Re: 10 winxp computer locked by Software Restrictions
From: charles (na_at_aol.com)
Date: 02/06/05
Date: Sun, 6 Feb 2005 00:48:38 -0300
The safe mode with networking does not start network services in these
computers. Network connections window is blank, ipconfig /all shows the
Network adaptor without an IP address configured. If I force it to renew an
IP from the DHCP server it gives an RPC service error (gpresult gives a
similar error), no network services can be started. It's only possible to
log on as the local administrator (not as a domain user), and there's no way
to remove them from the domain from the system properties.
I'll enable the exemption you mentioned; the Secedit tool would allow me to
copy that policy from another computer (one without this problem). Do you
think it's the right way?
Regards,
CA
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OdFMEA9CFHA.2676@TK2MSFTNGP12.phx.gbl...
> If they are not starting network services then there is some major problem
> with SRP - I guess I don't have to tell you that. You might try booting into
> safe mode with networking if you have not tried such yet. I believe you
> should still be able to remove a computer from the domain if you logon as
> the local administrator - not using a domain account. When you configure SRP
> you will see the "enforcement" configuration icon right under the additional
> rules folder. When you open it you will see there is an option to exempt
> local administrators from SRP restrictions. However from what you describe
> with computers networking not working correctly, they more than likely will
> not be able to receive updates from Group Policy changes anyhow. --- Steve
>
>
> "charles" <na@aol.com> wrote in message
> news:%23o51fs8CFHA.2600@TK2MSFTNGP09.phx.gbl...
> > Hello Steve,
> >
> > Computers are not starting network services (they do not even respond to a
> > ping), so there's currently no communication between them and the dns
> > server. Those computers cannot be unjoined from the domain for the same
> > reason (the option is grayed out).
> > So, the first step is to allow a local administrator logon. What's the
> > enforcement rule you mentioned to allow local administrators to not have
> > the policies applied to them?
> >
> > Thanks,
> > Charles
> >
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:efKE5w7CFHA.328@tk2msftngp13.phx.gbl...
> >> If you can logon in safe mode then that means it is NOT a problem with
> >> security policy but sounds like a problem with Software Restriction
> >> Policies. SRP can be configured via the enforcement rule to allow local
> >> administrators to not have the policy applied to them. If the computer
> >> automatically logs you off in regular mode it sounds like the SRP is
> >> restricting access to needed system files for the user to be able to
> >> logon. I don't know offhand why it is affecting only some computers unless
> >> there was a change to SRP, either good or bad, and it has not propagated to
> >> all computers which is often a problem with dns configuration in the domain
> >> or replication between domain controllers. The support tool netdiag can be
> >> run on a domain computer to see if it can find the domain controllers,
> >> communicate with them, and has a proper "secure channel" to them. I don't
> >> know how well netdiag will work in safe mode but make sure the problem
> >> computers are pointing ONLY to domain controllers running dns with the
> >> domain zone as their preferred dns servers. If worse comes to worse, try to
> >> logon in safe mode and unjoin one of the problem computers from the domain
> >> which hopefully will not allow domain policy to apply to it until you sort
> >> things out, though first I would try to remove those computers from the OU
> >> [ assuming computer configuration] where the SRP is configured and reboot
> >> them. The tool gpresult can also help in determining what Group Policy is
> >> applied to a computer, the last time it was applied, and from what domain
> >> controller. It may work in safe mode. --- Steve
> >>
> >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 -- make
> >> sure your dns is correct in the domain.
> >>
> >> "Charles" <na@aol.com> wrote in message
> >> news:e4nC0R5CFHA.4004@tk2msftngp13.phx.gbl...
> >> > I cannot get control of 10 computers. If I login to the domain I get a
> >> > netlogon error. If I login to the computername it automatically logs me
> >> > off, without visual errors. I can only login in protected mode. Most
> >> > features are blocked by software restrictions (no start bar, cannot view
> >> > events; just browse them, cannot start services, etc.).
> >> > The apps event log is full of id 865 errors (software restriction
> >> > policies).
> >> > It seems that something happened with the default domain policy; now it's
> >> > no longer happening since I have 70 other winxp PCs without problems in
> >> > the same OU with the same policies applied.
> >> >
> >> > I already tried the Q313222 article; it works as described, but when I
> >> > restart nothing changes
> >> > (secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /overwrite)
> >> > I also exported (secedit /export /mergedpolicy....) and imported a
> >> > template from a good computer with no changes.
> >> >
> >> > I cannot change any template or policy directly from those computers.
> >> >
> >> > Do you have any idea how to get the control again (without reinstalling
> >> > the whole OS)?
> >> >
> >> > Regards,
> >> > CA
> >> >
> >> >
> >> >
> >>
> >>
> >
> >
>
>
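The SRP "enforcement" settings discussed in this thread (who the policy applies to, and the default level) are stored as registry values, so they can be read back on an affected machine to confirm what is actually in force. The following is an added example, not part of the original messages; the function names are hypothetical, the sample values are constructed, and it assumes the standard SRP value names under the `Safer\CodeIdentifiers` policy key.

```powershell
# Added example (not from the thread): decode SRP enforcement settings.
# Assumption: SRP keeps these values under the policy key below.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function ConvertTo-SrpSummary {
    # Hypothetical helper: turns raw registry values into readable settings.
    param([Parameter(Mandatory)][hashtable]$Values)

    $scope = switch ($Values['PolicyScope']) {
        0       { 'All users (local administrators included)' }
        1       { 'All users except local administrators' }
        default { 'Not set or unknown' }
    }
    $level = switch ($Values['DefaultLevel']) {
        0       { 'Disallowed' }
        0x40000 { 'Unrestricted' }
        default { 'Not set or unknown' }
    }
    $files = switch ($Values['TransparentEnabled']) {
        0       { 'No enforcement' }
        1       { 'All software files except libraries (DLLs)' }
        2       { 'All software files' }
        default { 'Not set or unknown' }
    }
    [pscustomobject]@{
        AppliesTo    = $scope
        DefaultLevel = $level
        Enforcement  = $files
        AdminsExempt = ($Values['PolicyScope'] -eq 1)
    }
}

function Get-SrpValues {
    # Hypothetical helper: reads the live key; $null when no SRP is configured.
    if (-not (Test-Path $SrpKey)) { return $null }
    $item = Get-ItemProperty -Path $SrpKey
    $h = @{}
    foreach ($name in 'PolicyScope', 'DefaultLevel', 'TransparentEnabled') {
        $h[$name] = $item.$name
    }
    $h
}

# Constructed sample: default level Disallowed, applied to administrators too.
$sample = @{ PolicyScope = 0; DefaultLevel = 0; TransparentEnabled = 1 }
ConvertTo-SrpSummary -Values $sample

# Live read on the machine being examined (prints nothing if SRP is absent).
$live = Get-SrpValues
if ($live) { ConvertTo-SrpSummary -Values $live }
```

On a machine without PowerShell, the same values can be read with `reg query` against the same key.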