Active Directory Hardening

Somewhere along the way, while trying to “harden” a bunch of servers using a GPO that I built, one of the servers has a little hiccup.

In the security tab of any folder on this Server 2012 R2 server, the top section has a “UAC” icon as part of the “Edit” button, but the bottom part doesn’t have the “UAC” icon as part of the “Advanced” button.

Other servers do not have the “UAC” icon and that’s the way I want it for both.

Why is one server getting it, and is there any way to reset all the settings on the server? Seems even if I pull the server out of the GPO and reboot, it doesn’t fix this issue.

Thoughts?

Why 1 server out of 5 that are getting the hardening GPO? This was one of the original 2 servers to initially get it but the other one doesn’t have the issues [like the other added after].

Note that while I know GPO stuff I am not an expert.

Thanks

Conversation 2 comments

  • kevin_costa

    25 October, 2019 - 10:24 pm

    I'm not an expert either, but let me help you.

    Are these folders part of a DFS Share? If yes, this behavior is not normal, I believe. If not, check if the server in question is getting the GPOs that you want (run a gpresult /h as an admin); block the GPO inheritance; or move the server to an OU that is "GPOless". Do a 'gpupdate /force' to guarantee a refresh, and see how it goes.

    If these steps do not resolve your problem, maybe your server is "dirty" somehow, with something inside the registry messing up the folder permissions. Run a 'dcdiag' command to see if your domain has any replication problems; run a 'dism /Online /Cleanup-Image /RestoreHealth' and then 'sfc /scannow' afterwards, reboot the server, and see if that works.

    Hope this helps.

    • ebraiter

      29 October, 2019 - 1:06 pm

      In reply to Kevin_Costa:

      No DFS. I did pull the server out of the hardening OU, which just has default policies as well as WSUS settings, and it didn't help. Did the /force.

      Will get back to you on the others….

      Thanks

Thurrott © 2024 Thurrott LLC