Re: Restricted Groups Not Working
- From: Jody <jo@xxxxxxxxxxxxxxxx>
- Date: Tue, 26 Apr 2005 09:19:52 +0100
Roger,
I've read Todds post and can verify that:
1:name resolution is not an issue and neither is DNS as this is all configured correctly.
2:Please bear in mind that 90% of the policy is applying it only seems to be the restricted groups section that isnt taking effect and 'allow to load and unload device drivers' which also doesnt seem to be working.
3:The way the policies are is that at my departmental OU i have a Computer policy for all the PC's ie with SUS server settings etc etc and restricted groups. Then for each seperate 'Team'(OU) within the department I have User policies depending on their specific needs. Within the computer policy the user settings are disabled and for each 'Team' user policy then the computer policy is disabled
4:SP2 is on the ghost image and not being rolled out by SUS however hotfixes are rolled out by SUS.
5:The same computer policy sometimes will apply to a machine but 9 times out of 10 it wont. My own personal laptop that I use I can get it to apply everytime when i place the computer account in the department OU. So it would seem to suggest that it is something local to my ghost image. (But i'll be damned if I know what)!! Norton antivirus Corporate edition is also installed but no Firewall.
6:On the ghost Image Novell Client 4.90 is installed along with Novell Zenworks Agents. (However this is also true of my laptop)and other machines where i have had the policy to work.
7:I have run RSOP and all seems to be OK
HELP!
Roger wrote:
Jody,
Todd Heron wrote an excellent checklist on page 1 of this group. Look for the entry "Domain Users into Local Admins".
Cheers,
Roger
"Jody" wrote:
Roger,
Yes at the end of the ghost process sysprep is run which changes the sid id's. Also all machines are running SP2 and with the latest hotfixes as provided by our SUS server. Also all machines are in the correct OU and serviced by the 'nottsxpadmins' policy.
I can get the policy to apply to a machine occasionly but this seems to be intermittent.
Any idea's??
cheers
Roger wrote:
Jody,
These machines are built from "ghosted images" (assuming you're using Symantec Ghost), so I'm assuming you're changing the SID's once the image is transferred to the target machine? I know, it's one of those "dumb questions", but sometimes ya just gotta ask...
You said that this worked with laptops, but not desktop. Is the "Notts-xpadmins" policy applied to the OU where the desktop machines are located?
On a related note, are all the machines (desktops and laptops) running XP SP2? More to the point, are there any differences with respect to hot-fixes, updates or service packs between the laptops and desktops?
One other thing to consider: There has been quite a bit of traffic regarding the use of both the "Members of this group" AND "This group is a member of", especially when the "Administrator" group is involved.
The way I approached this was:
1) Created a "Global Security Group", and put all the "target" users into that group
2) Used GPMC to create a policy that modified the membership of the "local Administrator" group in:
Computer Configuration | Windows Settings | Security Settings | Restricted Groups
3) When adding users to the "Administrators" group, remember that you can't browse for that group, you have to type "Administrators".
4) In the "Members of this group", browse for the "Global Security Group" created in Step 1.
5) close the policy
6) In the GPMC, apply the policy to the OU with the computers that are being used by the "target" users. Note, if this is going to apply to all your machines, you should be careful about applying this policy to the entire domain.
Very Important: The "Administrators" group contains the global group "Domain Admins" by default, if you modify the membership of the "Administrators" group via group policy, the membership becomes explicit. That is, any user or group not listed in the policy will not be included in the "Administrators" group, so remember to add "Domain Admins" to the "Administrators" group.
Roger
"Jody" wrote:
In addition, i been doing some further troubleshooting and have been able to get the restricted groups setting working on a load of laptops. The machines that I have the problem with are our build xp machines which are all created from a ghost image. the problem seems to lie with the machines that are all ghosted from this image.
What on the client side could be causing this?
cheers
Jody wrote:
Roger wrote:
No,still not been able to be resolved!Jody,
Has the problem been resolved? If not, I may have a solution for you.
