On Fri, Oct 2, 2015 at 11:05 AM, Kibble,Tony <[email protected]> wrote: > > Simple obvious things first. > > > > Have the servers been rebooted since their OU and group memberships have been > changed?
Not in the middle of the day, these are production machines. :-) And they shouldn't need to be rebooted, the gprsult shows the OU change. And the gpupdate /force should negate the need for a reboot (based on the simple changes I made to the machine account). > > > > Tony Kibble | Sr. Data Security Technologist | Business Information Security > Officer - International | IT > > > > From: [email protected] [mailto:[email protected]] > On Behalf Of Michael Leone > Sent: 02 October 2015 15:58 > To: [email protected] > Subject: [NTSysADM] WSUS GPO seems inacessible but only for new members > > > > This is odd. I have a GPO which assigns WSUS settings; criteria is that > computer account must be in a specific OU, and a member of a specific AD > group. This has been working well for years. > > > > Now, we've added a couple new servers at a remote site, and so I set them up > for WSUS (moved their machine accounts to the right OU, added them to the > right group). In AD, that's what I see, and the changes have replicated to > all DCs. > > > > When I do a Group Processing Policy result for these accounts, it sees that > the GPO is being listed as "inaccessible". Also, the GPO is being listed by > it's GUID, and not it's name. > > > > I don't know what's up with that, as the other accounts that this GPO applies > to properly show the GPO as applied, and with it's proper name. It's only > these new members that are showing this. (I spot checked 3 or 4 other group > members; they all show it as applied). > > > > So what would cause these new members to not be able to read the GPOs (that's > what inaccessible usually means, right?). The GPO is accessible to all the > other group members, so it shouldn't be a permissions issue of the GPO > itself, I wouldn't think. > > > > Doing a "gpresult /r" on these new members, the group membership does NOT > show the new groups the account belongs to, but DOES show that it is in the > correct OU (I see the OU name in the CN). It says that Group Policy is being > applied, as it is listing the 3 GPOs above as being DENIED, but doesn't show > the last GPO (the WSUS one). > > > > It DOES show the proper group memberships for the logged on user, too. (not > that that is relevant to the GPO, but does sort of indicate that the machine > is speaking to AD). > > > > I see no errors in event log on the member server. Not seeing anything in the > event log of the DC that the member says it is getting it's GPO info from, > either. > > > > Ideas as to where to go next? I have IP connectivity; the member is doing > what it's supposed to do (some sort of security camera setup). It does run > antivirus - Kaspersky for Windows Servers 8.0.2.213, like other servers. The > AV policy shouldn't be blocking anything AD related ... > > > > > > > > > > > ________________________________ > > DISCLAIMER > > This material has been checked by us for computer viruses and, although none > has been found, we cannot guarantee that it is completely free from such > problems and we do not accept liability for loss or damage which may be > caused. > > This message is intended only for use of the individual or entity to whom it > is addressed and may contain information which may be privileged and > confidential. If you are not the intended recipient you are hereby notified > that any dissemination, distribution or copying of this communication is > strictly prohibited. If you have received this e-mail in error, please notify > the sender immediately via e-mail and delete the message. Thank you. > > ******************************************************* > > Travelers Insurance Company Limited is authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority in the > UK and is regulated by the Central Bank of Ireland for conduct of business > rules. Registered in England 1034343. Registered as a branch in Ireland > 903382. > > Travelers Syndicate Management Limited is authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority and the > Prudential Regulation Authority. Registered in England 03207530. > > Travelers Underwriting Agency Limited is authorised and regulated by the > Financial Conduct Authority. Registered in England 03708247. > > Travelers Professional Risks Limited is an appointed representative of > Travelers Insurance Company Limited which is authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority and the > Prudential Regulation Authority. Registered in England 05201980 > > Travelers Management Limited. Registered in England 00972175. > > The registered offices for all companies listed above is: Exchequer Court, 33 > St Mary Axe, London, EC3A 8AG. > All other branch offices are available from our websites. > > travelers.co.uk > travelers.ie > > Issues to: mailto: [email protected] > ________________________________ > This communication, including attachments, is confidential, may be subject to > legal privileges, and is intended for the sole use of the addressee. Any use, > duplication, disclosure or dissemination of this communication, other than by > the addressee, is prohibited. If you have received this communication in > error, please notify the sender immediately and delete or destroy this > communication and all copies. > > TRVDiscDefault::1201
