Windows Server 2012 - Domain Local Group not getting members?


  • Windows Server 2012 - Domain Local Group not getting members?

    Hi,

    I have a single forest with 3 subdomains, all at Windows 2008 R2 functional level, and recently I decided to add a Windows Server 2012 DC (after some lab tests) to the smallest subdomain we had, which had 2 DCs on Windows 2008 R2.

    Since all was going smoothly with the 1st DC, after some weeks I decided to add the 2nd DC on that subdomain; both were fresh installs, by the way.

    So that subdomain now has 2 DCs on Windows Server 2012, but we kept the domain functional level at Windows 2008 R2.

    All went well so far, until we noticed one GPO wasn't working properly: our Restricted Groups GPO that adds some IT users from the Service Desk Team.

    Oddly, it only happens on that particular subdomain (all was fine before introducing these 2 DCs on Windows Server 2012); the other 2 domains have the exact same settings and philosophy and are still working properly.

    Imagine the following scenario:
    Domain company.local with following subdomains, hq.company.local, stores.company.local and brand.company.local

    On hq.company.local we have the IT group (Global) that belongs to ServiceDeskLocalAdmins (Universal).

    On each subdomain (all 3), hq\ServiceDeskLocalAdmins and the respective Domain Admins (Global) are mapped to a DomainLocalAdmins (Local) group on that subdomain.

    This scenario is the way it has been working all these last years (and is best practice for nesting groups, I believe); now, since we upgraded (fresh installs) the 2 DCs of brand.company.local, it stopped working only on that specific domain.

    It appears that brand\DomainLocalAdmins doesn't read/get the members from hq\ServiceDeskLocalAdmins and brand\Domain Admins on the Restricted Groups, while the other subdomains keep working fine like before.

    If I test the same user's membership on the 3 subdomains, it goes well on the hq and stores subdomains:

    The user is a part of the following security groups:
    ----------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    BUILTIN\Administrators
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    ...
    ServiceDeskLocalAdmins
    DomainLocalAdmins

    But if I test the same user's membership on the brand subdomain:

    The user is a part of the following security groups:
    ----------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    ...
    ServiceDeskLocalAdmins
    The DomainLocalAdmins is not listed there, and the same goes for other accounts (that output is from the Domain Administrator).

    I could map the hq\ServiceDeskLocalAdmins and brand\Domain Admins groups directly in the Restricted Groups GPO instead of using brand\DomainLocalAdmins, but before I start rolling out more DCs on 2012, I would like to understand why this is happening.

    Thanks for your help or any tip.

  • #2
    Re: Windows Server 2012 - Domain Local Group not getting members?

    The first thing I would recommend would be to run GPRESULT against the new server and see if the GPO is being applied and, if not, why not.
    • #3
      Re: Windows Server 2012 - Domain Local Group not getting members?

      Hi, thanks for the idea, but I did that already before: gpresult with verbose output (also rsop.msc). The first membership output above is from a working subdomain and the 2nd output is from the (now) non-working subdomain.

      And yes, the GPO in question is applied there; I see brand\DomainLocalAdmins being applied to Builtin\Administrators through the Restricted Groups GPO. I never had this issue; this is an old GPO that worked fine and is still being applied.

      The problem (apparently) is that brand\DomainLocalAdmins, a Domain Local group, apparently doesn't read Global groups anymore? Not even the default Domain Admins? That's odd behavior.

      Results are pretty much the same against DC1.brand and DC2.brand, although, curiously, if I pipe the dsquery command, it reads fine?

      But when the user logs on, it doesn't get that he belongs to brand\DomainLocalAdmins.

      If I map directly to the Universal group from the other (hq) subdomain, he gets the right permission, but no longer from brand\DomainLocalAdmins, whereas before these fresh DCs on 2012 it worked pretty well.

      If I do a dsquery group DomainLocalAdmins | dsget group -members | dsget group -members, it maps the users fine?
      But not when I log in with that user? When it did before?
      That's what's puzzling me...

      Here's a simple diagram of the scenario, which always worked and now stopped only for the brand subdomain:
      img7.imageshack.us/img7/7818/localadminspermissions.png
      Last edited by ntex; 15th May 2013, 15:23. Reason: Diagram added
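The comparison the thread does by hand (dsquery/dsget showing the nested members of brand\DomainLocalAdmins versus the group list of the logged-on user in post #1 and post #3) can be scripted. The following is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, that it runs in the affected user's own session on a brand member, and that the group's DN is the one built below from the thread's names.

```powershell
# Added example (not from the thread): resolve a domain local group's nested membership
# from the directory, then check whether the current user's logon token carries that
# group, mirroring the thread's dsquery/dsget vs. logon-time membership comparison.
# Assumes the RSAT ActiveDirectory module and that it runs in the affected user's session
# on a member of the brand domain. The group DN below is assumed from the thread's names.
Import-Module ActiveDirectory

$GroupDN = 'CN=DomainLocalAdmins,CN=Users,DC=brand,DC=company,DC=local'  # assumed DN

function Get-DomainFromDN {
    # 'CN=x,OU=y,DC=brand,DC=company,DC=local' -> 'brand.company.local'
    param([string]$DN)
    (($DN -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
}

function Get-NestedGroupMembers {
    # Walks the 'member' attribute recursively. Each member is looked up in its own
    # domain so a global group from hq nested in a brand domain local group expands too.
    param([string]$GroupDN, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDN)) { return }   # guard against circular nesting
    $Seen[$GroupDN] = $true
    $grp = Get-ADGroup -Identity $GroupDN -Properties member -Server (Get-DomainFromDN $GroupDN)
    foreach ($dn in $grp.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid -Server (Get-DomainFromDN $dn)
        if ($obj.ObjectClass -eq 'group') { Get-NestedGroupMembers -GroupDN $dn -Seen $Seen }
        else { $obj }
    }
}

function Test-TokenHasGroup {
    # Compares by SID, not name, so a same-named group in another domain cannot mislead.
    param([string]$GroupDN)
    $grp = Get-ADGroup -Identity $GroupDN -Server (Get-DomainFromDN $GroupDN)
    $tokenSids = (whoami /groups /fo csv | ConvertFrom-Csv).SID
    [bool]($tokenSids -contains $grp.SID.Value)
}

$me          = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$members     = @(Get-NestedGroupMembers -GroupDN $GroupDN)
$inDirectory = [bool]($members.objectSid.Value -contains $me.User.Value)
$inToken     = Test-TokenHasGroup -GroupDN $GroupDN

"Logon server: $env:LOGONSERVER"
"Directory says member of ${GroupDN}: $inDirectory"
"Logon token contains the group:      $inToken"
if ($inDirectory -and -not $inToken) {
    'Membership exists in AD but not in the token: log off/on to rebuild it and repeat against each DC of the domain.'
}
```

Printing $env:LOGONSERVER alongside the result shows which brand DC built the token, which is what you want to know when the directory view and the token view disagree.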

      • #4
        Re: Windows Server 2012 - Domain Local Group not getting members?

        Apparently the problem solved itself or it was something in the last updates released, I don't know, but one thing is certain: it's back to working as before.

        Never had problems with replication or the GPO not being applied.