No Group Policy Tier Zero objects added by Security Guardian when using the Security Guardian Tier Zero provider
Description
When Security Guardian is used as the Tier Zero provider, the Active Directory environment contains Group Policy objects that meet the criteria listed in the "How Tier Zero Objects are Identified" section of the Security Guardian User Guide, but no Group Policy objects are automatically detected and listed on the Tier Zero Objects page. Group Policy objects added by "User" are displayed on the Tier Zero Objects page without issue, but no Group Policy objects are listed as added by "Security Guardian".
Cause
There is more than one Group Policy object with the same Name (CN) in Active Directory.
Note: The Name (CN) is a GUID value from the groupPolicyContainer object, not the displayName value that is visible in Group Policy Manager.
Resolution
Having more than one Group Policy object with the same Name (CN) in Active Directory does not occur through typical Group Policy operations. The duplicate Group Policy objects were likely created by a product such as Quest Active Administrator, which can create an "(Offline)" copy of a Group Policy object in a repository in Active Directory.
1. On a Domain Controller, run the following PowerShell commands to locate the groupPolicyContainer objects in Active Directory:

    Import-Module ActiveDirectory
    Get-ADObject -LDAPFilter "(objectClass=groupPolicyContainer)"

2. From the list of groupPolicyContainer objects, identify any objects that have the same "Name" value. ("Name" values are case sensitive, so both values must have the exact same case.)
3. The groupPolicyContainer objects that are considered duplicates will have a DistinguishedName that is not under "CN=Policies,CN=System,DC=<domain_root>".
4. Investigate the source of the duplicate groupPolicyContainer object and, if appropriate, remove the duplicate using the application that created it. Alternatively, delete or rename the duplicate Group Policy object directly in Active Directory. It is not recommended to remove or modify any Group Policy object in Active Directory if you are unaware of its source or why it was created.
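
Steps 2 and 3 can be done in one pass instead of by eye. The following is an added example, not part of the original article or of any Quest product: the function name Find-DuplicateGpoContainer is hypothetical, and the GUIDs, the example.com domain and the CN=ExampleRepository container in the sample are constructed.

```powershell
# Added example: report groupPolicyContainer objects whose Name (CN) occurs more than once.
function Find-DuplicateGpoContainer {
    [CmdletBinding()]
    param(
        # Objects exposing Name and DistinguishedName (for example, Get-ADObject output)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$InputObject
    )
    begin   { $all = [System.Collections.Generic.List[psobject]]::new() }
    process { foreach ($o in $InputObject) { $all.Add($o) } }
    end {
        # Step 2: names must match in exact case, hence -CaseSensitive
        $all | Group-Object -Property Name -CaseSensitive |
            Where-Object Count -gt 1 |
            ForEach-Object {
                foreach ($o in $_.Group) {
                    # Strip the first RDN (honouring escaped commas) to get the parent DN
                    $parent = $o.DistinguishedName -replace '^(?:\\.|[^,\\])+,', ''
                    [pscustomobject]@{
                        Name              = $o.Name
                        # Step 3: the duplicate copy is not under CN=Policies,CN=System
                        OutsidePolicies   = $parent -notmatch '^CN=Policies,CN=System,DC='
                        DistinguishedName = $o.DistinguishedName
                    }
                }
            }
    }
}

# Constructed sample data so the function can be tried without a domain.
$g1 = '{11111111-1111-1111-1111-111111111111}'
$g2 = '{22222222-2222-2222-2222-222222222222}'
$sample = @(
    [pscustomobject]@{ Name = $g1; DistinguishedName = "CN=$g1,CN=Policies,CN=System,DC=example,DC=com" }
    [pscustomobject]@{ Name = $g1; DistinguishedName = "CN=$g1,CN=ExampleRepository,DC=example,DC=com" }
    [pscustomobject]@{ Name = $g2; DistinguishedName = "CN=$g2,CN=Policies,CN=System,DC=example,DC=com" }
)
$sample | Find-DuplicateGpoContainer | Format-Table -AutoSize

# Against a live domain (read-only query from step 1):
# Import-Module ActiveDirectory
# Get-ADObject -LDAPFilter "(objectClass=groupPolicyContainer)" | Find-DuplicateGpoContainer
```

Rows with OutsidePolicies set to True are the candidates to investigate in step 4; the function only reads and reports, it does not modify Active Directory.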