One of the things a colleague of mine encountered in the past, and which I stumbled upon lately is the following. Sometimes people want to have the Local Administrator account disabled on their servers. There has been a GPO to do this for ages. It’s located below Computer Settings > Windows Settings > Security Settings > Local Policies > Security Options. The setting is “Accounts: Administrator Account Status”: Disabled.

The screenshot shown below is from the security policy on a server which has the policy (Administrator Status: disabled) applied. You can see that A group policy is setting the setting to enabled. Which is in fact the opposite of what I have configured through the GPO.

One could think I have another GPO being applied later. But using gpresult /H:report.html I can clearly see “my” GPO is winning and that the setting in fact should be set to disabled…

Also a regular Resultant Set Of Policy shows the setting as disabled…

But the account is Active and remains in this state…

So, Group Policy Preferences to the rescue! It’s not a real answer as to why things are going wrong, but it’s definitely a doable workaround. This policy works flawless.

You can’t always get to the bottom of things…

I’m not going to be explain something new today, but I’m just writing this article to explain how I established I was having this issue. Above that I want to make sure people find the explanation easier. This article references a PPT which has some great info on the issue.

It all started with a perfectly fine FIM deployment in a lab environment. One of the things we do from time to time is migrate the configuration to the Acceptance environment. To do this we use the FIM Configuration Migration scripts. After one of the migrations our User Edit RCDC in the Acceptance environment was broken. The RCDC defaulted to the Admin view and stated: There is an error in the synchronizationRule display configuration. Please contact your system administrator.

As I recently reviewed a RCDC troubleshooting article I knew what I had to do:

• Troubleshooting RCDC Configuration Issues Using FIM Portal Tracing

Make sure to change the level from “Error” to “Verbose”. This will give you the following entry in the event log:

In words:

The Resource Management Portal detected an error using the Resource Control Display Configuration (RCDC).  This prevented the portal from displaying the object as expected and the portal switched over to Admin View.

The failure is due to a incorrect configuration file.  The file does not validate against the configuration file schema.

Verify that the configuration file is valid XML and matches the configuration file schema. Either upload a new file or modify the existing file in the Resource Management Portal directory.  Afterward, reset IIS.

So now we get directed to an invalid RCDC XML. No worries: Craig Martin to the rescue: RCDC Troubleshooting He explains how you can use Visual Studio to validate the RCDC XML against the MS schema for RCDCs. The RCDC seemed fine. So eventually we logged a PSS case and got pointed to the following MS PPT:

• FIM Portal Troubleshooting - Default RCDCs Not Recognized After Replacement through FIM Service Configuration Migration.

The PPT is a must read. It clearly states how you end up in this situation and what to do to avoid it. For a fix, without having to wipe your database you’ll have to log a PSS case. The PSS people can give you a SQL procedure which can fix the guid of a given RCDC.

Related forums posts:

• Error in the synchronizationRule display configuration

P.S. Taking a backup from your FIM Service database is a not a luxury when migration configurations. Make sure you have that safety net available!