Re: 10 winxp computer locked by Software Restrictions
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/06/05
- Next message: Spin: "GPO refresh?"
- Previous message: Steven L Umbach: "Re: Login to other user profile.."
- In reply to: charles: "Re: 10 winxp computer locked by Software Restrictions"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 6 Feb 2005 00:10:52 -0600
I was under the impression that the SRP were enforced via domain policy and
if that is the case it most likely will not help to try and apply a security
template to the locked out computers. But with what you are faced with it
would be easy enough to try as stranger things have happened. If that does
not help I think reinstalls will be your option with your description of
what is going on with no network connectivity, etc. --- Steve
"charles" <na@aol.com> wrote in message
news:efMv76$CFHA.3740@TK2MSFTNGP09.phx.gbl...
> The safe mode with networking does not start network services in these
> computers. Network connections window is blank, ipconfig /all shows the
> Network adaptor without an IP address configured. If I force it to renew an
> IP from the DHCP server it gives an RPC service error (gpresult gives a
> similar error), no network services can be started. It's only possible to
> log on as the local administrator (not as a domain user), there's no way to
> remove them from the domain from the system properties.
> I'll enable the exemption you mentioned, Secedit tool would allow me to copy
> that policy from other computer (one without this problem). Do you think
> it's the right way?
>
> Regards,
> CA
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:OdFMEA9CFHA.2676@TK2MSFTNGP12.phx.gbl...
>> If they are not starting network services then there is some major problem
>> with SRP - I guess I don't have to tell you that. You might try booting into
>> safe mode with networking if you have not tried such yet. I believe you
>> should still be able to remove a computer from the domain if you logon as
>> the local administrator - not using a domain account. When you configure SRP
>> you will see the "enforcement" configuration icon right under the additional
>> rules folder. When you open it you will see there is an option to exempt
>> local administrators from SRP restrictions. However from what you describe
>> with computers networking not working correctly, they more than likely will
>> not be able to receive updates from Group Policy changes anyhow. --- Steve
>>
>>
>> "charles" <na@aol.com> wrote in message
>> news:%23o51fs8CFHA.2600@TK2MSFTNGP09.phx.gbl...
>> > Hello Steve,
>> >
>> > Computers are not starting network services (they even do not respond to a
>> > ping), so there's currently no communication between them and the dns
>> > server. Those computers cannot be unjoined from the domain for the same
>> > reason (option is in color gray)
>> > So, the first step is to allow a local administrator logon. What's the
>> > enforcement rule you mentioned to allow local administrators to not have
>> > the policies applied to them?
>> >
>> > Thanks,
>> > Charles
>> >
>> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> > news:efKE5w7CFHA.328@tk2msftngp13.phx.gbl...
>> >> If you can logon in safe mode then that means it is NOT a problem with
>> >> security policy but sounds like a problem with Software Restriction
>> >> Policies. SRP can be configured via the enforcement rule to allow local
>> >> administrators to not have the policy applied to them. If the computer
>> >> automatically logs you off in regular mode it sounds like the SRP is
>> >> restricting access to needed system files for the user to be able to logon.
>> >> I don't know offhand why it is affecting only some computers unless there
>> >> was a change to SRP, either good or bad, and it has not propagated to all
>> >> computers which is often a problem with dns configuration in the domain or
>> >> replication between domain controllers. The support tool netdiag can be run
>> >> on a domain computer to see if it can find the domain controllers,
>> >> communicate with them, and has a proper "secure channel" to them. I don't
>> >> know how well netdiag will work in safe mode but make sure the problem
>> >> computers are pointing ONLY to domain controllers running dns with the
>> >> domain zone as their preferred dns servers. If worse comes to worse, try to
>> >> logon in safe mode and unjoin one of the problem computers from the domain
>> >> which hopefully will not allow domain policy to apply to it until you sort
>> >> things out, though first I would try to remove those computers from the OU
>> >> [ assuming computer configuration] where the SRP is configured and reboot
>> >> them. The tool gpresult can also help in determining what Group Policy is
>> >> applied to a computer, the last time it was applied, and from what domain
>> >> controller. It may work in safe mode. --- Steve
>> >>
>> >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 -- make
>> >> sure your dns is correct in the domain.
>> >>
>> >> "Charles" <na@aol.com> wrote in message
>> >> news:e4nC0R5CFHA.4004@tk2msftngp13.phx.gbl...
>> >> > I cannot get control of 10 computers. If I login to the domain I get a
>> >> > netlogon error. If I login to the computername it automatically logs me
>> >> > off, without visual errors. I can only login in protected mode. Most of
>> >> > features are blocked by software restrictions (no start bar, cannot view
>> >> > events; just browse them, cannot start services, etc.).
>> >> > The apps event log is full of id 865 errors (software restriction
>> >> > policies).
>> >> > It seems that something happened with the default domain policy; Now it's
>> >> > no longer happening since I have other 70 winxp pc's without problems in
>> >> > the same OU with the same policies applied.
>> >> >
>> >> > I already tried Q313222 article, it works as it's described but when I
>> >> > restart nothing changes
>> >> > (secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb
>> >> > /verbose /overwrite)
>> >> > I also exported (secedit /export /mergedpolicy....) and imported a
>> >> > template from good computer with no changes.
>> >> >
>> >> > I cannot change any template or policy directly from those computers.
>> >> >
>> >> > Do you have any idea how to get the control again (without reinstalling
>> >> > the whole OS)?
>> >> >
>> >> > Regards,
>> >> > CA
>> >> >
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>
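The "enforcement" setting discussed in this thread (SRP applied to all users, or to all users except local administrators) is stored with the policy under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`. As an added example that is not part of the original posts, the Python below parses `reg query` output for that key and reports the default level, enforcement scope and path rules; the sample output, its GUID and the `lockout_risk` heuristic are constructed for illustration.

```python
import re

# Constructed `reg query <key> /s` output for the SRP policy key (sample data, not from the thread).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    DefaultLevel    REG_DWORD    0x0
    PolicyScope    REG_DWORD    0x0
    TransparentEnabled    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{11111111-2222-3333-4444-555555555555}
    ItemData    REG_SZ    C:\Program Files
"""

LEVELS = {0x0: "Disallowed", 0x40000: "Unrestricted"}
SCOPES = {0: "all users", 1: "all users except local administrators"}
ENFORCE = {0: "none", 1: "all files except DLLs", 2: "all files including DLLs"}
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Return {key_path: {value_name: data}}; REG_DWORD data becomes an int."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, kind, data = m.groups()
            current[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return keys

def summarize(text):
    """Report default level, enforcement scope and path rules of the SRP policy."""
    keys = parse_reg_query(text)
    root = next((k for k in keys if k.lower().endswith(r"\safer\codeidentifiers")), None)
    if root is None:
        return {"configured": False}
    pol, rules = keys[root], []
    for key, vals in keys.items():
        m = re.search(r"\\codeidentifiers\\(\d+)\\paths\\", key, re.I)
        if m and "ItemData" in vals:
            level = int(m.group(1))  # subkey name is the rule's security level
            rules.append((LEVELS.get(level, level), vals["ItemData"]))
    default, scope = pol.get("DefaultLevel"), pol.get("PolicyScope", 0)
    return {
        "configured": True,
        "default_level": LEVELS.get(default, default),
        "scope": SCOPES.get(scope, scope),
        "enforcement": ENFORCE.get(pol.get("TransparentEnabled"), "unknown"),
        "admins_exempt": scope == 1,
        "rules": rules,
        # Heuristic: a Disallowed default that also binds local administrators
        "lockout_risk": default == 0 and scope == 0,
    }
```

Running `summarize` on output captured from a working machine and from an affected one gives a quick side-by-side of the two effective policies.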