
GPO from forest root domain doesn't seem to be detected at child domains

Open amferreira opened this issue 3 months ago • 0 comments

  • PingCastle 3.2.0.1
  • Running parameters: "--healthcheck --server domain.local,child.domain.local"
  • Environment: AD forest "domain.local" + child domain "child.domain.local", running PingCastle from a server on "domain.local". Running user is a Group Managed Service Account from domain.local, has read permissions on all GPOs referenced here.

Example:

  1. GPO created on domain.local to fix A-HardenedPaths
  2. Linked GPO to OU "Domain Controllers" on domain.local and also on child.domain.local
  3. Report from domain.local shows A-HardenedPaths as fixed
  4. Report from child.domain.local still doesn't show this as fixed: "No GPO Found". (gpresult shows policies applied on all DCs on all domains)

Noticed the same behavior for "Audit settings" rules.

Creating the exact same GPO on child.domain.local and linking it to the child's Domain Controllers OU fixed the issue, but it forces us to duplicate GPOs.

I'll be happy to provide additional details, if needed.

amferreira, Mar 11 '24 10:03
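As an added example (not code from PingCastle or from the reporter), the following PowerShell check reproduces the situation described in the issue from the directory side: it reads the gPLink attribute of each domain's "Domain Controllers" OU, resolves every linked GPO in the domain that owns it, and flags links whose GPO object lives in a different domain. Run against the root and child domain, it shows whether the cross-domain link is really present and enabled, which separates "the link is missing" from "the scanner did not follow a GPO hosted in another domain". It assumes the ActiveDirectory RSAT module and read access to the GPO containers; the domain names are the issue's placeholders.

```powershell
Import-Module ActiveDirectory

function Get-DcOuGpoLinks {
    param([Parameter(Mandatory)][string[]]$Domain)

    foreach ($d in $Domain) {
        $domainDn = (Get-ADDomain -Server $d).DistinguishedName
        $ou = Get-ADOrganizationalUnit -Identity "OU=Domain Controllers,$domainDn" `
                                       -Server $d -Properties gPLink

        # gPLink is a list of "[LDAP://<GPO DN>;<flags>]" entries.
        # flags bit 1 = link disabled, bit 2 = enforced.
        $links = [regex]::Matches([string]$ou.gPLink, '\[LDAP://([^;]+);(\d+)\]')
        foreach ($m in $links) {
            $gpoDn = $m.Groups[1].Value
            $flags = [int]$m.Groups[2].Value

            # The DC=... tail of the GPO DN identifies the domain that owns the GPO object;
            # a GPO created in the forest root and linked in the child keeps the root's tail.
            $gpoDomainDn = ($gpoDn -split ',(?=DC=)', 2)[1]
            $gpoDomain   = ($gpoDomainDn -replace 'DC=', '') -replace ',', '.'

            # Resolve the display name from the GPO's own domain, not the linking domain.
            $gpo = Get-ADObject -Identity $gpoDn -Server $gpoDomain `
                                -Properties displayName -ErrorAction SilentlyContinue
            $name = if ($gpo) { $gpo.displayName } else { '<unresolved>' }

            [pscustomobject]@{
                LinkedIn     = $d
                GpoDomain    = $gpoDomain
                CrossDomain  = ($gpoDomainDn -ne $domainDn)
                DisplayName  = $name
                LinkDisabled = [bool]($flags -band 1)
                Enforced     = [bool]($flags -band 2)
            }
        }
    }
}

# Layout from the issue: forest root plus one child domain (placeholder names).
Get-DcOuGpoLinks -Domain 'domain.local', 'child.domain.local' | Format-Table -AutoSize
```

A row with CrossDomain = True, LinkDisabled = False and a resolved DisplayName on child.domain.local confirms the root-domain GPO is linked and applying there, matching the gpresult observation; an unresolved name points at a permission or trust problem rather than at the link itself.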