Re: Logon failures reported by RSOP

"David Trimboli" <trimboli@xxxxxxxx> wrote in message
news:emvosFHfHHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OFlySOAfHHA.5052@xxxxxxxxxxxxxxxxxxxxxxx
Have you asked that main admin ?

Err... I'd say he's likely to know less about it than I am! I'll see what
I can do, though.


fun

I am at a toss-up as to whether this is an access problem
for your account when running rsop but some other problem
that leads to the issue you were attempting to triage.

That's what I'm worried about too. A false lead.


Having read your further info, I would say that the issue
here is that a required service for running rsop is missing.

Check that Authenticated Users has read access on the
domain's sysvol shared policies to narrow down the
rsop issue.

Yes, Authenticated Users has Read and Execute access to the policies.


OK. That's out.

What are the symptoms you see on the clients, or is it only
that on some of them some services are not starting ??

The problem is starting to show up on other clients now.

The problem is first noticed when a user complains that he cannot access a
mapped network drive. We check and find that a bunch of services,
especially network-related have failed to start, including Browser,
Server, Automatic Updates, and Secondary Logon (I don't have a complete
list with me, but it's the same set of services every time).

When the machine's computer object in Active Directory is moved into an OU
whose policy inheritance has been blocked, and the computer rebooted, all
of these services will have started normally.

Well, that makes me think you have a GPO that is defining the
services but it has incorrect settings in the permissions, which
can easily happen if an XP SP2 is used to edit the GPO Services
section, as there is a known error.
http://support.microsoft.com/kb/894794


If I add policy links to this inheritance-blocked OU one at a time, and
reboot the client after each one, the machine starts all of its services
normally. This continues until all four of the policies it was receiving
in its original OU are being obtained, without any problem.


And that contradicts the assessment that it is a GPO setting Services

If I then move the computer object back to its original OU, the problem
returns.


At least it is predictable

Can you use GPMC in real or even "what if" mode to see what
settings, especially the Services section or User Rights dealing
with logon of the different types, are or would be applied to one
of the computers in that OU?

Disjoining the computer from the domain, deleting its computer object,
then re-adding it to the domain and moving its object into the OU fixed
the problem for about a day, but then it returned.


XPs do not necessarily have all GPO settings applied immediately,
so this might be saying it sometimes takes waiting for the 16 hour
reapplication of Security Settings to carry Services or User Rights
settings down onto the machine for the first time.

I've learned the above through testing since I posted my original message.
I've also found that the strange RSOP warnings only appear when the
problem occurs.

We're all stumped here, and appreciate your thoughts on the matter.


I am betting on the Services thing at this point, but do not know
how to discount the apparent contradicting evidence you present.

Roger


"David Trimboli" <trimboli@xxxxxxxx> wrote in message
news:OL6R855eHHA.1960@xxxxxxxxxxxxxxxxxxxxxxx
Scratch that. I do have access to the Event Viewer security log
remotely, but I don't know what to look for. I think the main admin is
auditing logon/logoff events, but nothing else.

David
Stardate 7273.8

"David Trimboli" <trimboli@xxxxxxxx> wrote in message
news:ukiRlq5eHHA.4868@xxxxxxxxxxxxxxxxxxxxxxx
I'm afraid I don't have login access to the DCs to check.

David
Stardate 7273.7

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:O%23mOkbEeHHA.2332@xxxxxxxxxxxxxxxxxxxxxxx
Assuming you are logging Logon failure on the DCs, what
account is being seen as attempting these failed accesses?


"David Trimboli" <trimboli@xxxxxxxx> wrote in message
news:eZcD$44dHHA.596@xxxxxxxxxxxxxxxxxxxxxxx
We've got several group policies applied to our domain computers.
Recently we've been seeing some odd problems, like policies causing
many network-related services to fail to start on a couple of
clients.

I've just run rsop.msc on a few machines (clients are Windows XP
Professional, servers are Windows Server 2003), and they're all
getting the same error:




wmplayer.adm
Location -
"\\cshl.edu\SysVol\cshl.edu\Policies\{934E85AD-1D0E-40D9-8495-737800C85CBC}\Adm\wmplayer.adm"
Error - Logon failure: unknown user name or bad password.
wuau.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\wuau.adm"
Error - Logon failure: unknown user name or bad password.
system.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\system.adm"
Error - Logon failure: unknown user name or bad password.
conf.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\conf.adm"
Error - Logon failure: unknown user name or bad password.
inetres.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\inetres.adm"
Error - Logon failure: unknown user name or bad password.





It looks like two of our policies are mysteriously not loading fully.
I've looked through the policies, and I've examined the file
permissions of the files listed, but I can find nothing wrong. Is
there something else I can do to figure out what the problem is?

--
David
Stardate 7259.6













.

Relevant Pages
Quantcast