can't access management console on server

  • Question

  • We have had Forefront for a while now, but I recently noticed that I could not access the application even from the server which manages all the definition updates and installed nodes.

    It looks like the server is being picked up as part of the default "Computers" OU in my domain and therefore the "Domain policy" is being applied instead of the "domain controllers policy". The same issue is happening on two of my file servers.

    The three servers are in a "servers" group and I have a policy set up to only apply to the group "servers".

    I did find that my Forefront server was listed outside the domain controllers OU (because it's not a DC), so I moved it into the correct OU, but I am still not able to view the console after I did a group policy sync/reboot.

    So now that my machine is in the correct OU I would expect that the correct policy would be applied, but it's not. What else should I look at in the configuration to help me find the cause of this issue?


    • Edited by Tanner Wood Wednesday, April 4, 2012 6:30 PM
    Wednesday, April 4, 2012 6:30 PM

Answers

  • So after a little reading I discovered all my domain-level policies were "enforced" and therefore overrides were blocked by the higher OU. So that explains that. Now if I could just determine why some areas of the options screen are still grayed out...
    • Marked as answer by Tanner Wood Wednesday, April 4, 2012 9:02 PM
    Wednesday, April 4, 2012 9:02 PM

All replies

  • Well, I ran an RSoP report wizard and it showed me that all my policies were being applied to the servers. So to fix it, what I did was go into my Forefront domain policy and my default domain policy and under delegation I added "read" control for my servers group, but then clicked on advanced and chose "Deny apply policy". Then I ran a gpupdate /force and I can bring up the client security console.

    However, I thought group policy was supposed to be based on an inheritance chain? If I have it configured correctly, wouldn't it see that my domain controllers OU has higher policy presence than the root of the domain? For some reason I always thought all policies applied to everyone as a common base and then filtering and group membership allowed you to force other policies to apply accordingly to more important stuff. I didn't think I would have to deny policy apply on the lesser policy AND make a policy that only targets my higher-up security group just to get it to apply to the higher-up stuff. I hope that makes sense. Sort of inundated in policy confusion at the moment...

    Wednesday, April 4, 2012 8:17 PM
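The two things this thread turns on (Enforced links at the domain level, and the Read / Deny Apply entries on the GPO) can be read straight from the Group Policy module instead of clicking through RSoP and the Delegation tab. The script below is an added example, not code from the thread or from Microsoft: it walks a computer's container chain from the domain root down, lists each linked GPO with its Enforced flag and the container's Block Inheritance state, and then shows what the named group is granted or denied on those GPOs. It assumes the RSAT ActiveDirectory and GroupPolicy modules in a domain-joined admin session; the group name 'servers' comes from the thread and the host name is constructed.

```powershell
# Added diagnostic (not from the thread). Assumes RSAT ActiveDirectory + GroupPolicy
# modules in a domain-joined admin session; host and group names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoLinkChain {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $GroupName = 'servers'        # security group used for filtering in the thread
    )
    $dn   = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $rdns = $dn -split ',(?=(?:OU|DC|CN)=)'    # split only on commas that begin a new RDN
    # Index 0 is the computer object itself; every longer suffix is a parent container.
    # Stop at the first DC= component: that suffix is the domain root, the last GPO target.
    $containers = @()
    for ($i = 1; $i -lt $rdns.Count; $i++) {
        $containers += ($rdns[$i..($rdns.Count - 1)] -join ',')
        if ($rdns[$i] -like 'DC=*') { break }
    }
    [array]::Reverse($containers)              # root first: the order in which GPOs are processed

    $gpoNames = @()
    foreach ($c in $containers) {
        if ($c -like 'CN=*') {
            # The default "Computers" container is not an OU, so nothing can be linked to it;
            # a machine left there only ever receives the domain-level links (the symptom above).
            "$c  <- plain container, no GPO links possible"
            continue
        }
        $inh = Get-GPInheritance -Target $c
        "$c  (BlockInheritance=$($inh.GpoInheritanceBlocked))"
        foreach ($link in $inh.GpoLinks) {
            # An Enforced link wins over anything linked lower in the tree and ignores Block Inheritance.
            "  [{0}] {1}  Enabled={2}  Enforced={3}" -f $link.Order, $link.DisplayName, $link.Enabled, $link.Enforced
            $gpoNames += $link.DisplayName
        }
    }

    # Security filtering: Read + Apply Group Policy delivers the GPO; a Deny on Apply withholds it.
    foreach ($name in ($gpoNames | Select-Object -Unique)) {
        $entries = Get-GPPermission -Name $name -All | Where-Object { $_.Trustee.Name -eq $GroupName }
        if (-not $entries) { "$name : no explicit entry for '$GroupName'"; continue }
        foreach ($e in $entries) {
            $flag = if ($e.Denied) { ' (DENY)' } else { '' }   # Denied marks a deny ACE
            "$name : $GroupName -> $($e.Permission)$flag"
        }
    }
}
Get-GpoLinkChain -ComputerName 'FCSSERVER01'   # constructed host name
```

Any link reported with Enforced=True on the domain root is the one that cannot be overridden from the domain controllers OU, which is what the marked answer found.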