Viewing some settings in GPO requires role installation

Last Post 04 May 2017
BrianB posted this 03 May 2017

All: We are using Server Core everywhere that it supports the role that we install. We have dedicated, secured management stations that are full GUI for when the need arises and we have to use a graphical tool. We have found over the years that we have to install a role on the management server in order to see the values for certain settings in the GPO console.

I would love to do away with having to install a role so the proper DLLs and files are loaded to make the information in the GPMC legible. Has anyone figured out a way to use the GPMC without having to install the roles to view all of the settings?

Brian Britt

BrianB posted this 03 May 2017

Apologies,

We manage the AD and LDAP for my institution. So, I am using Server Core for DCs and any supporting servers. I have to install the AD-Domain-Services role on the management station in order to see some settings for creating policy for the DCs.

Brian Britt

darren posted this 03 May 2017

Brian-

I'm curious as to what settings you can't see without that role installed? I presume you have the Group Policy Management feature installed. Are you saying that even with that feature, you still have to install AD-Domain-Services in order to see settings within GPMC and GP Editor?

Darren

BrianB posted this 03 May 2017

Hi Darren,

Yes, my techs complain that firewall rules specific to DNS and AD are not enumerated properly unless the role is installed. If the AD-Domain-Services role is installed, in this case, then the enumeration happens and it is understandable. This appears in the GPMC reporting as well as when you edit the GPO and open the setting for the Advanced Firewall.

If the DC were full GUI, this would not be a problem, but since it is Server Core, we use dedicated admin stations that manage the GPOs for Domain Controllers.

Name                 Description
@ntdsmsg.dll,-1031   @ntdsmsg.dll,-1032

This rule might contain some elements that cannot be interpreted by the current version of GPMC reporting module

darren posted this 03 May 2017

Ah interesting. Ok. So there are a number of DLLs related to GP that hold the resource strings that are used by editing and reporting. You should be able to simply take that one below from a system where it's installed and copy it to system32 on another system of the same version and resolve that issue.

Darren

BrianB posted this 03 May 2017

I will try that now and let you know if it works.

Brian

BrianB posted this 03 May 2017

Darren,

Copying the ntdsmsg.dll did not fix the problem. I thought about registering it with regsvr32 but was a little unsure. I did try to register on a test system and got an error, "The module 'ntdsmsg.dll' was loaded but the entry-point 'DllRegisterServer' was not found."

I did not pursue it any further as it seems to require an application, which leads me to believe that the role is required.

Brian

darren posted this 03 May 2017

Curious. That DLL doesn't look like it has other dependencies but, as you say, it could be some other part of that role package that is required. I also tried regsvr32 and got the same message, which is not too surprising since I don't think it's a COM component.

I will try to investigate further if I get some spare time.

Darren

BrianB posted this 03 May 2017

Awesome Darren, thank you.

I have racked my brain trying to get this to work without installing the role, to no avail. Hopefully this will help others, too.

Brian Britt

kurtbuff posted this 03 May 2017

Can you clarify what you mean by installing the role?
Wouldn't this be solved by installing the RSAT tools?
Kurt

darren posted this 03 May 2017

I don't think so Kurt. As an example, I have RSAT installed on a Win 10 machine and it doesn't include that DLL below. And, if I look in GP Editor for the pre-defined AD rules under Windows Firewall policy, they don't exist on that Win10 RSAT machine but do on a DC.

Darren

kurtbuff posted this 03 May 2017

Ah. I think I can understand that.
Not enabling the ability to craft GPOs for a role without having the role enabled/installed might be considered a form of security, I suppose.
Definitely inconvenient, though.
Kurt

BrianB posted this 04 May 2017

Darren is correct. If you install the DC role, "add-windowsfeature -name ad-domain-services", you get part of the way there to installing a DC. All that is left is to promote it. If I leave it at the halfway point, I can enumerate the AD rules in the GP Editor or in the Advanced Firewall config. Otherwise, if the role is not installed, the rules are cryptic as seen below:

Name                 Description
@ntdsmsg.dll,-1031   @ntdsmsg.dll,-1032

This rule might contain some elements that cannot be interpreted by the current version of GPMC reporting module

This appears to be true for the DNS role as well.

Maybe I am scratching at a phantom itch, but installing a role to enumerate a FW rule seems overkill and potentially dangerous to me. I can't cite a specific "Don't do this" rule, but if you have to install a role you increase your footprint and the potential for an admin to misconfigure something by accident.

Brian Britt

michael1 posted this 04 May 2017

I would suggest this be bugged.

I don't remember this happening in the past.

darren posted this 04 May 2017

<Chuckle> Oh Michael, Michael, Michael… Given the .001 developers currently working on GP, good luck with that 😊. That said, I just confirmed that it's been an issue since at least 2008 R2, so probably nothing they would fix. Frankly, this is not uncommon in the history of GP. For example, installing IE 10 totally nuked IE Maintenance policy from both editing and reporting, or earlier scenarios with the customized MSS:* security settings that required a specific version of wsecedit.dll. Anyway, there is likely a path to just getting the files needed to properly enumerate these settings. If I could get Process Explorer working correctly, it might show up easily.

Darren

michael1 posted this 04 May 2017

Yeah, I hadn't realized it had gotten so bad. A couple of people responded off list.

However, you can at least get it on the list in case anyone ever pays attention to GP again…

darren posted this 04 May 2017

Agreed. I've reported a number of broken items over the years, and in general the answer has been "not a priority", but it never hurts.

Darren

BrianB posted this 04 May 2017

An update from my tech…

He installed AD-Domain-Services and then uninstalled it, and he can still see the firewall rules for AD with RSAT for AD services and the GPMC console. So it may be that we just need to install > uninstall the role to get the visibility.

Brian Britt

darren posted this 04 May 2017

Good to know! Thanks Brian. Curious though: that implies to me that uninstalling the role doesn't really uninstall it. For example, is the ntdsmsg.dll file still there in system32 after uninstalling the role?

Darren
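The resource-string mechanism Darren describes earlier, and his question here about whether the DLL survives an uninstall, can both be checked directly on the management station. The PowerShell below is an added example and not code from anyone in this thread; it assumes a Windows Server host with the ServerManager module available, and uses the shlwapi SHLoadIndirectString API to resolve the same @ntdsmsg.dll references that GPMC prints verbatim in the reports above.

```powershell
# Added example (not from the thread). Resolves indirect resource strings of the
# form "@ntdsmsg.dll,-1031" the way the firewall snap-in does, and reports the
# AD DS role state plus whether ntdsmsg.dll is present in System32.
# Assumption: run elevated on Windows Server with the ServerManager module.

Add-Type -Namespace Win32 -Name IndirectString -MemberDefinition @'
[DllImport("shlwapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int SHLoadIndirectString(string pszSource,
    System.Text.StringBuilder pszOutBuf, int cchOutBuf, IntPtr ppvReserved);
'@

function Resolve-IndirectString {
    param([Parameter(Mandatory)][string]$Source)
    $buf = New-Object System.Text.StringBuilder 1024
    $hr  = [Win32.IndirectString]::SHLoadIndirectString($Source, $buf, $buf.Capacity, [IntPtr]::Zero)
    if ($hr -eq 0) { return $buf.ToString() }
    # Non-zero HRESULT: the DLL could not be loaded or the resource id is absent.
    return $null
}

# The Name/Description references shown in the GPMC report when the role is missing.
$refs = '@ntdsmsg.dll,-1031', '@ntdsmsg.dll,-1032'
foreach ($r in $refs) {
    $text = Resolve-IndirectString -Source $r
    if ($text) { '{0} -> {1}' -f $r, $text }
    else       { '{0} -> (unresolved: DLL missing or resource id not found)' -f $r }
}

# Role state and whether the message DLL was left behind after an uninstall,
# which is what the install-then-uninstall observation above hinges on.
$dll     = Join-Path $env:SystemRoot 'System32\ntdsmsg.dll'
$feature = Get-WindowsFeature -Name AD-Domain-Services
[pscustomobject]@{
    ADDSInstalled    = $feature.Installed
    ADDSInstallState = $feature.InstallState
    NtdsmsgPresent   = Test-Path $dll
    NtdsmsgVersion   = if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { $null }
}
```

Running it before and after an install/uninstall cycle of the role shows whether the strings resolve only because the DLL was left in place, which is the smaller footprint Brian is after versus a half-installed role.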

BrianB posted this 04 May 2017

I will verify. I am out of the office at the Microsoft office here in Nashville at the moment. :)

Funny, there is no one here to ask about this issue though.

Brian Britt

michael1 posted this 04 May 2017

…and whether or not he rebooted in between his tests.