Hi Mat,
Quick question....
Have you tried to send an e-mail to the GPO group at Microsoft to see if they have encountered or can reproduce this problem?
[This was also posted at petri.co.il but no answers to the problem there.]
Are you sitting comfortably?!
Dear all
I've been using group policy for software installation for years, and I'm no stranger to security group filtering different packages within the same GPO, so that different computers in an OU can receive deployments of different software.
Over the past few months I have been 'cleaning up' a domain since I started a new job, and part of this is dealing with the messiness of the group policies here. By the end of it, I hope to have a much more lean, and more flexibly architected set of policies.
I have, however, hit a problem which I've now spent weeks trying to solve myself. Each time I come back to the problem, I get more and more deeply involved with the innards of GP object ACLs (in the Active Directory and SYSVOL), but I haven't found the solution (or even the reason!) yet.
Note 1: this problem is not an issue with group policy application
Note 2: over the weeks of research I have done on technet, etc, I have not found a single article that addresses my questions specifically, although many have helped me understand group policy in greater depth.
Note 3: I have used every MS tool I can lay my hands on to troubleshoot this problem, mainly dcgpofix.exe, gpotool.exe, gpmonitor.exe. There may be more though?
The problem:
1) Create and link a new GPO to an OU that has a single test computer in.
2) Assign a software installation to the computer part of this GPO
3) Verify that group policy modelling picks up on this (run the query with all the default options, against the current DC, and using domain users and computers to pick up the settings rather than user and computer OUs).
4) Add the test computer to a test security group
5) Using the ACL editor for the software installation itself, remove 'authenticated users' from the list (first unticking "allow inheritable permissions...").
6) Use GP modelling tool again to verify the software is no longer assigned to this computer
7) Now add back the test security group to the software installation in the GPO.
Tadaa - the group policy modelling tool should show the software application being assigned to the computer in question, but it doesn't.
If you then add back Authenticated Users to the ACL list of the software deployment itself (within the GPO), the GP Modelling tool still does not show the software installation (and obviously the computers don't receive the deployments in real life!)
I have checked that Authenticated Users has the correct permissions (list contents, read all properties, read permissions).
The only way to get GP Modelling to show the software package again is to reset the software installation's ACL list to defaults (i.e. security tab > advanced > default), which also resets the inheritance attribute.
To conclude, there must be something special happening when you click that 'default' button, something that simply cannot be replicated by adding the permissions manually.
I have put a filemon trace on the actions of changing permissions, but this doesn't throw up anything useful.
*tears hair out*
I don't want to oversimplify at this point, but to write-out everything else I have done to test and solve this problem would take an age.
Suffice to say I have delved deeply into ensuring that permission inheritance on SYSVOL folders is correct, and that GPMC correctly verifies permission synchronisation between Active Directory database objects and SYSVOL.
I have virtualised our two DCs in order to do some destructive testing, and still haven't solved it.
Note, there are no other notable issues with the DCs that may affect this. For example, netdiag and dcdiag, sysvol frs replication, and Active Directory replication are all healthy.
Background - at one point in the past, I had to rebuild SYSVOL using the burflags method. This went smoothly, and at first I thought this may have been the start of the above problem. However I have done so much validation of SYSVOL now that I am convinced the problem doesn't lie there, although I may be wrong.
A friend suggested to me that I wireshark the unencrypted LDP traffic between DCs as a next step. I guess I could do, but....
Does anyone have any ideas to throw my way?
I'm at my wit's end with this stupid issue!
Best,
Mat
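For anyone comparing what the 'default' button leaves behind with what a manual edit leaves behind, here is an added example (not code from this thread) that reads the DACL of every software-installation (packageRegistration) object under a GPO's Machine Class Store in Active Directory and reports the two things the post is juggling: whether inheritance is blocked on the object, and whether Authenticated Users still holds the three read rights the ACL editor shows (list contents, read all properties, read permissions). It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed; the GPO name is a placeholder.

```powershell
# Added example, not from the thread. Reports the AD-side DACL of each software
# installation object in a GPO. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoPackageAclReport {
    param(
        [Parameter(Mandatory)] [string] $GpoName
    )

    $gpo      = Get-GPO -Name $GpoName
    $domainDN = (Get-ADDomain).DistinguishedName
    # Software installation objects live under the GPO's Machine Class Store in AD.
    $packagesDN = "CN=Packages,CN=Class Store,CN=Machine,CN={$($gpo.Id)},CN=Policies,CN=System,$domainDN"

    # Rights Authenticated Users must hold for the package to be evaluated for a
    # computer: the same three rights listed in the ACL editor.
    $required = [System.DirectoryServices.ActiveDirectoryRights] 'ListChildren, ReadProperty, ReadControl'

    $packages = Get-ADObject -SearchBase $packagesDN -SearchScope OneLevel `
                             -Filter 'objectClass -eq "packageRegistration"' `
                             -Properties displayName

    foreach ($pkg in $packages) {
        $acl = Get-Acl -Path ("AD:\" + $pkg.DistinguishedName)

        # Fold together every Allow ACE granted to Authenticated Users, explicit or
        # inherited (object-specific ACEs are folded in too), then test the required subset.
        $authUsersRights = 0
        $allowEntries = @()
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $allowEntries += "$($ace.IdentityReference): $($ace.ActiveDirectoryRights)" +
                             $(if ($ace.IsInherited) { ' (inherited)' } else { '' })
            if ($ace.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users') {
                $authUsersRights = $authUsersRights -bor [int]$ace.ActiveDirectoryRights
            }
        }

        [pscustomobject]@{
            Package            = $pkg.displayName
            DistinguishedName  = $pkg.DistinguishedName
            InheritanceBlocked = $acl.AreAccessRulesProtected   # true after unticking "allow inheritable permissions"
            AuthUsersHasRead   = (($authUsersRights -band [int]$required) -eq [int]$required)
            AllowEntries       = ($allowEntries -join '; ')
        }
    }
}

# Usage (placeholder GPO name; point it at the GPO from the test above):
Get-GpoPackageAclReport -GpoName 'TEST-Software-Deploy' | Format-List
```

Run it once after step 5, once after step 7 and once after pressing 'default', and diff the three reports; if the ACE lists come out identical but the behaviour differs, the difference is not in the AD object's DACL and the SYSVOL folder ACL (which this script does not read) is the next place to look.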
Hey,
> Originally Posted by JerryC
> Quick question....
> Have you tried to send an e-mail to the GPO group at Microsoft to see if they have encountered or can reproduce this problem?
Thanks for the pointer. I found the Windows Server 2008 Technet forum, the group policy team blog, and other communities listed on the Windows Server Group Policy technet page. Is there something else I am missing?
I'd love to know if there is a vaguely 'official' place to post this kind of issue, but obviously it doesn't come under Win 2008 Server GP forum.
Any ideas?