I can't determine how a group policy is being applied. Please help. Thank you.

    Question

  • Hi,

    I'm having a problem trying to find how a particular policy is being applied on my domain (I've inherited this domain). Whenever a user logs into a domain, the computer gets a new local group policy. One particular attribute is that the local admin account gets renamed:

    I can't figure out where it's coming from.  I've run gpresult, and I'm assuming it's the default domain policy.

    But when I go to the domain controller and look at the default domain policy, the entry is empty:

    I'm really at a loss.  However, I really don't think it's the default domain policy, but I can't figure out what else it could be?

    Any help would be greatly appreciated.  Thanks!!!  -Tim


    • Edited by Timpu33 Thursday, February 12, 2015 9:33 PM
    Thursday, February 12, 2015 9:31 PM

Answers

  • Thank you all.

    I solved the issue, but not completely.

    If I enable "rename administrator account" in my default domain policy, the computers will then have a local policy with a renamed local admin. However, if I disable this feature or enable it with the name "administrator", then the old admin name reappears in the local group policy of a domain computer. It feels as if something might be buggy with my domain's usage of group policy. It's as if there's a cached entry that gets used if I disable that feature. Or this feature is getting applied from somewhere else, but I have no idea how. The only way I know how to enforce a local group policy on the domain is by going to Default Domain Policy>Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options. If anyone knows of a different place this would reside, I would love to know of it. Many thanks for all your thoughts.

    Tim

    Friday, February 13, 2015 6:47 PM
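
An added example, not part of the original thread: the "rename administrator account" security option is stored as `NewAdministratorName` in a GPO's security template (`GptTmpl.inf`) under SYSVOL, so searching those files shows every GPO that carries it, and `secedit` shows what the client currently holds. It assumes a domain-joined machine with read access to SYSVOL and an elevated prompt for the `secedit` step; the export file name is arbitrary.

```powershell
# Added example (not from the thread). Assumptions: domain-joined machine,
# read access to SYSVOL, elevated prompt for the secedit export.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

# 1. List every GPO whose security template sets NewAdministratorName.
#    The GroupPolicy module (RSAT) is optional; it only resolves display names.
$hasGpoModule = [bool](Get-Command Get-GPO -ErrorAction SilentlyContinue)
Get-ChildItem -Path $policies -Recurse -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
    Select-String -Pattern '^\s*NewAdministratorName\s*=\s*(.*)$' |
    ForEach-Object {
        $hit  = $_
        # The GPO GUID is the folder name directly under Policies
        $guid = if ($hit.Path -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }
        $name = '(unresolved)'
        if ($hasGpoModule -and $guid) {
            try { $name = (Get-GPO -Guid $guid -ErrorAction Stop).DisplayName } catch { }
        }
        [pscustomobject]@{
            GpoName  = $name
            GpoGuid  = $guid
            Value    = $hit.Matches[0].Groups[1].Value.Trim()
            Modified = (Get-Item -LiteralPath $hit.Path).LastWriteTime
            File     = $hit.Path
        }
    } | Format-List

# 2. On the client: export the effective local security policy and show the
#    value it currently holds for the same setting.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet
Select-String -Path $cfg -Pattern '^\s*NewAdministratorName' | ForEach-Object { $_.Line }
Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue

# 3. Show the actual built-in administrator account (RID 500), whatever its name.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
    Select-Object Name, SID, Disabled
```

Comparing the `Modified` time and `Value` from step 1 with the client's value from step 2 shows whether the name on the workstation matches any GPO that is currently published.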

All replies

  • Your screenshots don't show a gpresult /h, or gpresult /z, done at the client.

    Have you tried that? (that's a good way to see the total RSOP, and other subtle stuff like loopback, inheritance, force/override, GPP, scripts, etc)

    It could always be a non-Microsoft component doing it? (e.g. some other security product/agent?)


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Thursday, February 12, 2015 9:55 PM
  • Does this help?

    C:\Users\***>gpresult /z

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 2/12/2015 at 1:57:06 PM


    RSOP data for ****\*** on H9MHD12 : Logging Mode
    ------------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  6.1.7601
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\***
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=H9MHD12,CN=Computers,DC=***,DC=com
        Last time Group Policy was applied: 2/12/2015 at 1:03:12 PM
        Group Policy was applied from:      ***.***.Com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        ****
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Local Group Policy

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            H9MHD12$
            Domain Computers
            System Mandatory Level

        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            MaximumPasswordAge
                    Computer Setting:  42

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordAge
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            LockoutBadCount
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  N/A

            Audit Policy
            ------------
                N/A

            User Rights
            -----------
                N/A

            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ClearTextPassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ForceLogoffWhenHourExpire
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            RequireLogonToChangePassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            NewAdministratorName
                    Computer Setting:  Enabled

                N/A

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Local Group Policy
                    KeyName:     Software\Policies\Microsoft\Windows\ScPnp\EnableScPnP
                    Value:       0, 0, 0, 0
                    State:       Enabled


    USER SETTINGS
    --------------
        CN=*******,OU=Users,OU=Corporate,OU=***,DC=***,DC=com
        Last time Group Policy was applied: 2/12/2015 at 1:33:14 PM
        Group Policy was applied from:      ***.***.Com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        ***
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL

        The user has the following security privileges
        ----------------------------------------------

            Bypass traverse checking
            Manage auditing and security log
            Back up files and directories
            Restore files and directories
            Change the system time
            Shut down the system
            Force shutdown from a remote system
            Take ownership of files or other objects
            Debug programs
            Modify firmware environment values
            Profile system performance
            Profile single process
            Increase scheduling priority
            Load and unload device drivers
            Create a pagefile
            Adjust memory quotas for a process
            Remove computer from docking station
            Perform volume maintenance tasks
            Impersonate a client after authentication
            Create global objects
            Change the time zone
            Create symbolic links
            Increase a process working set

        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                N/A

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A

    Thursday, February 12, 2015 10:02 PM
  • Does this help

    C:\Users\***>gpresult /z

    <....>
    COMPUTER SETTINGS
    ------------------
        CN=H9MHD12,CN=Computers,DC=***,DC=com
    <....>

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Local Group Policy

    <....>
        Resultant Set Of Policies for Computer
        ---------------------------------------

    <....>
            Security Options
            ----------------
    <....>

                GPO: Default Domain Policy
                    Policy:            NewAdministratorName
                    Computer Setting:  Enabled

    <.....>

    Seems like this is configured, but your earlier screenshot of the DDP didn't show it?
    I'm beginning to agree with your bewilderment :S

    Don

    Friday, February 13, 2015 9:05 AM
  • > applied on my domain (I've inherited this domain).  Whenever a user
    > logs into a domain, the computer gets a new local group policy.  One
     
    Recap: When a USER logs on, a local COMPUTER GPO is created?
     
    Anyway: To identify processes dealing with local policies, run process
    monitor with a filter for %windir%\System32\GroupPolicy
     

    Martin

    Care to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Friday, February 13, 2015 11:21 AM