Group Policy isn't working after Ransomware Attack
-
We've rebuilt all of our domain controllers after we got hit with ransomware. A pretty big metadata cleanup needs to occur.
I ran gpupdate /force to see what errors it threw out:
The processing of Group Policy failed. Windows attempted to read the file \\Domain.local\SysVol\Domain.local\Policies\{unique identifier}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled. User Policy could not be updated successfully. The following errors were encountered:
There are some shares in sysvol that don't exist anymore upon our restore. Would that cause the entirety of group policy to shutdown or just the application of said GPO's that are being referenced?
-
repadmin /showrepl came back successful for all
repadmin /syncall was successful for all
repadmin /kcc was successful
-
you mean you didn't just kill the old domain and make a new one?
-
Did you ensure the Group Policy client was enabled and started on the workstation you are testing on?
-
Could also be a permissions issue on the folders/locations that are referenced.
-
@coliver said in Group Policy isn't working after Ransomware Attack:
Did you ensure the Group Policy client was enabled and started on the workstation you are testing on?
Yes, I did.
-
I resolved the above and now I am getting the below error:
The following warnings were encountered during computer policy processing: Windows failed to apply the Scripts settings. Scripts settings might have its own log file. Please click on the "More information" link. Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the "More information" link. User Policy update has completed successfully. The following warnings were encountered during user policy processing: The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance. For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results. Certain user policies are enabled that can only run during logon. OK to log off? (Y/N)
-
@JasGot said in Group Policy isn't working after Ransomware Attack:
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
How many DCs?
lol.
like 30+
-
Right now I am working on a script to compare all of the files contained within SYSVOL between all DCs.
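One way to do that comparison, as an added example that is not the poster's script: hash every file under each DC's SYSVOL Policies share, report files that are missing on some DCs or differ between them, and separately flag GPOs whose gpt.ini (the file named in the error above) is absent anywhere. It assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to every DC's SYSVOL share.

```powershell
# Added example (not from the thread): compare SYSVOL policy files across all DCs.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules) and read access to each DC's SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = (Get-ADDomain).DNSRoot
$dcs    = (Get-ADDomainController -Filter *).HostName | Sort-Object

# Index: relative path under Policies -> @{ DC hostname -> SHA256 of that DC's copy }
$index = @{}
foreach ($dc in $dcs) {
    $root = "\\$dc\SYSVOL\$domain\Policies"
    if (-not (Test-Path $root)) {
        Write-Warning "Cannot reach $root"
        continue
    }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\')
        if (-not $index.ContainsKey($rel)) { $index[$rel] = @{} }
        $index[$rel][$dc] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

# Files that are absent on at least one DC, or whose content differs between DCs.
$report = foreach ($rel in ($index.Keys | Sort-Object)) {
    $seen     = $index[$rel]
    $missing  = @($dcs | Where-Object { -not $seen.ContainsKey($_) })
    $distinct = @($seen.Values | Sort-Object -Unique)
    if ($missing.Count -gt 0 -or $distinct.Count -gt 1) {
        [pscustomobject]@{
            File      = $rel
            MissingOn = ($missing -join ',')
            Variants  = $distinct.Count   # >1 means DCs hold different versions
        }
    }
}
$report | Format-Table -AutoSize

# GPOs defined in AD whose gpt.ini folder never replicated to some DC: these are the
# ones gpupdate reports as "attempted to read the file ...\gpt.ini ... not successful".
foreach ($gpo in Get-GPO -All) {
    $rel     = "{$($gpo.Id.ToString().ToUpper())}\gpt.ini"
    $missing = @($dcs | Where-Object { -not ($index.ContainsKey($rel) -and $index[$rel].ContainsKey($_)) })
    if ($missing.Count -gt 0) {
        "GPO '$($gpo.DisplayName)' gpt.ini missing on: $($missing -join ', ')"
    }
}
```

Run it from an admin workstation with line of sight to every DC; files that show up with Variants greater than 1 are the ones where replication, not just a missing restore, needs attention.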
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@JasGot said in Group Policy isn't working after Ransomware Attack:
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
How many DCs?
lol.
like 30+
30 AD Domain controllers?
-
@dafyre said in Group Policy isn't working after Ransomware Attack:
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@JasGot said in Group Policy isn't working after Ransomware Attack:
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
How many DCs?
lol.
like 30+
30 AD Domain controllers?
Over 30
-
@wirestyle22 Problems with all of them? Or just the one(s) that was/were hit with ransomware?
-
@JasGot said in Group Policy isn't working after Ransomware Attack:
@wirestyle22 Problems with all of them? Or just the one(s) that was/were hit with ransomware?
Everything has the same error, including workstations, when you gpupdate.
-
This sounds like the AD Servers were restored from a backup and got out of sync... Could that be the case?
-
@dafyre said in Group Policy isn't working after Ransomware Attack:
This sounds like the AD Servers were restored from a backup and got out of sync... Could that be the case?
Yeah, it does. I am pretty sure that if you have an issue that you need to restore AD, you would bring down all DCs and restore a single DC, then add new DCs. But, I am thinking this would be better to do a completely new AD environment. Too many ghosts.
-
@wrx7m said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
This sounds like the AD Servers were restored from a backup and got out of sync... Could that be the case?
Yeah, it does. I am pretty sure that if you have an issue that you need to restore AD, you would bring down all DCs and restore a single DC, then add new DCs. But, I am thinking this would be better to do a completely new AD environment. Too many ghosts.
Nuke and pave is always a good answer... but jeez... Why do you need so many DCs to start with?
Our AD infrastructure here has nearly 40k people in it and we only have 6.
-
@wrx7m said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
This sounds like the AD Servers were restored from a backup and got out of sync... Could that be the case?
Yeah, it does. I am pretty sure that if you have an issue that you need to restore AD, you would bring down all DCs and restore a single DC, then add new DCs. But, I am thinking this would be better to do a completely new AD environment. Too many ghosts.
Huh, who asked about that earlier?
-
@dafyre said in Group Policy isn't working after Ransomware Attack:
@wrx7m said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
This sounds like the AD Servers were restored from a backup and got out of sync... Could that be the case?
Yeah, it does. I am pretty sure that if you have an issue that you need to restore AD, you would bring down all DCs and restore a single DC, then add new DCs. But, I am thinking this would be better to do a completely new AD environment. Too many ghosts.
Nuke and pave is always a good answer... but jeez... Why do you need so many DCs to start with?
Our AD infrastructure here has nearly 40k people in it and we only have 6.
We ask that question every day
-
We didn't restore the DCs fully, just SYSVOL. Once we stopped the spread we spun up a new DC and took FSMO roles. Then on the weekend we built all new domain controllers.
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
We didn't restore the DCs fully, just SYSVOL. Once we stopped the spread we spun up a new DC and took FSMO roles. Then on the weekend we built all new domain controllers.
Which ransomware was it?
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
@wrx7m said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
This sounds like the AD Servers were restored from a backup and got out of sync... Could that be the case?
Yeah, it does. I am pretty sure that if you have an issue that you need to restore AD, you would bring down all DCs and restore a single DC, then add new DCs. But, I am thinking this would be better to do a completely new AD environment. Too many ghosts.
Nuke and pave is always a good answer... but jeez... Why do you need so many DCs to start with?
Our AD infrastructure here has nearly 40k people in it and we only have 6.
We ask that question every day
Wait - who's making the decision? Is someone not in your department acting as IT?
-
@Dashrender said in Group Policy isn't working after Ransomware Attack:
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
@wrx7m said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
This sounds like the AD Servers were restored from a backup and got out of sync... Could that be the case?
Yeah, it does. I am pretty sure that if you have an issue that you need to restore AD, you would bring down all DCs and restore a single DC, then add new DCs. But, I am thinking this would be better to do a completely new AD environment. Too many ghosts.
Nuke and pave is always a good answer... but jeez... Why do you need so many DCs to start with?
Our AD infrastructure here has nearly 40k people in it and we only have 6.
We ask that question every day
Wait - who's making the decision? Is someone not in your department acting as IT?
Yes and no. Someone in IT long ago made this decision to put DCs in every office, which is not required. That became policy. So it's being enforced by people who aren't IT, but it was decided by former IT.
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@Dashrender said in Group Policy isn't working after Ransomware Attack:
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
@wrx7m said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
This sounds like the AD Servers were restored from a backup and got out of sync... Could that be the case?
Yeah, it does. I am pretty sure that if you have an issue that you need to restore AD, you would bring down all DCs and restore a single DC, then add new DCs. But, I am thinking this would be better to do a completely new AD environment. Too many ghosts.
Nuke and pave is always a good answer... but jeez... Why do you need so many DCs to start with?
Our AD infrastructure here has nearly 40k people in it and we only have 6.
We ask that question every day
Wait - who's making the decision? Is someone not in your department acting as IT?
Yes and no. Someone in IT long ago made this decision to put DCs in every office, which is not required. That became policy. So it's being enforced by people who aren't IT, but it was decided by former IT.
Enforced by non-IT? Huh? What gives them the right to enforce anything?
And just because you have a server there, doesn't mean it has to be a DC.
-
@Dashrender said in Group Policy isn't working after Ransomware Attack:
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@Dashrender said in Group Policy isn't working after Ransomware Attack:
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
@wrx7m said in Group Policy isn't working after Ransomware Attack:
@dafyre said in Group Policy isn't working after Ransomware Attack:
This sounds like the AD Servers were restored from a backup and got out of sync... Could that be the case?
Yeah, it does. I am pretty sure that if you have an issue that you need to restore AD, you would bring down all DCs and restore a single DC, then add new DCs. But, I am thinking this would be better to do a completely new AD environment. Too many ghosts.
Nuke and pave is always a good answer... but jeez... Why do you need so many DCs to start with?
Our AD infrastructure here has nearly 40k people in it and we only have 6.
We ask that question every day
Wait - who's making the decision? Is someone not in your department acting as IT?
Yes and no. Someone in IT long ago made this decision to put DCs in every office, which is not required. That became policy. So it's being enforced by people who aren't IT, but it was decided by former IT.
Enforced by non-IT? Huh? What gives them the right to enforce anything?
And just because you have a server there, doesn't mean it has to be a DC.
Not going to argue if they are doing it right, because they obviously aren't. I am not going to change policy. This is a technical problem I'm working on. Someone else can run the company into the ground.
-
So where are you at with the problem?
-
@Dashrender GP is working, but I get errors. Some of which I believe are related to syntax changes from 2008 to 2016.
-
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@Dashrender GP is working, but I get errors. Some of which I believe are related to syntax changes from 2008 to 2016.
How about rebuilding one of the GPs, then disable the old one and enable the new one, and test?
-
@Dashrender said in Group Policy isn't working after Ransomware Attack:
@wirestyle22 said in Group Policy isn't working after Ransomware Attack:
@Dashrender GP is working, but I get errors. Some of which I believe are related to syntax changes from 2008 to 2016.
How about rebuilding one of the GPs, then disable the old one and enable the new one, and test?
Yeah, I'm working through it slowly. It's applying most. I just see some errors I am trying to diagnose.