Group Policy isn't working after Ransomware Attack
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
We didn't restore the DCs fully, just SYSVOL. Once we stopped the spread we spun up a new DC and took FSMO roles. Then on the weekend we built all new domain controllers.
Which ransomware was it?
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
We ask that question every day.
Wait - who's making the decision? Is someone not in your department acting as IT?
-
@Dashrender said in Group Policy isn't working after Ransomware Attack:
Wait - who's making the decision? Is someone not in your department acting as IT?
Yes and no. Someone in IT long ago made this decision to put DCs in every office, which is not required. That became policy. So it's being enforced by people who aren't IT, but it was decided by former IT.
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
Yes and no. Someone in IT long ago made this decision to put DCs in every office, which is not required. That became policy. So it's being enforced by people who aren't IT, but it was decided by former IT.
Enforced by non-IT? Huh? What gives them the right to enforce anything?
And just because you have a server there, doesn't mean it has to be a DC.
-
@Dashrender said in Group Policy isn't working after Ransomware Attack:
Enforced by non-IT? Huh? What gives them the right to enforce anything?
And just because you have a server there, doesn't mean it has to be a DC.
Not going to argue whether they are doing it right, because they obviously aren't. I am not going to change policy. This is a technical problem I'm working on. Someone else can run the company into the ground.
-
So where are you at with the problem?
-
@Dashrender GP is working, but I get errors. Some of which I believe are related to syntax changes from 2008 to 2016.
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@Dashrender GP is working, but I get errors. Some of which I believe are related to syntax changes from 2008 to 2016.
How about rebuilding one of the GPs, then disable the old one and enable the new one, and test?
-
@Dashrender said in Group Policy isn't working after Ransomware Attack:
How about rebuilding one of the GPs, then disable the old one and enable the new one, and test?
Yeah, I'm working through it slowly. It's applying most. I just see some errors I am trying to diagnose.
-
Delete the Group Policies that no longer exist; maybe look for backups (which I assume you don't have at the moment). You can also recreate the Group Policies as described here:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dcgpofix
-
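Added example, not from the thread or from any of its posters: before deleting stale policies or running dcgpofix, a practitioner would want a read-only audit of what the SYSVOL restore left behind. The script below backs up every GPO with Backup-GPO, then reports three things that typically produce Group Policy errors after a partial restore: GPOs in AD whose SYSVOL folder is missing, GPOs whose AD and SYSVOL version counters disagree, and SYSVOL policy folders with no matching AD object. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that it runs in a domain-admin session; the backup path and domain name are parameters you would set for your environment. It changes nothing except writing the backup.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
<#
  Post-restore GPO consistency audit (added example, not the thread's code).
  Reports only; it does not delete or modify any policy.
  Assumptions: RSAT GroupPolicy/ActiveDirectory modules, domain-admin rights,
  SYSVOL reachable at \\<domain>\SYSVOL\<domain>\Policies.
#>
param(
    [string]$Domain     = (Get-ADDomain).DNSRoot,
    [string]$BackupPath = "C:\GPO-Backups\$(Get-Date -Format 'yyyyMMdd-HHmm')"
)

$policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"

# 1. Back up everything first so any later cleanup is reversible.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -All -Domain $Domain -Path $BackupPath | Out-Null
Write-Host "Backed up all GPOs to $BackupPath"

$gpos          = Get-GPO -All -Domain $Domain
$missingFolder = @()
$versionSkew   = @()

foreach ($gpo in $gpos) {
    # SYSVOL folders are named by the GPO GUID in braces, upper-case.
    $folderName = '{' + $gpo.Id.ToString().ToUpper() + '}'
    $folder     = Join-Path $policyRoot $folderName

    # 2a. AD object exists but its SYSVOL half is gone (partial restore / encryption residue).
    if (-not (Test-Path $folder)) {
        $missingFolder += $gpo
        continue
    }

    # 2b. Get-GPO exposes the AD (DSVersion) and SYSVOL (SysvolVersion) counters for
    #     both halves; a mismatch means the two stores are out of step.
    if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion -or
        $gpo.User.DSVersion     -ne $gpo.User.SysvolVersion) {
        $versionSkew += [pscustomobject]@{
            Name           = $gpo.DisplayName
            Id             = $gpo.Id
            ComputerAD     = $gpo.Computer.DSVersion
            ComputerSysvol = $gpo.Computer.SysvolVersion
            UserAD         = $gpo.User.DSVersion
            UserSysvol     = $gpo.User.SysvolVersion
        }
    }
}

# 3. SYSVOL folders that no AD GPO object references (orphans). The central store
#    folder "PolicyDefinitions" is excluded by the GUID pattern.
$knownFolders = $gpos | ForEach-Object { '{' + $_.Id.ToString().ToUpper() + '}' }
$orphans = Get-ChildItem -Path $policyRoot -Directory |
    Where-Object {
        $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' -and
        ($knownFolders -notcontains $_.Name.ToUpper())
    }

Write-Host "`n== GPOs in AD with no SYSVOL folder ($($missingFolder.Count)) =="
$missingFolder | Select-Object DisplayName, Id | Format-Table -AutoSize

Write-Host "`n== GPOs with AD/SYSVOL version skew ($($versionSkew.Count)) =="
$versionSkew | Format-Table -AutoSize

Write-Host "`n== Orphaned SYSVOL policy folders ($($orphans.Count)) =="
$orphans | Select-Object Name, LastWriteTime | Format-Table -AutoSize

# The two built-in policies can be regenerated with the tool linked above:
#   dcgpofix /target:Both
# Everything else has to be restored from backup or rebuilt by hand.
```

Anything in the first list is a candidate for the "delete the ones that no longer exist" step, anything in the second list is worth re-saving from the GPMC (which rewrites both halves) before assuming it is a syntax problem, and the orphan list shows folders that survived the restore without an object behind them. After cleanup, `gpupdate /force` followed by `gpresult /h report.html` on a test client shows whether the remaining errors are gone.
-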
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
Yes and no. Someone in IT long ago made this decision to put DCs in every office, which is not required. That became policy. So it's being enforced by people who aren't IT, but it was decided by former IT.
That's all "no". A decision in the past isn't a decision in the future. Someone deciding to use RAID 5 in 1999 because it made sense then, and then other people enforcing it ten or twenty years later because they aren't doing good evaluation of current needs, cannot claim that the decision was made long ago. The person long ago wasn't evaluating the current situation, current needs, current tech, etc.
That's a bit like saying that the last time someone drove the car that we turned right and then going the wrong direction later and trying to blame the last driver.
That decision is 100% on the current people.
-
@Dashrender said in Group Policy isn't working after Ransomware Attack:
Enforced by non-IT? Huh? What gives them the right to enforce anything?
And just because you have a server there, doesn't mean it has to be a DC.
The people who made them the ACTUAL IT.
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
We didn't restore the DCs fully, just SYSVOL. Once we stopped the spread we spun up a new DC and took FSMO roles. Then on the weekend we built all new domain controllers.
So there might be parts that were encrypted and just left that way?
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
Yeah, I'm working through it slowly. It's applying most. I just see some errors I am trying to diagnose.
Manual rebuild might be necessary.
-
@scottalanmiller said in Group Policy isn't working after Ransomware Attack:
Manual rebuild might be necessary.
Working with a vendor we use for special projects like this today. Definitely possible.