Re: Security policy cannot be propagated

From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 02/10/04


Date: Tue, 10 Feb 2004 11:44:23 -0700

Henry,

Looks like you have a good one here!
After a quick search, I came up with this article: 827012. This is talking
about a mismatch in where the security template came from. I am guessing it
might be your issue too. Maybe you can reconfigure a GPO from the same
version to see if you can get ANY security settings to apply from the
security templates of that same OS?

-- 
Derek Melber
"Henry Halter" <info.extnet@adelphia.net> wrote in message
news:A3A5B1BF-1F3C-4E15-A6E4-2E489E952F72@microsoft.com...
> I have just built a new 2003 AD domain with a single server and use a
> very large set of GPOs with the intent of administering XP clients. All the
> client-side extensions are processing the group policies correctly except
> for the Security extension. I have loaded from scratch 3 separate XP Pro
> clients and they each have this same problem. Running GPRESULT and RSOP.MSC
> on each of the clients I have verified that all the layers of group policies
> have been applied correctly except for the parts that are processed by the
> client-side Security extension. Every time I reboot the clients or execute a
> GPUPDATE /FORCE I get the following pair of messages in the Application Log:
>
>
> First:
>
> Event Type: Error
> Event Source: SceCli
> Event Category: None
> Event ID: 1001
> Date: 2/9/2004
> Time: 8:09:51 PM
> User: N/A
> Computer: ENT-LT-001
> Description:
> Security policy cannot be propagated. Cannot delete GP
> cache.
>
>
> Immediately followed by:
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1085
> Date: 2/9/2004
> Time: 8:09:51 PM
> User: NT AUTHORITY\SYSTEM
> Computer: ENT-LT-001
> Description:
> The Group Policy client-side extension Security failed to
> execute. Please look for any errors reported earlier by
> that extension.
>
>
> Running RSOP.MSC on a client there is a yellow warning indicator on the
> Computer Configuration and the Error Information shows that the Security
> Component has a Failed Status with the following:
>
> Monday, February 09, 2004 9:37:55 PM
>
> Security failed due to the error listed below.
> The I/O operation has been aborted because of either a
> thread exit or an application request.
>
> Additional Information:
> Security policy cannot be propagated.
> Cannot delete GP cache.
>
>
> Turning on UserEnvDebugLevel = 0x00010002 the following is
> recorded in UserEnv.log:
>
> USERENV(1ec.52c) 21:37:54:457 ProcessGPOList: Entering for extension Security
> USERENV(1ec.52c) 21:37:54:457 MachinePolicyCallback: Setting status UI to Applying Security policy...
> USERENV(1ec.52c) 21:37:54:477 GetWbemServices: CoCreateInstance succeeded
> USERENV(1ec.52c) 21:37:54:787 ConnectToNameSpace: ConnectServer returned 0x0
> USERENV(1ec.52c) 21:37:55:128 LogExtSessionStatus: Successfully logged Extension Session data
> USERENV(1ec.52c) 21:37:55:208 MachinePolicyCallback: Setting status UI to Applying computer settings...
> USERENV(1ec.52c) 21:37:55:208 ProcessGPOList: Extension Security returned 0x3e3.
> USERENV(1ec.52c) 21:37:55:208 ProcessGPOList: Extension Security was able to log data. RsopStatus = 0x0, dwRet =  995, Clearing the dirty bit
> USERENV(1ec.52c) 21:37:55:228 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x3e3.
>
>
> In case it matters I should say that the Domain Functional Level is Windows
> 2003, but the Forest Function Level is still at Windows 2000.
>
> I cannot find anything on how to fix or overcome this "Cannot delete GP
> cache" issue on the XP clients. I have checked all over Technet, Microsoft.com
> and elsewhere on the web. I can't even seem to find anything that even
> mentions anything about deleting a GP cache!
>
> This 2003 AD domain is virtually the same configuration and GPO
> configuration I had for a 2000 AD domain and never experienced anything like
> this.
>
> I would sure appreciate any suggestions because at the moment I cannot add
> any XP clients to this domain that will get their security settings from the
> Active Directory GPOs.
>
> Thanks in advance for any help,
>
> Henry Halter
>
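
Added example, not part of the original thread: a short Python triage pass over a UserEnv.log excerpt like the one quoted above. It rejoins mail-wrapped records, lists each client-side extension that returned a non-zero status, and decodes the status as a Win32 error, which shows that 0x3e3 in the log is the same error 995 that RSoP reports as the aborted I/O operation. The names `unwrap`, `failed_extensions` and `WIN32_ERRORS` are hypothetical, and the "Registry" record in the sample is constructed.

```python
import re

# Sample input: records from the excerpt quoted above, left wrapped and
# '>'-prefixed as a mail client delivers them. The "Registry" record is
# constructed for this example to show an extension that succeeded.
SAMPLE_LOG = """\
> USERENV(1ec.52c) 21:37:54:400 ProcessGPOList: Extension Registry returned
0x0.
> USERENV(1ec.52c) 21:37:54:457 ProcessGPOList: Entering for extension
Security
> USERENV(1ec.52c) 21:37:55:208 ProcessGPOList: Extension Security returned
0x3e3.
> USERENV(1ec.52c) 21:37:55:228 ProcessGPOs: Extension Security
ProcessGroupPolicy failed, status 0x3e3.
"""

# Small subset of Win32 error codes (winerror.h); extend as needed.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    995: "ERROR_OPERATION_ABORTED",  # "The I/O operation has been aborted ..."
}

RETURNED = re.compile(
    r"^USERENV\([0-9a-f]+\.[0-9a-f]+\)\s+(\d\d:\d\d:\d\d:\d{3})\s+"
    r"ProcessGPOList: Extension (.+?) returned\s+(0x[0-9a-fA-F]+)")

def unwrap(text):
    """Strip '>' quote prefixes and rejoin records split by line wrapping."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if line.startswith("USERENV(") or not records:
            records.append(line)        # start of a new log record
        else:
            records[-1] += " " + line   # continuation of the previous record
    return records

def failed_extensions(text):
    """Return (time, extension, code, win32_name) for each non-zero return."""
    failures = []
    for record in unwrap(text):
        m = RETURNED.match(record)
        if m and int(m.group(3), 16) != 0:
            code = int(m.group(3), 16)
            failures.append((m.group(1), m.group(2), code,
                             WIN32_ERRORS.get(code, "UNKNOWN")))
    return failures

if __name__ == "__main__":
    for row in failed_extensions(SAMPLE_LOG):
        print(row)
```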

