Simple obvious things first. Have the servers been rebooted since their OU and group memberships have been changed?
Tony Kibble | Sr. Data Security Technologist | Business Information Security Officer - International | IT

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: 02 October 2015 15:58
To: [email protected]
Subject: [NTSysADM] WSUS GPO seems inaccessible but only for new members

This is odd. I have a GPO which assigns WSUS settings; criteria is that computer account must be in a specific OU, and a member of a specific AD group. This has been working well for years.

Now, we've added a couple new servers at a remote site, and so I set them up for WSUS (moved their machine accounts to the right OU, added them to the right group). In AD, that's what I see, and the changes have replicated to all DCs.

When I do a Group Processing Policy result for these accounts, it sees that the GPO is being listed as "inaccessible". Also, the GPO is being listed by its GUID, and not its name.

I don't know what's up with that, as the other accounts that this GPO applies to properly show the GPO as applied, and with its proper name. It's only these new members that are showing this. (I spot checked 3 or 4 other group members; they all show it as applied).

So what would cause these new members to not be able to read the GPOs (that's what inaccessible usually means, right?). The GPO is accessible to all the other group members, so it shouldn't be a permissions issue of the GPO itself, I wouldn't think.

Doing a "gpresult /r" on these new members, the group membership does NOT show the new groups the account belongs to, but DOES show that it is in the correct OU (I see the OU name in the CN). It says that Group Policy is being applied, as it is listing the 3 GPOs above as being DENIED, but doesn't show the last GPO (the WSUS one). It DOES show the proper group memberships for the logged on user, too. (not that that is relevant to the GPO, but does sort of indicate that the machine is speaking to AD).

I see no errors in event log on the member server. Not seeing anything in the event log of the DC that the member says it is getting its GPO info from, either.

Ideas as to where to go next? I have IP connectivity; the member is doing what it's supposed to do (some sort of security camera setup). It does run antivirus - Kaspersky for Windows Servers 8.0.2.213, like other servers. The AV policy shouldn't be blocking anything AD related ...
