Group policies randomly not applying

    Question

  • Hi, in our environment group policies are randomly not applying. After running the BPA on each domain controller it is reporting an error:

    "Domain Controller <DC-Name> does not have user right “Access this computer from the network” granted to ‘Builtin Administrators,’ ‘Enterprise Domain Controllers,’ or ‘Authenticated Users,’ or have the user right “Deny Access to this computer from the network” assigned to either of those groups or ‘Everyone.’ "

    After checking the local security policies, the 2 groups ‘Builtin Administrators’ and ‘Enterprise Domain Controllers’ have been removed. What is the effect of removing these 2 groups?

    Thursday, December 17, 2015 9:25 AM

Answers

  • Hello Pete.75,

    The answer to your question on what is the effect of removing these 2 groups?

    Here is a document with that info:
    AD DS: This domain controller must have "Access this Computer from the Network" granted to the appropriate security principals
    https://technet.microsoft.com/en-us/library/ff646935%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Impact

    Replication operations initiated by other domain controllers in the domain or by administrators may fail. Users and computers may also experience failure to apply Group Policy objects.          

    Two of the most common root causes of domain controller replication failure are not having the “Access this computer from the network” user right granted to the ‘Builtin Administrators,’ ‘Enterprise Domain Controllers,’ or ‘Authenticated Users’ security groups or having the ‘Enterprise Domain Controllers,’ ‘Everyone,’ ‘Builtin Administrators,’ or ‘Authenticated Users’ security groups in the settings of the “Deny access to this computer from network” user right. Any domain controller trying to replicate from a domain controller with the aforementioned policy setting may fail, and users and computers may also experience failure to apply Group Policy objects.



    If your GPOs are not applying randomly, this could be due to a bad replication of the GPO objects within the SYSVOL folder between your Domain Controllers.

    I hope this information helps you to reach your goal. :D

    5ALU2 !
    Wednesday, January 6, 2016 9:59 PM
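
A way to check the two user rights named in the BPA message on a domain controller, as an added example that is not part of the original thread or of Microsoft's documentation. It parses the `[Privilege Rights]` section of a `secedit /export` file; the function names and the sample line are constructed for illustration, and the check assumes all three principals from the message are expected in the allow right.

```powershell
# Well-known SIDs of the principals named in the BPA message.
$Required = [ordered]@{
    'S-1-5-32-544' = 'Builtin Administrators'
    'S-1-5-9'      = 'Enterprise Domain Controllers'
    'S-1-5-11'     = 'Authenticated Users'
}
$NeverDeny = [ordered]@{
    'S-1-5-32-544' = 'Builtin Administrators'
    'S-1-5-9'      = 'Enterprise Domain Controllers'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

function Get-RightSids {   # hypothetical helper: SIDs assigned to one user right
    param([string[]]$InfLines, [string]$Right)
    # Export lines look like: SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    foreach ($v in ($line -split '=', 2)[1].Split(',')) {
        $v = $v.Trim()
        if ($v.StartsWith('*')) { $v.Substring(1) }          # entry exported as a SID
        elseif ($v) {                                        # entry exported as a name
            try { ([System.Security.Principal.NTAccount]$v).Translate(
                      [System.Security.Principal.SecurityIdentifier]).Value }
            catch { Write-Warning "Could not resolve '$v' to a SID" }
        }
    }
}

function Test-DcNetworkLogonRights {   # hypothetical helper: one line per finding
    param([string[]]$InfLines)
    $allow = @(Get-RightSids $InfLines 'SeNetworkLogonRight')      # Access this computer from the network
    $deny  = @(Get-RightSids $InfLines 'SeDenyNetworkLogonRight')  # Deny access to this computer from the network
    foreach ($sid in $Required.Keys) {
        if ($allow -notcontains $sid) { "MISSING from allow right: $($Required[$sid]) ($sid)" }
    }
    foreach ($sid in $NeverDeny.Keys) {
        if ($deny -contains $sid) { "PRESENT in deny right: $($NeverDeny[$sid]) ($sid)" }
    }
}

# Constructed sample resembling the question: only Authenticated Users and
# Pre-Windows 2000 Compatible Access (S-1-5-32-554) hold the allow right.
$sample = @('[Privilege Rights]', 'SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-554')
Test-DcNetworkLogonRights $sample

# On a domain controller, from an elevated prompt, check the live settings:
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Test-DcNetworkLogonRights (Get-Content $cfg)
```

No output from the live check means neither condition from the BPA message was found on that domain controller; run it on each DC, since the BPA error is reported per domain controller.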