Remote Group Policy update fails for domain administrator (Access is denied)


This is my first question on ServerFault, yay :)

All servers and client computers in our domain are managed with Microsoft Active Directory. We have 13 virtual machine servers. The DOMAIN\administrator user is a domain admin. I use it everywhere in the domain (IIS web services, remote logon, Task Scheduler, Veeam backups, etc.) without any permission problems.

Today I configured a policy on the DC and linked it to the Servers OU, which contains all servers. Then I right-clicked this OU and chose Group Policy Update. 9 failed, 4 succeeded. I'm attaching the results.

4 successful servers:

- 1 Windows Server 2012 R2
- 2 Windows Server 2008 R2 Standard
- 1 Windows 10 Pro 21H1

9 failed servers:

- 6 Windows Server 2016
- 2 Windows Server 2012 R2
- 1 Windows 10 Pro 21H1

[Image: Group Policy Update results]

I searched the web and tried many solutions, but nothing worked. I compared the firewall rules, the DOMAIN\administrator user rights, some registry settings, etc. between a successful and a failed machine, and they are the same.

Running Invoke-GPUpdate -computer SERVERNAMEHERE -force from the DC also returns the following error:

Invoke-GPUpdate : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
Invoke-GPUpdate -computer SERVERNAMEHERE -force

CategoryInfo          : NotSpecified: (:) [Invoke-GPUpdate], UnauthorizedAccessException
FullyQualifiedErrorId : Unspecified,Microsoft.GroupPolicy.Commands.InvokeGPUpdateCommand 

After running the GpUpdate command above, I went to the target server, checked the Windows Security log in Event Viewer and saw the following entries:

Special privileges assigned to new logon.

Subject:
    Security ID:        DOMAIN\administrator
    Account Name:       administrator
    Account Domain:     DOMAIN
    Logon ID:       0x26A9C63

Privileges:     SeLoadDriverPrivilege
            SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege
            SeDebugPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege
            SeDelegateSessionUserImpersonatePrivilege
An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Information:
    Logon Type:     3
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:     Yes

Impersonation Level:        Impersonation

New Logon:
    Security ID:        DOMAIN\administrator
    Account Name:       administrator
    Account Domain:     DOMAIN
    Logon ID:       0x26A9C63
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   SERVER-DCHERE
    Source Network Address: DC.IP.H.ERE
    Source Port:        50691

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V2
    Key Length:     128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

So I'm stuck at this point. Remote logon succeeds, remote execution succeeds on 4 machines, all with the same user, and it's blowing my mind :( Any ideas are appreciated. Thanks in advance.

--- Edit 1 ---

I enabled Group Policy debug logging on a failing machine, then ran Invoke-GPUpdate -computer SERVERNAMEHERE -force from the DC. The following lines were created in %WINDIR%\debug\UserMode\gpsvc.log on the target machine:

GPSVC(13b4.24c) 16:24:37:497 CGPNotify::UnregisterNotification: Entering with event 000000000000012C

GPSVC(13b4.24c) 16:24:37:497 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0

GPSVC(2420.f04) 16:24:37:497 CGPNotify::UnregisterNotification: Entering with event 0000000000000128

GPSVC(2420.f04) 16:24:37:497 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0

I also tried a second time, but no log was generated. I think these log lines don't belong to my remote gpupdate run.
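A diagnostic script added here as an example; it is not part of the question above and not Microsoft tooling. Invoke-GPUpdate and the GPMC "Group Policy Update" action work by scheduling a gpupdate task on the target over RPC, so the script reproduces that path outside GPMC (Task Scheduler COM connection on TCP 135), then collects the inbound firewall rule groups enabled by the built-in "Group Policy Remote Update Firewall Ports" starter GPO, the Schedule service state, and the last hour of 4624/4625 events for the calling account, and prints a working and a failing server side by side. Host names GOOD-SERVER and BAD-SERVER are placeholders, and the CIM and event-log checks assume WinRM is reachable on both targets, which the question does not state.

```powershell
# Added diagnostic helper (example only; not from the question or from Microsoft).
# Run on the DC, as the same domain admin account that fails with Invoke-GPUpdate.
# Assumptions: 'GOOD-SERVER' / 'BAD-SERVER' are placeholders for one server that
# succeeded and one that failed; WinRM/CIM is reachable for the firewall and log checks.

function Test-RemoteGpUpdatePrereqs {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    $r = [ordered]@{ Computer = $ComputerName }

    # 1. Remote gpupdate creates a scheduled task on the target over RPC,
    #    so the RPC endpoint mapper (TCP 135) must answer.
    $r.Rpc135 = (Test-NetConnection -ComputerName $ComputerName -Port 135 `
                   -WarningAction SilentlyContinue).TcpTestSucceeded

    # 2. Connect with the Task Scheduler COM API the way a remote gpupdate does;
    #    an "Access is denied" here reproduces the cmdlet's error without GPMC.
    try {
        $sched = New-Object -ComObject Schedule.Service
        $sched.Connect($ComputerName)
        $visible = $sched.GetFolder('\').GetTasks(0).Count
        $r.TaskSchedulerRpc = "OK ($visible tasks visible)"
    } catch {
        $r.TaskSchedulerRpc = "FAILED: $($_.Exception.Message)"
    }

    try {
        $cim = New-CimSession -ComputerName $ComputerName -ErrorAction Stop

        # 3. Task Scheduler service state on the target.
        $r.ScheduleSvc = (Get-CimInstance -CimSession $cim -ClassName Win32_Service `
                            -Filter "Name='Schedule'").State

        # 4. Count of enabled inbound rules in the groups that the starter GPO
        #    "Group Policy Remote Update Firewall Ports" turns on.
        foreach ($grp in 'Remote Scheduled Tasks Management',
                         'Windows Management Instrumentation (WMI)') {
            $enabled = Get-NetFirewallRule -CimSession $cim -DisplayGroup $grp `
                         -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
            $r["FW: $grp"] = @($enabled).Count
        }

        # 5. Logon events for this account in the last hour: a 4624 with no 4625
        #    means authentication works and the denial happens afterwards
        #    (authorization on the Task Scheduler / DCOM side).
        $me    = [regex]::Escape(
                   [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[-1])
        $since = (Get-Date).AddHours(-1)
        $ev = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
        $mine = $ev | Where-Object { $_.Message -match "Account Name:\s+$me\b" }
        $r.Logon4624  = @($mine | Where-Object Id -eq 4624).Count
        $r.Failed4625 = @($mine | Where-Object Id -eq 4625).Count

        Remove-CimSession $cim
    } catch {
        $r.CimError = $_.Exception.Message
    }
    [pscustomobject]$r
}

# Compare a working and a failing target; rows where Same is False point at the cause.
$good = Test-RemoteGpUpdatePrereqs -ComputerName 'GOOD-SERVER'
$bad  = Test-RemoteGpUpdatePrereqs -ComputerName 'BAD-SERVER'
$good.PSObject.Properties.Name | ForEach-Object {
    [pscustomobject]@{ Check = $_; Good = $good.$_; Bad = $bad.$_
                       Same  = ("$($good.$_)" -eq "$($bad.$_)") }
} | Format-Table -AutoSize
```

The Task Scheduler connection (step 2) is the check most worth reading first: it uses the same RPC interface as the remote gpupdate, so a failure there with the same HRESULT isolates the problem to the target's RPC/Task Scheduler authorization rather than to GPMC or the policy itself.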
