Up for a challenge?

From: Kurt (kurtl_at_olypen.com)
Date: 10/01/04


Date: Thu, 30 Sep 2004 19:58:39 -0700

OK, Here's a REAL case study for my fellow MCSE's and soon-to-be's. It's
long, so skip if you're not interested. I don't think you'll find this one
on any tests, but it's real and sure had me scratching my head for a good
hour. The names have been changed to protect the innocent.

I set up a single W2K3 DC in a one-domain new forest for a small medical
office. Pre-joined 4 XP clients and connected in a training room so their
software vendor could do training prior to the rollout. Created user
accounts, placed in an OU - "Staff". 2 GPOs linked to the OU, one runs a
logon script (nothing fancy, just maps drives and printers). The other
re-directs My Documents to the server for central backup. Server is
multi-homed, one connected to the LAN and the other to a wireless AP for 2
mobile tablet PCs. Their primary software vendor specified Terminal Services
for the wireless on a separate subnet, no routing, so all protocols except
TCP/IP are disabled on that interface. Everything fires up, workstations
join without problem, group policy is applied correctly, training goes off
without a hitch, mobile tablets connect with an RDP session - all is well,
life is good.

Then comes deployment in the office. I am asked to set it up so that users
can have the same application settings at any workstation (but not roaming
profiles). After a little research, I decided to use a GPO to redirect
"Application Settings" to the same directory as "My Documents" (Since it's
already being backed up). When I attempt to access the GPO cache for the OU,
I get the message:

Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=thisdomain,DC=local.
The file must be present at the location
<\\thisdomain.local\sysvol\thisdomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied. ).
Group Policy processing aborted.

The event ID is 1058.

Just to get you started, there are no SMB signing conflicts and the
"everyone" group has read and execute permissions to the root.

Give it your best shot, I'll post hints as required and tell you when you're
getting warmer!


