Group policy applies even if I block it from Delegation tab

-

hi.

i block "wpad proxy" policy delegation tab. put permission group email_allow ->  read:no.

everything worked pretty well. 1 day policy started apply clients.

gpresult clients, , group policy results wizard show same result.

rsop data domain\username on computername : logging mode ----------------------------------------------------------------  os configuration: member workstation os version: 6.1.7601 site name: n/a roaming profile: n/a local profile: c:\users\username connected on slow link?: no   user settings --------------     cn=username,ou=subou1,ou=ou1,dc=loc,dc=domain,dc=com     last time group policy applied: 6/20/2016 @ 8:39:52     group policy applied from: dc1.loc.domain.com     group policy slow link threshold: 500 kbps     domain name: domain     domain type: windows 2000      applied group policy objects     -----------------------------         usertile         bginfo         default domain policy         user_comp_assign         flashplayer         admin_shares         allow remote assitance         firefox         firewall         install_certificates         java32         localadmin         netsupport         reader         klmover         wpad proxy
the user part of following security groups
    ---------------------------------------------------
        domain users
        everyone
        builtin\users
        nt authority\interactive
        console logon
        nt authority\authenticated users
        this organization
        local
        email_allow
        medium mandatory level

the weird thing here that computer policies are displayed here in user settings. flashplayer, admin_shares gpos are only computer settings policies. should not here. actually, should (took working computer):

user settings --------------     cn=username,ou=subou1,ou=myou1,dc=loc,dc=domain,dc=com     last time group policy applied: 6/17/2016 @ 2:35:15 pm     group policy applied from:      dc1.loc.domain.com     group policy slow link threshold:   500 kbps     domain name:                        domain     domain type:                        windows 2008 or later      applied group policy objects     -----------------------------         usertile         bginfo         user_comp_assign         netsupport         no_proxy

however, figured out security settings of gpo applied successfully (denies access gpo). client computer trying access policy \\loc.domain.com\sysvol\loc.domain.com\policies\{0a7a5390-ead6-4deb-ba95-2f3ea4dd2861} , don't have permission. so, physically clients can't access policy. though applied.

dcdiag - no errors on every dc.



finally, found solution.

there update ms16-072 \ kb3163622. it fixes man-in-the-middle theoretical attack flaw in windows. , changes "security context user group policies retrieved" organizations using group policy.

to fix gpo security issue need add “authenticated users” group “read” permissions on affected group policy objects (gpos).

for further information read following article: https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

in case, gpo's applied if block them security tab.

to fix need add security group "read" permission and deny "apply group policy" permission on gpos.

that's how block gpos applying groups.



Windows Server  >  Group Policy



Comments

Post a Comment

Popular posts from this blog

DCOM received error "2147746132" from...

-
hi everybody, i have dc (my windows essentials 2012 server) , windows 2012 server in network.  the windows server 2012 inside domain. on server, got "non stopping" error says in event logs : ===> dcom received error "2147746132" fromd computer xxxx(my dc computer) while server trying activation : {6df8cb71-153b-4c66-8fc4-e59301b8011b} it never stops, got 11000+ new events :s i found : http://support.microsoft.com/kb/971153/fr i'm not sure should ? does got idea ? matthieu. hi, please try solution mentioned in below link: http://www.eventid.net/display-eventid-10006-source-dcom-eventno-272-phase-1.htm regards, cicely Windows Server  >  Windows Server 2012 General ...
Read more

ADFS 3.0 Event ID 4625 | An Error occurred During Logon | Status: 0xC000035B

-
we're getting these random errors on our adfs security logs, how can track down generating them? an account failed log on. subject: security id: null sid account name: - account domain: - logon id: 0x0 logon type: 3 account logon failed: security id: null sid account name: account domain: failure information: failure reason: an error occured during logon. status: 0xc000035b sub status: 0x0 process information: caller process id: 0x0 caller process name: - network information: workstation name: - source network address: - source port: - detailed authentication information: logon process: kerberos authentication package: kerberos transited services: - package name (ntlm only): - key length: 0 event generated when logon request fails. generated on computer access attempted. subject fields indicate account on local system requested logon. commonly service such server service, or local process such ...
Read more

DFSR RPC replication errors 5014 1726 with large files over VPN

-
i have similar issue ryan in reply http://social.technet.microsoft.com/forums/en-gb/winserverfiles/thread/6d49fd71-2236-4fcb-9763-bf1c03459ee8 cited below. start additional thread here because other 1 related windows server 2003 (r2) , i'm (as ryan) on windows 2008 r2 x64. here first of post ryan: i've got same problem on 2008 r2 dfsr server.  the spoke server has 2x intel 1 gigb on-board nics in active/standby teamed configuration. the hub server (running on vmware using 10gbit vmnet3 nic driver) logs dfsr event 5014 every 2-15mins (usually around 5mins). the spoke server not log event. replication running slowly. initial sync/replication. had re-configure replication folder because of lost dfsr database on spoke server.  could teamed nic on spoke causing error on host? a note: last time did initial sync on folder processed @ 30k files , hour. time it's doing few hundred and hour. another note: hub server has several replication groups , conne...
Read more