Group Policy and the case of the missing permission.

Good morning.  I had a case yesterday that yielded several interesting article ideas.  This is probably the most interesting one, and I have seen this very issue on at least three occasions.  The issue started on a domain rename.  If you have ever done a domain rename, you know there are quite a few steps.  After doing some checks and making some corrections we were able to complete the domain rename.  My customer then advised that his Folder Redirection policy was not applying on any workstations.  So in this article I am going to cover how to troubleshoot a group policy not applying and the specific fix for the situation I ran into yesterday.

The first step when troubleshooting just about any group policy issue is to pull a group policy report from a client that should be getting the policy.  My preferred method is to go to a command prompt and run the following commands:

gpresult /h report.htm
report.htm

This will run the report and save it to a file called report.htm.  The second line then opens that report in a web browser.

When troubleshooting an issue where a policy is not applying I like to focus on the denied sections.  In our case folder redirection is a user policy, so I checked there.  Below is similar to what I found.
[Image: gpo-inaccessible]

There were two clues as to what the issue was here.  The first clue is that the policy name is not being displayed.  Instead we just see the GUID (Globally Unique Identifier).  The second clue is the reason denied.  We can see it was denied because the policy is inaccessible, empty or disabled.

The next step was to check to see if the policy was accessible in the SYSVOL share.  In our case we had no problem accessing the files.  We then checked in the group policy management console.  We verified the policy was not empty or disabled.  So it would appear that we have eliminated all possible issues.  However there is another set of permissions.

[Image: delegation-tab]

This was the set of permissions that were not correct in our case.  The Authenticated Users group was missing.  I have seen this issue on several occasions when one of my customers is trying to “lock down” the server.  Even if you add in another group, for instance Domain Users, and the user and/or computer is a member of that group, the GPO (Group Policy Object) will still fail to apply.  The fix is quite simple.  Add back the Authenticated Users group and give it read permissions.  After adding back Authenticated Users and running a gpupdate /force on the client the policy applied without issue.
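A quick way to find every GPO with this problem is to audit the delegation permissions from PowerShell. The script below is an added example (not from the original post); it assumes the GroupPolicy module from RSAT is available and identifies Authenticated Users by its well-known SID S-1-5-11 rather than by display name.

```powershell
# Added example, not from the original post.
# Lists GPOs in which Authenticated Users (SID S-1-5-11) has no permission at or above Read,
# which is what produces the "inaccessible, empty or disabled" denial shown in gpresult.
Import-Module GroupPolicy

# Every GPPermissionType that includes Read. GpoCustom is deliberately excluded so that
# a hand-edited ACL is reported for manual review rather than assumed to be correct.
$readOrBetter = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-GpoMissingAuthenticatedUsers {
    foreach ($gpo in Get-GPO -All) {
        $entries = Get-GPPermission -Guid $gpo.Id -All
        $authUsers = $entries | Where-Object {
            "$($_.Trustee.Sid)" -eq 'S-1-5-11' -and $readOrBetter -contains $_.Permission
        }
        if (-not $authUsers) {
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Trustees    = ($entries | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join ', '
            }
        }
    }
}

$broken = Get-GpoMissingAuthenticatedUsers
$broken | Format-Table -AutoSize

# Remediation for each reported GPO (the fix described above): grant Read to Authenticated Users.
# Uncomment once the list has been reviewed.
# foreach ($g in $broken) {
#     Set-GPPermission -Guid $g.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead
# }
```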

I hope you have found this informative.  If you have anything to add or just want to comment, please do so below.

License compliance checking in Windows Essentials and Foundation

Good morning.  I figured it was time for another post on Essentials.  Some parts of this article also apply to Foundation edition.

Let’s start off with a little background on Essentials edition.  Windows Server Essentials edition is designed for a small to medium sized business.  It is a very good option for a small to medium sized business with less than 25 users/computers.  Here are a few of the advantages to running Essentials.

  • It is less expensive than Standard edition, typically by $200-300.
  • There are no additional CALs (Client Access Licenses) to purchase.  Twenty-five user CALs are included.
  • It can be easily upgraded to Standard edition with a single command.
  • Client PC Backup is built in.  This feature automatically backs up client PCs to the server.
  • Anywhere Access is available.  This is a feature that was first introduced in SBS (Small Business Server).  It allows a user to remotely access computers and file shares.  It also allows the administrator to access the Dashboard from anywhere.  Additionally, the administrator can set up an SSTP (Secure Socket Tunneling Protocol) VPN (Virtual Private Network) via a wizard.
  • Easy integration with Microsoft cloud solutions.


What’s the catch?  There is always a catch.  Windows Essentials edition is no exception.  Below are the limitations imposed by running Essentials.

  • The Essentials server MUST be a domain controller.
  • The Essentials server must hold all the FSMO (Flexible Single Master Operation) roles.  If you want to learn more about the FSMO roles here is a good article.
  • Only one domain is permitted in the forest where the Windows Essentials edition server resides.
  • No forest/domain trusts are permitted.
  • The Remote Desktop Session Host role feature is not supported and typically will not function.

So what if the server is not a domain controller or violates one of the rules above?  This is where the Server Infrastructure License Service comes into play.  This service regularly checks the server to verify it is not violating the EULA (End User License Agreement).  If a violation is found, the server will shut down every 27.67 days (27 days, 16 hours).  Why Microsoft chose 27.67 days, I have no idea.  Before it shuts down, though, it will warn you.  The events will show up in the Server Infrastructure Licensing log.
[Image: Server Infrastructure Licensing Error]

The next question is how do we fix these errors.  I have seen three causes for this issue.  Let’s go over each one and how to fix it.  After you believe you have fixed the issue, see the next section for a way to confirm the issue is resolved.

  1. The first cause of this issue is also the most painful to fix.  If the server is demoted, and put into a workgroup it will cause this issue.  All checks will fail because the domain can no longer be contacted.  Unfortunately the only fix is to reinstall Windows on the server.
  2. The second reason these errors might crop up is the check failing due to an issue with Active Directory.  For instance, the server may not be advertising as a domain controller due to a SYSVOL issue.  If an Active Directory issue is suspected, the first place to start should be to run dcdiag.  Dcdiag will test the basic functionality and report any issues found.  As stated above, if there are SYSVOL issues, then the server will likely fail the advertising test.
  3. The last reason I have seen on more than a few occasions is the following error:

    Log Name:      Microsoft-Windows-Server Infrastructure Licensing/Operational
    Event ID:      2
    Level:         Error

    Description: The Forest Trust Check in the Licensing component did not pass because error 0x80070008 occurred in function fe1 [YJBI].
    Not enough storage is available to process this command.

    This error seems to indicate that we are low on hard drive space.  However, this is not the case.  This error is actually referring to a special pool in memory (RAM, Random Access Memory) called the heap.  The heap is a finite size, regardless of how much RAM is in the system.  Normally Windows will not experience heap exhaustion, which is when this special pool of memory is completely depleted.  However, if a program or driver is leaking memory, then the pool will eventually run out.  In case you are wondering what a memory leak is, it occurs when a program or driver allocates memory but does not free it when complete.
    So in essence this error is caused by a malfunctioning program or driver.  The good news is that every time I have seen this issue in Essentials or Foundation it was caused by a printer driver.  There are two ways to fix this problem.  The first way is to simply restart the Print Spooler service.  Restarting the Print Spooler service unloads the printer drivers and frees all memory associated with them.  This will temporarily eliminate the issue.  A scheduled task could then be created to automatically do this on a regular basis.  The optimal solution, though, is to find the problem driver and either remove or update it.
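The stop-gap described above, a scheduled restart of the Print Spooler, can be created from PowerShell. This is an added example, not from the original post; it assumes Windows Server 2012 or later (ScheduledTasks module) and an elevated session, and the task name and the 3 AM time are my choices.

```powershell
# Added example, not from the original post.
# Registers a daily task that restarts the Print Spooler, which unloads the printer drivers
# and returns the memory they leaked, as a workaround until the faulty driver is found.
# Assumes an elevated session on Windows Server 2012 or later. Task name and time are arbitrary.
$taskName = 'Restart-PrintSpooler-Workaround'

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -Command "Restart-Service -Name Spooler -Force"'
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal `
    -Description 'Workaround for heap exhaustion (licensing event ID 2, 0x80070008) caused by a leaking printer driver'

# Record a baseline so growth in spoolsv memory between restarts can be seen; a steadily rising
# PrivateMemorySize64 between two samples is the leak the post describes.
Get-Process -Name spoolsv | Select-Object Id, HandleCount, PrivateMemorySize64, StartTime
```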

So to this point we have covered some of the pros and cons of running Essentials, what happens when the EULA is violated, and some common causes for the Server Infrastructure Licensing service shutting down the server.  The last item I wanted to cover is how to force a new compliance check from the Server Infrastructure Licensing service.  This process works for both Essentials and Foundation edition.  This is useful if you are seeing compliance check errors, have taken measures to correct them, and now want to test if the issue is resolved.  It is surprisingly easy to force a compliance check.  Only one PowerShell command is required.  Ensure you run PowerShell as administrator when running this command.

Stop-Process -ProcessName silsvc -Force

The above command forces the Server Infrastructure License service process to stop.  The process will then immediately start again.  The trick here is that the Server Infrastructure License service does a compliance check every time it starts.  You should see a compliance check within 2-3 minutes after the service stops.

Well, we covered a lot of ground with this post.  If you have any questions, or any suggestions, please add a comment below.
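The forced check and the wait for its result can be wrapped together so the outcome is read from the Operational log shown earlier instead of Event Viewer. This is an added example, not from the original post; it assumes an elevated PowerShell session on the Essentials or Foundation server.

```powershell
# Added example, not from the original post.
# Forces a compliance check exactly as described above, then waits for the Server Infrastructure
# Licensing service to write its result to the Operational log so the outcome can be confirmed.
# Assumes an elevated PowerShell session on the Essentials or Foundation server.
$logName = 'Microsoft-Windows-Server Infrastructure Licensing/Operational'

function Invoke-LicensingComplianceCheck {
    param([int]$TimeoutMinutes = 5)   # the post says to expect the check within 2-3 minutes

    $since = Get-Date
    Stop-Process -ProcessName silsvc -Force   # the process restarts on its own and re-checks at start

    $deadline = $since.AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } `
                               -ErrorAction SilentlyContinue
    } until ($events -or (Get-Date) -gt $deadline)

    if (-not $events) {
        Write-Warning "No licensing events within $TimeoutMinutes minutes; check that silsvc is running (Get-Process silsvc)."
        return
    }
    # Any Error-level event here (for example Event ID 2 from the post) means the violation is
    # still present; a check with no Error-level events indicates the fix worked.
    $events | Sort-Object TimeCreated | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Invoke-LicensingComplianceCheck
```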

10 < 6

It turns out that when performing a WMI (Windows Management Instrumentation) query, 10 is less than 6.  The reason for this is that the version number is treated as a string and not a number.  Strings are compared character by character, so the 10 is effectively treated as 1, and 1 is less than 6.

So why is this important?  In Windows Server 2012 Essentials folder redirection will not work for Windows 10 clients by default.  This is due to the WMI query used by the folder redirection group policy.

The fix is to edit the WMI query used by the policy.  Here is the process.

  1. Open the Group Policy Management console. (gpmc.msc)
  2. Expand Forest, then Domains, and finally the domain name.
  3. Click on the “WSE Group Policy Folder Redirection” policy.
  4. At the bottom of the Scope tab on the right, click Open in the WMI filtering section.
  5. Click the Edit Filter button.
  6. Click on Edit.
  7. Change the query to: select * from Win32_OperatingSystem where Version like "10.%" or Version >= "6.1"
  8. Click OK on the warning about the namespace.
  9. Click the Save button.
  10. Close the Group Policy Management console.

Once the WMI query is corrected, the Windows 10 client will need to be rebooted or have group policy updated.  To force group policy update on any Windows device, run gpupdate /force from a command line.
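The string comparison can be demonstrated directly, and both filters can be run against a client with Get-CimInstance. This is an added example, not from the original post; the pre-fix filter is assumed here to be the same query without the like clause, since the post only shows the corrected one.

```powershell
# Added example, not from the original post.
# Shows why "10" sorts below "6" when Version is compared as a string, and runs the WMI filter
# before and after the fix against the local machine. The pre-fix query is an assumption: the
# post only shows the corrected one.
$osVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version   # e.g. 10.0.19041 on Windows 10

# WQL compares Version character by character as text, so this is the comparison the filter does:
$asText    = [string]::CompareOrdinal('10.0.19041', '6.1.7601') -lt 0    # True: '1' sorts before '6'
# Parsing the values as versions gives the comparison a human expects:
$asVersion = [version]'10.0.19041' -gt [version]'6.1.7601'               # True

$oldQuery = 'select * from Win32_OperatingSystem where Version >= "6.1"'
$newQuery = 'select * from Win32_OperatingSystem where Version like "10.%" or Version >= "6.1"'

[pscustomobject]@{
    OSVersion            = $osVersion
    TenBelowSixAsText    = $asText
    TenAboveSixAsVersion = $asVersion
    OldFilterMatches     = [bool](Get-CimInstance -Query $oldQuery)   # False on Windows 10
    NewFilterMatches     = [bool](Get-CimInstance -Query $newQuery)   # True on Windows 10 and on 6.1 or later
}
```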

So there you have it 10 can be less than 6.


Source: grouppolicy.biz

How to reset secure channel on a domain controller

I have run across the situation a few times where I needed to reset the secure channel for the computer account of a domain controller.  Before I get into how to do this, let me present a few of the symptoms that would require resetting the secure channel.

  1. You receive an access denied error when accessing the DNS management console on the problem domain controller.
  2. You run nltest /sc_query:domain.local and receive access denied.
  3. You run nltest /sc_verify:domain.local and receive access denied.


Here is how you reset secure channel on a domain controller:

  1. Open an administrative command line
  2. Run the following commands*:
    • net stop kdc
    • klist purge
    • netdom resetpwd /server:<DCName> /userD:<domain\username> /passwordD:*
    • net start kdc


*In the netdom resetpwd command, replace <DCName> with the name of a peer DC or, in the case of a single domain controller, the server itself.

Domain controller time synchronization

Here is a scenario that I have run into a few times: an Active Directory environment where the PDC (Primary Domain Controller) Emulator role is hosted on a virtualized domain controller that is running on Hyper-V.  It is perfectly acceptable to do this; however, it is very likely that the environment will suffer from time drift.  In some cases it can be a big problem.  Here is a solution I have tested and found to work well.

  1. Remove time synchronization for the PDC Emulator in Hyper-V:
    • In the Hyper-V management console, go to the settings for the PDC Emulator domain controller.
    • Select Integration Services and uncheck Time synchronization.
  2. Set the PDC Emulator to synchronize with an external source.
    • Connect to the PDC emulator
    • Download and run the following Microsoft fix it.*  Set the NtpServer to us.pool.ntp.org,0x1
    • Run the following commands in an administrative command window:
      • net start w32time
      • w32tm /config /manualpeerlist:"us.pool.ntp.org,0x1" /syncfromflags:MANUAL /reliable:yes
      • w32tm /config /update
      • w32tm /resync
      • w32tm /resync /rediscover
    • In the same command window run w32tm /query /status.  At this point the source should be us.pool.ntp.org.
  3. Set the peer domain controllers to sync with the PDC Emulator.
    • Connect to each peer domain controller and run the following commands in an administrative command window:
      • w32tm /config /syncfromflags:DOMHIER /update
      • net stop w32time && net start w32time
      • w32tm /resync /force
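To confirm the result of all three steps across every DC at once, the added script below (not from the original post) queries each domain controller's time source with w32tm and compares it with what the procedure expects: the external pool on the PDC Emulator and a domain controller on every peer. It assumes the ActiveDirectory module is installed and that w32tm can reach each DC remotely over RPC.

```powershell
# Added example, not from the original post.
# Verifies the configuration above: the PDC Emulator should report the external NTP pool as its
# source, every other DC should report a domain controller (DOMHIER), and none should be on the
# local clock or the Hyper-V provider. Assumes the ActiveDirectory module and that
# w32tm /query /computer: can reach each DC (RPC). $ntpServer is the value used in the post.
Import-Module ActiveDirectory
$ntpServer  = 'us.pool.ntp.org'
$badSources = @('Local CMOS Clock', 'VM IC Time Synchronization Provider', 'Free-running System Clock')

function Test-DcTimeSource {
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name   = $dc.HostName
        $status = & w32tm /query "/computer:$name" /status 2>&1
        $source = ($status | Where-Object { "$_" -match '^Source:' }) -replace '^Source:\s*', ''
        $isPdc  = $name -eq $pdc

        if (-not $source) {
            $ok = $false                                   # DC unreachable or w32tm failed
        } elseif ($isPdc) {
            $ok = $source -like "$ntpServer*"              # PDC must follow the external pool
        } else {
            # peers must follow a DC: not the pool directly, and not a local/virtual clock
            $ok = ($badSources -notcontains $source) -and ($source -notlike "$ntpServer*")
        }
        [pscustomobject]@{ DC = $name; IsPDC = $isPdc; Source = $source; OK = $ok }
    }
}

Test-DcTimeSource | Format-Table -AutoSize
```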


* If the link no longer works, then go here and choose the fix it for me under “Configuring the Windows Time service to use an external time source.”