Re: Authentication issue preventing Group Policy from applying to





"Herb Martin" wrote:

> "CGrillo" <CGrillo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:3B402628-B716-42D5-AE38-C680830AF6F1@xxxxxxxxxxxxxxxx
> >I have inherited an existing Win2k domain and I am having big problems
> > getting group policy to apply to my users and I believe it stems from an
> > authentication issue.
>
> Well, that will do it.
>
> > Group Policy is not applying to any of my domain user
> > accounts. However, if I make that user a member of the Domain Admin group,
> > the policy will then apply to them. Not only that, but I can then remove
> > the user from the Domain Admin group, and the policy will still apply.
>
> Then it is NOT authentication but more likely something like
> permissions or having the GPO linked in the 'wrong' place.
>
> Assuming you can authenticate one user from a machine, then
> another user of that same domain WILL be authenticated IF
> they are logged on (at all.)
>
> > I've been using GPMC to work with policy settings and using the group
> > policy results wizard to try and help me make sense of the problem and it
> > shows another example of the problem I'm having. If I log in with a basic
> > user with normal user rights, and then I run the GP results wizard using my
> > admin accnt and point the wizard to my PC and then try and select that
> > basic user to see the results of its policy settings, it doesn't show up on
> > the list of users to run the wizard on. But again, if I make that user a
> > member of Domain admins first, log them in, and then remove the domain
> > admin right,
>
> Right? How did that get in there?
>
> 'Rights' are NOT "group membership" nor even "permissions".
>
> > that user then shows up in the list with the group policy applied
> > properly. Also this is a domain wide issue affecting all my normal users.
>
> What are the permissions on the GPOs?
>
> They should be READ and APPLY POLICY for "everyone" or
> whoever is to be affected.
>
> You need both permissions, not just APPLY POLICY as one
> might naively guess.
>
> > When I run the GP results wizard on these users' computer and user accnts,
> > in the Policy Events tab, all of them are getting EventID:1053 Windows
> > cannot determine the user or computer name (the specified user does not
> > exist). Group policy processing aborted. These users are able to see the
> > \\mydomain\SYSVOL\mydomain files so that isn't it, any help on this issue
> > would be much appreciated.
>
> Now, that is weird, since they GET LOGGED ON, but you are claiming
> it says they don't EXIST?
>
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
>
>Then it is NOT authentication but more likely something like
>permissions or having the GPO linked in the 'wrong' place.


Can you be more specific?

>Right? How did that get in there?
>'Rights' are NOT "group membership" nor even "permissions".

Could you not infer that I meant remove them from the Domain Admin Group?

>What are the permissions on the GPOs?

>They should be READ and APPLY POLICY for "everyone" or
>whoever is to be affected.

>You need both permissions, not just APPLY POLICY as one
>might naively guess.

The permissions were "Authenticated Users": Read and Apply Policy
(unlike one who guesses naively)
and the policy is set to apply to Authenticated Users.
However just to check I also added 'Everyone': Read and Apply Policy but
that didn't do any good either.

>Now, that is weird, since they GET LOGGED ON, but you are claiming
>it says they don't EXIST?

Yes Herb, I agree, that is weird, which brings me to here...still seeking
answers.
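
The Read and Apply Policy check discussed in this thread can be audited across every GPO at once. This is an added example, not part of the original posts; it assumes the GroupPolicy PowerShell module (installed with GPMC/RSAT on Windows versions later than the Win2k domain in the thread), and the `Get-GpoApplyAudit` function name is hypothetical.

```powershell
# Added example: list, per GPO, which trustees hold "Read and Apply" and
# flag GPOs that nobody can apply or that carry custom (possibly Deny) ACEs.
Import-Module GroupPolicy

function Get-GpoApplyAudit {
    foreach ($gpo in Get-GPO -All) {
        # -All returns one entry per trustee on the GPO's security filter.
        $perms = @(Get-GPPermission -Guid $gpo.Id -All)

        # GpoApply is the GPMC level that grants BOTH Read and Apply Group Policy.
        $apply    = @($perms | Where-Object { $_.Permission -eq 'GpoApply' })
        # GpoRead alone lets a trustee see the GPO but it will not be applied.
        $readOnly = @($perms | Where-Object { $_.Permission -eq 'GpoRead' })
        # GpoCustom means hand-edited ACEs (including Deny); review these manually.
        $custom   = @($perms | Where-Object { $_.Permission -eq 'GpoCustom' })

        $finding = 'OK'
        if ($apply.Count -eq 0) {
            $finding = 'No trustee has Read and Apply: GPO applies to nobody'
        } elseif ($custom.Count -gt 0) {
            $finding = 'Custom ACEs present: check for Deny on Read or Apply'
        }

        [pscustomobject]@{
            Gpo        = $gpo.DisplayName
            ApplyTo    = ($apply.Trustee.Name    -join '; ')
            ReadOnly   = ($readOnly.Trustee.Name -join '; ')
            CustomAces = ($custom.Trustee.Name   -join '; ')
            Finding    = $finding
        }
    }
}

# Show only the GPOs that need attention.
Get-GpoApplyAudit | Where-Object { $_.Finding -ne 'OK' } | Format-List
```

A GPO that reports `OK` here still has to be linked to a container that holds the affected users or computers, which is the other cause suggested above.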