jaxjags

asked on
Computer Picking Up Old GPO from Server

Hello.  I was having problems logging into machines with any domain user account.  I needed to explicitly add a domain user to a machine before that user could log in.  

I adjusted an old Default Domain Policy so that the setting for "Allow log on locally" is for Domain Users, Domain Admins and local Admins.  (It was lacking the "Domain Users" group and I believe this is what was creating this situation.)

At first, this setting seemed to work and I could go to a machine and domain users could log in no problem.  Then, seemingly at random, it stopped working.  When I checked the GPO on the server, the policy was still the adjusted one.  However, when logging in locally, I noticed the local security policy had reverted back to the old one and disallowed domain users to log in without being added explicitly.  

I have researched this ad nauseam and have not gotten too far with this.  I have removed and rejoined the domain, I have tried to create a new default domain policy etc... I have looked into the registry but don't understand too much about that, hoping there was a way to change a setting or find the old policy and destroy it.  

Client is Windows 7 and Server 2008 R2.  Any other ideas?
Raymond Peng

On the client machine can you run RSOP to see what GPOs are in effect?
Please also open cmd > gpresult /h and it will output to an html file.  Check what groups / gpos the user is in and applied.

Is it only applying to this user or all users?  If it's just one, try removing them from all groups and OU for testing purposes.
jaxjags

ASKER

Thanks.  I ran the RSOP on the machine and it says it is getting the default domain policy and that html file reflects that change!  However, when I go to "local security policy" it shows the old GPO and still behaves according to that old GPO.

It happens to any user I try to log in with... any domain user is locked out, except domain admins, which are permitted on the old GPO anyway.

Now I think I'm more confused!
Just to confirm - you're applying to an OU with computers?

I would try creating a test OU and have 2 test PCs in there.  Link only the policy you want to test to it. Run gpupdate /force and see what it picks up.
jaxjags

ASKER

Thanks.  Yes, I am applying to an OU with computers.  It is inherited via the Default Domain Policy.  I also went ahead and tried to link directly even though I shouldn't need to.  By adding the "Users" group it worked... for a few hours.  By the time I signed back in the next morning, it once again reverted back to the old domain settings and said I can't log in using this method.  When running RSOP it says it's getting settings from the default domain policy, but these are NOT the settings on the server.  

Is there any way to find some rogue, old copy of the default domain GPO?  

What's even more confusing, is that I am testing this on two PCs.  The one I am speaking about and another one that IS picking up the new Domain Policy and HOLDING those settings without reverting back... perhaps this is a clue?
jaxjags

ASKER

Check that last paragraph... now the same condition is happening to both machines in that OU.  Even if I move the machines to a different OU, it picks them up.
ASKER CERTIFIED SOLUTION
Raymond Peng
jaxjags

ASKER

Thank you for that guidance.  Unfortunately, the domain policy applies but overnight it reapplies the old one again.  So I'm stuck at the same spot.
jaxjags

ASKER

These were all great steps to take to resolve this issue.  Unfortunately, the true issue was found in the Replication Log on the domain controller.  It was stuck in an error state and was not working properly.  I had Microsoft find that and fix it for a fee.

Event ID: 13568  "JRNL_WRAP_ERROR"

http://social.technet.microsoft.com/Forums/en-US/d88385dd-ba83-43d4-8bc7-85e15aa1ae58/event-id-13568
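The resolution above points at FRS journal wrap (event 13568) leaving one domain controller's SYSVOL copy of the policy stale, so a client that happens to pull policy from that DC gets the old "Allow log on locally" list. The PowerShell check below is an added example, not code from the thread: it queries each DC for 13568 events and reads the version number and the SeInteractiveLogonRight line from that DC's SYSVOL replica of the Default Domain Policy, so a diverged replica stands out. It assumes the RSAT ActiveDirectory module, read access to every DC's SYSVOL share, and the standard SYSVOL layout under the well-known Default Domain Policy GUID.

```powershell
# Added example: compare Default Domain Policy replicas across DCs and flag
# FRS journal-wrap events. Assumes RSAT (ActiveDirectory module) and read
# access to \\<dc>\SYSVOL on each domain controller.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
# Well-known GUID of the Default Domain Policy; the paths below follow the
# standard SYSVOL layout (assumption for this example).
$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$gpoRoot = "$($domain.DNSRoot)\Policies\$gpoGuid"
$infRel  = "$gpoRoot\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
$iniRel  = "$gpoRoot\GPT.INI"

foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName

    # 1. Journal-wrap events (ID 13568) in this DC's File Replication Service log.
    #    Errors are suppressed so a DC with no such events simply reports 0.
    $wrap = Get-WinEvent -ComputerName $name -FilterHashtable @{
                LogName = 'File Replication Service'; Id = 13568
            } -ErrorAction SilentlyContinue

    # 2. Policy version as stored in this DC's SYSVOL replica. Clients compare
    #    this with the version in AD; a stale replica shows a lower number.
    $version = (Select-String -Path "\\$name\SYSVOL\$iniRel" `
                  -Pattern '^Version=' -ErrorAction SilentlyContinue).Line

    # 3. The "Allow log on locally" right (SeInteractiveLogonRight) from the
    #    security template in that replica. SIDs are listed with a leading '*'.
    $right = (Select-String -Path "\\$name\SYSVOL\$infRel" `
                -Pattern '^SeInteractiveLogonRight' -ErrorAction SilentlyContinue).Line

    [pscustomobject]@{
        DC              = $name
        JournalWrapEvts = @($wrap).Count
        LastWrapEvent   = if ($wrap) { ($wrap | Sort-Object TimeCreated)[-1].TimeCreated } else { $null }
        GptVersion      = $version
        LogonLocally    = $right
    }
}
```

Any DC whose GptVersion or LogonLocally line differs from the others, or that shows a non-zero JournalWrapEvts count, is the replica the affected clients are most likely reading from.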