~Eric,

“If you have a policy out there resetting the local admin password, how are you storing the new password in the script?”

Fully admitting I haven’t delved deeply into this…. As a parameter to the script passed from the GPO settings on a Startup Script object?

-rtk

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

If I could ask what might be the obvious, from a security perspective…. If you have a policy out there resetting the local admin password, how are you storing the new password in the script? Hopefully you have something very clever in place, else I can get the local admin password out of your policy in so many ways:

And if you haven’t taken precautions, you should assume local admin on any machine with this password is local admin on them all. For it only takes one bad apple to spoil the whole bushel.

~Eric

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey

Thanks Darren- I ran the gpotool as you suggested. As part of the output I am told:

Error: ServerName1 - Servername2 sysvol mismatch

AND

DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version 0<users> 37<machine>
Sysvol: 0<user> 37<machine>
Flags: 0
User extensions: not found
Machine extensions: .....
Functionality version: 2

All of the functionality versions are 2.

Thanks,
Brenda

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia

Brenda-

This usually means that the client is looking at the GPO's version number and it is showing up as 0 for computer revisions (in other words, it doesn't think any computer policy has been set in that GPO). Run gpotool.exe (from Win2K reskit or part of XP and 2003) against your DCs and see if any of them show a revision number of 0 for the computer side of the GPO containing your script. This could still mean that you have some issues with sysvol replication.

Essentially, there is a file called gpt.ini that is stored with the GPO in sysvol on each DC. This file contains a version number that lists how many changes were made to the computer and user sides of a GPO. That version should be the same as the version of that GPO held on the versionNumber attribute of the GPC object in AD. If there are discrepancies, then gpotool will tell you.

Darren

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey

I am no longer having replication issues on any servers, however, now when I run gpresult I am told that my gpo was not applied because it is empty. I can manually open the GPO and see my startup script is there.

Thanks,
Brenda

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey

I have created a startup script to change my administrator password on specific machines as part of my group policy. These computers are part of a group, I have applied the policy to this group, and set the security permissions appropriately. When I run gpupdate on the pc, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed.

I have run replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is out of hard drive space on c:. Could 1 out of 30 dc's be causing the problem, or is there something else I am missing? How long should it take, before the policy takes effect?

Thanks,
Brenda
- RE: [ActiveDir] GPO not applied - thinks it is empty Rick Kingslan
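
The comparison Darren describes (the gpt.ini version in sysvol against the versionNumber attribute of the GPC object), as an added PowerShell example that is not part of the original thread. It assumes the usual layout of the number, with the user revision in the upper 16 bits and the computer revision in the lower 16; the function names and the per-DC sample data are constructed for illustration.

```powershell
# Added example. Sample values are constructed; function names are hypothetical.
function Get-GptIniVersion {
    param([Parameter(Mandatory)][string]$Text)
    # gpt.ini carries the counter as "Version=<n>" under [General].
    if ($Text -match '(?im)^\s*Version\s*=\s*(\d+)\s*$') { return [long]$Matches[1] }
    throw 'gpt.ini has no Version= line'
}

function Split-GpoVersion {
    param([Parameter(Mandatory)][long]$Version)
    # Assumption (not stated in the thread): high 16 bits = user, low 16 bits = machine.
    [pscustomobject]@{
        User    = [int][math]::Floor([double]$Version / 65536)
        Machine = [int]($Version % 65536)
    }
}

function Test-GpoVersion {
    param([string]$DC, [string]$GptIni, [long]$DsVersion)
    $sysvol = Split-GpoVersion (Get-GptIniVersion $GptIni)
    $ds     = Split-GpoVersion $DsVersion
    $notes  = @()
    if ($sysvol.User -ne $ds.User -or $sysvol.Machine -ne $ds.Machine) {
        $notes += 'sysvol mismatch'
    }
    if ($sysvol.Machine -eq 0 -or $ds.Machine -eq 0) {
        # A client that reads 0 here treats the computer side of the GPO as empty.
        $notes += 'machine revision 0: client sees no computer policy'
    }
    if (-not $notes) { $notes = @('consistent') }
    [pscustomobject]@{
        DC     = $DC
        DS     = '{0}<user> {1}<machine>' -f $ds.User, $ds.Machine
        Sysvol = '{0}<user> {1}<machine>' -f $sysvol.User, $sysvol.Machine
        Result = $notes -join '; '
    }
}

# Constructed inputs: gpt.ini text from each DC's sysvol copy and the GPC versionNumber.
$samples = @(
    [pscustomobject]@{ DC = 'DC-A'; GptIni = "[General]`r`nVersion=37`r`n";     DsVersion = 37 }
    [pscustomobject]@{ DC = 'DC-B'; GptIni = "[General]`r`nVersion=0`r`n";      DsVersion = 37 }
    [pscustomobject]@{ DC = 'DC-C'; GptIni = "[General]`r`nVersion=131109`r`n"; DsVersion = 131109 }
)
$samples | ForEach-Object {
    Test-GpoVersion -DC $_.DC -GptIni $_.GptIni -DsVersion $_.DsVersion
} | Format-Table -AutoSize
```

With these inputs DC-A and DC-C report as consistent, while DC-B reports both a sysvol mismatch and a machine revision of 0, the condition under which a client reports the GPO as empty.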
