Solved

Weird Issues with AD GPOs

Posted on 2016-09-12
Last Modified: 2016-09-12
Hey,

I am having sporadic problems with Active Directory, in particular the Group Policies. I have a couple of policies (folder redirection, drive mapping) that just will not get to the users/computers in question. If I do a Group Policy Modeling it says the computer applied the policies in question, but when I do a GPRESULT /R it's not listed, not even in the Denied section. I have other policies that map folders and drives and they are working no problem. Here is what I did to diagnose so far:

Checked security ACL on the affected users' home folder locations, all good (tested manually mapping the folder and accessing it with the user credentials, no issues)

Reapplied permissions to the affected users in question, no effect

Deleted and Recreated the Group Policies in question, no change

Checked Group Policy OU for security delegation issues, none found

Checked Event Log on Server/Workstations, found these events:

The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

On some computer accounts -----> The session setup from the computer HS-RM146-34 failed to authenticate. The name(s) of the account(s) referenced in the security database is HS-RM146-34$.  The following error occurred:
Access is denied.


I did find this on the DCs:

This is the replication status for the following directory partition on this directory server.
 
Directory partition:
CN=Schema,CN=Configuration,DC=prsdnj,DC=org
 
This directory server has not received replication information from a number of directory servers within the configured latency interval.
 
Latency Interval (Hours):
24
Number of directory servers in all sites:
1
Number of directory servers in this site:
1
 
The latency interval can be modified with the following registry key.
 
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
 
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
 
This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
Summary information on the number of these binds received within the past 24 hours is below.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
 
Number of simple binds performed without SSL/TLS: 0
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 3902

Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller PR-DC01.prsdnj.org for FRS replica set configuration information.
 
 The nTDSConnection object cn=986cb6b1-98dd-4e0f-a8f3-fcc735f37d7b,cn=ntds settings,cn=pr-dc01,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=prsdnj,dc=org is conflicting with cn=9a21485c-2617-48bc-9edc-627e9b92d57b,cn=ntds settings,cn=pr-dc01,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=prsdnj,dc=org. Using cn=986cb6b1-98dd-4e0f-a8f3-fcc735f37d7b,cn=ntds settings,cn=pr-dc01,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=prsdnj,dc=org

Any help would be greatly appreciated!
Question by: Jonathan Jones

5 Comments
 
LVL 16
ID: 41794220
Make sure the GPO is scoped for "Authenticated Users". If you don't want it to apply to all "authenticated users" go into delegation and set the "authenticated users" to not apply GPO. The rule is that "authenticated users" must be a part of every GPO though.

In the past it hasn't mattered, but a recent client side update has turned this into an issue (recent, as in within the last couple months). Microsoft's response on it is that the "authenticated users" group, which is the default for any new policy, should not be removed, but should be managed in delegation if you don't want a particular policy to apply.

I guess they figured that everyone was applying policy by OU linking and not via security groups.

MO
0
 

Author Comment

by:Jonathan Jones
ID: 41794301
Michael,

Thanks for the quick response!

I just checked the scope on the GPOs in question, they do have the Authenticated Users with READ on all the suspected OUs. Just delegated control of Authenticated Users to the entire domain to be sure, with Read and Password change checked. I reran Group Policy Results and Modeling, what I am seeing is that the descending OU that contains the users gets and processes the GPO without issue, BUT the actual users are not getting it at all now. I am starting to think it's a security permission on the AD forest, it's been passed down since 2003 with multiple Net Admins... Is there any Powerscript or way to reset the entire forest back to a default security state, and I could then just scope the GPOs to security groups again?

BELOW is the error the users get now:

Folder Redirection did not complete policy processing because the user needs to log on again for the settings to be applied. Group Policy will attempt to apply the settings at the user's next logon.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 9/12/2016 8:48:05 AM and 9/12/2016 8:48:05 AM.
0
 
LVL 16

Accepted Solution

by:
Michael Ortega (Internetwerx, Inc.) earned 500 total points
ID: 41794418
Ok, so the folder redirection policy is being seen by the client. This seems like a permission issue on the user share you're redirecting to. Can you verify permissions?

If the actual user folders were set up manually (manually is any process that wasn't the result of the actual GPO creating the folder) then the owner of the folders would not be set properly. The default configuration of the folder redirection setting is to "grant exclusive rights", so if the folders in question were created manually the owner would not be set to the user and the policy would fail to complete redirection...because grant exclusive rights would attempt to change ownership and it would fail doing that.

Couple things you can do:

1. You can remove all the user folders in the share and let the GPO create the folders for you, setting the exclusive rights to the user, or

2. You can remove the checkmark in the policy to grant exclusive rights, but you have to make sure that the users in question have modify rights at least so they can create folders and redirect their data.

MO
0
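The ownership and Modify-rights check the accepted answer describes, as an added PowerShell example that is not code from the original thread; the share path (\\PR-FS01\Users$), the folder-per-sAMAccountName layout and the PRSDNJ NetBIOS name are hypothetical.

```powershell
# Added example, not from the original thread. Reports every user folder under
# the redirection share whose owner or ACL would make "Grant the user exclusive
# rights" fail, and optionally repairs it. Hypothetical assumptions: the share is
# \\PR-FS01\Users$, each subfolder is named after the user's sAMAccountName, and
# the domain NetBIOS name is PRSDNJ.
param(
    [string]$ShareRoot     = '\\PR-FS01\Users$',
    [string]$DomainNetBios = 'PRSDNJ',
    [switch]$Fix
)

$modify = [System.Security.AccessControl.FileSystemRights]::Modify

foreach ($dir in Get-ChildItem -Path $ShareRoot -Directory) {
    $expected = "$DomainNetBios\$($dir.Name)"
    $acl      = Get-Acl -Path $dir.FullName

    # Folder Redirection with exclusive rights expects the user to own the folder.
    $ownerOk  = ($acl.Owner -ieq $expected)
    # And (remedy 2 in the answer) the user needs at least Modify via an Allow ACE.
    $modifyOk = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $expected -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band [int]$modify) -eq [int]$modify)
    })

    if ($ownerOk -and $modifyOk) { continue }

    # Emit one report row per folder that would fail redirection.
    [pscustomobject]@{
        Folder   = $dir.FullName
        Owner    = $acl.Owner
        OwnerOk  = $ownerOk
        ModifyOk = $modifyOk
    }

    if ($Fix) {
        $account = [System.Security.Principal.NTAccount]$expected
        # Assigning ownership to another principal requires SeRestorePrivilege,
        # which local Administrators on the file server hold.
        if (-not $ownerOk)  { $acl.SetOwner($account) }
        if (-not $modifyOk) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $account, $modify, 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
        }
        Set-Acl -Path $dir.FullName -AclObject $acl
    }
}
```

Run it without -Fix first to see which folders the policy would choke on; rows with OwnerOk = False are the manually created folders the answer refers to.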
 

Author Closing Comment

by:Jonathan Jones
ID: 41794544
Awesome info! Thanks sooo much, it was the folder permissions; as soon as I reset them it worked.
0
 
LVL 16
ID: 41794934
Glad that worked for you.

MO
0
