AGPM 4.0 SP2 Errors

Hello

I'm getting the attached error when I try to delete a controlled GPO.

The service account:

Is in the Domain Backup Operators Group
Is in the Group Policy Creator Owners Group
Does have full control over the local windows\temp folder
Does have full control over existing GPO's

Related Logging entry also attached

I've tried everything I can think of and looked at every forum I could find.

Can you help?
GPODeleteError.PNG
GPODeleteLogging.PNG
nico-Asked:
LearnctxEngineerCommented:
I'm guessing you're running AGPM in least privileged mode (AGPM service account is not a member of Domain Admins)?

You can reproduce the problem in the GPMC console. Open GPMC.msc while logged on as the AGPM service account. Go to the GPO in question or another test GPO. Open the delegation tab and click advanced. On the security tab try to change the owner from the AGPM service account to another group like Domain Admins. You will get the same error.

The problem goes away if you make the AGPM service account a member of Domain Admins. Personally I've just left it as a least privileged setup and ignore the error. The GPO will still delete; it's just the take ownership action that is failing. The only fix I've found is to make the service account a member of Domain Admins, which many won't want to do if they're delegating specific GPO's to minions to manage.

It could be an issue with Server 2012. I haven't tried setting up AGPM in Server 2008 or Server 2008 R2.
nico-Author Commented:
Hello Learnctx

Indeed, I've tried both of those things. I haven't tried running in 2008/2008 R2 though, but then I'd have to downgrade AGPM and that wouldn't support the 2012 R2 / Windows 8.1 CSE's, so that's not an option. Although I'm assuming you're probably saying that the functionality might work in a previous version!

So basically, currently you reckon that the take ownership error isn't resolvable? Looking around the forums/TechNet, the advice is just to ensure the pre-reqs are done for the service account least privilege, yet my experience is the same as yours: the take ownership error message doesn't seem to hold back the actual task of deleting a GPO from Production and Archive. But the worry is, why is the Take Ownership subtask there in the first place? It must be in there for a reason. Unless the error message is erroneous; there were a few like that back in the XP SP3 days and it wasn't until calling MS Support that they said to ignore the error!
LearnctxEngineerCommented:
There is an excellent 4 part series called "AGPM Under the Hood" by Steve Wiseman (Microsoft Fellow, etc).

Part 1: http://www.networksteve.com/?p=4366
Part 2: http://www.networksteve.com/?p=4823
Part 3: http://www.networksteve.com/?p=4933
Part 4: http://www.networksteve.com/?p=4982

It's a good read but didn't help me solve this particular 'problem'.

The change of ownership on the delete is pretty much redundant if you're deleting the GPO from production and the archive; it's only relevant if you're deleting the GPO from the archive only (in my opinion). I would say they have probably shared code to avoid writing extra for something which would do the job. So that's why I generally ignore it. If I were to uncontrol a GPO I would likewise ignore the error and manually set the owner to Domain Admins myself afterwards.

I have contacted my TAM to see if they knew what caused this but they have never gotten back to me with an answer. I have considered raising a case but I don't think I care enough :) Some things I have tried are monitoring the DC's and the AGPM boxes with Wireshark and Process Monitor. Nothing has jumped out to me as being an issue that I could see. So maybe a bug with GPMC. Try changing the owner of a GPO through GPMC as the AGPM service account and you should see the same error message.
nico-Author Commented:
Hi Learnctx

Came across those articles too on my wild goose chase search for the answer! Very useful and in depth.

You mentioned making the service account a member of the Domain Admins group, bypassing least privilege. Why would that affect delegating the GPO to the minions? I thought the Full Control, Review, Approver etc. roles provided the appropriate delegation of permissions and the service account side of things was separate?

Another query: why would you manually change the owner to Domain Admins after deleting/controlling the GPO?

Amazing really, reading the Jeremy Moskowitz and other MVP articles with no mention of this. Now I think about it, all the articles I see have the AGPM on a Domain Controller (even though it's not recommended) and use the local system account! I guess that's because they know it doesn't work using a member server!
LearnctxEngineerCommented:
For sure running it on a domain controller as system would fix your problem. But it won't be running in least privileged mode then. Being SYSTEM on a domain controller will give it full rights. But it would solve the issue.

I'll raise a case with Microsoft today to see if they can shed some light on this error. I'll let you know if they get back to me :)
nico-Author Commented:
Hi Learnctx

We might end up giving them a call to make sure there's definitely no impact with that error message and to avoid bypassing least privilege.

Would you mind answering those two questions so I'm not missing any concepts?

1. You mentioned making the service account a member of the Domain Admins group, bypassing least privilege. Why would that affect delegating the GPO to the minions? I thought the Full Control, Review, Approver etc. roles provided the appropriate delegation of permissions and the service account side of things was separate?

2. Another query: why would you manually change the owner to Domain Admins after deleting/controlling the GPO?

Thank you for your help
LearnctxEngineerCommented:
Sorry I have been away.

1. A nuance of my setup. I have multiple AGPM instances for different areas of the company. They can create new GPO's but existing GPO's need to be delegated to their particular service accounts. It keeps them all happy knowing that others can't try to take control of the GPO's they want to manage in their area. A bit of a pain really...

2. It is how we have it set up. All our GPO's have the owner set to Domain Admins until control is taken by AGPM.
nico-Author Commented:
Hi Learnctx

No worries, hope it was a good day off.

Thanks for the explanations. With point 2, doesn't the AGPM service account automatically take control from Domain Admins, rather than manually?

I'm just about to go through the process of creating a case with Microsoft, so if I find anything out one way or the other, I'll put an update on here!

Cheers
LearnctxEngineerCommented:
Yes you are correct. I was just talking about when I un-control a GPO. It fails to apply the default owner back to what it was :) The same error you see when deleting.
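Because the thread reports that the take-ownership step fails on both delete and uncontrol while the rest of the operation completes, GPO owners can quietly end up different from what the environment expects. The following PowerShell audit is an added example, not code from either participant or from AGPM: it lists each GPO's owner on the AD object and on its SYSVOL folder, flags mismatches, and includes the manual owner reset Learnctx describes. The domain name, the expected owner accounts and the presence of the RSAT GroupPolicy and ActiveDirectory modules are assumptions.

```powershell
# Added example (not from the thread): audit GPO ownership after AGPM delete/uncontrol.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules are installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Assumed values: the owners you expect on controlled and uncontrolled GPOs.
$ExpectedOwners = @('CONTOSO\Domain Admins', 'CONTOSO\svc-agpm')

function Get-GpoOwnerReport {
    foreach ($gpo in Get-GPO -All) {
        # Owner of the groupPolicyContainer object in AD, as exposed by Get-GPO.
        $adOwner = $gpo.Owner

        # The SYSVOL half of the GPO carries its own owner; report it so drift is visible.
        $sysvolPath = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
        $sysvolOwner = (Get-Acl -Path $sysvolPath).Owner

        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            AdOwner     = $adOwner
            SysvolOwner = $sysvolOwner
            Mismatch    = ($adOwner -notin $ExpectedOwners) -or ($sysvolOwner -ne $adOwner)
        }
    }
}

# Manual owner reset for a flagged GPO (the step the thread describes doing by hand).
# Changing the owner to a group you are not a member of needs the Restore privilege,
# which is the same permission the AGPM take-ownership step depends on.
function Set-GpoAdOwner {
    param(
        [Parameter(Mandatory)][guid]$Id,
        [Parameter(Mandatory)][string]$Owner   # e.g. 'CONTOSO\Domain Admins' (assumed)
    )
    $gpo  = Get-GPO -Guid $Id
    $path = "AD:\$($gpo.Path)"              # AD: drive is provided by the ActiveDirectory module
    $acl  = Get-Acl -Path $path
    $acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
    Set-Acl -Path $path -AclObject $acl
}

# Show only the GPOs whose ownership does not match expectations.
Get-GpoOwnerReport | Where-Object Mismatch | Format-Table -AutoSize
```

Run the report as an account that can read every GPO; run `Set-GpoAdOwner` only for the specific GPOs the report flags, after confirming they are no longer under AGPM control.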
nico-Author Commented:
Apologies, away for a while!