Re: Logon failures reported by RSOP
- From: "David Trimboli" <trimboli@xxxxxxxx>
- Date: Fri, 13 Apr 2007 16:38:40 -0400
Can you use GPMC in real or even "what if" mode to see what
settings, especially the Services section or User Rights dealing
with logon of the different types, are or would be applied to one
of the computers in that OU?
The Group Policy Modeling Wizard works just fine, and doesn't show up
anything wrong. We don't limit services in any way in our policies (we
don't have anything defined in Services or User Rights).
XPs do not necessarily have all GPO settings applied immediately,
so this might be saying it sometimes takes waiting for the 16 hour
reapplication of Security Settings to carry Services or User Rights
settings down onto the machine for the first time.
Makes sense. We do have a couple of startup scripts which apply the DST
registry patch for Windows 2000 computers and check to see if a couple
of other hotfixes are installed. I don't think any of these are
responsible.
David
Stardate 7282.2
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eBW5AuWfHHA.4188@xxxxxxxxxxxxxxxxxxxxxxx
"David Trimboli" <trimboli@xxxxxxxx> wrote in message
news:emvosFHfHHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OFlySOAfHHA.5052@xxxxxxxxxxxxxxxxxxxxxxx
Have you asked that main admin ?
Err... I'd say he's likely to know less about it than I do! I'll see
what I can do, though.
fun
I am at a toss-up as to whether this is an access problem
for your account when running rsop but some other problem
that leads to the issue you were attempting to triage.
That's what I'm worried about too. A false lead.
Having read your further info, I would say that the issue
here is that a required service for running rsop is missing.
Check that Authenticated Users has read access on the
domain's sysvol shared policies to narrow down the
rsop issue.
Yes, Authenticated Users has Read and Execute access to the policies.
OK. That's out.
What are the symptoms you see on the clients, or is it only
that on some of them some services are not starting ??
The problem is starting to show up on other clients now.
The problem is first noticed when a user complains that he cannot
access a mapped network drive. We check and find that a bunch of
services, especially network-related, have failed to start, including
Browser, Server, Automatic Updates, and Secondary Logon (I don't have
a complete list with me, but it's the same set of services every
time).
When the machine's computer object in Active Directory is moved into
an OU whose policy inheritance has been blocked, and the computer
rebooted, all of these services will have started normally.
Well, that makes me think you have a GPO that is defining the
services but it has incorrect settings in the permissions, which
can easily happen if an XP SP2 is used to edit the GPO Services
section, as there is a known error.
http://support.microsoft.com/kb/894794
If I add policy links to this inheritance-blocked OU one at a time,
and reboot the client after each one, the machine starts all of its
services normally. This continues until all four of the policies it
was receiving in its original OU are being obtained, without any
problem.
And that contradicts the assessment that it is a GPO setting Services.
If I then move the computer object back to its original OU, the
problem returns.
At least it is predictable
Can you use GPMC in real or even "what if" mode to see what
settings, especially the Services section or User Rights dealing
with logon of the different types, are or would be applied to one
of the computers in that OU?
Disjoining the computer from the domain, deleting its computer
object, then re-adding it to the domain and moving its object into
the OU fixed the problem for about a day, but then it returned.
XPs do not necessarily have all GPO settings applied immediately,
so this might be saying it sometimes takes waiting for the 16 hour
reapplication of Security Settings to carry Services or User Rights
settings down onto the machine for the first time.
I've learned the above through testing since I posted my original
message. I've also found that the strange RSOP warnings only appear
when the problem occurs.
We're all stumped here, and appreciate your thoughts on the matter.
I am betting on the Services thing at this point, but do not know
how to discount the apparent contradicting evidence you present.
Roger
"David Trimboli" <trimboli@xxxxxxxx> wrote in message
news:OL6R855eHHA.1960@xxxxxxxxxxxxxxxxxxxxxxx
Scratch that. I do have access to the Event Viewer security log
remotely, but I don't know what to look for. I think the main admin
is auditing logon/logoff events, but nothing else.
David
Stardate 7273.8
"David Trimboli" <trimboli@xxxxxxxx> wrote in message
news:ukiRlq5eHHA.4868@xxxxxxxxxxxxxxxxxxxxxxx
I'm afraid I don't have login access to the DCs to check.
David
Stardate 7273.7
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:O%23mOkbEeHHA.2332@xxxxxxxxxxxxxxxxxxxxxxx
Assuming you are logging Logon failure on the DCs, what
account is being seen as attempting these failed accesses?
"David Trimboli" <trimboli@xxxxxxxx> wrote in message
news:eZcD$44dHHA.596@xxxxxxxxxxxxxxxxxxxxxxx
We've got several group policies applied to our domain
computers. Recently we've been seeing some odd problems, like
policies causing many network-related services to fail to start
on a couple of clients.
I've just run rsop.msc on a few machines (clients are Windows XP
Professional, servers are Windows Server 2003), and they're all
getting the same error:
wmplayer.adm
Location -
"\\cshl.edu\SysVol\cshl.edu\Policies\{934E85AD-1D0E-40D9-8495-737800C85CBC}\Adm\wmplayer.adm"
Error - Logon failure: unknown user name or bad password.
wuau.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\wuau.adm"
Error - Logon failure: unknown user name or bad password.
system.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\system.adm"
Error - Logon failure: unknown user name or bad password.
conf.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\conf.adm"
Error - Logon failure: unknown user name or bad password.
inetres.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\inetres.adm"
Error - Logon failure: unknown user name or bad password.
It looks like two of our policies are mysteriously not loading
fully. I've looked through the policies, and I've examined the
file permissions of the files listed, but I can find nothing
wrong. Is there something else I can do to figure out what the
problem is?
--
David
Stardate 7259.6
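
Added example, not part of the original thread: a small Python triage helper that takes the RSOP error listing quoted in the first post and groups the failing files by GPO GUID, so the affected policy folders under SYSVOL can be checked one by one. The function names are hypothetical; the input is the listing copied from the post.

```python
import re
from collections import defaultdict

# RSOP error listing as quoted in the original post.
RSOP_ERRORS = r'''
wmplayer.adm
Location -
"\\cshl.edu\SysVol\cshl.edu\Policies\{934E85AD-1D0E-40D9-8495-737800C85CBC}\Adm\wmplayer.adm"
Error - Logon failure: unknown user name or bad password.
wuau.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\wuau.adm"
Error - Logon failure: unknown user name or bad password.
system.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\system.adm"
Error - Logon failure: unknown user name or bad password.
conf.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\conf.adm"
Error - Logon failure: unknown user name or bad password.
inetres.adm
Location -
"\\cshl.edu\sysvol\cshl.edu\Policies\{7F71AFC2-939C-4975-BDFE-F632DA35B076}\Adm\inetres.adm"
Error - Logon failure: unknown user name or bad password.
'''

# One entry = a quoted UNC location followed by its error line.
ENTRY = re.compile(r'Location\s*-\s*"(?P<path>\\\\[^"]+)"\s*Error\s*-\s*(?P<error>[^\n]+)', re.I)
# \\<domain>\sysvol\<domain>\Policies\{GUID}\<file>; "SysVol" and "sysvol" both occur.
GPO_PATH = re.compile(
    r'^\\\\[^\\]+\\sysvol\\[^\\]+\\Policies\\(?P<guid>\{[0-9A-F-]{36}\})\\(?P<rest>.+)$', re.I)

def group_failures_by_gpo(rsop_text):
    """Return {GPO GUID (upper case): [(file below the GPO folder, error text), ...]}."""
    by_gpo = defaultdict(list)
    for m in ENTRY.finditer(rsop_text):
        p = GPO_PATH.match(m.group("path"))
        if p:  # ignore locations that are not SYSVOL policy paths
            by_gpo[p.group("guid").upper()].append((p.group("rest"), m.group("error").strip()))
    return dict(by_gpo)

def distinct_errors(rsop_text):
    """Set of distinct error strings across all entries."""
    return {err for files in group_failures_by_gpo(rsop_text).values() for _, err in files}

if __name__ == "__main__":
    for guid, files in group_failures_by_gpo(RSOP_ERRORS).items():
        print(guid, [name for name, _ in files])
```
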