Thursday 23 September 2010

Group Policy Processing - Refresh intervals

Worth having this information to hand as I always tend to forget the default refresh intervals.
They are:

Standard computers - every 90 minutes, with a random offset of 0 to 30 minutes added so that clients do not all refresh at once. Computer policy is also applied whenever the machine restarts.

Domain Controllers - every 5 minutes.

This can then be configured differently using GPO:
  • Computer Configuration - Administrative Templates - System - Group Policy - Group Policy refresh interval for computers
  • Computer Configuration - Administrative Templates - System - Group Policy - Group Policy refresh interval for domain controllers

The refresh interval can be as small as 0 minutes (which means it refreshes every 7 seconds), and as large as 45 days.

The random refresh offset can also be configured to anything between 0 minutes and 24 hours.
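As an added example (not code from the original post), the following PowerShell reads the values those two policies write, falls back to the defaults listed above when no policy is set, and reports the worst-case delay before a changed GPO is applied. The registry location and value names (GroupPolicyRefreshTime, GroupPolicyRefreshTimeOffset and their DC variants under HKLM\SOFTWARE\Policies\Microsoft\Windows\System) are assumptions taken from the GroupPolicy.admx template; check them against your own domain's template before relying on them.

```powershell
# Added example: report the effective Group Policy refresh interval and offset.
# Assumption: the refresh policies store REG_DWORD minute values named
# GroupPolicyRefreshTime / GroupPolicyRefreshTimeOffset (member computers) and
# GroupPolicyRefreshTimeDC / GroupPolicyRefreshTimeOffsetDC (domain controllers)
# under HKLM\SOFTWARE\Policies\Microsoft\Windows\System.

function Get-GpRefreshSetting {
    param(
        [switch]$DomainController
    )
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $suffix = if ($DomainController) { 'DC' } else { '' }

    # Defaults from the post: 90 min + 0-30 min offset for members, 5 min for DCs.
    $defaultInterval = if ($DomainController) { 5 } else { 90 }
    $defaultOffset   = if ($DomainController) { 0 } else { 30 }

    # Missing key or value -> $null, which selects the default below.
    $props    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $interval = $props."GroupPolicyRefreshTime$suffix"
    $offset   = $props."GroupPolicyRefreshTimeOffset$suffix"

    $fromPolicy = ($null -ne $interval)
    if ($null -eq $interval) { $interval = $defaultInterval }
    if ($null -eq $offset)   { $offset   = $defaultOffset }

    # An interval of 0 means "refresh every 7 seconds", as the post notes.
    $effectiveSeconds = if ($interval -eq 0) { 7 } else { $interval * 60 }

    [pscustomobject]@{
        Role             = if ($DomainController) { 'DomainController' } else { 'Computer' }
        Source           = if ($fromPolicy) { 'Policy' } else { 'Default' }
        IntervalMinutes  = $interval
        MaxOffsetMinutes = $offset
        # Worst case: the change lands just after a refresh and the full offset is drawn.
        WorstCaseDelay   = [TimeSpan]::FromSeconds($effectiveSeconds + ($offset * 60))
    }
}

Get-GpRefreshSetting
Get-GpRefreshSetting -DomainController
```

The WorstCaseDelay column is the figure to quote when someone asks how long a policy change can take to reach every machine without running gpupdate: a default member computer can wait up to two hours (90 + 30 minutes), a default domain controller five.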

Monday 13 September 2010

Starting an interactive command prompt as the local system

Occasionally you need to run some operations under the credentials of the operating system itself. For instance, if you lock yourself out of a service security descriptor by emptying its DACL, you will only be able to repair it with sc sdset .... under the SYSTEM account.

Under XP/2003 and before this could be done by running an interactive command prompt under that account via the at command.

Under Vista/2008 this was considered a security hole, so at can no longer start an interactive command prompt.

The easiest way to accomplish this now is to use psexec from Sysinternals.
Once downloaded you can run:
psexec -i -s -d cmd

You can confirm that the subsequent command prompt is running under the SYSTEM account by typing whoami /user in it.
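The same check, plus the audit trail the technique leaves behind, as an added PowerShell example that is not part of the original post. Test-RunningAsSystem does in script what whoami /user does at the prompt, comparing the current SID with S-1-5-18 (the well-known SID for NT AUTHORITY\SYSTEM). Get-PsExecServiceInstall then lists System log event 7045 ("A service was installed in the system") entries for the PSEXESVC helper service that psexec installs on the target; the service name and the position of the fields in the event are assumptions to confirm on your own systems.

```powershell
# Added example: confirm the shell runs as LocalSystem and audit PsExec service installs.
# Assumptions: PsExec registers a service named PSEXESVC, and the Service Control
# Manager logs each new service as System event 7045 with the service name and
# image path as the first two inserted strings.

function Test-RunningAsSystem {
    # S-1-5-18 is the well-known SID for NT AUTHORITY\SYSTEM, which is what
    # 'whoami /user' prints in a prompt started with 'psexec -i -s -d cmd'.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Name     = $id.Name
        Sid      = $id.User.Value
        IsSystem = ($id.User.Value -eq 'S-1-5-18')
    }
}

function Get-PsExecServiceInstall {
    param(
        [int]$Days = 30,
        [string]$ServiceNamePattern = 'PSEXESVC'   # assumed PsExec service name
    )
    $filter = @{
        LogName      = 'System'
        Id           = 7045                        # "A service was installed in the system"
        ProviderName = 'Service Control Manager'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $ServiceNamePattern } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                ServiceName = $_.Properties[0].Value   # assumed field order, see above
                ImagePath   = $_.Properties[1].Value
            }
        }
}

Test-RunningAsSystem
Get-PsExecServiceInstall | Format-Table -AutoSize
```

Two practical notes. Every psexec -s run on a machine leaves a 7045 entry (and the PSEXESVC binary is dropped into the target's admin share for the duration), so the second function is also a cheap way to see who has been using the tool on a server. And before touching a service DACL with sc sdset, save the current descriptor with sc sdshow <service> so you can put it back without needing the SYSTEM prompt at all.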

Thursday 9 September 2010

Group Policy Troubleshooting

Windows 7/2008 has a dedicated Group Policy event log in Event Viewer, where you can see events focused solely on policy processing.
If you click on the Details tab for one of these events and expand the System section, you will see an Activity ID. An activity is a single operation that may raise several different events. For example, one Group Policy refresh is a single activity, so by filtering on its Activity ID you can get every event associated with that refresh.
Within a single Activity ID you will then see events for each of the GPOs that were processed.
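Filtering by Activity ID is quicker from PowerShell than from the Details tab. The following is an added example, not code from the original post: Get-GpActivitySummary lists the recent processing runs found in the Group Policy operational log (one row per Activity ID, with a count of error-level events), and Get-GpActivity prints every event of one run in time order. The log name Microsoft-Windows-GroupPolicy/Operational is assumed to be the Group Policy log referred to above; no particular event IDs are assumed.

```powershell
# Added example: group Group Policy operational events by Activity ID.
# Assumption: the log name below is the Group Policy event log the post describes.
$GpLog = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-GpActivitySummary {
    param([int]$MaxEvents = 2000)
    Get-WinEvent -LogName $GpLog -MaxEvents $MaxEvents -ErrorAction Stop |
        Where-Object { $null -ne $_.ActivityId } |
        Group-Object ActivityId |
        ForEach-Object {
            $times = $_.Group.TimeCreated | Sort-Object
            [pscustomobject]@{
                ActivityId = $_.Name
                Events     = $_.Count
                Start      = $times[0]
                End        = $times[-1]
                # Level 2 is Error; a non-zero count marks a refresh worth opening.
                Errors     = @($_.Group | Where-Object { $_.Level -eq 2 }).Count
            }
        } | Sort-Object Start -Descending
}

function Get-GpActivity {
    param(
        # Default: the most recent activity in the log; pass a GUID to pick another.
        [guid]$ActivityId = [guid]::Empty,
        [int]$MaxEvents = 2000
    )
    $events = @(Get-WinEvent -LogName $GpLog -MaxEvents $MaxEvents -ErrorAction Stop |
        Where-Object { $null -ne $_.ActivityId })
    if ($events.Count -eq 0) { return }

    if ($ActivityId -eq [guid]::Empty) {
        # Get-WinEvent returns newest first, so the first event carries the latest activity.
        $ActivityId = $events[0].ActivityId
    }

    $events |
        Where-Object { $_.ActivityId -eq $ActivityId } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
}

Get-GpActivitySummary | Select-Object -First 5 | Format-Table -AutoSize
Get-GpActivity | Format-Table -AutoSize
```

Reading the summary first and then opening only the run with a non-zero Errors count is usually enough to find which GPO failed and why, without building a custom Event Viewer filter.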

If this is not enough information, you can create log files of all of the GPO processing information.
In the following example I'll set up logging of just group policy preference registry settings:

  • Open up local Group Policy on a machine (this setting does not appear to feature in domain GPOs).
  • Navigate to Computer Configuration - System - Group Policy - Logging.
  • Double click "Configure Registry preference logging and tracing".
Here you can define whether you want informational, warning or error messages (or all three), where the trace files will be kept and their maximum size. Remember though that the folder path for the trace files is not created automatically, so you need to ensure that the specified folder structure exists or nothing will be captured.

Once configured, all Group Policy activity relating to the registry part of GPP will be logged.

From this log file it is easy to see details such as when WMI filters apply or get ignored.

For instance, you will see something like this when a WMI filter is passed:
Starting filter [AND FilterWmi].
Adding child elements to RSOP.
Passed filter [FilterWmi].
Filters passed.

If it fails you'll instead see:
Starting filter [AND FilterWmi].
Adding child elements to RSOP.
Failed filter [FilterWmi].
Filters not passed.
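To pull those verdicts out of a long trace without reading it line by line, here is an added PowerShell example (not code from the original post). Initialize-GpTraceFolder covers the caveat above that the trace folder must already exist, and Get-GpWmiFilterResult pairs each "Starting filter [...]" line with its later "Passed filter" or "Failed filter" line. It is run here against a constructed sample built from the two excerpts above; the patterns only anchor on those fragments because real trace lines carry timestamps and other prefixes not shown on this page, and the trace file path at the end is a placeholder.

```powershell
# Added example: extract WMI filter verdicts from a GPP registry trace log.
# Assumption: the trace is plain text with one entry per line as in the excerpts;
# only the "Starting filter" / "Passed filter" / "Failed filter" fragments are matched.

function Initialize-GpTraceFolder {
    param([Parameter(Mandatory)] [string]$Path)
    # The logging policy does not create this folder; without it nothing is written.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
    }
    Get-Item -LiteralPath $Path
}

function Get-GpWmiFilterResult {
    param([Parameter(ValueFromPipeline)] [string[]]$Line)
    begin { $results = New-Object System.Collections.Generic.List[object] }
    process {
        foreach ($l in $Line) {
            if ($l -match 'Starting filter \[(?<logic>\w+) (?<name>[^\]]+)\]') {
                $results.Add([pscustomobject]@{
                    Filter = $Matches.name      # e.g. FilterWmi
                    Logic  = $Matches.logic     # e.g. AND
                    Result = $null              # filled in by the matching verdict line
                })
            }
            elseif ($l -match '(?<verdict>Passed|Failed) filter \[(?<name>[^\]]+)\]') {
                $name    = $Matches.name
                $verdict = $Matches.verdict
                # Attach the verdict to the most recent still-open entry for this filter.
                $open = $results | Where-Object { $_.Filter -eq $name -and $null -eq $_.Result } |
                    Select-Object -Last 1
                if ($open) { $open.Result = $verdict }
            }
        }
    }
    end { $results }
}

# Constructed sample mirroring the two excerpts in the post (not real trace output).
$sampleTrace = @'
Starting filter [AND FilterWmi].
Adding child elements to RSOP.
Passed filter [FilterWmi].
Filters passed.
Starting filter [AND FilterWmi].
Adding child elements to RSOP.
Failed filter [FilterWmi].
Filters not passed.
'@ -split "`r?`n"

$sampleTrace | Get-GpWmiFilterResult | Format-Table -AutoSize
# Expected: two rows for FilterWmi, the first with Result Passed, the second Failed.

# Against a real trace (placeholder path; use the folder you set in the policy):
# Initialize-GpTraceFolder -Path 'C:\GPTrace' | Out-Null
# Get-Content -LiteralPath 'C:\GPTrace\Computer.log' | Get-GpWmiFilterResult
```

A filter that shows as Failed for a machine you expected it to match is the usual cause of "the preference just does not apply"; the WMI query itself can then be tested on that machine with Get-WmiObject -Query before touching the GPO.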