molecule-alternate-01-1024x768-1024x585

Tech Blog #2: Meraki Group Policy not working

For a few weeks, I’m struggling with the problem of a group of end-users who aren’t allowed to access the internet. In the situation, there is a Meraki MX 100 as Firewall behind this device an L3 Core Switch and then some L2 Switches and clients.

Meraki Group Policy and AD Security Group

We had a Group Policy within the Meraki: This Group Policy had a certain name however, it wasn’t clear that this group should have also the same name within the Active Directory

How to create a Group Policy:
https://documentation.meraki.com/MX/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Policies

Meraki Group Policy

We renamed the AD Group to the same name as the Policy in the Meraki. We thought this was good. but still, no systems which got blocked. Or in the event log of the Meraki. After having several calls with Meraki support and every time we got some different answers.

After following the following post of meraki several times.

Meraki Article:
https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Directory_with_MX_Security_Appliances

We and contact with the support we had to look to the AD / Group Policy settings. I noticed that one thing wasn’t possible to change on the Domain Controllers. You don’t expect this on a fairly new installed Windows Server 2016, This made me check the settings more carefully. I noticed that the settings within the Default Domain Controller Policy were configured for a Windows server 2003 or older domain.

The Current domain and forest level is 2012R2. This was done after all old domain controllers were gone from the network. In this case, you need to change the audit settings on a different location, within the default domain controller policy.

To Change this you need to edit the Default Domain Controller Policy.

Default domain controller policy advanced audit settings
What do you need to change for these settings are the following:
  • Open Group Policy Management Console(GPMC).
  • Edit “Default Domain Controllers Policy”.
  • Configure required,
  • Advanced Audit Polices required for Active Directory auditing (recommended for 2k8 and above Domain Controllers)
  1. Audit Logon Events: Select Account Logon
    1. Audit ‘Kerberos Authentication Service’ (Success & Failure).
  2. Audit User, Group, Computer: Select Account Management
    1. Audit ‘Computer Account Management’ (Success),
    2. Audit ‘Distribution Group Management’ (Success),
    3. Audit ‘Security Group Management’ (Success),
    4. Audit ‘User Account Management’ (Success & Failure).
  3. Audit Tracking Processes: Select Detailed Tracking
    1. Audit Process Creation (Success),
    2. Audit Process Termination (Success).
  4. Audit GPO, OU, Configuration, Schema, Contacts, Containers, Sites, DNS: Select DS Access
    1. Audit Directory Services Changes (Success),
    2. Audit Directory Service Access (Success).
  5. Audit Logon / Logoff: Select Logon / Logoff
    1. Audit Logon (Success & Failure),
    2. Audit Logoff (Success),
    3. Audit Network Policy Server (Success & Failure),
    4. Audit Other Logon / Logoff Events (Success).
  6. Audit Scheduled Tasks: Select Object Access
    1. Audit Other Object Access Events (Success).
  7. Audit Local Policy Changes: Select Policy Change
    1. Audit Authentication Policy Change (Success),
    2. Audit Authorization Policy Change (Success).
  8. Audit System Events: Select System
    1. Audit Security State Change (Success).

After you configured this you need to use the command gpupdate / force to force the change of the policy to the domain controllers within the network.

When you changed it, you will see within a notable time changes on the client page as well in the event log with warnings that sites are blocked for certain users.

Event log blocked content clients