One of my clients has a situation where the default domain policy is being applied to all computers within the domain. We can tell this by using gpresult. Yet, in AD Users and Computers, the Default Domain Policy is only linked to the domain controllers OU, and only the domain controllers are in that OU.
If their current network admin logs in to a workstation with domain admin rights, he cannot change any of the security settings in the workstation's local policy. Within the security setting section, all of the options are greyed out like they have been locked by some policy, but what policy might that be?
Their previous network admin did a lot of fiddling with settings, and does not know how this might have happened. It only showed up once they recently removed from their network a server that had been the first domain controller when they set up their Windows 2000 Active Directory domain. They had demoted that server to a member server some time ago, and have since upgraded to a Windows 2003 native domain.
Any ideas on how to fix this?
On Jul 13, 2:28 pm, KevinW2104 <KevinW2...[ at ]discussions.microsoft.com> wrote:
> One of my clients has a situation where the default domain policy is being
> applied to all computers within the domain. We can tell this by using
> gpresult. Yet, in AD Users and Computers, the Default Domain Policy is only
> linked to the domain controllers OU, and only the domain controllers are in
> that OU.
>
> If their current network admin logs in to a workstation with domain admin
> rights, he cannot change any of the security settings in the workstation's
> local policy. Within the security setting section, all of the options are
> greyed out like they have been locked by some policy, but what policy might
> that be?
>
> Their previous network admin did a lot of fiddling with settings, and does
> not know how this might have happened. It only showed up once they recently
> removed from their network a server that had been the first domain controller
> when they set up their Windows 2000 Active Directory domain. They had demoted
> that server to a member server some time ago, and have since upgraded to a
> Windows 2003 native domain.
>
> Any ideas on how to fix this?
Just a shot in the dark here, but have you verified that all the FSMO roles have been transferred to one of the other functioning DCs? If this started happening after you removed the old domain controller, it sounds like the old DC still had some roles or functionality assigned to it. I could be way off.
> "theta12" wrote:
>
> Just a shot in the dark here, but have you verified that all the FSMO
> roles have been transferred to one of the other functioning DCs? If
> this started happening after you removed the old domain controller, it
> sounds like the old DC still had some roles or functionality assigned to
> it. I could be way off.
Good idea. I hadn't thought to check those. I'll let you know the results soon. :-)
Try using the dcdiag and netdiag utilities, on the DCs and on a client that shows this issue. BTW, linking both the Default Domain and the Default Domain Controllers GPOs to only the Domain Controllers OU is bizarre. The Default Domain GPO belongs on the domain object, although if it has been altered you probably would not want to do that in the blind. Perhaps use GPMC to clone the existing one, link the new one to the DCs OU for the time being, restore the Default Domain GPO to install defaults and link it to the domain. It for example carries Kerberos settings (that you should want) and Account policies that are only effective if linked to the domain. Then look carefully at what is in the clone impacting the DCs.
Roger
"KevinW2104" <KevinW2104[ at ]discussions.microsoft.com> wrote in message news:A618867A-3308-4956-B82B-19A33D6B1989[ at ]microsoft.com...
> > "theta12" wrote:
> >
> > Just a shot in the dark here, but have you verified that all the FSMO
> > roles have been transferred to one of the other functioning DCs? If
> > this started happening after you removed the old domain controller, it
> > sounds like the old DC still had some roles or functionality assigned to
> > it. I could be way off.
> >
>
> Good idea. I hadn't thought to check those. I'll let you know the results
> soon. :-)
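One way to check where a GPO is really linked, as an added PowerShell example that is not from this thread: it reads the gPLink attribute straight from AD for the domain head, every OU and every site, so a link that AD Users and Computers does not display (ADUC shows domain and OU links only; site links live in AD Sites and Services and reach every computer in that site) still shows up. It assumes the ActiveDirectory RSAT module is installed and that the account can read the domain and configuration partitions.

```powershell
# Added diagnostic (not from the thread): inventory every GPO link by reading
# gPLink from the domain head, all OUs and all sites, then show where the
# Default Domain Controllers Policy is linked. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$config  = (Get-ADRootDSE).configurationNamingContext
$sitesDN = "CN=Sites,$config"

# gPLink looks like "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;0][...;2]".
# The number after ';' is the link option: bit 1 = link disabled, bit 2 = enforced.
function Get-GpLinks {
    param([string]$Dn, [string]$Scope)
    $obj = Get-ADObject -Identity $Dn -Properties gPLink
    if (-not $obj.gPLink) { return }
    foreach ($m in [regex]::Matches($obj.gPLink, '\[LDAP://([^;]+);(\d+)\]')) {
        $gpoDn = $m.Groups[1].Value
        $opts  = [int]$m.Groups[2].Value
        # A link can point at a GPO that no longer exists (orphaned link); report it rather than fail.
        $gpo   = Get-ADObject -Identity $gpoDn -Properties displayName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope    = $Scope
            LinkedTo = $Dn
            GPO      = if ($gpo) { $gpo.displayName } else { '(missing GPO object)' }
            GpoGuid  = ($gpoDn.Split(',')[0]) -replace '^CN=', ''
            Enforced = [bool]($opts -band 2)
            Disabled = [bool]($opts -band 1)
        }
    }
}

$links = @()
$links += Get-GpLinks -Dn $domain.DistinguishedName -Scope 'Domain'
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $links += Get-GpLinks -Dn $ou.DistinguishedName -Scope 'OU'
}
foreach ($site in Get-ADObject -Filter 'objectClass -eq "site"' -SearchBase $sitesDN) {
    $links += Get-GpLinks -Dn $site.DistinguishedName -Scope 'Site'
}

# Any link for this GPO outside the Domain Controllers OU (or at site level)
# would explain gpresult reporting it on ordinary workstations.
$links | Where-Object { $_.GPO -eq 'Default Domain Controllers Policy' } |
    Format-Table Scope, LinkedTo, Enforced, Disabled -AutoSize

# Full inventory, to compare against what GPMC and ADUC display
$links | Sort-Object Scope, LinkedTo | Format-Table -AutoSize
```

Compare the Site rows with what GPMC shows under Sites (it lists sites only after you add them explicitly), and compare each GpoGuid with the folders under SYSVOL\domain\Policies to spot links left behind by the demoted DC.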
Oops - I typed my post wrong. :-(
The Default Domain CONTROLLER policy is affecting all computers when it should not be. It is only linked to the DC OU, but is acting as if it is linked to the entire domain.
"Roger Abell [MVP]" wrote:
> Try using the dcdiag and netdiag utilities, on the DCs and on a
> client that shows this issue.
> BTW, linking both the Default Domain and the Default Domain
> Controllers GPOs to only the Domain Controllers OU is bizarre.
> The Default Domain GPO belongs on the domain object, although
> if it has been altered you probably would not want to do that in the
> blind. Perhaps use GPMC to clone the existing one, link the new one to
> the DCs OU for the time being, restore the Default Domain GPO
> to install defaults and link it to the domain. It for example carries
> Kerberos settings (that you should want) and Account policies that
> are only effective if linked to the domain.
> Then look carefully at what is in the clone impacting the DCs.
>
> Roger
>
> "KevinW2104" <KevinW2104[ at ]discussions.microsoft.com> wrote in message
> news:A618867A-3308-4956-B82B-19A33D6B1989[ at ]microsoft.com...
>
> > > "theta12" wrote:
> > >
> > > Just a shot in the dark here, but have you verified that all the FSMO
> > > roles have been transferred to one of the other functioning DCs? If
> > > this started happening after you removed the old domain controller, it
> > > sounds like the old DC still had some roles or functionality assigned to
> > > it. I could be way off.
> > >
> >
> > Good idea. I hadn't thought to check those. I'll let you know the results
> > soon. :-)
Sorry - I meant from the first to say that the Default Domain CONTROLLER Policy is affecting all domain computers, even though it should only be applied to the Domain Controller servers in the Domain Controllers OU.
I wish there was a way to edit the title of the thread...