Re: User GPO doesn't replicate on one of my workstations
From: Feng Mao (fengmao_at_online.microsoft.com)
Date: 07/20/04
- Previous message: olaf: "Local access right problems"
- In reply to: Guillaume Tamisier: "Re: User GPO doesn't replicate on one of my workstations"
- Next in thread: Guillaume Tamisier: "Re: User GPO doesn't replicate on one of my workstations"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 20 Jul 2004 06:09:24 GMT
Hi Guillaume,
Thank you for posting back! I understand that you must search a lot in
Knowledge base articles:
I have posted two troubleshooting steps in my message dated July 14, 2004.
However, it seems that they do not help. So I made some research in
Knowledge base articles... Below are some other troubleshooting methods
for Event ID 1058 and 1030, and I hope that they are helpful.
*Step 3: Make sure that the TCP/IP NetBIOS Helper service is started on all
computers*
All computers on the network must run the TCP/IP NetBIOS Helper service. To
check the TCP/IP NetBIOS Helper service, follow these steps:
1. Click Start, point to Settings, and then click Control Panel.
2. On Windows XP, if Control Panel is in Category View, click Switch to
Classic View.
3. Double-click Administrative Tools.
4. Double-click Services.
5. In the Services console, check the Status and the Startup Type value for
the TCP/IP NetBIOS Helper service. The Status should be Started, and the
Startup Type should be Automatic.
6. If the Status and the Startup Type are not Started and Automatic,
right-click TCP/IP NetBIOS Helper service, and then click Properties.
7. In the TCP/IP NetBIOS Helper Properties, click to select Automatic in
the "Startup type" box.
8. If the service is not started, click Start to start the service, and
then click OK.
Also make sure that the Netlogon, Remote Procedure Call (RPC), and Remote
Registry services are Started and Automatic on all computers. The Remote
Procedure Call (RPC) Locator service should be Stopped and Manual.
Finally, make sure that you have not disabled any of the required system
services using group policy objects. These policy settings are under
Computer Configuration/Windows Settings/Security Settings/System Services.
On Windows Server 2003 and Windows XP, you can use the Resultant Set of
Policy MMC snap-in (rsop.msc) to check all applied policy settings. On
Windows 2000, install gpresult.exe from the Windows 2000 Resource Kit, and
then run the command, "gpresult /scope computer". The "Applied Group Policy
Objects" section of this command's output will list all of the group policy
objects that are applied to the computer account. Once you have this list,
check the System Services policy settings in all of the applied group
policy objects.
*Step 4: Make sure that the settings for SMB signing do not conflict*
The SMB signing settings define whether or not the computers on the network
digitally sign communications. If the SMB signing settings conflict, the
conflict may cause group policy application or group policy replication to
fail with Userenv errors. For example, if the domain controllers are
configured to require SMB signing for all server communication, but SMB
signing is disabled for client communication on the client computers, the
settings will conflict.
*Step 5: Check the contents and the permissions of the Sysvol folder*
By default, the Sysvol folder is located in the %systemroot% folder. Sysvol
contains the domain's group policy objects, the Sysvol and Netlogon shares,
and the file replication service (FRS) staging folder. If the permissions
on the Sysvol folder or the Sysvol share are too restrictive, this can cause
group policies to fail with Userenv errors. Additionally, Userenv errors can
occur if the Sysvol share or group policy objects are missing.
To make sure the Sysvol share is available, run the "net share" command on
the DC. SYSVOL should appear in the list of shares. Also, make sure that
the Netlogon share is listed. Repeat this step on all domain controllers on
the network. If the Sysvol or Netlogon share is missing from one or more
domain controllers, see the following articles for information about
troubleshooting this problem:
327781 How to Troubleshoot Missing SYSVOL and NETLOGON Shares on Windows
Server 2003 Domain Controllers
http://support.microsoft.com/?id=327781
257338 Troubleshooting Missing SYSVOL and NETLOGON Shares on Windows 2000
http://support.microsoft.com/?id=257338
After you make sure the Sysvol share is available, make sure that the
Sysvol folder, the Sysvol share, and the root of the volume that contains
the Sysvol folder are configured with the correct permissions.
On Windows 2000 Server, the Everyone group should have Full Control on the
root of the volume that contains the Sysvol folder. On Windows Server 2003,
the Everyone group should have the Read & Execute special permission
applied to "This folder only", and the domain\Users group should have the
following standard permissions:
Read & Execute
List Folder Contents
Read
Additionally, on Windows Server 2003, the domain\Users group should have
the following special permissions:
Read & Execute applied to "This folder, subfolders and files"
Create Folder / Append Data applied to "This folder and subfolders"
Create Files / Write Data applied to "Subfolders only"
For the permissions required for the Sysvol folder and the Sysvol share,
see the following KB article:
290647 Event ID 1000, 1001 Is Logged Every Five Minutes in the
Application
http://support.microsoft.com/?id=290647
After you check the Sysvol permissions, make sure that the Sysvol folder
contains the required group policy objects. Use gpotool.exe from the
Windows 2000 Resource Kit to check for these. The gpotool.exe file is
located in the netmgmt.cab file on the resource kit CD. If you run the tool
without any options, it will check for all the group policy objects on all
domain controllers in the domain. If you include the /checkacl option, the
tool additionally will check the Sysvol access control list (ACL). Use the
/verbose option for more detailed information.
If you determine that the Sysvol folder is missing one or more group policy
objects, you can run the Windows Server 2003 Default Group Policy Restore
Utility (DcGPOFix.exe) or the Windows 2000 Default Group Policy Restore
Tool (RecreateDefpol.exe) to recreate the default group policy objects. The
DcGPOFix.exe program is included on Windows Server 2003. For help on using
this program, run the command "dcgpofix /?" in a command prompt window. For
information about the RecreateDefpol.exe program, visit the following Web
site:
Windows 2000 Default Group Policy Restore Tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&DisplayLang=en
Finally, make sure that you are not scanning the Sysvol folder with
anti-virus software. AV scanning can block access to the required files,
such as the gpt.ini file. For more information about virus scanning on
Windows Server domain controllers, see the following KB article:
822158 Virus scanning recommendations on a Windows 2000 or on a Windows
Server 2003 domain controller
http://support.microsoft.com/?id=822158
*Step 6: Make sure that the "Bypass traverse checking" right is granted to
the required groups*
To check the "Bypass traverse checking" right, follow these steps:
1. On a DC, click Start, point to Programs or All Programs, point to
Administrative Tools, and then click Domain Controller Security Policy.
2. Expand Security Settings, expand Local Policies, and then click User
Rights Assignment.
3. Double-click the "Bypass traverse checking" policy setting.
4. Click to check the "Define these policy settings" box, if the option is
not enabled already.
5. The following groups should be listed for this policy setting:
Administrators
Authenticated Users
Everyone
Pre-Windows 2000 Compatible Access
If any of these groups are missing, click Add, type the name of the missing
group, and then click OK.
6. Click OK to close the policy setting.
7. On Windows Server 2003, run the "gpupdate /force" command. On Windows
2000, run "secedit /refreshpolicy machine_policy /enforce".
*Step 7: Run the "dfsutil /PurgeMupCache" command*
To work around this problem, run the dfsutil.exe program from the Windows
Server 2003 Support Tools with the /PurgeMupCache option. This option will
flush the local DFS/MUP cached information. For additional information
about this issue, see the following KB article:
830676 Group Policy processing fails with Events 1058 and 1030 in Windows
Server 2003
http://support.microsoft.com/?id=830676
*Step 8: Apply the Secure DC policy template*
If the issue is not resolved after following steps 1 through 8, you can
apply the predefined Secure DC policy template (securedc.inf) as a last
resort. Be aware that this policy template will remove any custom policy
settings that you have defined. For more information about how to apply a
predefined policy template, see the following KB article:
816585 HOW TO: Apply Predefined Security Templates in Windows Server 2003
http://support.microsoft.com/?id=816585
Thanks & Regards,
Feng Mao [MSFT], MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
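The checks in Steps 3 through 5 above can be scripted so that the same read-only report is produced on every workstation and domain controller under investigation. The script below is an added example and is not part of Feng Mao's post or of any Microsoft tool. It assumes Windows PowerShell 5.1 or later on a domain-joined machine and an account that can read service state, the LanmanServer/LanmanWorkstation registry keys, the local share list and the domain's SYSVOL share; the short service names (lmhosts, Netlogon, RpcSs, RemoteRegistry, RpcLocator) are the service names behind the display names used in the post. It changes nothing; it only reports PASS, FAIL, INFO or SKIP per check.

```powershell
# Added example, not from the original post: a read-only health check that
# mirrors Steps 3 to 5 (required services, SMB signing values, SYSVOL and
# NETLOGON shares, and whether this machine can read the domain's Policies
# folder through SYSVOL). Assumes Windows PowerShell 5.1+ on a domain member.

# Step 3: expected state of the services named in the post.
$ExpectedServices = @{
    'lmhosts'        = @{ State = 'Running'; StartMode = 'Auto'   }  # TCP/IP NetBIOS Helper
    'Netlogon'       = @{ State = 'Running'; StartMode = 'Auto'   }
    'RpcSs'          = @{ State = 'Running'; StartMode = 'Auto'   }  # Remote Procedure Call (RPC)
    'RemoteRegistry' = @{ State = 'Running'; StartMode = 'Auto'   }
    'RpcLocator'     = @{ State = 'Stopped'; StartMode = 'Manual' }  # RPC Locator
}

function Test-RequiredServices {
    foreach ($name in $ExpectedServices.Keys) {
        $want = $ExpectedServices[$name]
        $svc  = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Check = "Service $name"; Result = 'FAIL'; Detail = 'service not found' }
            continue
        }
        $ok     = ($svc.State -eq $want.State) -and ($svc.StartMode -eq $want.StartMode)
        $result = if ($ok) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{
            Check  = "Service $name"
            Result = $result
            Detail = "is $($svc.State)/$($svc.StartMode), expected $($want.State)/$($want.StartMode)"
        }
    }
}

# Step 4: read the SMB signing values for the server and workstation sides.
# A blank value means the platform default applies. The conflict the post
# describes is "server requires signing, client has signing disabled"; on a
# member workstation compare its workstation values with the DC's server values.
function Get-SmbSigningSetting {
    $srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $read = { param($path, $name)
        (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name }
    [pscustomobject]@{
        ServerRequire      = & $read $srv 'RequireSecuritySignature'
        ServerEnable       = & $read $srv 'EnableSecuritySignature'
        WorkstationRequire = & $read $wks 'RequireSecuritySignature'
        WorkstationEnable  = & $read $wks 'EnableSecuritySignature'
    }
}

function Test-SmbSigning {
    $s        = Get-SmbSigningSetting
    $conflict = ($s.ServerRequire -eq 1) -and ($s.WorkstationEnable -eq 0)
    $result   = if ($conflict) { 'FAIL' } else { 'INFO' }
    [pscustomobject]@{
        Check  = 'SMB signing'
        Result = $result
        Detail = "server require=$($s.ServerRequire) enable=$($s.ServerEnable); " +
                 "workstation require=$($s.WorkstationRequire) enable=$($s.WorkstationEnable) (blank = default)"
    }
}

# Step 5 (DC side): SYSVOL and NETLOGON must appear in "net share".
function Test-DcShares {
    $shares = (net share 2>$null) -join "`n"
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        $present = $shares -match "(?m)^\s*$name\s"
        $result  = if ($present) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Check = "Share $name"; Result = $result; Detail = 'expected on every domain controller' }
    }
}

# Step 5 (client side): a workstation that cannot read gpt.ini under the
# Policies folder is the usual source of Userenv 1058/1030 events.
function Test-SysvolPoliciesReadable {
    $domain = $env:USERDNSDOMAIN
    if (-not $domain) {
        return [pscustomobject]@{ Check = 'SYSVOL Policies readable'; Result = 'SKIP'; Detail = 'not logged on to a domain' }
    }
    $path     = "\\$domain\SYSVOL\$domain\Policies"
    $gptFiles = @(Get-ChildItem -Path $path -Filter gpt.ini -Recurse -Depth 1 -ErrorAction SilentlyContinue)
    $result   = if ($gptFiles.Count -gt 0) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = 'SYSVOL Policies readable'; Result = $result; Detail = "$path : $($gptFiles.Count) gpt.ini file(s) readable" }
}

$report  = @()
$report += Test-RequiredServices
$report += Test-SmbSigning
$report += Test-SysvolPoliciesReadable
# DomainRole 4 (backup DC) or 5 (primary DC): only then are the shares expected locally.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) { $report += Test-DcShares }
$report | Format-Table -AutoSize
```

Run it once on the failing workstation and once on each domain controller and compare the two tables: a FAIL on "Service lmhosts" or "SYSVOL Policies readable" on the workstation points at Step 3 or Step 5, while differing SMB signing values between the workstation's client side and the DC's server side point at Step 4.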