
I'm fairly at home with Group Policy but this is sort of a strange one. I know security settings get applied every 16 hrs. I had a policy that added an AD group to the local admins (restricted groups). It would replace all other settings.

Now, we are migrating into a new domain structure and cleaning up our policies. I moved the computer to the new OU and its accompanying policies. In the new env, there is no policy that sets the restricted groups.

To my surprise, some time after the computer was moved, all of a sudden admins no longer had admin rights. We obviously didn't remove them manually on the computer itself, so this is somehow the result of moving the computer object into the new env.

I would figure that a setting that has been set, stays set. Having said that, by moving the computer object and thus "removing the policy", I basically "change the setting". Maximum 16 hrs later the settings get re-applied and the "empty" setting gets applied. On the other hand that doesn't make any sense, because the GPT doesn't contain any setting that gets "sent" to the computer for processing.

So I'm confused as to why the group got removed from the computer. Can anyone explain this?

Snak3d0c

4 Answers


This is the expected behaviour: when the computer receives the "Restricted Groups" policy, it stores the previous state in a local cache.

When the GPO is not in the scope of the computer anymore, Windows reverts the local group membership to the previous value.

Swisstone
  • Thank you for helping me out. Is this true for any setting being set by a policy or does this only hold true for security settings? – Snak3d0c Aug 20 '20 at 11:42
  • Also, I always figured GPO caching was to cache the settings of a GPO (for faster processing), not the original state of the setting it targets? – Snak3d0c Aug 20 '20 at 12:16
  • I think it is more like "security principals that aren't recognized or valid are evicted from the group". I've seen this occur on a normal system during startup if there is a problem resolving the restricted group member security identifier, then they are re-added next time group policy applies if the problem is resolved. In this case, since the group used to grant membership was a Global group in the source domain, it isn't valid in the new domain. – Greg Askew Aug 20 '20 at 12:50
  • @Snak3d0c This is a special case; the cache you are talking about is another one. Windows doesn't need to cache the original value of all the GPO settings to cancel their effect: they generally have 3 states, Not configured (aka "Let something else decide") / Enabled / Disabled, and while they are stored in "Policies" keys, Windows can delete the values if the GPO is out of scope. So, yes, it's true that when a policy is not applied anymore, its effect is cancelled. The GPO editor will tell you if a registry setting persists after GPO removal (rare) ("This registry setting is not stored in a policy key [...]"). – Swisstone Aug 20 '20 at 16:21
  • @GregAskew I think both cases are true :) – Swisstone Aug 20 '20 at 16:23

Security settings in GPO are persistent. They "tattoo" the system, even when the GPO is removed.

To revert, you have to apply the default security policy of the system:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

See here: https://support.microsoft.com/en-us/help/313222/how-do-i-restore-security-settings-to-a-known-working-state

Don Zoomik
  • First off, thanks for helping. I'm sorry, but the occurrence that I have is in my opinion the exact opposite of tattooing. As far as I remember, tattooing is setting a setting via GPO, removing the GPO, and the setting remains (like you explained). My situation is: I moved the computer to another OU where there is no such GPO (and setting), but the client lost its settings (without me actively removing/restoring the setting). – Snak3d0c Aug 20 '20 at 11:41

The Global Security group that was used is only valid in the original domain.

Greg Askew

So I figured it out myself. The reason is not tattooing but something called "Policy keys". When you create a GPO, in the GUI you'll see "Computer configuration"; when you open it you'll see "Policies" & "Preferences".

Now, Restricted Groups is located at "Computer configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups". The keyword in this is "Policies".

The difference between "Policies" & "Preferences" is the way they impact the system. With a "normal policy" the changes are put into a "Policy key" (which is guarded by the system) within the registry, which then gets invoked by the "group policy engine".

Now, when the GPO becomes out of scope (in this case because I moved the computer object), the settings are reverted.

This is why this happened.

This is all explained in the third edition of Jeremy Moskowitz's "Group Policy Fundamentals, Security, and the Managed Desktop", chapter 5, specifically on page 279.

I needed @Swisstone's input to get me on my way, and the book to get the full understanding. Thanks again for that!

Snak3d0c
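A practical way to catch the reversion the thread describes is to baseline the local Administrators group before the OU move and diff it after the next policy refresh. This is an added example, not code from the thread or from any of its posters; it assumes it is run elevated on the domain-joined client, and the baseline path and function name are this example's own choices.

```powershell
# Added example, not code from the original thread. Snapshots the local
# Administrators group through the ADSI WinNT provider, so members whose SID no
# longer resolves (for example a group from the old domain) still appear, and
# diffs the result against a baseline file so a reversion by the Restricted
# Groups policy engine is noticed. Assumptions: run elevated on the domain-joined
# client; the baseline path and the function name are this example's own.
param(
    [string]$BaselinePath = "$env:ProgramData\LocalAdminBaseline.json",
    [switch]$WriteBaseline
)

function Get-LocalAdminMembers {
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($m in $group.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://DOMAIN/Name; an unresolvable member shows
        # only its raw SID, e.g. WinNT://S-1-5-21-...-1107
        $name = ($path -replace '^WinNT://', '') -replace '/', '\'
        [pscustomobject]@{
            Name     = $name
            Orphaned = [bool]($name -match '^S-1-5-\d+(-\d+)+$')
        }
    }
}

$current = @(Get-LocalAdminMembers)

if ($WriteBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) members)"
    return
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name

foreach ($d in $diff) {
    # '<=' means the member was in the baseline but is gone now (the symptom in the question)
    $change = if ($d.SideIndicator -eq '<=') { 'REMOVED' } else { 'ADDED' }
    Write-Warning "$change`: $($d.Name)"
}
foreach ($m in ($current | Where-Object Orphaned)) {
    Write-Warning "Unresolvable member (SID from another domain?): $($m.Name)"
}
if (-not $diff) {
    Write-Output "Local Administrators matches baseline ($($current.Count) members)."
}
```

Run it once with -WriteBaseline before moving the computer object, then again after the next refresh; gpresult /scope computer /r lists which GPOs are still applied, so you can confirm whether the Restricted Groups GPO has dropped out of scope.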