Thursday, January 24, 2013

Group Policy Objects not applying and Domain Admins missing from local administrators group on Server 2008

Recently I had this issue where I had added a server to a domain and everything had gone smoothly, or so it seemed…

The server had been running for a while as a standalone server, and had been doing so successfully and uneventfully.

So now that I had added the server to the domain, I could log on as a Domain Administrator and everything seemed good. The problems started when I tried to deploy GPOs: other machines in the domain were happily accepting the GPOs and applying them, but this server was not.

The GPO in question added a group to the local Administrators group; this was to do with an external trust that had been set up. I discuss this here.

In addition I noticed that I could not remotely browse to shares on the server. I cannot guarantee this issue was not there before (I don't think it was, as I am sure it would have driven me mad earlier).

So I went looking for information in the event viewer… strangely, no errors. I then began looking for logs that would help me resolve this issue, and found that there are a number of logs you can switch on which provide more information. I found this page on the Microsoft site which lists a lot of logs.

I chose to enable only one:

Group Policy core (UserEnv) and registry CSE

I found I had to change the registry entry and then reboot the server; the page seems to imply you can just run gpupdate, but that did not work in my case. Once the machine had rebooted I also found the log file was not called userenv.log but gpsvc.log (the location was correct, C:\Windows\debug\UserMode\).

On inspecting the log, which has a ton of information, I found one interesting line:

GPO <PolicyName> doesn't contain any data since the version number is 0.  It will be skipped.

This did not seem right, so I started trying to track the issue down. Everything this seemed to lead to was about VMs, but this wasn't a VM… though I had a feeling an image had been used to create this server, so it seemed plausible that the issue was the same thing. The problem is to do with duplicate SIDs. I wasn't seeing any information (event logs) to say that was the issue, but I was running out of options.

So I ran sysprep.exe with the Generalize option. The server reboots, and of course all settings have been reset. I had to rename the machine back, and I had to fix up the networking (teaming had broken) as the network devices had been re-added with different IDs. Then I added the server to the domain again (I had to delete the old server listing from the domain controller prior to this). All good. Looking at the local Administrators group, the Domain Admins group is now appearing, and the group I wanted added by GPO has also been added.
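The steps above (switch on the Group Policy service log, reboot, look for the "version number is 0" line, then check whether the box shares a machine SID with the image it was built from) can be scripted. The PowerShell below is an added example written for this post, not something from the original article or from Microsoft. It assumes the documented GPSvcDebugLevel value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics, which the post itself does not name (it only says "the registry entry"), and it assumes the log lands at %windir%\debug\UserMode\gpsvc.log as the post found. The function names are my own.

```powershell
# Added example, not from the original post. Assumes Windows Server 2008-era
# PowerShell 2.0 and the documented GPSvcDebugLevel value, which the post does
# not name; verify the key against Microsoft's Group Policy logging docs.

$DiagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$LogPath = Join-Path $env:windir 'debug\UserMode\gpsvc.log'

function Enable-GPSvcLogging {
    # 0x30002 turns on verbose Group Policy service logging to gpsvc.log.
    # As the post notes, gpupdate alone was not enough; a reboot was needed.
    if (-not (Test-Path $DiagKey)) { New-Item -Path $DiagKey -Force | Out-Null }
    Set-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -Value 0x30002 -Type DWord
    Write-Host "GPSvc logging enabled. Reboot, then run Find-SkippedGpo."
}

function Disable-GPSvcLogging {
    # Remove the value when finished: the log grows fast and records policy detail.
    Remove-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
}

function Find-SkippedGpo {
    param([string]$Path = $LogPath)
    # Pull out the line the post found: a GPO skipped because its version is 0.
    if (-not (Test-Path $Path)) {
        throw "Log not found at $Path (enable logging and reboot first)."
    }
    Select-String -Path $Path -Pattern "GPO (.+?) doesn't contain any data since the version number is 0" |
        ForEach-Object {
            New-Object PSObject -Property @{
                Line = $_.LineNumber
                GPO  = $_.Matches[0].Groups[1].Value
            }
        }
}

function Get-MachineSid {
    # The machine SID is the built-in Administrator's SID (RID 500) with the RID
    # removed; this works even if that account has been renamed. Run it on the
    # suspect server and on another server built from the same image: identical
    # values mean the image was never generalised, which is what the post hit.
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like '*-500' }
    return $admin.SID -replace '-\d+$', ''
}
```

Usage: run Enable-GPSvcLogging, reboot, then Find-SkippedGpo to confirm the skipped policy and Get-MachineSid on both machines to confirm the duplicate. If the SIDs match, the fix is the one the post describes: Sysprep with Generalize, then re-join the domain after removing the stale computer account. Run Disable-GPSvcLogging afterwards so the verbose log does not keep growing.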

So all of my problems were caused by duplicate SIDs; I just wish there was a more obvious error to point you in that direction.
