This is my first question on ServerFault, hey :)
All servers and client computers in our domain are managed with Microsoft Active Directory. We have 13 virtual machine servers. The DOMAIN\administrator user is a domain admin. I use it everywhere in the domain (IIS web services, remote logon, Task Scheduler, Veeam backup, etc.) without any permission problems.
Today I configured a policy on the DC and linked it to the Servers OU, which contains all the servers. Then I right-clicked this OU and chose Group Policy Update. 9 failed, 4 succeeded. I am attaching the results.
4 successful servers
1 Windows Server 2012 R2
2 Windows Server 2008 R2 Standard
1 Windows 10 Pro 21H1
9 failed servers
6 Windows Server 2016
2 Windows Server 2012 R2
1 Windows 10 Pro 21H1
I searched online and tried many solutions, but none worked. I compared the firewall rules, the DOMAIN\administrator user rights, some registry settings, etc. between a successful and a failed machine, and they are identical.
Also, running the command Invoke-GPUpdate -computer SERVERNAMEHERE -force
from the DC returns the following error:
Invoke-GPUpdate : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
Invoke-GPUpdate -computer SERVERNAMEHERE -force
CategoryInfo : NotSpecified: (:) [Invoke-GPUpdate], UnauthorizedAccessException
FullyQualifiedErrorId : Unspecified,Microsoft.GroupPolicy.Commands.InvokeGPUpdateCommand
After running the GpUpdate command above, I went to the target server, checked the Windows Security log in Event Viewer and saw the following entries:
Special privileges assigned to new logon.
Subject:
Security ID: DOMAIN\administrator
Account Name: administrator
Account Domain: DOMAIN
Logon ID: 0x26A9C63
Privileges: SeLoadDriverPrivilege
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: DOMAIN\administrator
Account Name: administrator
Account Domain: DOMAIN
Logon ID: 0x26A9C63
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: SERVER-DCHERE
Source Network Address: DC.IP.H.ERE
Source Port: 50691
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
So I am stuck at this point. Remote logon succeeds, remote execution succeeds on 4 machines, and it is the same user; this blows my mind :( Any ideas are appreciated. Thanks in advance.
--- Edit 1 ---
I enabled Group Policy debug logging on one of the failing machines, then ran Invoke-GPUpdate -computer SERVERNAMEHERE -force
from the DC. On the target machine, the following lines were written to %WINDIR%\debug\UserMode\gpsvc.log:
GPSVC(13b4.24c) 16:24:37:497 CGPNotify::UnregisterNotification: Entering with event 000000000000012C
GPSVC(13b4.24c) 16:24:37:497 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
GPSVC(2420.f04) 16:24:37:497 CGPNotify::UnregisterNotification: Entering with event 0000000000000128
GPSVC(2420.f04) 16:24:37:497 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
I also tried a second time, but no log lines were generated. I think these lines do not belong to my remote gpupdate run.
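A triage script, added here as an example and not part of the original question or of any Microsoft tooling. The 4672/4624 entries above show that NTLM authentication of DOMAIN\administrator on the target succeeded, so the E_ACCESSDENIED is returned after logon by whatever Invoke-GPUpdate calls next. Invoke-GPUpdate works by connecting to the target's Task Scheduler service over RPC and creating a gpupdate task, which is why Microsoft's "Group Policy Remote Update Firewall Ports" starter GPO enables the "Remote Scheduled Tasks Management (RPC)", "Remote Scheduled Tasks Management (RPC-EPMAP)" and "Windows Management Instrumentation (WMI-In)" inbound rules. The script walks every computer in the Servers OU, checks port 135, the state of those three rules (queried over WinRM/CIM, a different transport), a direct Task Scheduler COM connection over RPC (the same path Invoke-GPUpdate uses), and finally the refresh itself, and tabulates which step fails on the 9 machines. The OU distinguished name, the rule display names as listed, and that it is run from the DC in an elevated session with the ActiveDirectory and GroupPolicy modules are assumptions.

```powershell
# Added example (not from the original post): find which prerequisite of
# Invoke-GPUpdate fails on each computer in the Servers OU.
# Assumptions: run on the DC in an elevated PowerShell session as DOMAIN\administrator;
# RSAT ActiveDirectory and GroupPolicy modules installed; targets allow WinRM for the CIM check.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumed OU; replace with the distinguished name of your Servers OU.
$ServersOU = 'OU=Servers,DC=DOMAIN,DC=local'

# Inbound rules the Group Policy remote update relies on (names as shipped with Windows).
$RequiredRules = @(
    'Remote Scheduled Tasks Management (RPC)',
    'Remote Scheduled Tasks Management (RPC-EPMAP)',
    'Windows Management Instrumentation (WMI-In)'
)

$computers = Get-ADComputer -SearchBase $ServersOU -Filter * | Select-Object -ExpandProperty Name

$results = foreach ($computer in $computers) {
    $row = [ordered]@{
        Computer      = $computer
        Rpc135Open    = $null   # TCP reachability of the RPC endpoint mapper
        FirewallRules = $null   # state of the three required inbound rules
        TaskSchedRpc  = $null   # Task Scheduler COM connect over RPC (what Invoke-GPUpdate does)
        GpUpdate      = $null   # result of Invoke-GPUpdate itself
    }

    # 1. Endpoint mapper reachable at all?
    $row.Rpc135Open = (Test-NetConnection -ComputerName $computer -Port 135 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # 2. Are the required rules present, enabled and set to Allow? (queried over WinRM/CIM,
    #    so a failure here says nothing about RPC; it only means the check could not run.)
    try {
        $cim = New-CimSession -ComputerName $computer -ErrorAction Stop
        $rules = Get-NetFirewallRule -CimSession $cim -DisplayName $RequiredRules -ErrorAction Stop
        $bad = $rules | Where-Object { "$($_.Enabled)" -ne 'True' -or "$($_.Action)" -ne 'Allow' } |
            Select-Object -ExpandProperty DisplayName
        $missing = $RequiredRules | Where-Object { $_ -notin $rules.DisplayName }
        $row.FirewallRules = if ($bad -or $missing) {
            "Not allowing: $(($bad + $missing) -join '; ')"
        } else { 'OK' }
        Remove-CimSession $cim
    } catch {
        $row.FirewallRules = "Query failed: $($_.Exception.Message)"
    }

    # 3. Connect to the remote Task Scheduler over RPC and list the GroupPolicy task folder.
    #    This exercises the same interface Invoke-GPUpdate uses to create the gpupdate task,
    #    so an Access denied here reproduces the failure without Group Policy in the picture.
    try {
        $ts = New-Object -ComObject Schedule.Service
        $ts.Connect($computer)
        $null = $ts.GetFolder('\Microsoft\Windows\GroupPolicy').GetTasks(0)
        $row.TaskSchedRpc = 'OK'
    } catch {
        $row.TaskSchedRpc = "Failed: $($_.Exception.Message)"
    }

    # 4. The refresh itself; keep the exact error text (0x80070005 is E_ACCESSDENIED).
    try {
        Invoke-GPUpdate -Computer $computer -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        $row.GpUpdate = 'OK'
    } catch {
        $row.GpUpdate = "Failed: $($_.Exception.Message)"
    }

    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

Read the table column by column: a machine with Rpc135Open false or FirewallRules not OK is a firewall/network problem; a machine where the first two pass but TaskSchedRpc fails with Access denied has an authorization problem on the Task Scheduler RPC interface itself and can be investigated on that machine without involving Group Policy at all; a machine where only GpUpdate fails points at something specific to the gpupdate task creation.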