "display scope of management" & "display revision information", I get an error from the Administrative Templates:

The following error occurred in c:\windows\inf\aer_1028.adm on line 30: Error 64 Help string specified more than once. The file can not be loaded

After spending some time googling this error, I always come out at removing the admin templates or reinstalling the latest service pack.
NR_EIS (asker):

Also when viewing the results on the DC it says that the GPO is applied.
Viewing the results (with the same domain admin logged in) on any other machine, it is not applied.
SOLUTION (hidden: only available to Experts Exchange members)
In fact, you can see a full list here: http://technet.microsoft.com/en-us/library/dd346950.aspx

Scroll past the first bit (Country/Region); the second table is for languages. The corresponding number will indicate which aer.adm files are for which languages...
1028 is "Chinese (Taiwan)"...
That confuses me a little - When you say "Also when viewing the results on the DC he says that the GPO is applied." - Do you mean when running RSoP directly from the DC? As the GPO should not be applying to anything other than the VMServers, if it was only linked to their OU...

Did you have a look at the advanced security section too? Try adding your VMServers to the ACL of the GPO, ensuring they have read and apply rights - Enterprise DCs is a default group in GPOs I believe - Not sure if you've removed something else that is required for the comps to be able to apply the policy?

Pete
NR_EIS (asker):

Indeed, Chinese, odd...
Moved them all out except the 1033. No fault or error then...
All GPOs are applied without error.

When viewing from the DC, still the same problem. Gave one of the VMServers full control in the delegation as a test, still the same problem. When viewing the RSoP on that VMServer or on another device, the GPO is not applied, with an unknown error.

And the GPO still doesn't work, just in case :)
NR_EIS (asker):

Enterprise Domain Controllers is indeed a group that has read rights in the delegation.

You can run an RSoP on the DC in Active Directory Users & Computers under All Tasks. Then I fill out the form without a user and with the VMServer as the computer.
Normally it's the same as running one on a client or a server that has the GPO applied. But in this case it has different results.
Verrrry confusing!! lol, we've moved from one problem to another... =:O

Well, now you've hopefully sorted out the general GPO problem, note down everything you configured in this new policy, then delete it, and recreate it from scratch.

Once recreated, double check that all your GUIDs are matching up properly from the get-go in SYSVOL and in the GPMC. If all looks ok there (as there's no reason there should be a GUID mismatch with only 1 DC!), try linking again to the VMServers OU, then log on, run gpupdate /force, and then run another gpresult.

What do we get now? Same thing?

Pete
NR_EIS (asker):

Indeed, again the same thing.

Deleted the whole GPO, created it again, checked the GUID (everything OK), linked them, logged on, gpupdate /force, RSoP, and again not applied, unknown reason.

Tried googling for an event log entry or something that could give some more information on why, but I can't find a specific resolution.
In the gpresult output, is it now showing you the policy names? Or still the GUIDs?

Should be like this:
[image: GPResult.JPG]
NR_EIS (asker):

And I got it working (finally!) :)
I had to add everything manually to the delegation and give them read & apply rights.

When there is more than 1 item in the OU, you have to insert them all into the delegations manually and apply the rights.

On the existing GPO it doesn't work; you have to delete the link first, then the object. Recreate them, add the delegations (servers & users separately), link them and do a gpupdate /force on the DC and then /force on the servers specified in the OU.

When putting back the ADM files, it doesn't work anymore (strangely enough)...
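The configuration the thread converges on (Pete's loopback explanation earlier, and the asker's final "servers & users separately" delegation) can be built and verified in one script. The following is an added PowerShell example, not the asker's or Pete's own steps, using the GroupPolicy module (RSAT). All names are assumptions: domain `example.local`, OU `VMServers`, a domain group `VMServers Computers` holding the server computer accounts (so you do not have to add each server by hand), and the existing `Project Managers` user group.

```powershell
# Added example (not from the thread). Requires the GroupPolicy module.
Import-Module GroupPolicy

$GpoName     = 'VMServers - Project Managers Loopback'   # assumption
$TargetOu    = 'OU=VMServers,DC=example,DC=local'        # assumption (placeholder domain)
$ComputerGrp = 'VMServers Computers'                     # assumption: group of server accounts
$UserGrp     = 'Project Managers'                        # the asker's existing user group
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

function New-LoopbackGpo {
    # Create the GPO, or reuse it if it already exists
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'User settings applied only on VMServers (loopback, Replace)'
    }

    # Loopback processing is a COMPUTER setting:
    # UserPolicyMode = 1 (Merge) or 2 (Replace)
    Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value 2 | Out-Null

    # Security filtering. Both principals need Read + Apply:
    #  - the computers, because the loopback switch is evaluated at startup;
    #  - the users, because the User Configuration part is still evaluated
    #    in the logged-on user's security context.
    Set-GPPermission -Name $GpoName -TargetName $ComputerGrp -TargetType Group -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $UserGrp     -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Authenticated Users keep Read only, so the GPO no longer applies to
    # every PC and every user (the original symptom).
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Link to the OU that holds the servers, not to the users' OU
    $alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $alreadyLinked) {
        New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    }
    Get-GPO -Name $GpoName
}

function Test-LoopbackGpo {
    # Reports the loopback mode and the effective trustees, which is what to
    # confirm before running gpresult on a server.
    try {
        $mode = (Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode').Value
    } catch { $mode = $null }
    if ($mode -eq 1)     { $modeName = 'Merge' }
    elseif ($mode -eq 2) { $modeName = 'Replace' }
    else                 { $modeName = 'Not set' }

    $perms = Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
    New-Object PSObject -Property @{ LoopbackMode = $modeName; Permissions = $perms }
}

New-LoopbackGpo | Out-Null
$check = Test-LoopbackGpo
"Loopback mode: $($check.LoopbackMode)"
$check.Permissions | Format-Table -AutoSize
# Then on a VMServer: gpupdate /force, log on as a project manager, gpresult /r
```

Using a group of computer accounts instead of individual servers in the filter avoids the "insert them all manually" step the asker ran into whenever a server is added to the OU; if you prefer single servers, `Set-GPPermission -TargetType Computer` takes a computer name instead.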
NR_EIS (asker):

@PeteJThomas: thanks for the quick & wonderful help
You're welcome - Glad we got there in the end! Now after all that work is where you find that this method doesn't actually achieve what you wanted in the first place... ;)

Thanks for the points!

Pete