I have two Windows Server 2012 Domain Controllers that inherited settings from old GPOs which had been edited since the Windows 2003 days. I did not realize there was a problem until some of the features I wanted to use started misbehaving (access denied errors and the like).
Obviously the DCs had been joined to the domain and placed in the "Domain Controllers" OU by default when they were dcpromo-ed, so the old GPO got applied to them.
So to clean up all the registry and file-system security settings that have been applied to the DCs, I need to reset the Default Domain Policy and the Default Domain Controllers Policy. Before I do that I back them up first (in GPMC or with Backup-GPO), just in case: DCGPOFIX rewrites only these two GPOs, but it rewrites them to their out-of-the-box state, so any legitimate customization made in them over the years (audit policy, user rights assignments, Kerberos and password settings) is lost with them. Other GPOs linked to the domain or to the Domain Controllers OU are not touched and keep applying.
To reset the two GPOs, run the following command on a DC (it resets both by default; /target:Domain or /target:DC limits it to one of them):
C:\> DCGPOFIX
Then I need to clean up the settings that have already been applied locally on each DC, by re-applying the default DC security template on each of them:
C:\> secedit /configure /cfg C:\windows\inf\defltdc.inf /db defltdc.sdb /overwrite
Reboot the DC. The template resets the registry, file-system and service ACLs and the user rights on that DC to their defaults; after the reboot, gpresult /scope computer /r shows which GPOs are being applied again.
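The whole procedure as one elevated PowerShell session on a DC, as an added example that is not part of the original post: it backs up both default GPOs by their well-known GUIDs (so they can be restored with Restore-GPO if the reset removes something that was needed), runs DCGPOFIX, compares the local security settings against defltdc.inf before applying the template, and then applies it. The backup directory and the log file locations are assumptions; the GroupPolicy module (RSAT / GPMC) is assumed to be installed.

```powershell
# Added example, not code from the original post. Run elevated on a domain controller.
# Assumptions: $BackupPath is a directory that is itself backed up; the GroupPolicy
# module is available; dcgpofix and secedit are the built-in Windows tools.
$BackupPath = 'C:\GPOBackup'
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

Import-Module GroupPolicy

# Well-known GUIDs of the two GPOs that DCGPOFIX rewrites.
$defaults = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

# 1. Back up both GPOs and record the backup IDs (needed by Restore-GPO -BackupId).
foreach ($name in $defaults.Keys) {
    $b = Backup-GPO -Guid $defaults[$name] -Path $BackupPath -Comment "Before DCGPOFIX $(Get-Date -Format s)"
    Write-Host "$name -> backup id $($b.Id)"
}

# 2. Reset both GPOs (/target:Both is the default; /ignoreschema is only needed when the
#    schema version check fails). dcgpofix asks for confirmation; stop if it fails.
dcgpofix /target:Both
if ($LASTEXITCODE -ne 0) { throw "dcgpofix failed with exit code $LASTEXITCODE" }

# 3. On each DC: first compare the current local security settings with the default DC
#    template, so the mismatches that are about to be reset are visible in the log...
$db  = Join-Path $env:TEMP 'defltdc.sdb'
$log = Join-Path $env:TEMP 'defltdc-analyze.log'
secedit /analyze /cfg "$env:windir\inf\defltdc.inf" /db $db /log $log
Get-Content $log | Select-String 'Mismatch' | Select-Object -First 20

# ...then apply the template. /overwrite discards whatever is already stored in the .sdb,
#    so only the settings in defltdc.inf are applied.
secedit /configure /cfg "$env:windir\inf\defltdc.inf" /db $db /overwrite /log (Join-Path $env:TEMP 'defltdc-configure.log')

# 4. Reboot, then confirm which GPOs the DC applies now (uncomment when ready).
# Restart-Computer -Force
# gpresult /scope computer /r
```

Step 3 has to be repeated on every DC, because secedit only changes the machine it runs on, while step 1 and 2 are done once per domain; the GPO reset should come first, otherwise the old GPO settings are simply re-applied at the next policy refresh.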
Showing posts with label gpo. Show all posts
Wednesday, April 17, 2013
Thursday, June 12, 2008
Kerberos Ticket Granting Ticket
One day I was setting up WSUS and creating a GPO that only applies (with Security Filtering) to a security group that has computer accounts as members. So I started adding computers to this new security group.
I waited... waited... and waited... but nothing happened on the WSUS console. The computers I had added to the security group did not appear on the WSUS console.
I ran gpresult and found out that the GPO had not been applied to the computer. I ran gpupdate /force many times, but nothing worked.
It turns out that the computer does not know about its new membership until it gets a new Kerberos TGT: the computer's group memberships travel inside the TGT (in its PAC), and that ticket is issued when the computer starts. To get a fresh ticket, restart the computer, wait until the current ticket expires and can no longer be renewed (the default Kerberos policy allows renewal for up to 7 days), or use klist.exe to purge the ticket so a new one is requested. Because the computer's ticket did not yet carry the new membership, the GPO wasn't applied to it.
To use KLIST, do the following:
- get psexec.exe from MS SysInternals
- get klist.exe from the Windows Resource Kit (since Windows Vista / Server 2008 it ships with Windows in System32)
- get nltest.exe from the Windows Resource Kit (also built into Windows since Vista / Server 2008)
- run cmd.exe as a SYSTEM shell, because the computer account's tickets live in the SYSTEM logon session, not in yours:
psexec.exe /i /s /d cmd.exe
- from that new cmd prompt, run:
klist tgt
- check when the ticket was issued (StartTime) and until when it can be renewed (RenewUntil)
- to purge the tickets, run:
klist purge
- to make the computer contact a DC and request a new TGT, run (give the DNS name of the domain after the colon):
nltest /dclist:
Then you can run gpupdate /force again to apply the GPO, and then wuauclt.exe /detectnow to register the client with WSUS.
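The same procedure as an elevated PowerShell script on the client, as an added example that is not part of the original post. It goes one step beyond the post: it first checks in AD that the computer really is a member of the group, since purging tickets cannot help if the membership is missing. Instead of a psexec SYSTEM shell it uses klist's -li switch with logon ID 0x3e7, which is the SYSTEM logon session on every Windows machine, so it works with the klist.exe built into Vista / Server 2008 and later. The group name, the GPO name and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not code from the original post. Run elevated on the client computer.
# Assumptions: $GroupName and $GpoName are placeholders for the real names; the RSAT
# ActiveDirectory module is installed; klist, nltest, gpupdate, gpresult and wuauclt are
# the built-in Windows tools.
$GroupName     = 'WSUS-Clients'      # assumption: the group used in the GPO's security filtering
$GpoName       = 'WSUS Settings'     # assumption: the GPO that is filtered on that group
$SystemLogonId = '0x3e7'             # the SYSTEM logon session, where the computer account's tickets live

# 0. Make sure the membership exists on the AD side before touching any tickets.
Import-Module ActiveDirectory
$member = Get-ADGroupMember -Identity $GroupName -Recursive |
          Where-Object { $_.objectClass -eq 'computer' -and $_.Name -eq $env:COMPUTERNAME }
if (-not $member) {
    throw "$env:COMPUTERNAME is not a member of $GroupName in AD; add it first"
}

# 1. Show the computer's current TGT: StartTime is when this ticket (and the group list
#    inside it) was issued, RenewUntil is how long it could otherwise live on.
klist -li $SystemLogonId tgt | Select-String 'StartTime|EndTime|RenewUntil'

# 2. Purge the computer's tickets; the next contact with a DC obtains a new TGT that
#    carries the current group membership.
klist -li $SystemLogonId purge

# 3. Force that DC contact, then refresh computer policy.
nltest "/dclist:$($env:USERDNSDOMAIN)" | Out-Null
gpupdate /target:computer /force

# 4. Verify: the GPO should now be listed, and the TGT should have a new StartTime.
gpresult /scope computer /r | Select-String $GpoName
klist -li $SystemLogonId tgt | Select-String 'StartTime'

# 5. Register the client with the WSUS server.
wuauclt /detectnow
```

If step 4 still does not list the GPO, the problem is not the ticket: check the GPO's delegation (the group needs both Read and Apply group policy) and the link to the OU that contains the computer.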