Critical - Taking control of GPOs through AGPM is causing problems

    Question

  • Hey guys,

    This one was extremely tough. We are on a 2012 R2 domain with Win7 clients. We are still using login scripts inside GPOs. Through AGPM 4.0 SP3 running on a 2016 AGPM server, I took control of our GPOs yesterday and all of the login scripts stopped working when people rebooted. I thought it might be a security issue and added in some mapping through preferences and that also did not work. I then deleted the GPOs (Archive only) and it still did not fix things. Nothing worked until I copied the existing GPOs and reapplied them with the same security filters, and then login scripts started working again. Does anyone have any ideas of how taking control of a GPO can cause things to break? The GPO looks like it is still being applied to the same OUs with the same security filters and delegation permissions, etc.

    If I look at it now, the original GPOs look perfect, but will not show up at all under gpresult from the users. The copied GPOs do show up and are working fine. I have double-checked that the GPOs have the same links, that the links are enabled, they have the same security filter, and the same delegation. This one could cost me my job as management wants to know what happened, but I am just not sure. Any help is appreciated.

    Thanks,


    Dave

    • Edited by DaveBryan37 Thursday, April 20, 2017 5:23 PM
    Thursday, April 20, 2017 4:36 PM

All replies

  • Hi Dave,
    Have you verified that AGPM has taken ownership of GPOs successfully? And are there any event logs in the event viewer for troubleshooting?
    And are you running AGPM in least privileged mode? If yes, please try adding the AGPM service account as a member of Domain Admins and see if it helps.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, April 21, 2017 7:05 AM
    Moderator
  • I opened a case with Microsoft and spent hours on the phone with them yesterday. We have confirmed that when AGPM takes control of policies, it is indeed corrupting a lot of them. They cannot explain that yet and we are going through everything we can think of, but I will be lucky to keep my job through this.

    Dave

    Friday, April 21, 2017 2:22 PM
  • Hey guys,

    Somehow when I brought AGPM online, Windows Update MS17-062 came into play again. I know I had changed those GPO permissions a year ago and I even posted a comment to the URL below on how I did it, but I had upgraded since then and somehow they were removed when AGPM took control. My thinking is that because AGPM has a "Production Delegation" tab with different default ACLs, it somehow removed Domain Computers from all policies when I took control. Either way, I was able to run the same PowerShell script I mentioned in the article below, and it fixed all my issues; then I added Domain Computers to the Production Delegation tab and took control again with no issues this time.

    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    Dave

    Friday, April 21, 2017 10:17 PM
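The failure Dave describes (GPOs that look correctly linked and filtered but never appear in gpresult after AGPM took control) is what happens when the read ACE that computer accounts need after MS16-072 is stripped from the policy. The script below is an added example, not the poster's script or anything from the askds article or the AGPM product; it audits every GPO in the domain for a read ACE held by Authenticated Users or Domain Computers (checked by well-known SID so the domain prefix does not matter) and, only when `$Fix` is set, restores GpoRead for Domain Computers. It assumes the GroupPolicy RSAT module, a domain-joined session, and an account allowed to edit GPO security.

```powershell
# Added example: audit GPOs for the computer-account read ACE required since MS16-072.
# Not the thread poster's script. Assumes RSAT GroupPolicy module and GPO edit rights.
Import-Module GroupPolicy

$Fix          = $false            # $true to repair; $false only reports
$TrusteeToAdd = 'Domain Computers' # assumption: the trustee the poster re-added

function Test-GpoComputerRead {
    param([Parameter(Mandatory)] [Microsoft.GroupPolicy.Gpo] $Gpo)
    # Get-GPPermission -All lists every trustee on the GPO with its permission level.
    # Any level other than None (GpoRead, GpoApply, GpoEdit...) includes read access.
    foreach ($ace in ($Gpo | Get-GPPermission -All)) {
        if ($ace.Permission -eq 'None') { continue }
        $sid = $ace.Trustee.Sid
        if ($null -eq $sid) { continue }
        # S-1-5-11 (Authenticated Users) or <domain>-515 (Domain Computers) both satisfy
        # the MS16-072 requirement that the computer account can read the policy.
        if ($sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid) -or
            $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountComputersSid)) {
            return $true
        }
    }
    return $false
}

$allGpos = Get-GPO -All
$broken  = @()
foreach ($gpo in $allGpos) {
    if (Test-GpoComputerRead -Gpo $gpo) { continue }
    $broken += $gpo
    Write-Warning ("GPO '{0}' ({1}) has no read ACE for Authenticated Users or Domain Computers" -f
        $gpo.DisplayName, $gpo.Id)
    if ($Fix) {
        # GpoRead grants read only, not apply, so this does not widen which
        # computers or users the policy is actually applied to.
        $gpo | Set-GPPermission -TargetName $TrusteeToAdd -TargetType Group -PermissionLevel GpoRead | Out-Null
        Write-Host ("  restored GpoRead for {0} on '{1}'" -f $TrusteeToAdd, $gpo.DisplayName)
    }
}
"{0} GPO(s) checked, {1} missing the required read ACE" -f $allGpos.Count, $broken.Count
```

Run it once with `$Fix = $false` before and after an AGPM "take control" to see exactly which policies lost the ACE; a GPO flagged here will be silently skipped by clients even though its links and security filtering look intact in GPMC.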
  • Hi Dave,
    Great share and update, could you please help to mark it as the answer? It will be greatly helpful to others who have similar questions.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, April 24, 2017 2:30 PM
    Moderator