DC's not replicating policy to member server


  • DC's not replicating policy to member server

    I have a 2003 Server network with 2 domains. All DC's and member servers have SP2 applied. I have been adding Admin type accounts using Delegation on an OU. Then, in order to control this, I have been modifying the policy under Local Rights Assignments for "Log on locally" and "Log on using Terminal Services".
    When I first applied this, it seemed to work on several of the member servers. On closer examination of Local Security Policy on each member server, the policy had not been replicated. The trend wasn't common in that some servers in the DMZ had been populated and some not, and even some servers on the inside had and some had not.

    I have run DCDIAG and no errors were reported, and checked event logs - no errors in there. I have done tests like changing passwords on a user's account to see if it is changing. This works fine.
    Any ideas as to why this replication worked on some member servers and NOT on some? I even took one of the member servers it failed on out of the domain and back into the domain. It still didn't work.

  • #2
    Re: DC's not replicating policy to member server

    Hi,

    A couple of things to check,

    The computer accounts are all on the OU.
    Try the Group Policy Results wizard from GPMC for one of the problematic computers to check what policies are applied.

    Ta
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: DC's not replicating policy to member server

      I have checked the policy, nothing is being replicated to certain member servers. The user in the OU I am not even testing as yet, as it relies on the Group Policy being replicated.



      • #4
        Re: DC's not replicating policy to member server

        How/Where is this ? Group Policy Results wizard from GPMC



        • #5
          Re: DC's not replicating policy to member server

          Originally posted by [email protected]
          How/Where is this ? Group Policy Results wizard from GPMC
          On the GPMC console, The bottom one on the left hand section.
          The GUI version of RSOP.


          • #6
            Re: DC's not replicating policy to member server

            Originally posted by [email protected]
            How/Where is this ? Group Policy Results wizard from GPMC
            Also, available as a snap-in.

            Go to run, type MMC.

            File, Add/Remove Snap-in.

            Add 'Resultant Set of Policy'. Follow other prompts.

            Right click on the main container and follow the wizard through.



            • #7
              Re: DC's not replicating policy to member server

              New changes don't seem to be replicated. Just added a user account to log on as a service. But this has not replicated.



              • #8
                Re: DC's not replicating policy to member server

                Originally posted by [email protected]
                New changes don't seem to be replicated. Just added a user account to log on as a service. But this has not replicated.
                Can you be a bit more clear as to what you are trying to achieve, because I'm getting a bit lost?
                Also it's not called replication, maybe propagation.
                Are you editing an existing GPO or are you creating a new one?
                Have you checked with RSOP if the policy has been applied?
                Have you run GPUPDATE on the machine where the policy is intended for?

                Ta


                • #9
                  Re: DC's not replicating policy to member server

                  Well, originally the task was to create a group and user and Delegate Control so that the user can only reset passwords and NOT change them.
                  So to make this happen, I also had to modify the main policy to allow the user account to sign on to DC's and member servers, as there are local accounts involved as well.
                  All seemed to be working and I modified the main policy to allow local login by group membership and logon using Terminal Services....
                  But then for no reason we started to lose the ability to sign on to member servers from user accounts that previously were allowed to log in.
                  At this point I noticed that global settings were selectively applied to member servers.

                  Ran GPUPDATE on a member server that had not propagated and it still did not work.



                  • #10
                    Re: DC's not replicating policy to member server

                    Sorry if I'm asking stupid and/or obvious questions or ones that have already been asked/answered - are both the computer and the user in the correct OU?

                    Are you remembering the correct order GPOs are applied in? Local System, Domain, Org. Unit

                    Is another GPO overriding this?

                    gpresult | more will tell you which policies are applied, and which are valid but not applied for whatever reason.
                    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif
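
The replies above suggest checking with RSOP and gpresult which settings actually reached each member server. As an added example (not part of any post in this thread), the sketch below compares the effective user rights exported from several servers with `secedit /export /areas USER_RIGHTS` and lists the servers where an expected grant is missing. The server names, the delegated group SID and the export text are constructed sample data.

```python
# Added example. Each export is assumed to come from running on that server:
#   secedit /export /areas USER_RIGHTS /cfg rights.inf
# Server names, SIDs and export text below are constructed sample data.
RIGHTS = {
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
}

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are not.
            rights[name.strip()] = {m.strip().lstrip("*").upper()
                                    for m in value.split(",") if m.strip()}
    return rights

def missing_grants(exports, expected):
    """Return {server: {right: [principals absent from that right]}}."""
    report = {}
    for server, inf_text in exports.items():
        actual = parse_privilege_rights(inf_text)
        gaps = {right: sorted({p.upper() for p in wanted} - actual.get(right, set()))
                for right, wanted in expected.items()}
        gaps = {right: miss for right, miss in gaps.items() if miss}
        if gaps:
            report[server] = gaps
    return report

ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN Administrators
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
EXPECTED = {right: [ADMINS, HELPDESK] for right in RIGHTS}
EXPORTS = {
    "MEMBER-A": "[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
                f"SeInteractiveLogonRight = *{ADMINS},*{HELPDESK}\n"
                f"SeRemoteInteractiveLogonRight = *{ADMINS},*{HELPDESK}\n",
    "MEMBER-B": "[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
                f"SeInteractiveLogonRight = *{ADMINS}\n",  # GPO value absent
}

if __name__ == "__main__":
    for server, gaps in missing_grants(EXPORTS, EXPECTED).items():
        for right, principals in gaps.items():
            print(f"{server}: {RIGHTS[right]} lacks {', '.join(principals)}")
```

A server that shows up in the report is one where the GPO setting never became the effective local value, which narrows the follow-up to that machine's gpresult output and OU placement.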



                    • #11
                      Re: DC's not replicating policy to member server

                      Thanks for that, everything is where it should be. The problem is, the changes were done on a Development domain prior to going "live" and this network is played around with lots. So, the issues might be created by the network.
                      The issue of OU management is not really an issue as this is a production network not with any user accounts that sign on using the full power of the GP in AD.

                      Was hoping someone might have seen this before. I can't see any reason as to why changing those settings should create such mixed findings when signing/attempting to sign on to member servers in the domain.
