I can't determine how a group policy is being applied. Please help. Thank you.

-
Hi,
I'm having a problem trying to find how a particular policy is being applied on my domain (I've inherited this domain). Whenever a user logs into a domain, the computer gets a new local group policy. One particular attribute is that the local admin account gets renamed:
I can't figure out where it's coming from. I've run gpresult, and I'm assuming it's the default domain policy.
But when I go to the domain controller and look at the default domain policy, the entry is empty:
I'm really at a loss. However, I really don't think it's the default domain policy, but I can't figure out what else it could be?
Any help would be greatly appreciated. Thanks!!! -Tim
- Edited by Timpu33 Thursday, February 12, 2015 9:33 PM
Question
Answers
-
Thank you all.
I solved the issue, but not completely.
If I enable "rename administrator account" in my default domain policy, the computers will then have a local policy with a renamed local admin. However, if I disable this feature or enable it with the name "administrator", then the old admin name reappears in the local group policy of a domain computer. It feels as if something might be buggy with my domain's usage of group policy. It's as if there's a cached entry that gets used if I disable that feature. Or this feature is getting applied from somewhere else, but I have no idea how. The only way I know how to enforce a local group policy on the domain is by going to Default Domain Policy>Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options. If anyone knows of a different place this would reside, I would love to know of it. Many thanks for all your thoughts.
Tim
- Marked as answer by Mandy Ye (Moderator) Wednesday, February 25, 2015 8:06 AM
All replies
-
Your screenshots don't show a gpresult /h, or gpresult /z, done at the client.
Have you tried that? (that's a good way to see the total RSOP, and other subtle stuff like loopback, inheritance, force/override, GPP, scripts, etc)
It could always be a non-Microsoft component doing it? (e.g. some other security product/agent?)
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
-
Does this help?
C:\Users\***>gpresult /z
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 2/12/2015 at 1:57:06 PM
RSOP data for ****\*** on H9MHD12 : Logging Mode
------------------------------------------------------
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\***
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=H9MHD12,CN=Computers,DC=***,DC=com
Last time Group Policy was applied: 2/12/2015 at 1:03:12 PM
Group Policy was applied from: ***.***.Com
Group Policy slow link threshold: 500 kbps
Domain Name: ****
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
H9MHD12$
Domain Computers
System Mandatory Level
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 42
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: N/A
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: N/A
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: N/A
Audit Policy
------------
N/A
User Rights
-----------
N/A
Security Options
----------------
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: NewAdministratorName
Computer Setting: Enabled
N/A
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: Local Group Policy
KeyName: Software\Policies\Microsoft\Windows\ScPnp\EnableScPnP
Value: 0, 0, 0, 0
State: Enabled
USER SETTINGS
--------------
CN=*******,OU=Users,OU=Corporate,OU=***,DC=***,DC=com
Last time Group Policy was applied: 2/12/2015 at 1:33:14 PM
Group Policy was applied from: ***.***.Com
Group Policy slow link threshold: 500 kbps
Domain Name: ***
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
The user has the following security privileges
----------------------------------------------
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Increase a process working set
Resultant Set Of Policies for User
-----------------------------------
Software Installations
----------------------
N/A
Logon Scripts
-------------
N/A
Logoff Scripts
--------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
----------------------------------------
N/A
Internet Explorer Connection
----------------------------
N/A
Internet Explorer URLs
----------------------
N/A
Internet Explorer Security
--------------------------
N/A
Internet Explorer Programs
--------------------------
N/A
-
Does this help?
C:\Users\***>gpresult /z
<....>
COMPUTER SETTINGS
------------------
CN=H9MHD12,CN=Computers,DC=***,DC=com
<....>
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy
<....>
Resultant Set Of Policies for Computer
---------------------------------------
<....>
Security Options
----------------
<....>
GPO: Default Domain Policy
Policy: NewAdministratorName
Computer Setting: Enabled
<.....>
I'm beginning to agree with your bewilderment :S
Don
-
> applied on my domain (I've inherited this domain). Whenever a user
> logs into a domain, the computer gets a new local group policy. One
Recap: When a USER logs on, a local COMPUTER GPO is created?
Anyway: To identify processes dealing with local policies, run Process Monitor with a filter for %windir%\System32\GroupPolicy
Martin
How about reading a GOOD book on GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))
-
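One way to check where NewAdministratorName is defined, as an added example that is not from any poster in this thread: the script lists every GPO in SYSVOL whose security template carries the setting, then exports the client's local security policy to show the value stored there. It assumes the RSAT GroupPolicy module, PowerShell 3 or later, an elevated prompt for secedit, and the default SYSVOL layout; the export file name is a placeholder.

```powershell
# Added example, not from the thread. Read-only: it inspects SYSVOL and
# exports the local security policy; it changes no settings.
# Assumes: RSAT GroupPolicy module, PowerShell 3+, default SYSVOL layout.
Import-Module GroupPolicy
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"
$relInf   = 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$pattern  = '^\s*NewAdministratorName\s*='

# Part 1 (any domain-joined admin workstation): which GPOs define the rename?
$found = foreach ($dir in Get-ChildItem -LiteralPath $policies -Directory) {
    $inf = Join-Path $dir.FullName $relInf
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $hit = Select-String -LiteralPath $inf -Pattern $pattern |
           Select-Object -First 1
    if (-not $hit) { continue }
    # Map the folder GUID back to a display name; a folder with no matching
    # GPO object in AD is reported rather than skipped.
    try   { $name = (Get-GPO -Guid $dir.Name.Trim('{}') -Domain $domain -ErrorAction Stop).DisplayName }
    catch { $name = '(no GPO object for this folder)' }
    [pscustomobject]@{ Gpo = $name; Guid = $dir.Name; Setting = $hit.Line.Trim() }
}
$found | Format-Table -AutoSize

# Part 2 (on the affected client, elevated): the value held in the local
# security database, which is what the local policy editor displays.
$export = Join-Path $env:TEMP 'local-secpol.inf'   # placeholder file name
secedit /export /cfg $export /areas SECURITYPOLICY | Out-Null
Select-String -LiteralPath $export -Pattern $pattern |
    ForEach-Object { $_.Line.Trim() }
Remove-Item -LiteralPath $export
```

If Part 1 returns no GPO while Part 2 still shows a non-default name, the value is coming from the client's own security database and not from a template currently in SYSVOL.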