I've been having some weird group policy issues lately, so I wanted to test on a clean setup and haven't had any luck, so I'm hoping someone else can shed some light. This is on Windows 2003 R2.
I created a test user and added it to a test global group. I then set up a GPO linked to the root of the domain that has security filtering to only apply to the test group and tried to see if my settings applied.
If I use Group Policy Modeling, everything looks correct, but when I do Group Policy Results or check the actual machine, nothing gets applied. I first thought I had GP issues and tried the usual with rebooting, gpupdate, waiting a day hoping things would apply, etc. I then tried creating a different user, tried a different machine, even tried adding the Administrator account to the test group and nothing worked.
Then I noticed that under "Security Group Membership when Group Policy was applied" in GPMC and "The user is a part of the following security groups," the test group is not listed as a group the user is a member of.
I've tried creating a different domain local group. I've tried adding Administrator to the groups and seeing if the GPs will apply to that account, but it doesn't.
However, if I create a share on the domain controller and only give that group access to it, the test user can access it fine, so I know the user is definitely a member of that group.
How can I convince GP that my user is really a member of those groups?
Have you checked your eventvwr logs? Do you have other Domain Controllers (DCs) in this domain? Which one is the Global Catalog (GC) FSMO? Try running
and check the output for problems, especially with the SYSVOL and/or replication with other DCs.
THIS CAN BE DANGEROUS: If this is not the only DC in the directory, and the event logs don't reveal anything, try making a copy of the sysvol\domain\policies and place it elsewhere on the hard drive of the server. Make sure you do this during off hours and make sure you perform a complete AD backup using:
Copy the ForestBackup.bkf off of the server after the backup is complete.
After you create the backup and copy it elsewhere, delete the sysvol\domain\policies directory. Then force a replication with another DC in the Directory using replmon.exe.
Check the FRS eventlog and see if you get messages about a successful sysvol replication. Keep in mind that until Sysvol is completely restored, your server will not be able to act as a DC, so make sure that another DC is available to your clients...
Sounds like GPO inheritance might be a possible cause. Have a look here: http://technet.microsoft.com/en-us/library/cc739343(WS.10).aspx