My first question in ServerFault heya :)
In our domain manage all server and client machines with Microsoft Active Directory. We have 13 Vm Server. Domain\administrator user is Domain admin. I use it in domain everywhere (IIS web services, Remote Logins, Task Schedule, Veeam Backups etc.) without any permission issue.
Today i config a policy under DC and assign it to Servers OU which all servers in it. And try Right Click on this OU, select Group Policy Update. 9 are Failed 4 are Succeeded. I attach the results.
4 Succeeded Servers
1 Windows Server 2012 R2
2 Windows Server 2008 R2 Standart
1 Windows 10 Pro 21H1
9 Failed Servers
6 Windows Server 2016
2 Windows Server 2012 R2
1 Windows 10 Pro 21H1
I search over internet and try many solutions but no way. I compare one of succeeded and failed machines firewall rules, Domain\administrator user rights, some registry settings etc. and they are same.
Also Invoke-GPUpdate -computer SERVERNAMEHERE -force command excuted from DC return below error;
Invoke-GPUpdate : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
Invoke-GPUpdate -computer SERVERNAMEHERE -force
CategoryInfo : NotSpecified: (:) [Invoke-GPUpdate], UnauthorizedAccessException
FullyQualifiedErrorId : Unspecified,Microsoft.GroupPolicy.Commands.InvokeGPUpdateCommand
After executed above GpUpdate command i go to target server and check the Windows Security Logs in Event Viewer and see below entries;
Special privileges assigned to new logon.
Subject:
Security ID: DOMAIN\administrator
Account Name: administrator
Account Domain: DOMAIN
Logon ID: 0x26A9C63
Privileges: SeLoadDriverPrivilege
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: DOMAIN\administrator
Account Name: administrator
Account Domain: DOMAIN
Logon ID: 0x26A9C63
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: SERVER-DCHERE
Source Network Address: DC.IP.H.ERE
Source Port: 50691
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
So I am stuck at this point. Succesfully remote logon, 4 machine success remote excution with same user mix my brain :( Any idea appreciated. Thanks in advance.
--- EDIT 1 ---
I enable Group Policy debug logging on the failed machine. Than Execute Invoke-GPUpdate -computer SERVERNAMEHERE -force command from DC. Below lines created in target machine %WINDIR%\debug\UserMode gpsvc.log;
GPSVC(13b4.24c) 16:24:37:497 CGPNotify::UnregisterNotification: Entering with event 000000000000012C
GPSVC(13b4.24c) 16:24:37:497 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
GPSVC(2420.f04) 16:24:37:497 CGPNotify::UnregisterNotification: Entering with event 0000000000000128
GPSVC(2420.f04) 16:24:37:497 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
Also i try second time but no logs genereated. These logs not belongs to my remote gpupdate execution i think.
winrm id -r:machinename\\ComputerName\admin$and folder opened directly. Not ask any credentials.winrm id -r:machinenameresult isIdentifyResponse ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd ProductVendor = Microsoft Corporation ProductVersion = OS: 10.0.14393 SP: 0.0 Stack: 3.0 SecurityProfiles SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos