Mark Minasi's Tech Forum
jsclmedave (Administrator, 417 posts) #1
Application is SolarWinds Web Page Monitoring (WPM). This is NOW a Stand Alone Application and in this case is NOT being added or installed on top of their Network Performance Monitor (NPM). I cannot stress that enough...


Service Account Configuration:

Domain Service Accounts BigDog\SVC01 through BigDog\SVC09

These are nested in a Local Domain Security Group (LDSG)  SVCGROUP

That LDSG has been placed into the Local Security Policy of the Player Servers running the WPM application "Allow Log On Locally"

There is a User Defined GP Setting to have Users use a DAT file for Internet Explorer when accessing Both Internal and External Sites.

   "Use Automatic Configuration Script"
      Address: http://Big.Dog.Net/wpad.dat


When we log into the Player Servers with our normal User Account the IE settings are being applied correctly and the sites we are targeting can be accessed within milliseconds...

However, when the Service Accounts are used on the Player we are seeing delays of 45 to 60 seconds and in some cases the site will timeout which will result in Alerts even though the site is actually up and accessible...

So my curiosity was piqued yesterday when trying to pull GPRESULT for the Service Accounts being used - Yes, they have Profiles on the Player Server in the C:\Users folder - and they all failed...

So do Service Accounts have User Defined GP Settings Applied?

Do they have to be added to more Local Security Policies such as Run As Batch or anything like that..?

I also noticed that depending on who created the Server Image, there was a difference in which OU it was placed in.

It "Appears" that two of the Player Servers that "Seem" to be working with minimal issues are in the same OU.  I am getting the others moved to that OU NOW!!!



Thanks In Advance!!
__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
wkasdo (Administrator, 179 posts) #2
> So do Service Accounts have User Defined GP Settings Applied?

For user accounts to have GPO applied they need an interactive logon. A service or network logon does not count.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
Mark Minasi (Humble Proprietor, 167 posts) #3
I didn't know that.  Thanks, Willem!  So you can't use GPs on a service account?  What about the ones introduced in 2008R2?
wkasdo (Administrator, 179 posts) #4
Hi Mark,

Managed service accounts of any kind do not process GPO either.

Mark Minasi (Humble Proprietor, 167 posts) #5
Thanks!  Dunno where I got the idea that they did.  Much appreciated.
jsclmedave (Administrator, 417 posts) #6
Great!  That's what I was thinking...  SO...  Policies that are Computer Side WILL take effect regardless, correct..?  OR do I have to set the Application Service that is running to Allow Service To Interact With Desktop..?

Here is why I am asking.


I found that -
  • "Some" of the New Server builds (2012 R2) are being placed into what is considered the "Correct OU".  Those Player Servers are having issues.
  • "Some" of the New Server builds (2012 R2) are being left in the Default Computer Container and are NOT moved.  Those Player Servers are NOT having any issues.


After some digging I found that the Servers in the "Correct OU" are having some Domain GP's applied to the Computer Side.  Nothing that stands out really, just your basic disable cookies third party Active X etc...

Those Domain GP's applied to the Computer Side are NOT being applied to the Servers in the Default Computer Container...


So... even though the Service Account is not an interactive logon, thus no Domain Level Policies (or local) will apply, the Computer Side GP's will still be enforced.  Correct..?
wkasdo (Administrator, 179 posts) #7
> even though the Service Account is not an interactive logon, thus no Domain Level Policies (or local) will apply, the Computer Side GP's will still be enforced.

Sure. Processing of computer GPOs is unrelated to user or service logon.

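A practical way to verify, on one Player server, the distinction Willem describes (computer-side policy applies to the machine; user-side policy is only produced by an interactive logon) is to compare the two gpresult scopes and then look at the logon types the service account actually generates. The script below is an added example, not code from the thread; it assumes the account BigDog\SVC01 from the first post, an elevated PowerShell session on the Player server, and a Security log that still holds the recent 4624 logon events.

```powershell
# Added example (not from the thread): show why a service account on a WPM
# Player server receives computer-side but never user-side Group Policy.
# Assumptions: account BigDog\SVC01 (from the thread), elevated session,
# Security log retention long enough to contain the service logons.
param(
    [string]$ServiceAccount = 'SVC01',
    [string]$Domain         = 'BigDog'
)

# 1. Computer-scope RSoP: applies to the host regardless of who logs on and
#    is produced whether or not the service account has a profile.
"--- Computer-scope RSoP ---"
gpresult /scope computer /r 2>&1 |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10

# 2. User-scope RSoP is only generated by interactive logons.  Asking for a
#    user that has never logged on interactively returns an error instead of
#    data, which matches the failed GPRESULT runs described in the thread.
"--- User-scope RSoP for $Domain\$ServiceAccount ---"
gpresult /scope user /user "$Domain\$ServiceAccount" /r 2>&1 |
    Select-Object -First 5

# 3. Logon types the account really uses on this host.
#    Security event 4624: Properties[5] = TargetUserName, Properties[8] = LogonType.
#    2 = Interactive, 3 = Network, 4 = Batch, 5 = Service, 10 = RemoteInteractive.
$logonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 10 = 'RemoteInteractive' }
"--- Logon types recorded for $ServiceAccount ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 -ErrorAction Stop |
    Where-Object { $_.Properties[5].Value -eq $ServiceAccount } |
    Group-Object { $_.Properties[8].Value } |
    ForEach-Object {
        [pscustomobject]@{
            LogonType = $_.Name
            Meaning   = $logonTypeNames[[int]$_.Name]
            Count     = $_.Count
        }
    } | Format-Table -AutoSize
```

If step 3 shows only type 5 (Service) logons for the account, there is no interactive session for the user-side policy engine to run in, so per-user settings such as the IE automatic-configuration script are never written for it; that is the expected result, not a policy fault to chase.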
jsclmedave (Administrator, 417 posts) #8
Thanks Willem!  Will peel this onion today if possible...
jsclmedave (Administrator, 417 posts) #9
Apologies in advance for having to ask this...

I'm so flustered that I need a second set of eyes...

It has been suggested by the powers that be that "as far as the settings are designed and documented there is no difference between a server and workstation."  Which is resulting in Several Computer Side GP's being applied for every server...

Since the Service Accounts are Non Interactive they are not getting the User GP's with the proxy settings etc... to allow them to access the hundreds of web sites the Web Page Scanning Application is trying to scan.

It was suggested that -
  1. Add the Service Accounts (7) to the Local Admin of each Scanning Server (100's)
  2. Manually RDP into each Scanning Server (100's) with Each Service Account (7) creating an Interactive Logon Profile
  3. Remove the Service Accounts from the Local Admin of each Scanning Server
  4. Then the Service Account, even though it's Non Interactive, will use those User Side GPs from the above Logon Profile...


I am trying to explain how Non Interactive works and why you use it in the first place but am not getting through...  The above method is obviously NOT something I even want to pursue and am hoping Willem or Mark can provide me with the info to just say no...

wkasdo (Administrator, 179 posts) #10
Madness. Cowboy behavior of the worst kind. Get out of there while you still can!
cj_berlin (Senior Member, 177 posts) #11
Tim,

viewing this at a slightly different angle: Is the ultimate goal of this whole exercise to monitor the uptime of those pages or their availability to your users?

Because if it's the former, putting a proxy in front of the scanning server sort of negates the whole concept, doesn't it? So instead of arguing about GPO application, you should maybe try to have those machines put into the DMZ where they can reach the websites more directly.

And if it's indeed the latter, SolarWinds themselves suggest that you configure the proxy settings per machine rather than per user... https://support.solarwinds.com/Success_Center/Web_Performance_Monitor_(WPM)/Configure_a_web_proxy_for_the_player

FWIW,

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
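Evgenij's suggestion of per-machine rather than per-user proxy settings maps onto the "Make proxy settings per-machine" policy, which moves the WinINet proxy configuration from HKCU to HKLM so every logon type on the host, including the Player's non-interactive service logons, picks it up. The script below is an added example, not SolarWinds' or the thread's code; it assumes the PAC URL from the first post (http://Big.Dog.Net/wpad.dat), an elevated session on the Player server, and that no domain GPO later rewrites these two registry values (Tim notes he has no control over GPO, so the result should be re-checked after the next policy refresh).

```powershell
# Added example (not from the thread or SolarWinds): make the IE/WinINet proxy
# configuration per-machine and point it at the PAC file, then check that the
# PAC file itself is reachable quickly from this host.
# Assumptions: PAC URL from the thread, elevated rights, no GPO overriding HKLM.

$PacUrl = 'http://Big.Dog.Net/wpad.dat'

# Policy value ProxySettingsPerUser: 0 = settings read from HKLM for all users,
# 1 or absent = settings read from each user's HKCU (the default).
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$settingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyScope {
    $v = (Get-ItemProperty -Path $policyKey -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser
    if ($v -eq 0) { 'per-machine' } else { 'per-user' }
}

"Before: proxy scope = $(Get-ProxyScope)"

# Switch to per-machine and set the machine-wide automatic configuration script.
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey   -Name ProxySettingsPerUser -Value 0       -Type DWord
Set-ItemProperty -Path $settingsKey -Name AutoConfigURL        -Value $PacUrl -Type String

$current = (Get-ItemProperty -Path $settingsKey -Name AutoConfigURL).AutoConfigURL
"After:  proxy scope = $(Get-ProxyScope), AutoConfigURL = $current"

# Reachability check: WinINet has to download and evaluate the PAC file before
# the first request goes out, so a slow or failing PAC fetch is one common cause
# of the long stalls and false "site down" alerts described in the thread.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    $resp = Invoke-WebRequest -Uri $PacUrl -UseBasicParsing -TimeoutSec 15
    "PAC fetch: HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes in $($sw.ElapsedMilliseconds) ms"
} catch {
    "PAC fetch FAILED after $($sw.ElapsedMilliseconds) ms: $($_.Exception.Message)"
}
```

Run it once as an administrator, then run only the reachability part again under the service account (for example via a scheduled task running as BigDog\SVC01) to confirm the PAC download is fast in that context too; the HKLM values are shared, so the service logon no longer depends on a user profile having been populated by an interactive session.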
jsclmedave (Administrator, 417 posts) #12
> Originally Posted by cj_berlin
>
> Tim,
>
> viewing this at a slightly different angle: Is the ultimate goal of this whole exercise to monitor the uptime of those pages or their availability to your users?
>
> Because if it's the former, putting a proxy in front of the scanning server sort of negates the whole concept, doesn't it? So instead of arguing about GPO application, you should maybe try to have those machines put into the DMZ where they can reach the websites more directly.
>
> And if it's indeed the latter, SolarWinds themselves suggest that you configure the proxy settings per machine rather than per user... https://support.solarwinds.com/Success_Center/Web_Performance_Monitor_(WPM)/Configure_a_web_proxy_for_the_player
>
> FWIW,


There is not a single Proxy, they use a DAT file with 5 URLs.  So yes, we tried setting it to Computer however we have 0 control over GP Settings being applied to either Server or User.

Web Servers are located in various places not just in DMZs.


I am hoping to have more info on Tuesday on which IE11 Setting is causing our issues with the connection time spiking to over 60 seconds.

donoli (Senior Member, 459 posts) #13
> I am hoping to have more info on Tuesday on which IE11 Setting is causing our issues with the connection time spiking to over 60 seconds.

If IE11 is causing a problem, wouldn't Edge be a logical substitute? Is there another reason why that wouldn't work?
jsclmedave (Administrator, 417 posts) #14
> Originally Posted by donoli
>
> If IE11 is causing a problem, wouldn't Edge be a logical substitute? Is there another reason why that wouldn't work?

Already getting complaints from internal sites that are not compatible with IE11.  Forcing compliance for EDGE is not an option...

Infradeploy (Senior Member, 165 posts) #15
That's what Enterprise Mode is for in IE.
__________________
Have SpaceSuit, Will Travel