"Nick Finco [MSFT]" wrote:
Can you work with the C:\WINDOWS\security\templates\policies\gpt00000.dom template manually via secedit /validate, /import, or /configure? If the template is the issue, you can edit it and it will contain the GUID of the GPO
from which it came so you can fix manually in the sysvol or via
gpedit. If the template is fine, %windir%\security\database\secedit.sdb might be corrupt. You might be able to try using "esentutl /r edb" while in the %windir%\security directory to recover it or refer to KB278316.
N
--
This posting is provided "AS IS" with no warranties, and confers no rights. Any opinions or policies stated within are my own and do not necessarily constitute those of my employer. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
"Jody Stoll" <jo@xxxxxxxxxxxxxxxx> wrote in message news:ug%23AfLFPFHA.3880@xxxxxxxxxxxxxxxxxxxxxxx
Hi ,
I'm trying through Group policy to add a Security Group which I have created called Notts-xpadmins to the local administrators group on my xp workstations. I have created the group in ad and have assigned the users to the group through the 'Members of this Group' section in the Restricted groups and specified 'administrators' in the 'This group is a member of '
So far nothing is working although the rest of the GP is working.
I have researched this slighly and have turned on debugging so that I can see the winlogon.log file in the security folder. I am getting scecli 1202 events in the eventlog but cannot seem to see what the problem is. The MS article refers to the users/group being recently deleted in AD but this is definately not the case.
Could it be a corrupted GP? If so then it would be 2 separate GPs which are corrupted as this is occuring with at least 2 GP's that I have tried.
Although previously I have had this working by using the Domain Users group to the local administrators group I do not want to add domain users to local admins for obvious reasons.
Please find below a copy of the winlog.log file i have taken from my win xp sp2 workstation
The MS KB article I have been using to troubleshoot is Q324383.
The Domain is Win2k3 running in full Native mode.
Any help would be most gratefully recieved.
cheers
**************************
No template is defined in GPO \\i3.co.uk\SysVol\i3.co.uk\Policies\{5C036063-D807-4613-8A8D-80DC41C72395}\Machine.
Make a local copy of \\i3.co.uk\sysvol\i3.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
Make a local copy of \\i3.co.uk\SysVol\i3.co.uk\Policies\{605E3F4E-F240-4E73-9A92-9DA478C00C93}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
Process GP template gpt00000.dom.
This is not the last GPO. ------------------------------------------- 08 April 2005 16:25:59 Administrative privileged user logged on. Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom. Error 1208: An extended error has occurred. Error creating database. ----Configuration engine was initialized with one or more errors.----
----Un-initialize configuration engine... **************************
No template is defined in GPO \\i3.co.uk\SysVol\i3.co.uk\Policies\{5C036063-D807-4613-8A8D-80DC41C72395}\Machine.
Make a local copy of \\i3.co.uk\sysvol\i3.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
Make a local copy of \\i3.co.uk\SysVol\i3.co.uk\Policies\{605E3F4E-F240-4E73-9A92-9DA478C00C93}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
Process GP template gpt00000.dom.
This is not the last GPO. ------------------------------------------- 08 April 2005 16:26:05 Administrative privileged user logged on. Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom. Error 1208: An extended error has occurred. Error creating database. ----Configuration engine was initialized with one or more errors.----
----Un-initialize configuration engine...
.
- References:
- Restricted Groups Not Working
- From: Jody Stoll
- Re: Restricted Groups Not Working
- From: Nick Finco [MSFT]
- Re: Restricted Groups Not Working
- From: Roger
- Re: Restricted Groups Not Working
- From: Jody
- Re: Restricted Groups Not Working
- From: Jody
- Re: Restricted Groups Not Working
- From: Roger
- Re: Restricted Groups Not Working
- From: Jody
- Re: Restricted Groups Not Working
- From: Roger
- Restricted Groups Not Working
- Prev by Date: Re: Restricted Groups Not Working
- Next by Date: RE: User GPOs getting applied to all users on a system
- Previous by thread: Re: Restricted Groups Not Working
- Next by thread: Re: Restricted Groups Not Working
- Index(es):
Relevant Pages
|
