Re: Restricted Groups Not Working
- From: "Roger" <Roger@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 22 Apr 2005 08:43:09 -0700
Jody,
I was re-reading your original post and was struck by the log entry "this is
not the last GPO". So, my (obvious) question is: Is there another policy
that's being applied after this one that only affects the desktops, or that
could be "un-doing" the change you're trying to make?
Regarding the imaging process, if this sounds like a stupid question,
forgive me, but here goes: Does the base image (that gets ghosted) include
SP2? If not, then (from your last post) it sounds like you're relying on SUS
to apply SP2 and any other patches/hotfixes... Is that correct? If so, have
you tried a "gpupdate /replace"?
One last question. Have you tried running the GPMC's "Group Policy
Modeling" and "Group Policy Results" against one of the user accounts and
desktop machines?
Cheers,
Roger
"Jody" wrote:
> Roger,
> Yes, at the end of the ghost process sysprep is run, which changes the
> SIDs. Also all machines are running SP2 and with the latest hotfixes as
> provided by our SUS server. Also all machines are in the correct OU and
> serviced by the 'nottsxpadmins' policy.
> I can get the policy to apply to a machine occasionally but this seems to
> be intermittent.
> Any ideas??
>
> cheers
>
>
> Roger wrote:
> > Jody,
> >
> > These machines are built from "ghosted images" (assuming you're using
> > Symantec Ghost), so I'm assuming you're changing the SID's once the image is
> > transferred to the target machine? I know, it's one of those "dumb
> > questions", but sometimes ya just gotta ask...
> >
> > You said that this worked with laptops, but not desktops. Is the
> > "Notts-xpadmins" policy applied to the OU where the desktop machines are
> > located?
> >
> > On a related note, are all the machines (desktops and laptops) running XP
> > SP2? More to the point, are there any differences with respect to hot-fixes,
> > updates or service packs between the laptops and desktops?
> >
> > One other thing to consider: There has been quite a bit of traffic
> > regarding the use of both the "Members of this group" AND "This group is a
> > member of", especially when the "Administrator" group is involved.
> >
> > The way I approached this was:
> > 1) Created a "Global Security Group", and put all the "target" users into
> > that group
> > 2) Used GPMC to create a policy that modified the membership of the "local
> > Administrator" group in:
> > Computer Configuration | Windows Settings | Security Settings |
> > Restricted Groups
> > 3) When adding users to the "Administrators" group, remember that you can't
> > browse for that group, you have to type "Administrators".
> > 4) In the "Members of this group", browse for the "Global Security Group"
> > created in Step 1.
> > 5) Close the policy
> > 6) In the GPMC, apply the policy to the OU with the computers that are being
> > used by the "target" users. Note, if this is going to apply to all your
> > machines, you should be careful about applying this policy to the entire
> > domain.
> >
> > Very Important: The "Administrators" group contains the global group "Domain
> > Admins" by default; if you modify the membership of the "Administrators"
> > group via group policy, the membership becomes explicit. That is, any user
> > or group not listed in the policy will not be included in the
> > "Administrators" group, so remember to add "Domain Admins" to the
> > "Administrators" group.
> >
> > Roger
> >
> >
> > "Jody" wrote:
> >
> >
> >>In addition, I have been doing some further troubleshooting and have been
> >>able to get the restricted groups setting working on a load of laptops.
> >>The machines that I have the problem with are our build XP machines
> >>which are all created from a ghost image. The problem seems to lie with
> >>the machines that are all ghosted from this image.
> >>What on the client side could be causing this?
> >>
> >>cheers
> >>
> >>Jody wrote:
> >>
> >>>Roger wrote:
> >>>
> >>>
> >>>>Jody,
> >>>>
> >>>>Has the problem been resolved? If not, I may have a solution for you.
> >>>>
> >>>>"Nick Finco [MSFT]" wrote:
> >>>>
> >>>>
> >>>>
> >>>>>Can you work with the
> >>>>>C:\WINDOWS\security\templates\policies\gpt00000.dom template manually
> >>>>>via secedit /validate, /import, or /configure? If the template is
> >>>>>the issue, you can edit it and it will contain the GUID of the GPO
> >>>>>from which it came so you can fix manually in the sysvol or via
> >>>>>gpedit. If the template is fine,
> >>>>>%windir%\security\database\secedit.sdb might be corrupt. You might
> >>>>>be able to try using "esentutl /r edb" while in the %windir%\security
> >>>>>directory to recover it or refer to KB278316.
> >>>>>
> >>>>>N
> >>>>>
> >>>>>--
> >>>>>This posting is provided "AS IS" with no warranties, and confers no
> >>>>>rights. Any opinions or policies stated within are my own and do not
> >>>>>necessarily constitute those of my employer. Use of included script
> >>>>>samples is subject to the terms specified at
> >>>>>http://www.microsoft.com/info/cpyright.htm
> >>>>>
> >>>>>
> >>>>>"Jody Stoll" <jo@xxxxxxxxxxxxxxxx> wrote in message
> >>>>>news:ug%23AfLFPFHA.3880@xxxxxxxxxxxxxxxxxxxxxxx
> >>>>>
> >>>>>
> >>>>>>Hi,
> >>>>>>I'm trying through Group Policy to add a Security Group which I have
> >>>>>>created called Notts-xpadmins to the local administrators group on
> >>>>>>my XP workstations. I have created the group in AD and have assigned
> >>>>>>the users to the group through the 'Members of this Group' section
> >>>>>>in the Restricted Groups and specified 'administrators' in the 'This
> >>>>>>group is a member of' section.
> >>>>>>
> >>>>>>So far nothing is working, although the rest of the GP is working.
> >>>>>>I have researched this slightly and have turned on debugging so that
> >>>>>>I can see the winlogon.log file in the security folder. I am getting
> >>>>>>scecli 1202 events in the event log but cannot seem to see what the
> >>>>>>problem is. The MS article refers to the users/group being recently
> >>>>>>deleted in AD, but this is definitely not the case.
> >>>>>>
> >>>>>>Could it be a corrupted GP? If so, then it would be 2 separate GPs
> >>>>>>which are corrupted, as this is occurring with at least 2 GPs that I
> >>>>>>have tried.
> >>>>>>
> >>>>>>Although previously I have had this working by adding the Domain
> >>>>>>Users group to the local administrators group, I do not want to add
> >>>>>>domain users to local admins for obvious reasons.
> >>>>>>
> >>>>>>Please find below a copy of the winlogon.log file I have taken from my
> >>>>>>Win XP SP2 workstation.
> >>>>>>The MS KB article I have been using to troubleshoot is Q324383.
> >>>>>>
> >>>>>>The domain is Win2k3 running in full Native mode.
> >>>>>>
> >>>>>>Any help would be most gratefully received.
> >>>>>>
> >>>>>>cheers
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>**************************
> >>>>>>
> >>>>>>No template is defined in GPO
> >>>>>>\\i3.co.uk\SysVol\i3.co.uk\Policies\{5C036063-D807-4613-8A8D-80DC41C72395}\Machine.
> >>>>>>
> >>>>>>
> >>>>>>Make a local copy of
> >>>>>>\\i3.co.uk\sysvol\i3.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
> >>>>>>NT\SecEdit\GptTmpl.inf.
> >>>>>>GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
> >>>>>>
> >>>>>>Make a local copy of
> >>>>>>\\i3.co.uk\SysVol\i3.co.uk\Policies\{605E3F4E-F240-4E73-9A92-9DA478C00C93}\Machine\Microsoft\Windows
> >>>>>>NT\SecEdit\GptTmpl.inf.
> >>>>>>GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
> >>>>>>
> >>>>>>Process GP template gpt00000.dom.
> >>>>>>
> >>>>>>This is not the last GPO.
> >>>>>>-------------------------------------------
> >>>>>>08 April 2005 16:25:59
> >>>>>>Administrative privileged user logged on.
> >>>>>>Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
> >>>>>>Error 1208: An extended error has occurred.
> >>>>>>Error creating database.
> >>>>>>----Configuration engine was initialized with one or more errors.----
> >>>>>>
> >>>>>>
> >>>>>>----Un-initialize configuration engine...
> >>>>>>**************************
> >>>>>>
> >>>>>>No template is defined in GPO
> >>>>>>\\i3.co.uk\SysVol\i3.co.uk\Policies\{5C036063-D807-4613-8A8D-80DC41C72395}\Machine.
> >>>>>>
> >>>>>>
> >>>>>>Make a local copy of
> >>>>>>\\i3.co.uk\sysvol\i3.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
> >>>>>>NT\SecEdit\GptTmpl.inf.
> >>>>>>GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
> >>>>>>
> >>>>>>Make a local copy of
> >>>>>>\\i3.co.uk\SysVol\i3.co.uk\Policies\{605E3F4E-F240-4E73-9A92-9DA478C00C93}\Machine\Microsoft\Windows
> >>>>>>NT\SecEdit\GptTmpl.inf.
> >>>>>>GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
> >>>>>>
> >>>>>>Process GP template gpt00000.dom.
> >>>>>>
> >>>>>>This is not the last GPO.
> >>>>>>-------------------------------------------
> >>>>>>08 April 2005 16:26:05
> >>>>>>Administrative privileged user logged on.
> >>>>>>Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
> >>>>>>Error 1208: An extended error has occurred.
> >>>>>>Error creating database.
> >>>>>>----Configuration engine was initialized with one or more errors.----
> >>>>>>
> >>>>>>
> >>>>>>----Un-initialize configuration engine...
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>No, it still hasn't been resolved!
> >>
>
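Added example, not code from any post in this thread: a small Python model of what the two ways of configuring a Restricted Group discussed above do to the local Administrators group at policy refresh. Roger's approach restricts "Administrators" itself with a "Members of this group" list; Jody's approach restricts "Notts-xpadmins" with "This group is a member of" = Administrators. The model parses the [Group Membership] section that the GPO writes to GptTmpl.inf and applies it to a constructed starting membership. The INF snippets, the S-1-5-21 domain SID, the DOMAIN prefix and the current membership are all constructed for illustration; only S-1-5-32-544 is a real well-known SID, and the processing order (Members first, then Memberof) is this model's choice.

```python
"""Model what a Restricted Groups entry in GptTmpl.inf does to a local group.

Added example; not from the thread. SIDs, names and the INF snippets below are
constructed for illustration.
"""
import re

# Constructed SID-to-name table. The S-1-5-21 domain SID is made up; only
# S-1-5-32-544 (BUILTIN\Administrators) is a real well-known SID.
NAMES = {
    "*S-1-5-32-544": "Administrators",
    "*S-1-5-21-1111-2222-3333-512": "DOMAIN\\Domain Admins",
    "*S-1-5-21-1111-2222-3333-1001": "DOMAIN\\Notts-xpadmins",
}

# Roger's approach: restrict "Administrators" itself, Members = the global group.
INF_MEMBERS = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1001
"""

# Jody's approach: restrict the domain group, "This group is a member of" = Administrators.
INF_MEMBEROF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111-2222-3333-1001__Memberof = Administrators
*S-1-5-21-1111-2222-3333-1001__Members =
"""

KEY_RE = re.compile(r"^(?P<group>.+?)__(?P<kind>Members|Memberof)$")


def resolve(token):
    """Map a '*SID' token to a name; plain names (e.g. 'Administrators') pass through."""
    return NAMES.get(token, token)


def parse_group_membership(inf_text):
    """Return {group: {'members': list|None, 'memberof': list}} from [Group Membership].

    A '__Members' key that is present but empty is kept as an empty list: for a
    local group that still means "exactly these members", i.e. none.
    """
    policy = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section:
            continue
        key, _, value = line.partition("=")
        m = KEY_RE.match(key.strip())
        if not m:
            continue
        group = resolve(m["group"])
        entry = policy.setdefault(group, {"members": None, "memberof": []})
        items = [resolve(v.strip()) for v in value.split(",") if v.strip()]
        if m["kind"] == "Members":
            entry["members"] = items
        else:
            entry["memberof"] = items
    return policy


def apply_policy(local_groups, policy):
    """Simulate one policy refresh; returns (new_membership, removed).

    local_groups: {local group name: set of current members}.
    Modelled semantics:
      * '<G>__Members' on a local group G: G ends up with exactly that list,
        so anything not listed (including Domain Admins) is removed.
      * '<G>__Memberof = T': G is added to each group T; nothing else in T
        is touched.
    A '__Members' entry for a group that is not in the local SAM (a domain
    group such as Notts-xpadmins) is ignored here: the workstation cannot
    manage that group's membership.
    """
    new = {g: set(m) for g, m in local_groups.items()}
    removed = {}
    for group, entry in policy.items():
        if entry["members"] is not None and group in new:
            wanted = set(entry["members"])
            removed[group] = sorted(new[group] - wanted)
            new[group] = wanted
    for group, entry in policy.items():
        for target in entry["memberof"]:
            new.setdefault(target, set()).add(group)
    return new, removed


def simulate(inf_text, current=None):
    """Parse inf_text and apply it to a constructed starting membership."""
    if current is None:
        # Constructed: a fresh workstation whose Administrators group holds Domain Admins.
        current = {"Administrators": {"DOMAIN\\Domain Admins"}}
    return apply_policy(current, parse_group_membership(inf_text))


if __name__ == "__main__":
    for label, inf in (("Members", INF_MEMBERS), ("Memberof", INF_MEMBEROF)):
        new, removed = simulate(inf)
        print(label, "-> Administrators =", sorted(new["Administrators"]),
              "removed:", removed)
```

Running it shows the two outcomes side by side: with the Members list on "Administrators", Domain Admins is dropped unless it is listed too (Roger's "Very Important" point), while the Memberof form only adds Notts-xpadmins and leaves Domain Admins in place. To check a real policy, replace the constructed INF strings with the contents of the GptTmpl.inf under the GPO's SYSVOL path (or the local copy under %windir%\security\templates\policies), which is the same file secedit parses.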