Default Domain Policy applies User Rights Assignments that are not in the Default Domain Policy

    Question

  • I have recently been charged with implementing some group policy settings on a small domain that I did not build. This domain was built as a package years ago, and is being deployed to our environment as a stand-alone enclave.  Some details:

    DC and Member Servers are Server 2008 R2
    Domain Functional Level 2008 R2
    Single DC
    No OUs

    User Rights Assignments on this domain were implemented via a combination of the Default Domain Policy and a security template deployed on each system.  I need to ditch the security template and apply the settings via GPO.  Herein lies the problem.

    At first an RSOP and a GPRESULT would display a blank source for the User Rights Assignments that were being applied, most of which are not set to what I would want. I was able to use the GPRESULT wizard from GPMC to show that the Winning GPO was {31B2F340-016D-11D2-945F-00C04FB984F9} which is the GUID for the Default Domain Policy.  However the default domain policy did not have the same settings.  Incidentally, in GPMC under Group Policy Results after querying one of my servers, it shows under Component Status that the last time the Security component was applied was June 10th 2014, almost 3 years ago… 

    After modifying the default domain gpo and verifying the order of GPOs, delegation, permissions, creating my own GPOs, blocking inheritance and then creating an OU and trying all of this again, I tried to use DCGPOFIX /Target:domain to reset the GPO to default but I get an error “Unable to set required Active Directory attributes for the CN=…DC=local GPO. The parameter is incorrect. The restore failed.”

    I then used a combination of LDP and ADSI edit to attempt to reset the gpo to a state that I could run the DCGPOFIX tool successfully but was unable to.

    I ended up deleting the existing default domain GPO and creating a new blank gpo, then giving the proper GUID, changing its file name on sysvol to the new GUID and attempting again to use DCGPOFIX, but that failed as well with the same error.

    After doing all of this, rsop and gpresult no longer return blank sources, but show Default Domain GPO, all the same user rights assignments are applied claiming Default Domain GPO as the source, but that gpo is now empty. 

    I looked through every registry setting on the DC for references to {31B2F340-016D-11D2-945F-00C04FB984F9} and every single filepath value is pointing to the correct folder.

    No matter what changes I make to GPO, all the User Rights Assignments are being applied by the Default Domain Policy.  I tried to change this by removing those settings from the GPO, and by creating a separate GPO, blocking inheritance, creating an OU and blocking inheritance while linking only one GPO with the settings I want. I have disabled the default domain GPO and unlinked it from the domain, and enforced the GPO I want to apply.  No matter what changes I make to the default domain gpo, or any gpo, the same settings apply.  It is like they are being pulled from some cache, but I have no idea where that is.

    If it were up to me I would rebuild the domain controller.  Unfortunately that is not possible at the moment. 

    In the end, I need to stop these phantom settings from being applied with the default domain gpo and instead apply settings from a separate custom GPO.

    Thursday, March 16, 2017 12:05 AM

All replies

  • Hi,

    First, I suggest you try to run Dcdiag to check the health of your domain environment.

    And have you deleted the default domain policy and run dcgpofix to recreate the default domain policy?

    Has the default domain policy been recreated successfully?

    If yes, please run gpupdate /force on client. Then run gpresult /h gpreport.html to check if the group policy has been applied.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 16, 2017 7:02 AM
    Moderator
  • > it shows under Component Status that the last time the Security component was applied was June 10th 2014, almost 3 years ago…
     
    RSoP will not show you what the "live" deployment does, but what was recorded as "applied GPO" the last time GPOs were processed. So if your DDP in 2014 deployed these sec settings, they will remain in RSoP until Security is processed again.
     
    > “Unable to set required Active Directory attributes for the CN=…DC=local GPO. The parameter is incorrect. The restore failed.”
     
    This could be tracked down via LDAP logging on the DC to see what exactly dcgpofix tries to do. Google can assist in how to enable :-)
     
    > giving the proper GUID, changing its file name on sysvol to the new GUID and attempting again to use DCGPOFIX, but that failed as well with the same error.
     
    How did you change the GUID exactly?
     
     
    Thursday, March 16, 2017 10:03 AM
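    One way to check the points raised above, as an added example that is not from any participant in this thread: compare the Default Domain Policy's AD object with its SYSVOL folder (the attributes dcgpofix and the Security CSE depend on) and then show what the Security CSE last recorded locally, which is the data RSoP reports back. It assumes the ActiveDirectory module (RSAT) is present and that it is run as a domain admin on the DC.

    ```powershell
    # Added example (not from the thread). Assumes RSAT ActiveDirectory module, run on the DC.
    Import-Module ActiveDirectory

    $GpoGuid  = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # Default Domain Policy GUID (from the thread)
    $SecCse   = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'   # Security client-side extension GUID
    $domainDn = (Get-ADDomain).DistinguishedName
    $gpoDn    = "CN=$GpoGuid,CN=Policies,CN=System,$domainDn"

    # 1. AD side: the groupPolicyContainer attributes dcgpofix and the CSE rely on.
    $gpo = Get-ADObject -Identity $gpoDn -Properties displayName, gPCFileSysPath, versionNumber, gPCMachineExtensionNames, flags
    "{0}  version(AD)={1}  flags={2}" -f $gpo.displayName, $gpo.versionNumber, $gpo.flags
    "SYSVOL path in AD : $($gpo.gPCFileSysPath)"
    "Machine CSE list  : $($gpo.gPCMachineExtensionNames)"

    # 2. SYSVOL side: GPT.ini version should match the AD versionNumber, and the
    #    security template must exist or the Security CSE has nothing to apply.
    $gptIni = Join-Path $gpo.gPCFileSysPath 'GPT.ini'
    $tmpl   = Join-Path $gpo.gPCFileSysPath 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)' -ErrorAction SilentlyContinue
    $sysvolVersion = if ($m) { $m.Matches[0].Groups[1].Value } else { 'missing' }
    "version(SYSVOL)={0}  match={1}" -f $sysvolVersion, ($sysvolVersion -eq "$($gpo.versionNumber)")
    "GptTmpl.inf present: $(Test-Path $tmpl)"
    if ("$($gpo.gPCMachineExtensionNames)" -notmatch [regex]::Escape($SecCse)) {
        'Security CSE is not listed in gPCMachineExtensionNames, so it will skip this GPO.'
    }

    # 3. What the Security CSE last recorded on this machine (the source RSoP reports).
    $hist = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\$SecCse"
    if (Test-Path $hist) {
        Get-ChildItem $hist | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            "{0}  {1}  version={2}  {3}" -f $_.PSChildName, $p.DisplayName, $p.Version, $p.GPOName
        }
    }
    # Cached templates the CSE merged on its last successful run; stale timestamps here
    # line up with the "last applied" date seen in Component Status.
    Get-ChildItem "$env:SystemRoot\security\templates\policies" -Filter 'gpt*.inf' -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime
    ```

    A mismatch between the AD and SYSVOL version numbers, or a Security CSE history entry whose version no longer matches the live GPO, is the kind of inconsistency that keeps old settings showing as "applied" while the GPO itself is empty.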
  • @Jay Gu  no the DCGPOFIX command fails every time. dcdiag returns passed for everything.

    @Martin Binder I will look into LDAP logging to find out what is happening to dcgpofix. As far as the GUID goes, I used ldp and ADSI edit to first rename the DDP, then I created a new GPO and used ldp and ADSI edit to change its name and GUID to the DDP GUID. Then I changed the sysvol folder to match the name change of the DDP, renamed the folder created when I made the new GPO to the DDP GUID and updated the AD attributes to point to the new DDP folder. 

    I recognize that this is a convoluted mess, and I am messing with things that ought not to be meddled with. I have a snapshot I can roll back to, and the enclave is not currently in production; that is the only reason I have been able to do some of the things I have.  I appreciate your help.


    Thursday, March 16, 2017 2:22 PM
  • So far I have tried turning on KCC, Security Events, LDAP Interface Events, Directory Access, Group Caching and DS Schema logging up to 2 but no logs are generated when I run dcgpofix.
    Thursday, March 16, 2017 3:24 PM
  • > So far I have tried turning on KCC, Security Events, LDAP Interface Events, Directory Access, Group Caching and DS Schema logging up to 2 but no logs are generated when I run dcgpofix.
     
     
    I'd suggest enabling 7,8,9,15,16.
     
    Since changes take effect immediately AFAIK, enable them / run dcgpofix / disable them.
     
    Thursday, March 16, 2017 4:31 PM
  • Just set those in the registry to 2 and see nothing in the event log. Rebooted the DC and checked again.  I am not seeing any events in the Windows event logs, or the applications and services logs.
    Thursday, March 16, 2017 6:32 PM
  • > Just set those in the registry to 2 and see nothing in the event log. Rebooted the DC and checked again.  I am not seeing any events in the Windows event logs, or the applications and services logs.
     
    Then I'm kinda "out of the game"... :-( Did you check the Directory Services eventlog too? (I think so, but just to be sure...)
     
    Friday, March 17, 2017 8:38 AM
  • I am sorry for the late reply, I have been unable to log in to TechNet for the last 3 hours... I did check Directory Services log and I didn't see anything popping up. 

    I have found that if I change the name of my new DDP in GPMC it will reflect that name change in RSOP, so at some level my new GPO is being detected as the default domain policy by its GUID and it is being listed as the Winning GPO for user rights assignments.

    What I think is happening is that the user rights assignments are not being applied at all by any GPO, and rsop\gpresult is only showing the last user rights assignments that were processed.  I have been unable to find any information as to why those settings will not process, or why my other GPOs that are higher precedence will not overwrite them.

    Friday, March 17, 2017 4:07 PM