Re: GPO w/ Security Filter creates WMI disaster
- From: "Darren Mar-Elia (MVP)" <dmanonymous@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 16 May 2006 20:00:27 -0700

Problem #1 is as expected. Security policy does not undo itself because it
does not keep track of what its state was before. Obviously you could have
any local group membership in place before you applied restricted groups, so
it doesn't keep track of that. You have to explicitly change the group
membership, either with another policy or a script, to "undo" the policy.

Problem #2 sounds weird. Did you do anything else in that GPO other than the
aforementioned restricted group policy? It almost sounds like a combination
of things. For example, Windows Firewall being enabled with no exceptions
would result in remote RSOP or remote desktop not working and WMI not being
remotely accessible, but that is not related to restricted groups.

Darren
--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
And, the Windows Group Policy Guide is out from Microsoft Press!!! Check it
out at http://www.microsoft.com/mspress/books/8763.asp
GPOGUY Blog: http://blogs.dirteam.com/blogs/gpoguy
"KH" <KH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A0603A28-B4FA-4859-B6CA-1044E6C4B2B2@xxxxxxxxxxxxxxxx
( FYI : This is a new AD domain setup w/ an equally new SMS 2003
deployment )

I created a simple GPO that only does one thing - performs a "Member of"
Group Restriction to add domain group "Temp Local Admins" to the local
Administrator group.

I filter this GPO based on Computer name and used a couple of workstations
in a lab OU. If there is a better way to apply a GPO to a subset of
computers based on their NetBIOS name, I'll do it. Using the security filter
in the GPMC seemed the most straightforward method, but it's really created
a big mess.

Problem 1 :
GPO works properly when assigned and the filter works initially, but when I
change the Security Filter, say to take out one of the two lab PCs to verify
the setting doesn't stick, the setting still sticks to the system no longer
in the security filter list. The change is still there after verifying w/
gpresult that the GPO should filter out.

Problem 2 :
The following errors appeared on every PC the GPO was applied to. Systems
in the lab OU that never met the filter criteria do not have any of these
errors. Along w/ these error messages, GPOs were not applied, I couldn't
view my XP firewall settings, and I couldn't Remote Desktop into either PC.

Windows couldn't log the RSoP (Resultant Set of Policies) session status.
An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.
**
Windows cannot perform filter check for Group Policy object cn=
**
WinMgmt could not initialize the core parts. This could be due to a badly
installed version of WinMgmt, WinMgmt repository upgrade failure,
insufficient disk space or insufficient memory.
( tried JSI #7751 to fix this, but no good )
**
Windows cannot display the properties of this connections. The Windows
Management Instrumentation (WMI) information might be corrupted. To
correct this, use System Restore to restore Windows to an earlier time
(called a restore point). System Restore is located in the System
Tools folder in Accessories.
**
When viewing network properties, receive "WMI might be corrupted..."
( JSI #7080 does fix this problem )
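
The reply above says a Restricted Groups setting has to be undone explicitly, "either with another policy or a script". The following is an added example of such a cleanup script, not code from the thread or from either poster. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets); the domain name `EXAMPLE` and the computer name in `$StillFiltered` are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run on the affected workstation, or as a
# computer startup script linked to the lab OU.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder domain; the group name is the one from the original post.
    [string]$Group = 'EXAMPLE\Temp Local Admins',
    # Constructed names: machines that are still in the GPO's security filter.
    [string[]]$StillFiltered = @('LABPC01')
)

$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Machines the GPO still targets keep the membership; the policy would only
# put it back at the next refresh anyway.
if ($StillFiltered -contains $env:COMPUTERNAME) {
    Write-Output "$env:COMPUTERNAME is still in scope; leaving membership alone."
    return
}

# Restricted Groups leaves the membership behind once the GPO stops applying,
# so look for the leftover entry instead of assuming it is there.
$leftover = Get-LocalGroupMember -SID $adminsSid |
    Where-Object { $_.ObjectClass -eq 'Group' -and $_.Name -eq $Group }

if (-not $leftover) {
    Write-Output "$Group is not in local Administrators on $env:COMPUTERNAME."
    return
}

# -WhatIf on the script shows the pending change without making it.
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Remove $Group from Administrators")) {
    Remove-LocalGroupMember -SID $adminsSid -Member $Group -ErrorAction Stop
    Write-Output "Removed $Group from local Administrators."
}

# List what remains so it can be compared with the gpresult output.
Get-LocalGroupMember -SID $adminsSid |
    Select-Object Name, ObjectClass, PrincipalSource
```

Running it with `-WhatIf` first reports whether the leftover membership exists without changing anything.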