Default Domain Controller GPO went nuts with version number changes

Tom Andersen 96 Reputation points
2021-04-29T11:22:01.227+00:00

Yesterday, for about 45 minutes, I kept getting notifications that my Default Domain Controller GPO was changing. Investigating, the only thing that was changing was the version number. No other changes were made to it. The version number ended up going up by about 20 when all was said and done. Any idea what could have caused this?


3 answers

  1. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2021-04-30T09:53:54.597+00:00

    Hello @Tom Andersen ,

    Thank you for posting on our Q&A forum.

    Based on my knowledge, we can understand version number as below.

    1. When we create a new GPO, the version number is 0. After we edit this new GPO and configure one GPO setting, the version number will increase to 1.

    For example 1:
    The version number of the “Default Domain Controller Policy” object is currently 46. After I edit two GPO settings within the “Default Domain Controller Policy” object at the same time, the version number will be increased to 48 (because I edited two settings).

    Tip: Here are the two GPO settings I edited in this GPO:
    1. I added the domain user A\daisy to “Allow log on locally”.
    2. I added the user account A\Daisy1 to “Allow log on through Remote Desktop Services”.


    2. If I edit the “Default Domain Controller Policy” object above again and undo a previous setting, the version number will still be increased by 1.

    For example 2:
    If I edit this GPO by removing the user account A\Daisy1 from “Allow log on through Remote Desktop Services”, the version number of the “Default Domain Controller Policy” will be 49.


    Here is the possible cause of your question.
    Q: Yesterday, for about 45 minutes, I kept getting notifications that my Default Domain Controller GPO was changing. Investigating, the only thing that was changing was the version number. No other changes were made to it. The version number ended up going up by about 20 when all was said and done. Any idea what could have caused this?
    A: During those 45 minutes yesterday, someone (maybe another domain admin) was editing the Default Domain Controller Policy GPO, so some GPO settings within the Default Domain Controller Policy GPO may have been configured/changed.
    However, as in example 2 above, if he/she undid all the GPO settings he/she configured during those 45 minutes within the Default Domain Controller Policy GPO, maybe there are no GPO setting changes within the Default Domain Controller Policy GPO.

    Here are my suggestions:

    1. Try to find who edited this GPO; maybe he/she is your colleague.

    2. We can export all the GPO settings on the DC and try to check if there is any change.

    Log on to one DC as the domain Administrator.
    Open CMD (run as Administrator).
    Type gpresult /h C:\report.html and press Enter.
    Check all the settings under “Computer Details” and within “Default Domain Controller Policy”.

    For example:

    92934-t6.png

    3. By the way, would you please tell me where you got the notifications about the GPO changing,
    and whether you can find some information about GPO changes from the notifications?

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Tom Andersen 96 Reputation points
    2021-04-30T11:06:43.533+00:00

    No, this is not the answer. NO ONE was touching the GPOs. I also use auditing tools which confirmed there were NO CHANGES to the GPO. I get the information about changes from the Quest Auditing tool. It also showed that there were NO changes other than the version number. Something else must be going on. More help please?


  3. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2021-05-06T08:34:47.767+00:00

    Hello @Tom Andersen ,

    Thank you for your update.

    If no changes are made in the GPO, we can check whether AD is healthy.

    1. Check whether all DCs in this domain are working fine by running Dcdiag /v on each DC.
    2. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on the PDC.
    3. Check if both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC.
    4. Check that we can run gpupdate /force on each DC successfully.

    I am sorry, we are not very familiar with the Quest Auditing tool.

    Based on our knowledge and tests in our lab, if someone edits the GPO, the corresponding version number of this GPO will increase.

    If everything goes well, I suggest you ignore it.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
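
A read-only way to gather the evidence this thread is asking about, as an added example that is not part of the original posts: for each DC it compares the GPO's AD and SYSVOL version numbers and reads the replication metadata of the `versionNumber` attribute, which shows when and on which DC the last write originated. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and uses the well-known GUID of the Default Domain Controllers Policy.

```powershell
# Added example: read-only comparison of GPO version data across all DCs.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules are available.
Import-Module GroupPolicy, ActiveDirectory

# Well-known GUID of the Default Domain Controllers Policy.
$gpoGuid = '6AC1786C-016F-11D2-945F-00C04fB984F9'
$domain  = Get-ADDomain
$gpoDn   = "CN={$gpoGuid},CN=Policies,CN=System,$($domain.DistinguishedName)"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Same columns for every row so failed DCs still show up in the table.
    $row = [ordered]@{
        DC = $dc.HostName; ComputerAD = $null; ComputerSysvol = $null
        UserAD = $null; UserSysvol = $null; Modified = $null
        LastWriteTime = $null; LastWriteDC = $null; WriteCount = $null; Error = $null
    }
    try {
        # Version numbers as this DC sees them (directory object vs. SYSVOL copy).
        $gpo = Get-GPO -Guid $gpoGuid -Domain $domain.DNSRoot -Server $dc.HostName -ErrorAction Stop
        $row.ComputerAD     = $gpo.Computer.DSVersion
        $row.ComputerSysvol = $gpo.Computer.SysvolVersion
        $row.UserAD         = $gpo.User.DSVersion
        $row.UserSysvol     = $gpo.User.SysvolVersion
        $row.Modified       = $gpo.ModificationTime

        # Replication metadata for versionNumber: when and where the last
        # originating write happened, and how many times it has been written.
        $meta = Get-ADReplicationAttributeMetadata -Object $gpoDn -Server $dc.HostName `
                    -Properties versionNumber -ErrorAction Stop
        $row.LastWriteTime = $meta.LastOriginatingChangeTime
        $row.LastWriteDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
        $row.WriteCount    = $meta.Version
    } catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize

# Flag DCs where AD and SYSVOL disagree, or where DCs disagree with each other.
$mismatch = $report | Where-Object {
    $_.Error -or $_.ComputerAD -ne $_.ComputerSysvol -or $_.UserAD -ne $_.UserSysvol
}
$versions = @($report | Where-Object { -not $_.Error } |
              Select-Object -ExpandProperty ComputerAD -Unique)
if ($mismatch -or $versions.Count -gt 1) {
    Write-Warning 'GPO version numbers are inconsistent; check AD/SYSVOL replication.'
}
```

Run it again after a burst of notifications: a rising WriteCount with a single LastWriteDC points to where the writes originate, which narrows the search in that DC's logs.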