Remove From My Forums

I can't determine how a group policy is being applied. Please help. Thank you.

Question

0

Sign in to vote
Hi,

I'm having a problem trying to find how a particular policy is being applied on my domain (I've inherited this domain). When ever a user logs into a domain, the computer get's a new local group policy. One particular attribute is that the local admin account get's renamed:

I can't figure out where it's coming from. I've run gpresult, and I'm assuming it's the default domain policy.

But when I go to the domain controller and look at the default domain policy, the entry is empty:

I'm really at a loss. However, I really don't think it's the default domain policy, but I can't figure out what else it could be?

Any help would be greatly appreciated. Thanks!!! -Tim
- Edited by Timpu33 Thursday, February 12, 2015 9:33 PM
Thursday, February 12, 2015 9:31 PM

Reply

|

Quote

Answers

0

Sign in to vote
Thank you all.

I solved the issue, but not completely.

If I enable "rename administrator account" in my default domain policy, the computers will then have a local policy with a renamed local admin. However, If I disable this feature or enable it with the name "administrator", then the old admin name reappears in the local group policy of a domain computer. It feels as if something might be buggy with my domain's usage of group policy. It's as if there's a cached entry that get's used if I disable that feature. Or this feature is getting applied from somewhere else, but I have no idea how. The only way I know how to enforce a local group policy on the domain is by going to Default Domain Policy>Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options. If anyone knows of a different place this would reside, I would love to know of it. Many thanks for all your thoughts.

Tim
- Marked as answer by Mandy YeModerator Wednesday, February 25, 2015 8:06 AM
Friday, February 13, 2015 6:47 PM

Reply

|

Quote

All replies

0

Sign in to vote

Your screenshots don't show a gpresult /h, or gpresult /z, done at the client.

Have you tried that? (that's a good way to see the total RSOP, and other subtle stuff like loopback, inheritance, force/override, GPP, scripts, etc)

It could always be a non-Microsoft component doing it ? (eg some other security product/agent?)
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

Thursday, February 12, 2015 9:55 PM

Reply

|

Quote

0

Sign in to vote

Does this help

C:\Users\***>gpresult /z

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2/12/2015 at 1:57:06 PM

RSOP data for ****\*** on H9MHD12 : Logging Mode
------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\***
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=H9MHD12,CN=Computers,DC=***,DC=com
    Last time Group Policy was applied: 2/12/2015 at 1:03:12 PM
    Group Policy was applied from:      ***.***.Com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ****
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        H9MHD12$
        Domain Computers
        System Mandatory Level

    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting: 42

            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting: N/A

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting: N/A

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting: 1

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting: N/A

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting: Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting: Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting: Not Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting: Not Enabled

            GPO: Default Domain Policy
                Policy:            NewAdministratorName
                Computer Setting: Enabled

            N/A

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Local Group Policy
                KeyName:     Software\Policies\Microsoft\Windows\ScPnp\EnableScP
nP
                Value:       0, 0, 0, 0
                State:       Enabled

USER SETTINGS
--------------
    CN=*******,OU=Users,OU=Corporate,OU=***,DC=***,DC=com
    Last time Group Policy was applied: 2/12/2015 at 1:33:14 PM
    Group Policy was applied from:      ***.***.Com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ***
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering: Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL

    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Increase a process working set

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A

Thursday, February 12, 2015 10:02 PM

Reply

|

Quote

0

Sign in to vote

Does this help

C:\Users\***>gpresult /z

<....>
COMPUTER SETTINGS
------------------
    CN=H9MHD12,CN=Computers,DC=***,DC=com
<....>

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy

<....>
    Resultant Set Of Policies for Computer
    ---------------------------------------

<....>
        Security Options
        ----------------
<....>

            GPO: Default Domain Policy
                Policy:            NewAdministratorName
                Computer Setting: Enabled

<.....>

seems like this is configured, but your earlier screenshot of the DDP didn't show it?
I'm beginning agree with your bewilderment :S
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

Friday, February 13, 2015 9:05 AM

Reply

|

Quote

0

Sign in to vote

> applied on my domain (I've inherited this domain). When ever a user

> logs into a domain, the computer get's a new local group policy. One

Recap: When a USER logs on, a local COMPUTER GPO is created?

Anyway: To identify processes dealing with local policies, run process

monitor with a filter for %windir%\System32\GroupPolicy

Martin

Mal ein GUTES Buch über GPOs lesen?

NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Friday, February 13, 2015 11:21 AM

Reply

|

Quote

0

Sign in to vote
Thank you all.

I solved the issue, but not completely.

If I enable "rename administrator account" in my default domain policy, the computers will then have a local policy with a renamed local admin. However, If I disable this feature or enable it with the name "administrator", then the old admin name reappears in the local group policy of a domain computer. It feels as if something might be buggy with my domain's usage of group policy. It's as if there's a cached entry that get's used if I disable that feature. Or this feature is getting applied from somewhere else, but I have no idea how. The only way I know how to enforce a local group policy on the domain is by going to Default Domain Policy>Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options. If anyone knows of a different place this would reside, I would love to know of it. Many thanks for all your thoughts.

Tim
- Marked as answer by Mandy YeModerator Wednesday, February 25, 2015 8:06 AM
Friday, February 13, 2015 6:47 PM

Reply

|

Quote

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

I can't determine how a group policy is being applied. Please help. Thank you.

Question

Answers

All replies