none
Issue with GPO

    Question

  • Hello Team,

    I have a scenario here which describe the issue and need advice on the same.

    We have a GPO that enables "Offer Remote Assistance" and have applied it for different OUs based on the country. Now few days back an onsite engineer reported that he have lost admin access to all the system. But its not the same for all the OUs only for three OUs that are effected. And the users in those group have lost admin access to all the system in that particular OU.

    I checked the groups assigned as a part of this GPO on the OUs. The AD delegation of all the groups seems to be same.

    I checked on few systems affected and found that this particular group does not appear in "Administrators" local group. But the same appears in the systems in the OUs that does not have this issue.

    I am not sure how to proceed and fix this. I checked the GPO and groups in that and everything seems to be fine.

    Regards,

    Suman Rout

     

    Monday, April 18, 2016 5:28 PM

Answers

  • Hi Suman,
    First of all, please check if the GPO is applied successfully to the problematic OUs, you could run gpresult /r command or use group policy result wizard to check it.
    A computer want to receive Remote Assistance offers, we need to configure the Offer Remote Assistance policy setting, configure Windows Firewall for offer-based Remote Assistance and configure the policy to enable Remote Connections.
    If the GPO worked well before and suddenly the issue happened, in this case, some settings is changed somewhere, I would suggest you refer to the following article and check one by one:
    https://support.microsoft.com/en-us/kb/301527

    >> I checked on few systems affected and found that this particular group does not appear in "Administrators" local group.
    Based on my test in lab environment, if the GPO is applied successfully, a group named “Offer Remote Assistance helpers” will be created on local computers and the specific group which defined in GPO will be added in to this group. So I would suggest you go to check it again.

    In addition, you could compare the problematic OU with the one which have no issue to check if any settings are different in group policy applying or group membership.

    Regards,
    Wendy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 19, 2016 8:19 AM
    Moderator