Delegating the permission to generate Group Policy Results of Computer Configuration for domain users

By default, domain users cannot generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration due to insufficient permissions. Only users with local administrator rights on the target computer can remotely access Group Policy Results data.
Figure 1: Gpresult of a domain user
Figure 2: The warning of “Resultant Set of Policy”
Figure 3: “Resultant Set of Policy” is being processed
Figure 4: The result of “Resultant Set of Policy”
To allow domain users to generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration, we can delegate the permission to them using GPMC. The permission can be assigned at the domain or organizational unit level.
Remark: To delegate the permission, make sure the forest functional level of the domain environment is Windows Server 2003 or later.
Goals
Allow the domain user Terry to read the “Group Policy Results” of Computer Configuration in the “Win7 Workstations” OU.
Lab environment
  • 1 domain controller named DC02 running Windows Server 2008
  • 1 workstation named W701 running Windows 7, located in the Win7 Workstations OU
  • 1 server named FS01 running Windows Server 2008 R2, located in the Computers container
  • 1 domain user account named Terry
1. On DC02, log in as Domain Administrator.
2. Launch “Group Policy Management Console”.
3. Expand “Forest > Domains > Domain Name > Win7 Workstations”.
4. Select the “Delegation” tab.
5. Next to “Permission”, select “Read Group Policy Results data”.
6. Click “Add”.
7. In the “Select User, Computer, or Group” window, enter “Terry”.
8. In the “Add Group or User” window, next to “Permissions”, select “This container and all child containers”.
Remark: Child OUs of “Win7 Workstations” will inherit the permission because “This container and all child containers” is selected.
9. Click “OK”.
10. Click “Advanced”.
11. Next to “Security”, select “Terry”.
The “Generate resultant set of policy” permission is granted to Terry.
12. Click “Cancel”.
Now Terry can generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration on workstations under the “Win7 Workstations” OU.
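The same delegation done from PowerShell, as an added example that is not part of the original post: it audits which principals hold the “Generate Resultant Set of Policy (Logging)” extended right on the OU (the right that GPMC’s “Read Group Policy Results data” delegation writes into the OU’s ACL) and then grants it to Terry. It assumes the RSAT ActiveDirectory module and uses the lab’s OU name and an assumed domain “domain.local”.

```powershell
# Added example (not from the original post): audit and grant the
# "Generate Resultant Set of Policy (Logging)" extended right on an OU.
# Assumes the ActiveDirectory module (RSAT) and an account allowed to edit the OU's ACL.
Import-Module ActiveDirectory

$ouDn = 'OU=Win7 Workstations,DC=domain,DC=local'   # assumption: the lab's OU and domain name
$user = 'Terry'

# Resolve the right's GUID from the configuration partition instead of hard-coding it.
$configNc = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter '(cn=Generate-RSoP-Logging)' -Properties rightsGuid
$rsopLoggingGuid = [guid]$right.rightsGuid

# List every ACE on the OU that refers to the RSoP (Logging) right.
function Get-RsopLoggingDelegation {
    param([string]$Dn)
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.ObjectType -eq $rsopLoggingGuid } |
        Select-Object IdentityReference, AccessControlType, InheritanceType, IsInherited
}

# Grant the right to one user; InheritanceType All is GPMC's
# "This container and all child containers", None would be "This container only".
function Grant-RsopLoggingDelegation {
    param([string]$Dn, [string]$SamAccountName)
    $sid = (Get-ADUser -Identity $SamAccountName).SID
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rsopLoggingGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

'Before:'; Get-RsopLoggingDelegation -Dn $ouDn
Grant-RsopLoggingDelegation -Dn $ouDn -SamAccountName $user
'After:';  Get-RsopLoggingDelegation -Dn $ouDn
```

Running only Get-RsopLoggingDelegation against the domain DN shows why a computer in the Computers container, such as FS01 in the lab, is not covered by a delegation made on the OU.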
Test result
1. On W701, log in as Terry.
2. Launch “Command Prompt”.
3. Run “gpresult /r”.
The “Group Policy Results” of Computer Configuration can be generated by Terry.
4. Run “rsop.msc”.
When the “Resultant Set of Policy” is being processed, there is no warning message. Terry can generate the “Resultant Set of Policy” of Computer Configuration.
5. Log off W701.
6. On FS01, log in as Terry.
7. Launch “Command Prompt”.
8. Run “gpresult /r”.
9. Run “rsop.msc”.
Because the “Generate resultant set of policy” permission was delegated on the “Win7 Workstations” OU rather than at the domain level, and FS01 sits in the Computers container outside that OU, Terry cannot generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration on FS01.
For more information:
Delegation and policy-related permissions

DNS, Windows Event Log, AD Web Services not starting on Windows 2008 R2 DC

http://support.microsoft.com/kb/971256

When you try to start the Windows Event Log service from the Services console on Windows Server 2008, the Windows Event Log service fails. Additionally, you receive the following error message:

Error 5: Access denied

The Task Scheduler and Windows Event Collector services, which depend on Windows Event Log service, also fail.

Cause

This problem happens if any of the following conditions are true:

  • The built-in security group EventLog does not have permissions on the folder %SystemRoot%\System32\winevt\Logs
  • The Local Service account does not have default permissions on the following registry key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability

Resolution

Restore the default permissions on %SystemRoot%\System32\winevt\logs.

Authenticated Users – List folder/read data, Read attributes, Read extended attributes, Read permissions
Administrators – Full control
SYSTEM – Full control
EventLog – Full control

Method 1

To restore the default permissions on folder %SystemRoot%\System32\winevt\logs, follow these steps.

  1. Right-click %SystemRoot%\System32\winevt\logs and select Properties.
  2. Select the Security tab.
  3. Click the Edit button, then click the Add button in the permissions dialog box.
  4. In the Select Users, Computers, or Groups dialog box, make sure that Built-in Security Principals is selected under Object Types and that the local computer name is selected as the Location.
  5. Enter the object name NT SERVICE\EventLog and click OK. This group should have Full control on the folder.
  6. Once the EventLog group is added, add the rest of the groups with the permissions listed above.

Method 2

Identify a Windows Server 2008 machine with default permissions.

  1. Click Start, and then type cmd in the Start Search box.
  2. In the search results list, right-click Command Prompt, and then click Run as Administrator.
  3. When you are prompted by User Account Control, click Continue.
  4. Type the command CD %SystemRoot%\SYSTEM32.
  5. Once the working directory is changed to %SystemRoot%\SYSTEM32 type the command icacls winevt\* /save acl /T.
  6. This will save a file named ACL in %SystemRoot%\SYSTEM32. Copy this file to the C: drive on the problem computer.
  7. On the problem computer, open command prompt with administrator privileges (refer to previous steps 1-3).
  8. Change the working directory to %SystemRoot%\SYSTEM32.
  9. Execute the command icacls winevt\ /restore acl.

Default permissions on the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability should be:

CREATOR OWNER – Full control
SYSTEM – Full control
LOCAL SERVICE – Query Value, Set Value, Create Subkey, Notify and Delete
Administrators – Full control
Users – Read

To set the permissions on this registry key:

  1. Click the Start menu, select Run and type Regedit.
  2. Go to the location HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability.
  3. From the Edit menu, click Permissions.
  4. Add the permissions for the accounts as listed above.
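Before changing anything, it helps to know which of the default entries above are actually missing. The following added example (not part of the KB article) compares the current ACL of the winevt\Logs folder and of the Reliability registry key with the defaults listed in the Resolution and reports each account whose Allow rights fall short; it is meant to be run from an elevated PowerShell prompt on the problem computer.

```powershell
# Added example, not part of the KB article: check the winevt\Logs folder and the
# Reliability registry key against the default ACEs the article lists.
# Run from an elevated PowerShell prompt on the problem computer.

function Test-DefaultAcl {
    param(
        [string]$Path,          # file system path or HKLM:\ registry path
        [hashtable]$Expected,   # account name -> required rights (enum member names)
        [type]$RightsType       # [...FileSystemRights] or [...RegistryRights]
    )
    $acl = Get-Acl -Path $Path
    $rightsProp = $RightsType.Name   # access rules expose the rights under the same name
    foreach ($identity in $Expected.Keys) {
        $want = [int]($Expected[$identity] -as $RightsType)
        $have = 0
        $allowRules = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Allow' })
        # Combine explicit and inherited Allow ACEs for the account. Generic rights
        # (e.g. GENERIC_ALL on some inherited entries) are not mapped here.
        foreach ($rule in $allowRules) { $have = $have -bor [int]$rule.$rightsProp }
        [pscustomobject]@{
            Path     = $Path
            Identity = $identity
            Required = $Expected[$identity]
            Status   = $(if (($have -band $want) -eq $want) { 'OK' } else { 'MISSING' })
        }
    }
}

$fs  = [System.Security.AccessControl.FileSystemRights]
$reg = [System.Security.AccessControl.RegistryRights]

# Defaults from the article for %SystemRoot%\System32\winevt\Logs
$logsDefaults = @{
    'NT AUTHORITY\Authenticated Users' = 'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
    'BUILTIN\Administrators'           = 'FullControl'
    'NT AUTHORITY\SYSTEM'              = 'FullControl'
    'NT SERVICE\EventLog'              = 'FullControl'
}
# Defaults from the article for the Reliability key ("Read" in regedit is ReadKey)
$reliabilityDefaults = @{
    'CREATOR OWNER'              = 'FullControl'
    'NT AUTHORITY\SYSTEM'        = 'FullControl'
    'NT AUTHORITY\LOCAL SERVICE' = 'QueryValues, SetValue, CreateSubKey, Notify, Delete'
    'BUILTIN\Administrators'     = 'FullControl'
    'BUILTIN\Users'              = 'ReadKey'
}

Test-DefaultAcl -Path (Join-Path $env:SystemRoot 'System32\winevt\Logs') -Expected $logsDefaults -RightsType $fs
Test-DefaultAcl -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Reliability' -Expected $reliabilityDefaults -RightsType $reg
```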

Finding AD & Exchange schema version

Active Directory Schema Version

dsquery * cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr objectVersion

Exchange Schema Version

dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper


Replace dc=domain,dc=local in both commands with your own domain name.