hazymat (Member), Feb 11, 2008 at 1:49 am, #130299
Are you sitting comfortably?!
I’ve been using group policy for software installation for years, and I’m no stranger to security group filtering different packages within the same GPO, so that different computers in an OU can get different software.
Over the past few months I have been ‘cleaning up’ a domain since I started a new job, and part of this is dealing with the messiness of the group policies here. By the end of it, I hope to have a much smaller, more flexibly architected set of policies.
I have, however, hit a problem which I’ve now spent weeks trying to solve myself. Each time I come back to the problem, I get more and more deeply involved with the way in which group policy stores its data, but I haven’t found the solution (or even the reason!) yet.
Note 1: this problem is not an issue with group policy application
Note 2: over the weeks of research I have done on technet, etc, I have not found a single article that addresses my questions specifically, although many have helped me understand group policy in greater depth.
Note 3: I have used every MS tool I can lay my hands on to troubleshoot this problem, mainly dcgpofix.exe, gpotool.exe, gpmonitor.exe. There may be more though?
1) Create and link a new GPO to an OU that has a single test computer in.
2) Assign a software installation to the computer part of this GPO
3) Verify that group policy modelling picks up on this (run the query with all the default options, against the current DC, and using domain users and computers to pick up the settings rather than user and computer OUs).
4) Add the test computer to a test security group
5) Using the ACL editor for the software installation itself, remove ‘authenticated users’ from the list (first unticking “allow inheritable permissions…”).
6) Use GP modelling tool again to verify the software is no longer assigned to this computer
7) Now add back the test security group to the software installation in the GPO.
Tadaa – the group policy modelling tool should show the software application being assigned to the computer in question, but it doesn’t.
I don’t want to oversimplify at this point, but to write-out everything I have done to test and solve this problem would take an age.
Suffice to say I have delved deeply into ensuring that permission inheritance on SYSVOL folders is correct, and that GPMC correctly verifies permission synchronisation between Active Directory database objects and SYSVOL.
I have virtualised our two DCs in order to do some destructive testing, and still haven’t solved it.
Note: there are no other notable issues with the DCs that may affect this. For example, netdiag and dcdiag, SYSVOL FRS replication, and Active Directory replication are all healthy.
Background – at one point in the past, I had to rebuild SYSVOL using the burflags method. This went smoothly, and at first I thought this may have been the start of the above problem. However I have done so much validation of SYSVOL now that I am convinced the problem doesn’t lie there, although I may be wrong.
A friend suggested to me that I wireshark the unencrypted LDAP traffic between DCs as a next step. I guess I could do, but….
Does anyone have any ideas to throw my way?
p.s. I don’t want to use PSS!
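Added example (not part of hazymat's post, and using RSAT cmdlets that postdate it): a PowerShell script that inspects the per-package security filtering the steps above rely on directly in Active Directory, rather than only through Group Policy Modeling. Each assigned package lives as a packageRegistration object under CN=Packages,CN=Class Store,CN=Machine inside the GPO's container in CN=Policies,CN=System, and carries its own security descriptor; the script dumps that ACL, checks whether the test group has read access to each package, confirms the GPO itself still grants Apply Group Policy, and compares the stored descriptor across every DC so a replication mismatch shows up immediately. The GPO name "Test Software GPO" and the group "GPSI-Test" are placeholders; it assumes the ActiveDirectory and GroupPolicy modules are installed.

```powershell
# Added example, not from the original post. Placeholders: GPO and group names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName   = 'Test Software GPO'   # placeholder: the GPO created in step 1
$groupName = 'GPSI-Test'           # placeholder: the test security group from step 4

$gpo    = Get-GPO -Name $gpoName
$domain = Get-ADDomain
$gpoCN  = $gpo.Id.ToString('B').ToUpper()   # GPO GUID in {...} form, as used for the container CN
$packagesDN = "CN=Packages,CN=Class Store,CN=Machine,CN=$gpoCN,CN=Policies,CN=System,$($domain.DistinguishedName)"

# 1. Package filtering sits on top of GPO filtering: the computer must still be
#    allowed to apply the GPO as a whole, so list who holds Apply Group Policy.
Write-Host "Trustees with Apply Group Policy on '$gpoName':"
Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table Trustee, TrusteeType -AutoSize

# 2. Each software installation package is its own AD object with its own ACL.
$groupSid = (Get-ADGroup -Identity $groupName).SID
$dcs      = @((Get-ADDomainController -Filter *).HostName)
$readBit  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty  # also set inside GenericRead/GenericAll

$packages = Get-ADObject -SearchBase $packagesDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=packageRegistration)' -Properties packageName

if (-not $packages) {
    Write-Warning "No packageRegistration objects found under $packagesDN"
}

foreach ($pkg in $packages) {
    Write-Host "`nPackage: $($pkg.packageName)"
    Write-Host "DN:      $($pkg.DistinguishedName)"

    $acl = Get-Acl -Path "AD:\$($pkg.DistinguishedName)"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize

    # Does the test group (by SID, so renames do not matter) get to read the package object?
    $groupRead = $acl.Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid) -and
        (($_.ActiveDirectoryRights -band $readBit) -ne 0)
    }
    if ($groupRead) {
        Write-Host "OK: '$groupName' has read access to this package."
    } else {
        Write-Warning "'$groupName' has NO read access to this package; it will not be assigned to its members."
    }

    # 3. Compare the stored security descriptor on every DC. A difference means the
    #    ACL edit has not replicated (or was overwritten), which Modeling run against
    #    one DC would never reveal on its own.
    $sddls = foreach ($dc in $dcs) {
        $o = Get-ADObject -Identity $pkg.DistinguishedName -Server $dc -Properties nTSecurityDescriptor
        [pscustomobject]@{ DC = $dc; Sddl = $o.nTSecurityDescriptor.Sddl }
    }
    $distinct = @($sddls.Sddl | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Security descriptor for '$($pkg.packageName)' differs between DCs:"
        $sddls | Format-Table DC, Sddl -AutoSize -Wrap
    } else {
        Write-Host "Security descriptor identical on all $($dcs.Count) DC(s)."
    }
}
```

Run it from an elevated PowerShell session on a management host as a user who can read the Policies container. If step 2 warns that the group has no read access but the GUI shows the group listed, look at the ActiveDirectoryRights column: an ACE that grants only a specific property set or only ReadControl is not enough, and the Deny entries (filtered out above) can still override an Allow. A mismatch in step 3 points at AD replication of the package object's nTSecurityDescriptor, which is separate from the SYSVOL/FRS health checks already described in the post.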