nico-
asked on
AGPM 4.0 SP2 Errors
Hello
I'm getting the attached error when I try to delete a controlled GPO.
The service account :-
Is in the Domain Backup Operators Group
Is in the Group Policy Creator Owners Group
Does have full control over the local windows\temp folder
Does have full control over existing GPO's
Related Logging entry also attached
I've tried everything I can think of and looked at every forum I could find.
Can you help?
GPODeleteError.PNG
GPODeleteLogging.PNG
I'm getting the attached error when I try to delete a controlled GPO.
The service account :-
Is in the Domain Backup Operators Group
Is in the Group Policy Creator Owners Group
Does have full control over the local windows\temp folder
Does have full control over existing GPO's
Related Logging entry also attached
I've tried everything I can think of and looked at every forum I could find.
Can you help?
GPODeleteError.PNG
GPODeleteLogging.PNG
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
There is an excellent 4 part series called "AGPM Under the Hood" by Steve Wiseman (Microsoft Fellow, etc).
Part 1: http://www.networksteve.com/?p=4366
Part 2: http://www.networksteve.com/?p=4823
Part 3: http://www.networksteve.com/?p=4933
Part 4: http://www.networksteve.com/?p=4982
Its a good read but didn't help me solve this particular 'problem'.
The change of ownership on the delete is pretty much redundant if you're deleting the GPO from production and the archive; its only relevant if you're deleting the GPO from the archive only (in my opinion). I would say they have probably shared code to avoid writing extra for something which would do the job. So that's why I generally ignore it. If I were to uncontrol a GPO I would likewise ignore the error and manually set the owner to Domain Admins myself afterwards.
I have contact my TAM to see if they knew what caused this but they have never gotten back to me with an answer. I have considered raising a case but I don't think I care enough :) Some things I have I tried through is to monitor the DC's and the AGPM boxes with Wireshark and Process Monitor. Nothing has jumped out to me as being an issue that I could see. So maybe a bug with GPMC. Try changing the owner of a GPO through GPMC as the AGPM service account and you should see the same error message.
Part 1: http://www.networksteve.com/?p=4366
Part 2: http://www.networksteve.com/?p=4823
Part 3: http://www.networksteve.com/?p=4933
Part 4: http://www.networksteve.com/?p=4982
Its a good read but didn't help me solve this particular 'problem'.
The change of ownership on the delete is pretty much redundant if you're deleting the GPO from production and the archive; its only relevant if you're deleting the GPO from the archive only (in my opinion). I would say they have probably shared code to avoid writing extra for something which would do the job. So that's why I generally ignore it. If I were to uncontrol a GPO I would likewise ignore the error and manually set the owner to Domain Admins myself afterwards.
I have contact my TAM to see if they knew what caused this but they have never gotten back to me with an answer. I have considered raising a case but I don't think I care enough :) Some things I have I tried through is to monitor the DC's and the AGPM boxes with Wireshark and Process Monitor. Nothing has jumped out to me as being an issue that I could see. So maybe a bug with GPMC. Try changing the owner of a GPO through GPMC as the AGPM service account and you should see the same error message.
ASKER
Hi Learnctx
Came across those article too on my wild goose chase search for the answer! Very useful and in depth.
You mentioned about making the service account a member of the Domain Admins group, bypassing least privilege. Why would that affect delegating the GPO to the minions? - I thought the Full Control, Review, Approver etc roles provided the appropriate delegation of permissions and the service account side of things was separate ?
Another query - Why would you manually change the Domain Admins after deleting/controlling the GPO?
Amazing really this, reading the Jeremy Moskowitz and other MVP articles with no mention of this. Now I think about it, all the article I see have the AGPM on a Domain Controller (even though it's not recommended) and use the local system account ! I guess that's because they know it doesn't work using a member server !
Came across those article too on my wild goose chase search for the answer! Very useful and in depth.
You mentioned about making the service account a member of the Domain Admins group, bypassing least privilege. Why would that affect delegating the GPO to the minions? - I thought the Full Control, Review, Approver etc roles provided the appropriate delegation of permissions and the service account side of things was separate ?
