Incorrect inheritance has broken things..

By TechieRob
Hey all

I run a smallish network (40 odd users) and Windows 2000 Advanced Server with Active Directory. I have basically grouped PCs into separate OUs based on their role and OS version. The other day I was trying out some 'new' security templates from Microsoft
http://go.microsoft.com/fwlink/?LinkId=14840

I created an OU called "test environment" and placed my own machine in there... created a new Group policy and applied the "Enterprise - client - desktop" template to it and refreshed the group policy to my machine. Unfortunately that same Group policy found its way into the other OUs and managed to apply itself to a number of our 2000 clients causing the following to happen:

Outlook comes up with a password prompt (user, password and domain) and nothing will authenticate with it properly.
IE refuses to work citing a DNS error.
"net use" becomes an unsupported command when trying to connect to remote drives.

I checked the event log and found that part of the problem was that "a user account in the group policy could not be resolved to a SID", so I dug through the group policy itself and tried to resolve it by first removing the accounts from the user rights assignment, then adding all the valid accounts. Refreshing the policy on the 2000 clients seemed to work, so I quickly deleted the link to the incorrect group policy and just have the "default domain policy" (which is unchanged) applied.

The only problem is that the problem has reared its ugly head again today and I cannot get it fixed despite what I do. I figure it's not a GP error now as the other 2000 clients are fine...

I can't seem to wrap my head around this one.


by BFilmFan In reply to Incorrect inheritance has ...

Do you have more than one domain controller in the environment? If you do, the GPO could still be in existence on another domain controller which has not yet replicated with the one that has removed the policy. I would check the PDC Emulator as the most likely culprit to be holding a copy of the GPO.

Where did you create and apply the GPO? Did you create links from the GPO to other OU objects? Since you said that it applied to other systems, you either created it on an OU holding other OUs or it was linked to other OUs.

Did you create a separate GPO for this template or did you import it into an already existing GPO?

If the administrative template "tattooed" the registry of the systems to which it was applied, that change is permanent. You may have to manually change the registry back, depending upon which settings you changed.

If you could provide more information on exactly which template was applied and where, I could advise a more complete course of action.

An additional note of advice would be to pick up a copy of VMWare with 5 licenses. Then you could model your changes and test the effects without introducing a potential issue into the environment.
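The two checks BFilmFan raises (where is the GPO actually linked, and is the copy in Active Directory consistent with the copy in SYSVOL) can be scripted. The following is an added example, not code from the thread; it assumes a domain-joined admin workstation with the RSAT GroupPolicy and ActiveDirectory modules, and the GPO name is taken from the thread and can be changed.

```powershell
# Added example (not from the thread). Audits every link of one GPO across the
# domain root and all OUs, then checks that the GPO's AD and SYSVOL versions agree.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Enterprise Client - Desktop'   # name from the thread; change as needed
$gpo = Get-GPO -Name $gpoName -ErrorAction Stop

# Link targets to inspect: the domain root plus every OU.
$targets = @((Get-ADDomain).DistinguishedName) +
           (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

# Report each container that links this GPO. A link on the domain root or on a
# parent OU is what lets a "test" policy reach child OUs through inheritance.
$links = foreach ($dn in $targets) {
    $inheritance = Get-GPInheritance -Target $dn
    foreach ($link in $inheritance.GpoLinks) {
        if ($link.GpoId -eq $gpo.Id) {
            [pscustomobject]@{
                Target   = $dn
                Enabled  = $link.Enabled
                Enforced = $link.Enforced
                Order    = $link.Order
                # Number of OUs beneath this target that will inherit the link.
                Children = (Get-ADOrganizationalUnit -Filter * -SearchBase $dn -SearchScope Subtree).Count
            }
        }
    }
}
$links | Format-Table -AutoSize

if ($links.Count -gt 1) {
    Write-Warning "'$gpoName' is linked in $($links.Count) places; expected exactly one test OU."
}

# Version skew between the AD object and the SYSVOL folder means clients may
# still be reading an older copy (BFilmFan's replication point).
if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) {
    Write-Warning ("Computer settings: AD version {0} vs SYSVOL version {1}" -f
                   $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion)
}

# Confirm what a given client actually received, rather than what the links say.
# Replace the placeholder with a real computer name.
Get-GPResultantSetOfPolicy -Computer 'CLIENT01-PLACEHOLDER' -ReportType Html -Path "$env:TEMP\rsop.html"
```

Run this before and after unlinking a policy: a link count above one, or a link whose target has many child OUs, explains the behaviour described in the original post, and the RSoP report shows whether the client still holds the policy after the link is gone.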

by TechieRob In reply to

Thanks for such a quick reply. Note that since my computer is playing up also, I do not receive email notifications purely due to Exchange not letting me in.

The domain I manage only has one domain controller, so luckily these settings didn't replicate through to another domain. The GPO in question was created from new, the template in question is called "Enterprise Client - Desktop" (from Microsoft's security hardening guide) and this template was imported into the Windows Settings > Security Settings part. I have a copy of this template that I can email through, because I wouldn't have a clue where to start in the registry; I do not know what the default values would be for what has changed.

The real pain of it is the fact that the OU that I created for the "test environment" was at the end of the tree, meaning that the inheritance really should never have propagated. The whole idea behind that OU was that I do not have access to VMware or similar; and if I broke one computer (being mine) I figured it wouldn't be an inconvenience to anyone else.

Is there any way of restoring a registry without having to reinstall?? or should I dig out my magnifying glass on this one?
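The problem TechieRob describes, not knowing the pre-change values once a security template has tattooed a machine, is exactly what a saved baseline answers. The following is an added example, not code from the thread; it uses the built-in secedit.exe (present on Windows 2000 and later), and the file paths are chosen for this example.

```powershell
# Added example (not from the thread). Capture a machine's security settings
# before testing a template, diff against that baseline afterwards, and restore.
$dir      = 'C:\gpo-test'                 # example location, not from the thread
$baseline = Join-Path $dir 'baseline.inf'
$db       = Join-Path $dir 'analysis.sdb'
$log      = Join-Path $dir 'analysis.log'
New-Item -ItemType Directory -Force -Path $dir | Out-Null

# 1. BEFORE applying the template: export the current effective security
#    settings (account policy, user rights, event log, registry values, services).
secedit /export /cfg $baseline

# 2. AFTER the template has been applied and the GPO link removed: compare the
#    live machine against the saved baseline. Every line marked "Mismatch" in
#    the log is a setting the template changed and the unlink did not revert.
secedit /analyze /db $db /cfg $baseline /log $log
Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line }

# 3. Restore only if the mismatches are the tattooed settings you want back.
#    /overwrite discards the analysis database contents before importing the
#    baseline, so only the baseline's values are applied.
secedit /configure /db $db /cfg $baseline /overwrite /log $log

# Optional: limit the restore to the area the original post fought with.
# secedit /configure /db $db /cfg $baseline /overwrite /areas USER_RIGHTS /log $log
```

Without a baseline taken beforehand, the same export from an untouched client in the same OU (one that never received the GPO) is the closest substitute: export there, copy the .inf to the broken machine, and run the analyze step against it to list the differences before deciding what to change.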

by TechieRob In reply to Incorrect inheritance has ...

This question was closed by the author
