Re: Restricted Groups Not Working
- From: "Nick Finco [MSFT]" <nfinco@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 8 Apr 2005 15:36:04 -0700
Can you work with the C:\WINDOWS\security\templates\policies\gpt00000.dom
template manually via secedit /validate, /import, or /configure? If the
template is the issue, you can edit it and it will contain the GUID of the
GPO from which it came so you can fix manually in the sysvol or via gpedit.
If the template is fine, %windir%\security\database\secedit.sdb might be
corrupt. You might be able to try using "esentutl /r edb" while in the
%windir%\security directory to recover it or refer to KB278316.
N
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm
"Jody Stoll" <jo@xxxxxxxxxxxxxxxx> wrote in message
news:ug%23AfLFPFHA.3880@xxxxxxxxxxxxxxxxxxxxxxx
> Hi ,
> I'm trying through Group policy to add a Security Group which I have
> created called Notts-xpadmins to the local administrators group on my xp
> workstations. I have created the group in ad and have assigned the users
> to the group through the 'Members of this Group' section in the Restricted
> groups and specified 'administrators' in the 'This group is a member of '
>
> So far nothing is working although the rest of the GP is working.
> I have researched this slighly and have turned on debugging so that I can
> see the winlogon.log file in the security folder. I am getting scecli 1202
> events in the eventlog but cannot seem to see what the problem is. The MS
> article refers to the users/group being recently deleted in AD but this
> is definately not the case.
>
> Could it be a corrupted GP? If so then it would be 2 separate GPs which
> are corrupted as this is occuring with at least 2 GP's that I have tried.
>
> Although previously I have had this working by using the Domain Users
> group to the local administrators group I do not want to add domain users
> to local admins for obvious reasons.
>
> Please find below a copy of the winlog.log file i have taken from my win
> xp sp2 workstation
> The MS KB article I have been using to troubleshoot is Q324383.
>
> The Domain is Win2k3 running in full Native mode.
>
> Any help would be most gratefully recieved.
>
> cheers
>
>
>
> **************************
>
> No template is defined in GPO
> \\i3.co.uk\SysVol\i3.co.uk\Policies\{5C036063-D807-4613-8A8D-80DC41C72395}\Machine.
>
> Make a local copy of
> \\i3.co.uk\sysvol\i3.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
> NT\SecEdit\GptTmpl.inf.
> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
>
> Make a local copy of
> \\i3.co.uk\SysVol\i3.co.uk\Policies\{605E3F4E-F240-4E73-9A92-9DA478C00C93}\Machine\Microsoft\Windows
> NT\SecEdit\GptTmpl.inf.
> GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
>
> Process GP template gpt00000.dom.
>
> This is not the last GPO.
> -------------------------------------------
> 08 April 2005 16:25:59
> Administrative privileged user logged on.
> Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
> Error 1208: An extended error has occurred.
> Error creating database.
> ----Configuration engine was initialized with one or more errors.----
>
>
> ----Un-initialize configuration engine...
> **************************
>
> No template is defined in GPO
> \\i3.co.uk\SysVol\i3.co.uk\Policies\{5C036063-D807-4613-8A8D-80DC41C72395}\Machine.
>
> Make a local copy of
> \\i3.co.uk\sysvol\i3.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
> NT\SecEdit\GptTmpl.inf.
> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
>
> Make a local copy of
> \\i3.co.uk\SysVol\i3.co.uk\Policies\{605E3F4E-F240-4E73-9A92-9DA478C00C93}\Machine\Microsoft\Windows
> NT\SecEdit\GptTmpl.inf.
> GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
>
> Process GP template gpt00000.dom.
>
> This is not the last GPO.
> -------------------------------------------
> 08 April 2005 16:26:05
> Administrative privileged user logged on.
> Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
> Error 1208: An extended error has occurred.
> Error creating database.
> ----Configuration engine was initialized with one or more errors.----
>
>
> ----Un-initialize configuration engine...
.
- Follow-Ups:
- Re: Restricted Groups Not Working
- From: Roger
- Re: Restricted Groups Not Working
- References:
- Restricted Groups Not Working
- From: Jody Stoll
- Restricted Groups Not Working
- Prev by Date: Re: Remove Journal from Outlook
- Next by Date: Re: Controlling User Policy via Computer account
- Previous by thread: Restricted Groups Not Working
- Next by thread: Re: Restricted Groups Not Working
- Index(es):
Relevant Pages
|