Another query - Why would you manually change the Domain Admins after deleting/controlling the GPO?
Amazing really this, reading the Jeremy Moskowitz and other MVP articles with no mention of this. Now I think about it, all the article I see have the AGPM on a Domain Controller (even though it's not recommended) and use the local system account ! I guess that's because they know it doesn't work using a member server !
For sure running it on a domain controller as system would fix your problem. But it won't be running in least privileged mode then. Being SYSTEM on a domain controller will give it full rights. But it would solve the issue.
I'll raise a case with Microsoft today to see if they can shed some light on this error. I'll let you know if they get back to me :)
I'll raise a case with Microsoft today to see if they can shed some light on this error. I'll let you know if they get back to me :)
ASKER
Hi Learnctx
We might end up giving them a call to make sure there's definitely no impact with that error message and to avoid bypassing least privilege.
Would you mind answering those two questions so I'm not missing any concepts ?
1. You mentioned about making the service account a member of the Domain Admins group, bypassing least privilege. Why would that affect delegating the GPO to the minions? - I thought the Full Control, Review, Approver etc roles provided the appropriate delegation of permissions and the service account side of things was separate ?
2. Another query - Why would you manually change the Domain Admins after deleting/controlling the GPO?
thank you for your help
We might end up giving them a call to make sure there's definitely no impact with that error message and to avoid bypassing least privilege.
Would you mind answering those two questions so I'm not missing any concepts ?
1. You mentioned about making the service account a member of the Domain Admins group, bypassing least privilege. Why would that affect delegating the GPO to the minions? - I thought the Full Control, Review, Approver etc roles provided the appropriate delegation of permissions and the service account side of things was separate ?
2. Another query - Why would you manually change the Domain Admins after deleting/controlling the GPO?
thank you for your help
Sorry I have been away.
1. A nuance of my setup. I have multiple AGPM instances for different areas of the company. They can create new GPO's but existing GPO's need to be delegated to their particular service accounts. It keeps them all happy knowing that others can't try take control of the GPO's they want to manage in their area. A bit of a pain really...
2. It is how we have it setup. All our GPO's have the owner set to Domain Admins until control is taken by AGPM.
1. A nuance of my setup. I have multiple AGPM instances for different areas of the company. They can create new GPO's but existing GPO's need to be delegated to their particular service accounts. It keeps them all happy knowing that others can't try take control of the GPO's they want to manage in their area. A bit of a pain really...
2. It is how we have it setup. All our GPO's have the owner set to Domain Admins until control is taken by AGPM.
ASKER
Hi Learnctx
No worries, hope it was a good day off.
thanks for explanations. With point 2, doesn't the agpm service account automatically take control from Domain Admins, rather than manually.
I'm just about to go through the process of creating a case with Microsoft, so if I find anything out one way or the other, I'll put an update on here !
Cheers
No worries, hope it was a good day off.
thanks for explanations. With point 2, doesn't the agpm service account automatically take control from Domain Admins, rather than manually.
I'm just about to go through the process of creating a case with Microsoft, so if I find anything out one way or the other, I'll put an update on here !
Cheers
Yes you are correct. I was just talking about when I un-control a GPO. It fails to apply the default owner back to what it was :) The same error you see when deleting.
ASKER
Apologies .. away for a while !!
ASKER
Indeed, I've tried both of those things. I Haven't tried running in 2008/2008 R2 though, but then I'd have to downgrade AGPM and that wouldn't support the 2012 R2 / Windows 8.1 CSE's so that's not an option. Although I'm assuming you're probably saying that the functionality might work in a previous version !
So basically, currently you reckon that the take ownership error isn't resolvable? Looking around the forums/TechNet, the advice is just to ensure the pre-reqs are done for the service account least privilege, yet my experience is the same as yours, the take ownership error message doesn't seem to hold back the actual task of deleting a GPO from Production and Archive. But the worry is, why is the Take Ownership subtask there in the first place - it must be in there for a reason. Unless the error message is erroneous - there were a few like that back in the XP SP3 days and it wasn't until calling MS Support that they said to ignore the error !