Re: GPOs not being applied

anonymous_at_discussions.microsoft.com
Date: 05/19/04


Date: Wed, 19 May 2004 01:57:58 -0700

I fixed it!!! :-0

Thanks for all your suggestions.

After several tests using netdiag, one result came up with
the trust relationship b/n domain and the server as
failed. The obvious solution was to remove the server
from the domain and rejoin it. Which about two weeks ago,
I DID!

However, the one step that I didn't do was after I removed
the server from the domain to actually delete the computer
account from AD and replicate. Then, re-add the computer
account and replicate. Only then did I re-join the domain.

I am still wondering what caused the trust relationship to
break. But, being that I didn't build the server from
scratch...I'll never know.

Thanks Derek!
>-----Original Message-----
>See if any of these steps help
>
>http://www.kbalertz.com/Feedback_832215.aspx
>
>--
>Derek Melber
>BrainCore.Net
>derekm@braincore.net
><anonymous@discussions.microsoft.com> wrote in message
>news:c61401c438de$543681d0$a401280a@phx.gbl...
>> Thanks! After more research, I also
>> added: "RunDiagnosticLoggingGroupPolicy"
>> under
>> "HKLM\Software\Microsoft\Windows
>> NT\CurrentVersion\Diagnostics"
>>
>>
>> After rebooting here is what the userenv.log logged (see
>> below):
>>
>> I can't find anything worthwhile on the net with the
>> following: USERENV(10c.3d0) 13:23:15:476 GetMachineToken:
>> AcceptSecurityContext failed with 0x8009030c
>> USERENV(10c.3d0) 13:23:15:476 GetGPOInfo: Failed to get
>> the machine token with -2146893044
>>
>> Complete list:
>> USERENV(2f0.a24) 13:23:15:304 LibMain: Process Name: C:\WINNT\system32\secedit.exe
>> USERENV(2f0.a24) 13:23:15:320 RefreshPolicy: Entering with 1
>> USERENV(2f0.a24) 13:23:15:320 RefreshPolicy: Leaving.
>> USERENV(10c.3d0) 13:23:15:320 ProcessGPOs:
>> USERENV(10c.3d0) 13:23:15:351 ProcessGPOs:
>> USERENV(10c.3d0) 13:23:15:351 ProcessGPOs: Starting computer Group Policy processing...
>> USERENV(10c.3d0) 13:23:15:367 ProcessGPOs:
>> USERENV(10c.3d0) 13:23:15:367 ProcessGPOs:
>> USERENV(10c.3d0) 13:23:15:382 ProcessGPOs: Verbose output to eventlog requested.
>> USERENV(10c.3d0) 13:23:15:382 EnterCriticalPolicySection: Machine critical section has been claimed. Handle = 0x538
>> USERENV(10c.3d0) 13:23:15:398 ProcessGPOs: Machine role is 2.
>> USERENV(10c.3d0) 13:23:15:398 PingComputer: PingBufferSize set as 2048
>> USERENV(10c.3d0) 13:23:15:414 PingComputer: First time: 0
>> USERENV(10c.3d0) 13:23:15:414 PingComputer: Fast link. Exiting.
>> USERENV(10c.3d0) 13:23:15:429 ProcessGPOs: User name is: CN=SERVERNAME,CN=TEST,DC=ROOT DC=COM, Domain name is: DOMAIN
>> USERENV(10c.3d0) 13:23:15:429 ProcessGPOs: Domain controller is: \\DC.root.com Domain DN is root.com
>> USERENV(10c.3d0) 13:23:15:445 ProcessGPOs: Calling GetGPOInfo for normal policy mode
>> USERENV(10c.3d0) 13:23:15:445 GetGPOInfo: ********************************
>> USERENV(10c.3d0) 13:23:15:460 GetGPOInfo: Entering...
>> USERENV(10c.3d0) 13:23:15:476 GetMachineToken: AcceptSecurityContext failed with 0x8009030c
>> USERENV(10c.3d0) 13:23:15:476 GetGPOInfo: Failed to get the machine token with -2146893044
>> USERENV(10c.3d0) 13:23:15:492 GetGPOInfo: Leaving with 0
>> USERENV(10c.3d0) 13:23:15:492 GetGPOInfo: ********************************
>> USERENV(10c.3d0) 13:23:15:507 ProcessGPOs: GetGPOInfo failed.
>> USERENV(10c.3d0) 13:23:15:507 LeaveCriticalPolicySection: Critical section 0x538 has been released.
>> USERENV(10c.3d0) 13:23:15:523 ProcessGPOs: Computer Group Policy has been applied.
>> USERENV(10c.3d0) 13:23:15:523 ProcessGPOs: Leaving with 0.
>> USERENV(10c.3d0) 13:23:15:539 GPOThread: Next refresh will happen in 98 minutes
>>
>>
>>
>> >-----Original Message-----
>> >start here:
>> >http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833
>> >
>> >--
>> >Derek Melber
>> >BrainCore.Net
>> >derekm@braincore.net
>> ><anonymous@discussions.microsoft.com> wrote in message
>> >news:bf5201c4382c$3891eb20$a601280a@phx.gbl...
>> >> I tried your suggestion. The user policy was applied to
>> >> Joe, but the computer policy was not applied to
>> >> the "problem" computer.
>> >>
>> >> I used ntdsutil to check for duplicate SIDs and found
>> >> none. I used nbtstat -n and checked WINS to look for
>> >> duplicate names and found none. And nslookup verifies the
>> >> srv records... hmm... :-(
>> >>
>> >> What logging are you talking about?
>> >>
>> >> Thanks!
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >how about the user side of things? Try this:
>> >> >
>> >> >1) create a new OU
>> >> >2) create a new user named Joe in the OU
>> >> >3) create a new GPO and link it to the new OU
>> >> >4) configure the GPO to remove the run command
>> >> >5) log in as Joe to the "problem" computer
>> >> >6) if the run command is removed, then move the "problem"
>> >> >computer to the new OU
>> >> >7) configure the GPO linked to the new OU to now "not show
>> >> >the last logged in user" (this is a computer configuration)
>> >> >8) restart the "problem" computer and log on as Joe
>> >> >9) logoff as Joe and now when you hit Ctrl-Alt-Del, there
>> >> >should not be any name in the username box.
>> >> >
>> >> >if this works, then there is something odd happening with
>> >> >the original OU.
>> >> >If this fails for Joe and the "problem" computer, then
>> >> >the computer is having trouble with the domain in some way,
>> >> >most likely a SID or name duplication. If it is a SID
>> >> >problem, my guess is that a tool like ghost or drive image
>> >> >was used on this computer, or another computer on the
>> >> >network. If Joe works and the "problem" computer still
>> >> >fails, I would still lean towards the SID, name
>> >> >duplication, or DNS area.
>> >> >
>> >> >If all of this fails, I would turn on verbose logging and
>> >> >see what I can find in the logs. If you need help tracking
>> >> >those down, I can help you with those settings.
>> >> >
>> >> >Let me know.
>> >> >
>> >> >--
>> >> >Derek Melber
>> >> >BrainCore.Net
>> >> >derekm@braincore.net
>> >> ><anonymous@discussions.microsoft.com> wrote in message
>> >> >news:b15e01c4374d$ceab9fa0$a401280a@phx.gbl...
>> >> >> Derek,
>> >> >>
>> >> >> Thanks a bunch for your help!!!
>> >> >>
>> >> >> I checked if it were a DNS problem. I ran netdiag in
>> >> >> verbose, I double-checked that all SRV records were
>> >> >> present and I ran nslookup on the SRV records from the
>> >> >> problem server, and all tests passed. I'm more than
>> >> >> confused now. If I am missing some tests, please let me
>> >> >> know.
>> >> >>
>> >> >> Let me recap....All DNS configurations are correct
>> >> >> (client side and server side), the problem server is
>> >> >> unique (no duplicate SIDs, IPAs or name). There are no
>> >> >> Deny ACLs and authenticated users have Read and Apply GP
>> >> >> permissions on the GPO. No LMHOSTS nor HOSTS file is
>> >> >> being used. The GPO is not being blocked. All other
>> >> >> servers in the 'Computer' container have no problem.
>> >> >>
>> >> >> When the problem server is a member of a workgroup, the
>> >> >> local GPO is applied. However, once I join the domain, I
>> >> >> get Userenv 1000 errors:
>> >> >> Source: Userenv
>> >> >> Category: None
>> >> >> Event ID: 1000
>> >> >> User: NT Authority\System
>> >> >> Description:
>> >> >> Windows cannot query for the list of Group Policy
>> >> >> objects. A message that describes the reason for
>> >> >> this was previously logged by this computer.
>> >> >>
>> >> >> Am I missing something here? :-(
>> >> >>
>> >> >> You would think that it is a DNS issue, but oddly enough
>> >> >> the problem server can resolve the SRV records.
>> >> >>
>> >> >> This one is turning out to be a real stumper. Any other
>> >> >> ideas/suggestions?
>> >> >>
>> >> >> Thanks again for the help!
>> >> >>
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >that sure sounds like a DNS issue to me.
>> >> >> >
>> >> >> >--
>> >> >> >Derek Melber
>> >> >> >BrainCore.Net
>> >> >> >derekm@braincore.net
>> >> >> ><anonymous@discussions.microsoft.com> wrote in message
>> >> >> >news:908501c43340$7a8952c0$a501280a@phx.gbl...
>> >> >> >> I have removed the server from the domain and rejoined
>> >> >> >> it without any errors.
>> >> >> >>
>> >> >> >> When the server was in a workgroup, the local policy
>> >> >> >> was applied. However, once I joined the domain Userenv
>> >> >> >> 1000 errors started appearing again.
>> >> >> >>
>> >> >> >> Thanks for the help!
>> >> >> >>
>> >> >> >> >-----Original Message-----
>> >> >> >> >see if there is a duplicate name, IP, or SID on the
>> >> >> >> >network
>> >> >> >> >
>> >> >> >> >--
>> >> >> >> >Derek Melber
>> >> >> >> >BrainCore.Net
>> >> >> >> >derekm@braincore.net
>> >> >> >> ><anonymous@discussions.microsoft.com> wrote in message
>> >> >> >> >news:786201c4310f$c0dac610$a301280a@phx.gbl...
>> >> >> >> >> This just keeps getting better...
>> >> >> >> >>
>> >> >> >> >> To answer Ken, there are no hosts and lmhosts
>> >> >> >> >> file; good thought though!
>> >> >> >> >>
>> >> >> >> >> To answer Derek, I have not seen any denies in
>> >> >> >> >> the ACLs.
>> >> >> >> >>
>> >> >> >> >> An interesting development. Friday night, the
>> >> >> >> >> description changed for the Userenv 1000 error to
>> >> >> >> >> read: "Windows cannot determine the user or
>> >> >> >> >> computer name. Return value (1326)."
>> >> >> >> >>
>> >> >> >> >> So, I removed the server from the domain, and
>> >> >> >> >> rejoined it. Once I rebooted after the rejoin,
>> >> >> >> >> EventID 1704 (SceCli) was logged telling me the
>> >> >> >> >> security policy in the Group Policy objects are
>> >> >> >> >> applied successfully. :-0
>> >> >> >> >>
>> >> >> >> >> But wait, 7 minutes later, I am back to square
>> >> >> >> >> one with Userenv 1000 again telling me ...Windows
>> >> >> >> >> cannot query...
>> >> >> >> >>
>> >> >> >> >> Arrrgh!
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >do you have any denies on the ACL?
>> >> >> >> >> >
>> >> >> >> >> >--
>> >> >> >> >> >Derek Melber
>> >> >> >> >> >BrainCore.Net
>> >> >> >> >> >derekm@braincore.net
>> >> >> >> >> ><anonymous@discussions.microsoft.com> wrote in message
>> >> >> >> >> >news:6a2901c42ebf$e3306f50$a501280a@phx.gbl...
>> >> >> >> >> >> That's what makes it all the more interesting...
>> >> >> >> >> >> This server points to the exact same DNS as the
>> >> >> >> >> >> others.
>> >> >> >> >> >>
>> >> >> >> >> >> For kicks, I even explicitly gave the computer
>> >> >> >> >> >> object read and apply group policy 'allow' rights
>> >> >> >> >> >> on the GPO and nothing.
>> >> >> >> >> >>
>> >> >> >> >> >> :-(
>> >> >> >> >> >>
>> >> >> >> >> >> >-----Original Message-----
>> >> >> >> >> >> >This almost sounds like a DNS issue... is this
>> >> >> >> >> >> >server set up the same as the others, with
>> >> >> >> >> >> >regards to DNS?
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> >>-----Original Message-----
>> >> >> >> >> >> >>I have a Win2K Ad Srvr (w/SP4) that does not
>> >> >> >> >> >> >>apply any GPO settings, local and/or domain
>> >> >> >> >> >> >>level. The computer object resides in the
>> >> >> >> >> >> >>built-in 'computers' container, so only the
>> >> >> >> >> >> >>local and Default-Domain Policies should apply.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >>When I run the
>> >> >> >> >> >> >>'secedit /refreshpolicy machine_policy /enforce'
>> >> >> >> >> >> >>command, I get an SRV 2000 error in the event
>> >> >> >> >> >> >>log:
>> >> >> >> >> >> >>
>> >> >> >> >> >> >>Source: Userenv
>> >> >> >> >> >> >>Category: None
>> >> >> >> >> >> >>Event ID: 1000
>> >> >> >> >> >> >>User: NT Authority\System
>> >> >> >> >> >> >>Description:
>> >> >> >> >> >> >>Windows cannot query for the list of Group
>> >> >> >> >> >> >>Policy objects. A message that describes the
>> >> >> >> >> >> >>reason for this was previously logged by this
>> >> >> >> >> >> >>computer.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >>
>> >> >> >> >> >> >>It seems that the server has an old version of
>> >> >> >> >> >> >>the policies (having run gpresult), but the new
>> >> >> >> >> >> >>versions never get applied. I have checked and
>> >> >> >> >> >> >>the 'disable computer/user configuration
>> >> >> >> >> >> >>settings' are cleared.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >>I have 20 other servers in the 'computers'
>> >> >> >> >> >> >>container and only this one gives me this
>> >> >> >> >> >> >>problem, so I suspect it is something local.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >>I am at my wits end. Please help :-0
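
The userenv.log lines quoted in the thread show one SSPI status twice, once as 0x8009030c and once as the signed decimal -2146893044. The following Python is an added example, not code from the thread or from any Microsoft tool: it parses lines in that log format, normalises both spellings to one HRESULT, labels it with its winerror.h name SEC_E_LOGON_DENIED, and reports the machine-account logon failure that precedes the "GetGPOInfo failed" line; SAMPLE_LOG is a constructed excerpt modelled on the post.

```python
import re

# Constructed excerpt modelled on the userenv.log lines quoted in the thread
# (same functions and codes as the post, trimmed to the lines that matter).
SAMPLE_LOG = """\
USERENV(10c.3d0) 13:23:15:460 GetGPOInfo: Entering...
USERENV(10c.3d0) 13:23:15:476 GetMachineToken: AcceptSecurityContext failed with 0x8009030c
USERENV(10c.3d0) 13:23:15:476 GetGPOInfo: Failed to get the machine token with -2146893044
USERENV(10c.3d0) 13:23:15:507 ProcessGPOs: GetGPOInfo failed.
USERENV(10c.3d0) 13:23:15:523 ProcessGPOs: Computer Group Policy has been applied.
"""
LINE_RE = re.compile(r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
                     r"(?P<time>\d+:\d+:\d+:\d+)\s+(?P<func>\w+):\s*(?P<msg>.*)$")
# Failure messages end in either a 0x hex HRESULT or its signed 32-bit decimal form.
CODE_RE = re.compile(r"\bwith\s+(-?\d+|0x[0-9a-fA-F]+)\s*$")
SEC_E_LOGON_DENIED = 0x8009030C  # SSPI status from winerror.h; the code in the post

def to_hresult(code):
    """'0x8009030c' and '-2146893044' are the same 32-bit HRESULT; normalise both."""
    return int(code, 0) & 0xFFFFFFFF

def parse_line(line):
    """Return (time, func, msg, hresult-or-None) for a userenv.log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t, func, msg = m.group("time", "func", "msg")
    c = CODE_RE.search(msg) if "failed" in msg.lower() else None
    return t, func, msg, (to_hresult(c.group(1)) if c else None)

def failures(text):
    """Every failed call that carried a status code, as (time, func, hresult)."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    return [(t, f, h) for t, f, _, h in recs if h is not None]

def diagnose(text):
    """Point at the cause behind 'GetGPOInfo failed' when the log shows it."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    denied = any(f == "GetMachineToken" and h == SEC_E_LOGON_DENIED
                 for _, f, _, h in recs)
    gpo_failed = any(f == "ProcessGPOs" and m.startswith("GetGPOInfo failed")
                     for _, f, m, _ in recs)
    if denied and gpo_failed:
        # The later "Computer Group Policy has been applied." line is still logged,
        # so that line alone is not evidence that the GPOs were actually applied.
        return ("machine account logon denied (SEC_E_LOGON_DENIED): the computer "
                "could not authenticate to the DC; check the computer account "
                "and secure channel")
    return None
```

Calling diagnose(SAMPLE_LOG) returns the SEC_E_LOGON_DENIED verdict, which matches the thread's resolution of deleting and recreating the computer account before rejoining.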


