Restricted Group setting in GPO is not configured after domain join

    Question

  • Hi all,

    I'm configuring a GPO as part of a test environment in which I create a custom GPO within an OU. It configures fine and I can RDP (using the settings in the GPO) to the domain controller. However, when I add a computer to the AD domain, I cannot RDP using the user; I can log on locally, though. After looking into it further, I've found that the setting I have applied to my Restricted Group is not being brought across properly. The group I need is in the restricted group, but it is not appearing as a member of Administrators (in the "Member of" column). I have an 'X' in red next to the group giving the usual "check winlogon log file" message. The content of which is:

    *************************

    Make a local copy of \\shire6.vce\sysvol\shire6.vce\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkDomain 

    Make a local copy of \\shire6.vce\SysVol\shire6.vce\Policies\{6D41C716-CDD9-457E-AB89-02C4192226FF}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkOrganizationUnit 

    Process GP template gpt00000.dom.

    This is not the last GPO.
    -------------------------------------------
    Monday, April 27, 2015 3:36:03 PM
    Copy undo values to the merged policy.


    ----Un-initialize configuration engine...

    Process GP template gpt00001.inf.
    -------------------------------------------
    Monday, April 27, 2015 3:36:03 PM
    ----Configuration engine was initialized successfully.----

    ----Reading Configuration Template info...


    ----Configure User Rights...
    Configure S-1-5-32-545.
    remove SeInteractiveLogonRight.
    Configure S-1-5-32-551.
    remove SeInteractiveLogonRight.
    Configure S-1-5-32-555.
    remove SeRemoteInteractiveLogonRight.
    Configure S-1-5-21-330840483-2018858548-1314766947-1104.
    add SeInteractiveLogonRight.
    add SeRemoteInteractiveLogonRight.
    Configure S-1-5-32-544.

    User Rights configuration was completed successfully.


    ----Configure Group Membership...
    Configure SHIRE6\System_Admins.
    successfully added object to Administrators.
    new memberof tattoo list: *S-1-5-32-544,

    Group Membership configuration was completed successfully.


    ----Configure Security Policy...
    0
    Undo value for group policy setting <MinimumPasswordLength> was saved.
    0
    Undo value for group policy setting <PasswordHistorySize> was saved.
    42
    Undo value for group policy setting <MaximumPasswordAge> was saved.
    0
    Undo value for group policy setting <MinimumPasswordAge> was saved.
    1
    Undo value for group policy setting <PasswordComplexity> was saved.
    0
    Undo value for group policy setting <RequireLogonToChangePassword> was saved.
    0
    Undo value for group policy setting <ClearTextPassword> was saved.
    Configure password information.
    0
    Undo value for group policy setting <LockoutBadCount> was saved.
    0
    Undo value for group policy setting <ForceLogoffWhenHourExpire> was saved.
    Configure account force logoff information.

    System Access configuration was completed successfully.
    LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17)(A;;0x801;;;AC).
    0
    Undo value for group policy setting <LSAAnonymousNameLookup> was saved.
    Configure LSA anonymous lookup setting.
    Configure machine\system\currentcontrolset\control\lsa\nolmhash.
    Mismatch       - machine\system\currentcontrolset\control\lsa\nolmhash.
    Undo value for group policy setting <machine\system\currentcontrolset\control\lsa\nolmhash> was saved.

    Configuration of Registry Values was completed successfully.
    Configure event audit settings.
    0
    Undo value for group policy setting <AuditPrivilegeUse> was saved.
    0
    Undo value for group policy setting <AuditAccountLogon> was saved.

    Audit/Log configuration was completed successfully.


    ----Configure available attachment engines...

    Configuration of attachment engines was completed successfully.


    ----Un-initialize configuration engine...

    this is the last GPO.
    **************************

    Make a local copy of \\shire6.vce\sysvol\shire6.vce\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\shire6.vce\SysVol\shire6.vce\Policies\{6D41C716-CDD9-457E-AB89-02C4192226FF}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

    Process GP template gpt00000.dom.

    This is not the last GPO.
    -------------------------------------------
    Monday, April 27, 2015 3:42:06 PM
    Copy undo values to the merged policy.


    ----Un-initialize configuration engine...

    Process GP template gpt00001.inf.
    -------------------------------------------
    Monday, April 27, 2015 3:42:06 PM
    ----Configuration engine was initialized successfully.----

    ----Reading Configuration Template info...


    ----Configure User Rights...
    Configure S-1-5-21-330840483-2018858548-1314766947-1104.
    Configure S-1-5-32-544.

    User Rights configuration was completed successfully.


    ----Configure Group Membership...
    Configure SHIRE6\System_Admins.
    old memberof tattoo list: *S-1-5-32-544,
    object already member of Administrators.
    new memberof tattoo list: *S-1-5-32-544,

    Group Membership configuration was completed successfully.


    ----Configure Security Policy...
    Configure password information.
    Configure account force logoff information.

    System Access configuration was completed successfully.
    LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17)(A;;0x801;;;AC).
    Configure LSA anonymous lookup setting.
    Configure machine\system\currentcontrolset\control\lsa\nolmhash.

    Configuration of Registry Values was completed successfully.

    Audit/Log configuration was completed successfully.


    ----Configure available attachment engines...

    Configuration of attachment engines was completed successfully.


    ----Un-initialize configuration engine...

    this is the last GPO.

    Any help would be much appreciated.

    Thanks,

    Adrian




    • Edited by AJSandham Monday, April 27, 2015 11:56 PM
    Monday, April 27, 2015 11:42 PM
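
An added example, not part of the original post: a Python parser for the security-configuration log format quoted above. It reports which user rights the engine logged as added or removed for each principal and what it logged under Group Membership. The function name, the `TRACKED` tuple and the SID lookup table are this example's own; the sample lines are excerpted from the first pass of the log in the question.

```python
import re
from collections import defaultdict

# Well-known built-in SIDs seen in the quoted log (standard Windows values).
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}
TRACKED = ("User Rights", "Group Membership")

# Excerpt of the first processing pass from the question's log (some lines omitted).
SAMPLE = """\
----Configure User Rights...
Configure S-1-5-32-545.
remove SeInteractiveLogonRight.
Configure S-1-5-32-555.
remove SeRemoteInteractiveLogonRight.
Configure S-1-5-21-330840483-2018858548-1314766947-1104.
add SeInteractiveLogonRight.
add SeRemoteInteractiveLogonRight.
Configure S-1-5-32-544.
User Rights configuration was completed successfully.
----Configure Group Membership...
Configure SHIRE6\\System_Admins.
successfully added object to Administrators.
new memberof tattoo list: *S-1-5-32-544,
Group Membership configuration was completed successfully.
"""

def summarize(log_text):
    # Returns (rights, groups): principal -> [(action, right)], principal -> [result lines].
    rights, groups = defaultdict(list), defaultdict(list)
    section = principal = None
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith("----Configure "):
            section, principal = line[14:].rstrip("."), None   # e.g. "User Rights"
        elif line.endswith("completed successfully."):
            section = None                                     # section footer
        elif section not in TRACKED or not line:
            continue
        elif m := re.fullmatch(r"Configure (.+)\.", line):
            principal = WELL_KNOWN.get(m.group(1), m.group(1))
        elif principal and section == "Group Membership":
            groups[principal].append(line.rstrip(".,"))
        elif principal and (m := re.fullmatch(r"(add|remove) (Se\w+)\.", line)):
            rights[principal].append(m.groups())
    return dict(rights), dict(groups)
```

Run over the second pass quoted in the question, the same function returns no user-rights changes, and the Group Membership results include `object already member of Administrators`.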

All replies