Re: Default Domain Controllers Policy reverts to previous settings
- From: "Chriss3 [MVP]" <removethis_christoffer.andersson@xxxxxxxxxx>
- Date: Mon, 5 Feb 2007 18:56:01 +0100
Hello!
I don't think it's a good idea to use the setting "Enforce Policy" for the DDP and the DDCP. If auditing is defined in the DDP, it will take precedence over all other audit settings from any other GPO, except if a policy is linked more closely to the object and also has the "Enforce Policy" flag set.
Use RSOP (Result Set of Policies) to troubleshoot Group Policies. Use the following tools: RSOP.msc (Windows Server 2003, Windows XP) and gpresult (Windows 2000).
Search Google for gpresult and download the gpresult.exe for Windows 2000. These tools will help you determine how policy settings apply to your computers and servers.
--
Regards
Christoffer Andersson
Executive Consultant - TrueSec
Microsoft MVP - Directory Services
----------------------------------------------------------------
http://www.chrisse.se - Active Directory Resources
<kenz@xxxxxxxx> wrote in message news:ulpur25a5vscacuat5rqgfof5bjm763g65@xxxxxxxxxx
This one is driving me off the deep end, I hope someone has an idea on
this. Our forest is an empty root with three domains under it. In the
domain I manage both DDP and DDCP policies are enforced. Auditing
settings are defined in both policies, not my idea, I inherited this
config from previous administrators. What I need to accomplish is
this.
1) Create new auditing policy linked to the domain. (not enforced)
This is to allow sys-admins of member servers to audit additional
events as needed.
2) Remove all auditing policies from DDP.
3) Set auditing policies for the DCs to prevent event log overfill. So
I need to set a slightly different set of auditing policies in the
DDCP to accomplish this.
Everything worked great in the test forest, doesn't it always. When I
made the change in the production domain I found that the DDCP
auditing settings would revert to their previous settings within an
hour after change. The other DAs assure me that none of them are
running anything to affect the DDCP. At this point I can only assume
that it is something corrupt on one of my DCs. I have determined that
there are no morphed folders in any sysvol location.
Domain and forest are at Windows 2000 Native mode.
Domain contains a mix of Windows 2000 sp4 and Windows 2003 sp1 DCs
(Upgrade starts next year, yeah!)
5 DCs located in my central datacenter where I am at and another 90
DCs located around the country.
I am stumped at this point about what to look at next. And of course
management wants me to exhaust ALL avenues before they will let me open
a case with Microsoft.
Ken Zalewski