If I could ask what might be the obvious, from a security perspective….
If you have a policy out there resetting the local admin password, how are you storing the new password in the script? Hopefully you have something very clever in place, else I can get the local admin password out of your policy in so many ways:
And if you haven’t taken precautions, you should assume local admin on any machine with this password is local admin on them all. For it only takes one bad apple to spoil the whole bushel.
~Eric
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Thanks Darren- I ran the gpotool as you suggested. As part of the output I am told:
Error: ServerName1 - Servername2 sysvol mismatch
AND
DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version 0<users> 37<machine>
Sysvol: 0<user> 37<machine>
Flags: 0
User extensions: not found
Machine extensions: .....
Functionality version: 2
All of the functionality versions are 2.
Thanks, Brenda
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Brenda-
This usually means that the client is looking at the GPO's version number and it is showing up as 0 for computer revisions (in other words, it doesn't think any computer policy has been set in that GPO). Run gpotool.exe (from Win2K reskit or part of XP and 2003) against your DCs and see if any of them show a revision number of 0 for the computer side of the GPO containing your script. This could still mean that you have some issues with sysvol replication. Essentially, there is a file called gpt.ini that is stored with the GPO in sysvol on each DC. This file contains a version number that lists how many changes were made to the computer and user sides of a GPO. That version should be the same as the version of that GPO held on the versionNumber attribute of the GPC object in AD. If there are discrepancies, then gpotool will tell you.
Darren
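The comparison described in the message above, as an added example that is not part of the original thread and is not gpotool's code: it checks the gpt.ini version against the AD versionNumber per DC and flags a machine revision of 0. It assumes the version value packs user revisions in the high 16 bits and machine revisions in the low 16 bits; the DC names and values are constructed sample data.

```python
import configparser

def split_version(packed: int) -> tuple[int, int]:
    """Unpack a GPO version: high 16 bits = user edits, low 16 bits = machine edits."""
    return (packed >> 16) & 0xFFFF, packed & 0xFFFF

def gpt_ini_version(text: str) -> int:
    """Read Version= from the [General] section of gpt.ini content."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser.getint("General", "Version")

def check_gpo(dc: str, ds_version: int, gpt_ini_text: str) -> list[str]:
    """Compare the AD versionNumber with the sysvol gpt.ini version for one DC."""
    ds = split_version(ds_version)
    sysvol = split_version(gpt_ini_version(gpt_ini_text))
    findings = []
    if ds != sysvol:
        findings.append(f"{dc}: sysvol mismatch, DS user/machine={ds} sysvol user/machine={sysvol}")
    if ds[1] == 0 or sysvol[1] == 0:
        findings.append(f"{dc}: machine revision is 0, clients will treat the computer side as empty")
    return findings

# Constructed sample data: (DC name, versionNumber from AD, gpt.ini text from that DC's sysvol).
SAMPLES = [
    ("dc-a", 37, "[General]\nVersion=37\n"),          # consistent
    ("dc-b", 37, "[General]\nVersion=36\n"),          # sysvol copy is one edit behind
    ("dc-c", 131072, "[General]\nVersion=131072\n"),  # user=2, machine=0
]

def run(samples=SAMPLES) -> dict[str, list[str]]:
    """Check every sample DC and return its findings keyed by DC name."""
    return {dc: check_gpo(dc, ds, ini) for dc, ds, ini in samples}

if __name__ == "__main__":
    for dc, findings in run().items():
        print(dc, findings or "consistent")
```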
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
I am no longer having replication issues on any servers, however, now when I run gpresult I am told that my gpo was not applied because it is empty. I can manually open the GPO and see my startup script is there.
Thanks, Brenda
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
I have created a startup script to change my administrator password on specific machines as part of my group policy. These computers are part of a group, I have applied the policy to this group, and set the security permissions appropriately. When I run gpupdate on the pc, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed. I have run replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is out of hard drive space on c:. Could 1 out of 30 dc's be causing the problem, or is there something else I am missing? How long should it take, before the policy takes effect?
Thanks, Brenda