Solved

GPO in OU on specific servers & users won't apply

Posted on 2010-01-07
Last Modified: 2012-05-08
Hello,

I have a little problem with my group policies.
I want a group policy for a group of users on a group of computers/servers.

To understand the full request I will sketch our domain.

DC: Windows 2003 R2 x64
Servers/VMServers: varying between 2003 and 2008 R2
Client PCs/laptops: varying between XP and Win7

DOMAIN SKETCH
Domain Name
    OU Servers
    OU VMServers
    OU Users
        Sub OU Admins
        Sub OU Project Managers
        Sub OU Users
    OU Computers

Now I want to give my project managers restricted local administrative rights on the VMServers.
So I added the group Project Managers (which is in the OU PM) to the local Administrators group on all of the VMServers.
I also want to restrict the permissions so they can't shut down a VMServer, etc...
I made a new GPO under the OU Project Managers and restricted everything to my wish under User Configuration. Then in the security filtering I've added the servers that I want the policy to apply to.

Now my GPO works only for my project managers, but on all my PCs & servers, not only those I've added in the security filtering.

I've also tried making a GPO in the OU VMServers and adding the user group to the security filtering, but then the GPO doesn't work at all.

To explain why I want this: the firm I work for is an IT firm and our users may have full rights without restrictions on their personal PC/laptop. Our project managers can have restricted rights on the VMServers because these are development servers.

Can someone help me out with this one, because I don't know where to look further...

PS: after every change in the GPO and before I test something out, I did a gpupdate /force on my DC.

Thanks for the replies
0
Comment
Question by:NR_EIS
30 Comments
 
LVL 18

Accepted Solution

by:
Americom earned 500 total points
ID: 26200798
Are you using GPMC to manage your GPOs? If you are, then you should create a new GPO with a Restricted Groups configuration and link the GPO to the VMServers OU.
Here's a good how to and discussion on Restricted Group Policy:
http://www.frickelsoft.net/blog/?p=13

More info here:
http://technet.microsoft.com/en-us/library/cc756802.aspx
0
 

Expert Comment

by:anvarone
ID: 26200902
A GPO is for a user or for a computer; it can't be both.
If you want a GPO to apply both to a computer & to user groups, then you need loopback processing.
This Microsoft KB explains how it works: http://support.microsoft.com/kb/231287
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1500 total points
ID: 26200923
It sounds to me (if I've understood correctly) like you need a loopback policy.

Just to explain, a loopback policy is a policy that is applied to a COMPUTER object, but contains USER settings - This then means that when ANY user (assuming filtering is left at default) logs on to the computer objects that the policy applies to, their settings are taken from the loopback policy rather than their normal policies.

There are 2 modes for loopback - Merge or Replace. Replace just replaces all their current policy settings with the ones you define in the loopback policy. Merge attempts to merge both settings in normal policy and in the loopback.

If that sounds like what you need, all you need to do is create a new policy (not linked to anything yet). Enable the setting Comp Config > Admin Templates > System > Group Policy > "User group policy loopback processing mode" and set it to either Replace or Merge mode (I prefer replace, it's less complicated).

Then, in the same policy (that's just preference, you can use another separate policy if you prefer) define all the settings you want to apply to any users that log on to the servers.

Now, use security filtering to ensure this policy can only apply to the specific user account you want (assuming that users other than the ones targeted will also log on to these servers).

Now just link the GPO to the OU that contains the COMPUTER objects (i.e. the VM servers).

Well, that's all the theory - However something like this should always be tested where possible, before deploying into a production environment, as any slight misconfig in the policy could cause you all sorts of stress. So if you have a test server, you should use that to play around until you get it right!

HTH

Pete
0
 
LVL 18

Expert Comment

by:Americom
ID: 26200937
After rereading your description above, do you want your project managers to be members of the local Administrators group of the VMServers to have admin access or not? Or what exactly do you want your Project Managers to do on the VM Servers, other than that they shouldn't be able to shut down the servers? By default, only Administrators, Server Operators, Backup Operators and Print Operators can shut down a server.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26201003
@anvarone : I think your wording is a little misleading - A GPO can contain both user and computer settings, and can apply to both types of objects.

However any settings within the 'Computer Config' section of a GPO can only apply to Computer objects, and settings within 'User Config' can only apply to user objects.

But if a GPO contains both types of settings, and is applied to either the domain or to an OU that contains both computer and user objects, that will still work just fine.

But you need loopback processing if you want a different set of settings to apply to user accounts but ONLY when they log on to a specific computer or group of computers...

I think that's probably what you were saying, but your wording was a little unclear... :)

Pete
0
 

Author Comment

by:NR_EIS
ID: 26201075
The project managers should be able to register a new service from Visual Studio and start & stop the current services.
The loopback processing looks like what I need, but I'm going to try out the restricted groups also. Will be back in a few hours.
Thanks for all the quick replies
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26201192
Well it would depend really - If you just want to add some users/groups to a local group (i.e. all users in the Project Managers group added to the local Administrators group on the servers) through a GPO, then restricted groups is the way to do it.

You only really need loopback if you want different policy settings / log on scripts / admin templates settings etc etc... So you can basically have a different set of settings for users when they log into either Terminal Server environments, VMs, Citrix servers or whatever... But when logging on to their own PCs/Laptops, they get their normal settings instead.

Just remember that adding users to local admin groups may result in them having many permissions they don't need, i.e. shutting down the servers etc...

HTH

Pete

0
 

Author Comment

by:NR_EIS
ID: 26201708
I still have the problem; I followed the instructions like this.
* Created a new GPO in Group Policy Objects
in Computer Config - Admin Templates - System - Group Policy - enabled "User Group Policy loopback processing mode" (with the Replace option).
* Added my user configuration, just a simple test:
- Internet Explorer Maintenance - Browser Interface - Browser Title
- Hide Recycle Bin in Admin Templates.
* Removed Authenticated Users from the security filtering and replaced it with a user (test)
* Linked the GPO to OU VMServers

Now when I log in to one of the VMServers I'm still getting the browser name from the Domain GPO (default) & my Recycle Bin is still on my desktop.
Also I did a gpupdate /force on my DC and on the VMServer used for the test.

Am I forgetting something?
0
 
LVL 18

Expert Comment

by:Americom
ID: 26201835
Not sure you want the project managers to be able to register a new service, as registering new services usually involves an install, which requires admin rights. But if the Visual Studio service is already installed on the systems and you just want the project managers to be able to start & stop the services, then you only need to create a computer GPO, allow the Project Managers group to perform this task, and then link the GPO to the VM Server OU. This computer GPO can be configured as follows:
1) Assuming you already have a domain group called Project Managers
2) Create a new GPO with a meaningful name (again, hope you are using GPMC, are you?)
3) Under Computer Configuration > Windows Settings > Security Settings > System Services
4) Locate the services you want the Project Managers to manage and double-click on the service
5) Check "Define this policy setting" and select "Automatic" if this is what you need.
6) Then click on "Edit Security..."; this is where you add the Project Managers group and assign the permissions you prefer

Note: in general, if you cannot find the services, then you should run GPMC from the system where the service exists and create the GPO there. If the system (i.e. your VMServer) is Win2k8, then you can run the Group Policy Management console. If the systems are Win2k3, then you need to install GPMC.

To get GPMC: http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26202210
Sorry here, I know we're at crossed purposes and suggesting different things so it may be hard to follow properly...

So I'll just continue down the path I had taken before, with the loopback GPO - It sounds like you've done everything correctly to me. To be sure everything has settled properly, just run a 'gpresult' or RSoP logging session (gpresult from a command prompt whilst logged in as 'test' to a vmserver, RSoP is run from AD U&C against the VMserver, whilst specifying the test user from the RSoP wizard) - This should tell you whether or not the user and computer are applying the new policy you created. Confirm that first, as I have a feeling you may find a problem there, because the config looks good...

RSoP would probably be your best bet...

Pete
0
 

Author Comment

by:NR_EIS
ID: 26207882
@ Americom: thanks for the explanation, but that is not exactly what I'm looking for. And my PMs must have the right to publish/start/stop a service on our development servers (VMServers).
The security setting is handy for making a group of users local admin.

@ PeteJThomas: I waited a whole night but without result. This morning I ran an RSoP on one of the VMServers with the user test, and when I look in the User Configuration properties (right-click on User Configuration) the only policy that is active is the Default Domain Policy. When I view all the GPOs and filtering status, my newly created GPO isn't in the list.
So I'm thinking that there is a problem with the implementation of a GPO on an OU
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26208124
Ok, can you run a gpresult on any VMServers and just see if the new policy you created shows up under the Computer Settings section? It needs to apply successfully to the computer object (which is obviously the part that is enabling the loopback setting - Without it applying successfully to the comp object, the rest definitely won't work).

So you need to see the name of your new policy showing up under the "Applied Group Policy Objects" section within the "Computer Settings" section in the output of the gpresult command.

If it's in the "The following GPOs were not applied because they were filtered out", we need to know the reason (which it should tell you next to the policy name itself).

If it doesn't show up anywhere at all, then there's something wrong with the linking of the policy to the correct OU in the first place!

Run through that, and let me know what you find?

Cheers!

Pete
0
 

Author Comment

by:NR_EIS
ID: 26208257
Would be logical to check that :)

In that list I can see 2 GPOs that are listed by their string name ({letters-numbers}); one of them is a disabled one and the other one is my GPO that is linked to VMServers.
The filtering is: Not applied, unknown reason. I know for sure that it is the correct one because in the scope of management I can see the OU.

Now the strange part is that if I look in \dc\sysvol\domainname\policies\ my GPO has another string.
So in RSoP the string is {D02868A7-60D8-4B3B-8345-66212CFFF3B9} and in the sysvol folder the string is {01CA0E73-6AF7-4DD1-A3DE-D1F121BE483A} (I know for sure that this string is the correct one in the sysvol folder because I made a comment in GPMC on that GPO and then a .cmt file is created in your folder with that comment).

I looked through my event logs but I can't find any notion of why the GPO isn't applied. Is there a way to find out what the exact reason is why the GPO isn't applied?
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26208556
Do you just have the 1 DC?

I understand what you're saying about the GUIDs, but I'd still like to see what the GPO itself thinks its GUID is... So open GPMC, expand down to the Group Policy Objects container, then right-click and Edit your new GPO.

When the window opens, just right-click the name of the GPO (at the very top of the tree), and select Properties. In the general tab, you should see 'Unique Name' followed by the GUID.

Which does this match? The GUID in SYSVOL or the GUID showing in gpresult?
0
 

Author Comment

by:NR_EIS
ID: 26208602
Yes, only 1 DC

The GUID matches the one in the SYSVOL folder, and after deleting the link 3 times and adding it again the GUID is also the same in the RSoP result.

But still the GPO is not applied, with unknown reason.

I was using the Remote Server Administration Tools of Windows 7; to be sure that wasn't a problem, I switched back to GPMC SP1 under Windows XP, but with the same results.
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1500 total points
ID: 26208695
Hmmmmmm weird...

Let's see if RSoP can shed any light - Run RSoP again against the VMServer - Choose 'Do not display user policy settings...' as we're not interested in them at this point.

Ensure you also tick the 'Gather extended error information' on the following screen of the wizard. Then wait for the results to be generated, and look out for little exclamation marks anywhere in the results. If you can see any, you should be able to right-click and view the error information.

You may well find that it gives a similar 'Unknown' type response, or it may give something more useful.

Also, in the delegation - Advanced area in the GPO itself, can you try just adding in one/all of the VMServers directly, ensuring they have read and apply rights. I would expect to see the reason being 'Access Denied' if that were the case, so this is just to eliminate that possibility...

I actually think you've got some funky problem with your GPOs, which would be why you had that strange problem just now with the GUIDs. This is all probably still part of the same problem, though I'm not sure what it is yet!

If all the other policies look fine, you might want to try just flat out deleting this new policy and recreating it. gpresult etc shouldn't be showing you the GUID, but the policy names themselves, so that's an indication that something is wrong straight away... Do all your GPOs show up as GUIDs in the results?
0
 

Author Comment

by:NR_EIS
ID: 26208829
There is definitely something wrong.
When I run RSoP directly on the DC and I check the boxes "display scope of management" & "display revision information" I get an error from the Administrative Templates:

The following error occurred in c:\windows\inf\aer_1028.adm on line 30: Error 64 Help string specified mote than one. The file can not be loaded

After spending some time googling this error, I always come out at removing the admin templates or reinstalling the latest service pack.
0
 

Author Comment

by:NR_EIS
ID: 26208874
Also, when viewing the results on the DC, it says that the GPO is applied.
Viewing the results (with the same domain admin logged in) on any other machine, it is not applied
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 1500 total points
ID: 26208892
Hmmm yes, these appear to be the language files to display the templates in... I'm not sure which language 1028 represents, but I see that 1033 is US (English).

Out of interest, see what happens when you move ALL the aer*.adm files out of that location, except the 1033 one... Just move them elsewhere, don't delete them in case you need them later...

I'd be interested to see what happens!
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26208907
In fact, you can see a full list here: http://technet.microsoft.com/en-us/library/dd346950.aspx

Scroll past the first bit (Country/Region); the second table is for languages. The corresponding number will indicate which aer.adm files are for which languages...
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26208910
1028 is "Chinese (Taiwan)"...
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26208934
That confuses me a little - When you say "Also when viewing the results on the DC he says that the GPO is applied." - Do you mean when running RSoP directly from the DC? As the GPO should not be applying to anything other than the VMServers, if it was only linked to their OU...

Did you have a look at the advanced security section too? Try adding your VMServers to the ACL of the GPO, ensuring they have read and apply rights - Enterprise DCs is a default group in GPOs I believe - Not sure if you've removed something else that is required for the comps to be able to apply the policy?

Pete
0
 

Author Comment

by:NR_EIS
ID: 26208935
Indeed, Chinese, odd...
Moved them all out except the 1033 one. No fault or error then...
All GPOs are applied without error.

When viewing from the DC, still the same problem. Gave one of the VMServers full control in the delegation as a test, still the same problem. When viewing the RSoP on that VMServer or on another device, the GPO is not applied with an unknown error.

And the GPO still doesn't work, just in case :)
0
 

Author Comment

by:NR_EIS
ID: 26208958
Enterprise Domain Controllers is indeed a group that has read rights in the delegation.

You can run an RSoP on the DC in Active Directory Users & Computers under All Tasks. Then I fill out the form without a user and with the VMServer as the computer.
Normally it's the same as running one on a client or a server that has the GPO applied. But in this case it has different results
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26209005
Verrrry confusing!! lol, we've moved from one problem to another... =:O

Well, now you've hopefully sorted out the general GPO problem, note down everything you configured in this new policy, then delete it, and recreate it from scratch.

Once recreated, double check that all your GUIDs are matching up properly from the get-go in SYSVOL and in the GPMC. If all looks ok there (as there's no reason there should be a GUID mismatch with only 1 DC!), try linking again to the VMServers OU, then log on, run gpupdate /force, and then run another gpresult.

What do we get now? Same thing?

Pete
0
 

Author Comment

by:NR_EIS
ID: 26209239
Indeed, again the same thing.

Deleted the whole GPO, created it again, checked the GUID (everything OK), linked it, logged on, gpupdate /force, RSoP, and again not applied, unknown reason.

Tried googling for an event log entry or something that could give some more information on why, but can't find a specific resolution.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26209372
In the gpresult output, is it now showing you the policy names? Or still the GUIDs?

Should be like this:
GPResult.JPG
0
 

Author Comment

by:NR_EIS
ID: 26209422
And I got it working (finally!) :)
I've got to add everything manually to the delegation and give them Read & Apply rights.

When there is more than 1 item in the OU, you have got to insert them all into the delegation manually and apply the rights.

On the existing GPO it doesn't work; you have to delete the link, then the object. Recreate them, add the delegations (servers & users separately), link them and do a gpupdate /force on the DC and then /force on the servers specified in the OU.

When putting back the ADM files, it doesn't work anymore (strangely enough)...
0
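The configuration Pete describes (loopback in Replace mode, linked to the computer OU, filtered on both the servers and the user group) and the asker's final fix (explicit Read & Apply delegation per object, GUID matching SYSVOL), as one added PowerShell example. This is not code from the thread; it assumes the GroupPolicy and ActiveDirectory RSAT modules (Windows Server 2008 R2 or later) and placeholder names for the GPO, the OU and the group.

```powershell
# Added example, not from the original thread. Placeholders: GPO name, OU DN, group name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'VMServers-PM-Loopback'            # placeholder GPO name
$ServerOU = 'OU=VMServers,DC=example,DC=com'   # placeholder OU holding the COMPUTER objects
$PmGroup  = 'Project Managers'                 # placeholder domain group
$Domain   = (Get-ADDomain).DNSRoot

# 1. Enable loopback processing in Replace mode. UserPolicyMode is the registry value
#    behind "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
$gpo = Get-GPO -Name $GpoName
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 2. The thread's symptom was a GUID in RSoP that differed from the SYSVOL folder.
#    Confirm the GUID GPMC reports has a matching policy folder before going further.
$sysvolPath = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
if (-not (Test-Path $sysvolPath)) {
    Write-Warning "GPO '$GpoName' has GUID {$($gpo.Id)} but no folder at $sysvolPath"
}

# 3. Security filtering. Authenticated Users keeps Read (computers must be able to read
#    the GPO to process its user settings) but loses Apply; Apply is then granted
#    explicitly to every computer in the OU and to the user group, which is what the
#    asker ended up doing by hand in the Delegation tab.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

foreach ($computer in Get-ADComputer -SearchBase $ServerOU -Filter *) {
    Set-GPPermission -Name $GpoName -TargetName $computer.Name -TargetType Computer `
        -PermissionLevel GpoApply | Out-Null
}
Set-GPPermission -Name $GpoName -TargetName $PmGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link the GPO to the OU that contains the computer objects (not the user OU),
#    unless a link already exists.
$existing = (Get-GPInheritance -Target $ServerOU).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $ServerOU -LinkEnabled Yes | Out-Null
}

# 5. Report every trustee that now holds Apply, so the list can be compared with the
#    "Applied Group Policy Objects" section of gpresult / RSoP on a VMServer.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission
```

After running this, a `gpupdate /force` on a VMServer followed by `gpresult /r` should list the GPO by name under Computer Settings; if it shows under the filtered-out GPOs instead, the reason column points at whichever of steps 3 or 4 is still wrong.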
 

Author Comment

by:NR_EIS
ID: 26209461
@ PeteJThomas: thanks for the quick & wonderful help
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 26210799
You're welcome - Glad we got there in the end! Now after all that work is where you find that this method doesn't actually achieve what you wanted in the first place... ;)

Thanks for the points!

Pete
0
