Difference between revisions of "Active Directory/Documentation/Planning"
Latest revision as of 13:02, 13 April 2007
=Tasks=
==Licensing/Activation==
* [http://microsys.unity.ncsu.edu/documentation/Microsoft-Volume-License-Activation/ KMS@NCSU]

==Group Policies==
===Block Incompatible GPOs===
Use WMI filters to block incompatible GPOs.
* ECE-Enable Remote Assistance - Will need separate Vista policy (HelpAssistant user doesn't exist in Vista).
* FW-NCSU-Microsoft-Defender-1.1.1593.0-20061114 - Vista already has Defender.
* FW-NCSU-Microsoft-GPMC-1.0.2-20050217 - Vista already has the GPMC.
* FW-NCSU-Microsoft-UPHClean-1.6d-20060616
* FW-NCSU-Microsoft-Windows XP Support Tools-SP2-20050207
* FW-NCSU-SWE von Schleusen-UltimateZip-2.7.1-20041028 - Not Vista compatible.
* FW-NCSU-WolfTech-Defrag C-1.0-20050408 - Not necessary, Vista has built-in defrag scheduling.
* SW-ECE-NCSU-Wolfcall (Lab)-1.2.1-20050512 - Not Vista compatible.
* SW-NCSU-MathWorks-MATLAB-7.4-20070306 - WinSxS problem.
** Fixed.
* SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.0-20040601 - Not Vista compatible.
* SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.1-20050510 - Not Vista compatible.
* SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.1-20060829 - Not Vista compatible.
* SW-NCSU-NCSU-Wolfcall (without autologin)-1.2.1-20050615 - Not Vista compatible.
* SW-NCSU-Symantec-AntiVirus (UNI03NT)-10.0.2.2021-20060530 - Not Vista compatible.
** Published SAV 10.2 for Vista.
* SW-ECE-Symantec-AntiVirus (SERPENT)-10.0.2.2021-20060530 - Not Vista compatible.
** Published SAV 10.2 for Vista.
* SW-ECE-WolfTech-Support Icons-2.0-20060826 - MSI install issues.
* SW-COE-National Instruments-LabVIEW-8.20-20061220 - WinSxS problem.
===Domain Policy===
====Options====
* Create separate domain policies for Vista and Windows 2000/XP/2003.
** Creates more complexity by having completely separate group policy environments for different OSes.
** OSes may end up with different security levels or inconsistent security policies.
** Reduces predictability.
** Complicates determining security compliance.
** Compatibility issues could vary on different OSes.
* Use a common domain policy for all OSes and create a separate domain policy for Vista-only policies.
** This would prevent any unintended consequences on XP/2003 computers.
** Reduces complexity by having common security policies for all OSes.
** Would be a good idea to reconsider settings using both the updated Windows XP Security Guide and the new Windows Vista Security Guide.
* Use a common domain policy for all OSes, including Vista-only policies.
** Will require testing to make sure Vista-only policies don't cause problems on XP/2003 computers.
** Reduces complexity by having common security policies for all OSes.
** Would be a good idea to reconsider settings using both the updated Windows XP Security Guide and the new Windows Vista Security Guide.
* Create pre-Vista, Vista, and common domain policies.
** Will have to split the current Default Domain Policy to pull out the pre-Vista group policies.
** May be necessary because firewall rules are different in Vista and XP. If the new Vista policies work for XP, this may not be necessary.
====Observations====
* Security settings in Vista and Windows XP are very similar. The only obvious difference is that Vista has new policies to control new features such as privilege elevation and the extended firewall.
====Policies====
* Desktop Policy
** Very similar to the XP/2003 Desktop Policy.
** Some new features specific to Vista.
** Firewall management is different.
*** Port/application rules are fine, but special rules are different, such as remote administration.
*** Not sure yet if the Vista policies would work on XP/2003 machines instead of the old policies.
*** Outgoing firewall rules are still an open question.
** Todo
* Laptop Policy
** No changes from the existing laptop policy are necessary.
* Domain Policy
** Defines user account password and lockout policies.
** No need for separate policies for XP/2003 and Vista.
** New settings were applied to the Domain-Domain Accounts Policy.
* User Policy
** Added some new policies, mostly from IE7, to the Default Domain Policy.
** Shouldn't cause problems for computers that don't support the new group policies.
====Plan A====
A [http://www.wolftech.ncsu.edu/activedirectory/docs/VistaGPArch.vsd visual diagram] is available.

* Rename Default Domain Policy to Default Domain Policy-XP/2003.
** Done
* Use a WMI filter to make Default Domain Policy-XP/2003 apply only to Windows 2000/XP/2003 computers.
** Done
* Move user settings and common settings from Default Domain Policy to Default Domain Policy.
** Done
* Create Default Domain Policy-Vista from the Vista Security Guide.
** Done
* Use a WMI filter to make Default Domain Policy-Vista apply only to Windows Vista computers.
** Done
* Rectify Vista user settings with existing user settings.
* Edit/audit Default Domain Policy-Vista.
* Create Default Domain Policy for settings common to all current and, hopefully, future Windows OSes.
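The two WMI filters in Plan A are what keep the XP/2003 and Vista domain policies apart, and the same mechanism is used above to block the incompatible GPOs. The page does not record the WQL queries behind those filters, so the ones below are this editor's own and this script is an added example, not code from the WolfTech wiki. It evaluates each query on the machine it runs on, the way the Group Policy client does before applying a filtered GPO, and reports which of the two policies would apply. It assumes PowerShell with Get-WmiObject (Vista-era PowerShell 1.0 or later) and uses the policy names from Plan A.

```powershell
# Added example (editor's own, not from the WolfTech wiki): evaluate the WMI
# filters that gate the XP/2003 and Vista domain policies on the local machine.
# The queries are assumptions; the page does not list the real filter text.
# WMI filters in GPMC run in root\CIMv2, which is Get-WmiObject's default.
$Filters = @{
    # Windows 2000 = 5.0.*, XP = 5.1.*, Server 2003 = 5.2.*
    'Default Domain Policy-XP/2003' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.%"'
    # Vista = 6.0.*; ProductType = 1 restricts the match to workstations, so a
    # later NT 6.0 server build does not silently pick up the desktop policy.
    'Default Domain Policy-Vista'   = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = 1'
}

function Test-WmiFilter {
    param(
        [string]$Query,
        [string]$ComputerName = '.'
    )
    # A GPO linked to a WMI filter applies only when the query returns at least
    # one instance; an empty result means the GPO is filtered out.
    $result = Get-WmiObject -Query $Query -ComputerName $ComputerName -ErrorAction Stop
    return [bool]$result
}

# What the Group Policy client would see on this box
$os = Get-WmiObject -Class Win32_OperatingSystem
"Local OS: {0} (Version {1}, ProductType {2})" -f $os.Caption, $os.Version, $os.ProductType
foreach ($entry in $Filters.GetEnumerator()) {
    $applies = Test-WmiFilter -Query $entry.Value
    "{0,-32} {1}" -f $entry.Key, $(if ($applies) { 'APPLIES' } else { 'filtered out' })
}
```

Two caveats worth checking before relying on these filters: Windows 2000 clients do not evaluate WMI filters at all and apply a filtered GPO unconditionally, so on a 2000 machine both the Vista policy and any "blocked" incompatible GPO would still apply; and a filter that errors (for example against a namespace the client lacks) is treated as false, so a typo in the query silently removes the policy from every machine.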
===Remote Assistance===
* Created ECE-Enable Remote Assistance-Vista to enable unsolicited remote assistance for Vista computers.

==Test Software==
===Compatible===
===Incompatible===
===Untested===
==Script Problems==
* Local Admin Password Crawler (LAPCrawl) doesn't appear to work on Vista computers.
** Caused by the firewall blocking it. Resolved by firewall rules.
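The LAPCrawl problem was resolved by firewall rules, and the Policies notes above say the remote-administration rules are where Vista's firewall differs from XP's. As an added example that is not from the page: this script enables Vista's predefined "Remote Administration" rule group on one machine, restricted to the domain profile and to a placeholder management subnet, then parses the netsh rule listing to confirm what was changed. The page does not say which ports LAPCrawl needs, so the choice of that group is an assumption, as is the 192.0.2.0/24 range (a documentation subnet, to be replaced). It must run elevated, and it assumes English netsh output. In the domain the same settings belong in the Vista policy under Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security rather than being set per machine; this is the local test of what that policy should contain.

```powershell
# Added example (editor's own, not from the WolfTech wiki). Enable the Vista
# firewall's "Remote Administration" group for the domain profile only, scoped
# to the management subnet, then verify by parsing the rule listing.
# ASSUMPTIONS: Remote Administration is the group the admin scripts need (the
# page does not list LAPCrawl's ports); 192.0.2.0/24 is a placeholder range.
$AdminSubnet = '192.0.2.0/24'   # PLACEHOLDER: replace with the real management subnet

function Enable-RemoteAdminRules {
    param([string]$RemoteIp)
    # Everything before 'new' selects rules; everything after it is the change.
    # Scoping remoteip keeps the admin ports closed to the rest of the network,
    # and profile=domain keeps them closed when a laptop leaves campus.
    & netsh advfirewall firewall set rule group="Remote Administration" profile=domain new enable=yes remoteip=$RemoteIp
    return ($LASTEXITCODE -eq 0)
}

function Get-FirewallRule {
    # Parse 'netsh advfirewall firewall show rule' output into one object per
    # rule. Each rule is a block of "Field: value" lines ended by a blank line;
    # the dashed underline after "Rule Name:" and the trailing "Ok." are skipped.
    param([string[]]$Lines)
    $rule = @{}
    foreach ($line in $Lines) {
        if ($line -match '^([A-Za-z ]+):\s*(.*)$') {
            $rule[$Matches[1].Trim()] = $Matches[2].Trim()
        } elseif ($line.Trim() -eq '' -and $rule.Count -gt 0) {
            New-Object PSObject -Property $rule
            $rule = @{}
        }
    }
    if ($rule.Count -gt 0) { New-Object PSObject -Property $rule }
}

if (Enable-RemoteAdminRules -RemoteIp $AdminSubnet) {
    $listing = & netsh advfirewall firewall show rule name=all dir=in
    Get-FirewallRule -Lines $listing |
        Where-Object { $_.Grouping -eq 'Remote Administration' } |
        Select-Object 'Rule Name', Enabled, Profiles, RemoteIP |
        Format-Table -AutoSize
} else {
    Write-Warning 'netsh failed; run from an elevated prompt and check the group name.'
}
```

After the change, every rule in the group should show Enabled Yes, Profiles Domain and RemoteIP equal to the management subnet; a rule still showing RemoteIP Any means the scope did not take and the machine is reachable on those ports from anywhere on the domain network.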
==Firewall Rules==
==Migration Wizard==
==Deployment==
===WDS Server===
* Brought up ECE00WDS.
* Created WDS GPO template.
* Created image.
* Installed Vista from WDS.
Todo:
* Apply Member Server template.
* Set up DFS Replication between WDS servers.
===Create Unattended Image===
* Created image.
* Make image actually install unattended.
Todo:
==Resolve Errors==
===Unable to Update Group Policy (Event ID 1055)===
====Details====
When I run <code>gpupdate /force</code>, I get the following error message and the following event is logged:

<pre>
User policy could not be updated successfully. The following errors were
encountered:
The processing of Group Policy failed. Windows could not resolve the computer
name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).
Computer Policy update has completed successfully.
To diagnose the failure, review the event log or invoke gpmc.msc to access
information about Group Policy results.
</pre>

<pre>
Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          11/22/2006 10:41:49 AM
Event ID:      1055
Task Category: None
Level:         Error
Keywords:
User:          WOLFTECH\pgmurphy.admin
Computer:      VPCVista.ece.ncsu.edu
Description:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>1055</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2006-11-22T15:41:49.553Z" />
    <EventRecordID>1285</EventRecordID>
    <Correlation ActivityID="{1AEBF62E-E81B-4BD5-9F36-F1B4AC1812AE}" />
    <Execution ProcessID="1044" ThreadID="2868" />
    <Channel>System</Channel>
    <Computer>VPCVista.ece.ncsu.edu</Computer>
    <Security UserID="S-1-5-21-2670277017-1606584948-3883025002-1338" />
  </System>
  <EventData>
    1 1753 0 125 1317 The specified account does not exist.
  </EventData>
</Event>
</pre>

<pre>
Group Policy Infrastructure failed due to the error listed below.
The specified account does not exist.
Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.
</pre>
====Cause====
====Solution====
===Unable to Update Group Policy (Event ID 1202)===
====Details====
<pre>
Log Name:      Application
Source:        SceCli
Date:          11/27/2006 11:50:35 AM
Event ID:      1202
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      epona.ece.ncsu.edu
Description:
Security policies were propagated with warning. 0x534 : No mapping between account
names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query
for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs)
could not be resolved to a SID. This error is possibly caused by a mistyped or
deleted user account referenced in either the User Rights or Restricted Groups
branch of a GPO. To resolve this event, contact an administrator in the domain to
perform the following actions:

1. Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"
%SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account
names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most
likely occurs because the account was deleted, renamed, or is spelled differently
(e.g. "JohnDoe").

2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source
GPOs that contain the problem accounts:

a. Start -> Run -> RSoP.msc
b. Review the results for Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows
Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged
with a red X.
c. For any User Right or Restricted Group marked with a red X, the corresponding
GPO that contains the problem policy setting is listed under the column entitled
"Source GPO". Note the specific User Rights, Restricted Groups and containing Source
GPOs that are generating errors.

3. Remove unresolved accounts from Group Policy

a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in..."
c. From the "Add/Remove Snap-in" dialog box select "Add..."
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse" button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g. For each source GPO identified in step 2, correct the specific User Rights or
Restricted Groups that were flagged with a red X in step 2. These User Rights or
Restricted Groups can be corrected by removing or correcting any references to the
problem accounts that were identified in step 1.
</pre>

Running the FIND command from step 1 on the affected computer gives:
<pre>
FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

---------- C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG
Cannot find HelpAssistant.
Cannot find HelpAssistant.
Cannot find HelpAssistant.
Cannot find HelpAssistant.
Cannot find HelpAssistant.
Cannot find HelpAssistant.
Cannot find HelpAssistant.
</pre>
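Step 1 of the event text above finds the unresolved names but says nothing about why they fail, and the FIND output repeats the same name once per policy refresh. As an added example (this editor's own script, not from the WolfTech wiki or from Microsoft's event help), the following pulls the distinct "Cannot find" names out of winlogon.log and then performs the same name-to-SID translation SceCli performs, so a name that is simply missing on this OS (as HelpAssistant is on Vista) is separated from one that resolves fine and points to a different cause. It assumes PowerShell 2.0 or later and the standard winlogon.log path; when that file is absent it falls back to a constructed sample modelled on the output quoted above.

```powershell
# Added example (editor's own, not from the WolfTech wiki): find the accounts
# SceCli could not map to SIDs (Event ID 1202, error 0x534) and test whether
# each of them resolves from this computer's point of view.

function Get-UnresolvedAccountName {
    param([string[]]$LogLines)
    # winlogon.log records each failure as "Cannot find <name>." and repeats it
    # on every policy refresh, so duplicates are collapsed.
    $names = foreach ($line in $LogLines) {
        if ($line -match '^Cannot find (.+?)\.?\s*$') { $Matches[1] }
    }
    $names | Sort-Object -Unique
}

function Test-AccountResolution {
    param([string]$Name)
    # Same lookup SceCli makes: translate the name to a SID through LSA, which
    # tries the local SAM and then the domain. HelpAssistant is a local XP
    # account, which is why it cannot be found from a Vista machine.
    $account = New-Object System.Security.Principal.NTAccount($Name)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        New-Object PSObject -Property @{ Account = $Name; Resolves = $true;  Sid = $sid.Value; Reason = '' }
    } catch {
        New-Object PSObject -Property @{ Account = $Name; Resolves = $false; Sid = $null; Reason = $_.Exception.Message }
    }
}

$logPath = Join-Path $env:SystemRoot 'Security\Logs\winlogon.log'
if (Test-Path $logPath) {
    $lines = Get-Content -Path $logPath
} else {
    # Constructed sample (not real log data) mirroring the output quoted on the
    # page, used only when there is no winlogon.log on this machine.
    $lines = @(
        '---------- C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG',
        'Cannot find HelpAssistant.',
        'Cannot find HelpAssistant.',
        'Cannot find JohnDough.'
    )
}

Get-UnresolvedAccountName -LogLines $lines |
    ForEach-Object { Test-AccountResolution -Name $_ } |
    Format-Table Account, Resolves, Sid, Reason -AutoSize
```

A name that reports Resolves True here but still appears in winlogon.log usually means the failing lookup happened while the machine had no domain controller reachable (the replication-latency or name-resolution case the 1055 event text describes) rather than a missing account; a name that reports False on every Vista machine but True on XP is the cross-OS case this page is about, and the fix is the WMI filter plus a separate Vista policy given under Solution.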
====Cause====
Account HelpAssistant is defined in the ECE-Enable Remote Assistance GPO but does not appear to exist in Vista. This causes an error in the Event Log.
====Solution====
Prevent this group policy from applying to Vista computers with a WMI filter and create a new Remote Assistance policy for Vista computers.