Re: USERENV error - Group Policy



Err... No it isn't.

The problem has returned. Although I'm now sure that the problem lies in the
permissions of either the GPO or the SYSVOL\domain\policies\{guid} folder. Or
both.

However, as per instructions, I've set these permissions correctly. I can't
leave this as everyone/full control, so what to do?



"Nadia" wrote:

SORTED!

In a further attempt to narrow down the location of the problem, I gave
Everyone/Full Control to the SYSVOL\domain\policies\{guid} folder and to the
policy object in AD (followed by a GP /force on both machines).

Of course this worked, so then I removed the Everyone/Full Control from the
folder and GPO, returning the security to normal settings, did another GP
/force on both machines and it still works. Certificate auto enrollment seems
to have kicked off on the offending machine too.

I hope this stays fixed! If anyone has an explanation of this, I'd be
interested, otherwise thanks for the help.

Nadia :)

"Nadia" wrote:

Thx AJ,

Certainly... it's 90k chars though, so instead of posting it here in 4
pieces, you can view it at http://www.netcom.hr/chris/netdiag.txt

Nadia


"AJ" wrote:

Oops, I think you have already tried that. Could you run a netdiag /v &
paste it here?

~Cheers,

Ajay Sarkaria

AJ wrote:
Hi,

This can be anything starting from DNS configuration. I hope you have
already checked it. Try this on the command prompt of the affected
server

DFSUTIL /PURGEMUPCACHE

Then run gpupdate /force to see if you get a 1704

~Cheers,

Ajay Sarkaria

Nadia wrote:
Thanks for your reply Jorge,
-Netlogon and DFS were already started
-Domain controllers have read/apply on DC policy (this policy includes the
correct bypass traverse settings)
-SYSVOL share/NTFS permissions are set correctly (inc. special permissions
and subfolders)
-EventID 1000/1001 is not logged in the App Log.
-DNS records for Domain Controllers are correct
-dfsutil /purgemupcache performed several times with no effect.
-latest SP & latest updates installed.
-I added the WaitForNetwork setting to the registry with no effect
-I've also examined the SMB signing settings, added the registry settings
with no effect.

I've also confirmed it isn't a problem with the policy itself, I've created
new policies all with the same result.

Anything else I should have looked at?


"Jorge Silva" wrote:

Hi
If Domain Controller
*Make sure that the following components are started:
-Netlogon and DFS services are started.
-Domain controllers have the read and apply rights to the Domain Controllers
Policy.
-NTFS file system permissions and share permissions are set correctly on the
Sysvol share.
Event ID 1000, 1001 is logged every five minutes in the Application event
log
http://support.microsoft.com/Default.aspx?id=290647
-DNS entries are correct for the domain controllers
-From cmd, type dfsutil /PurgeMupCache, and then press ENTER.
Make sure that you've the latest Service Pack Installed.
http://support.microsoft.com/kb/889100/
Also take a look at Registry Change (WaitForNetwork) as described here
Group Policy processing does not work and events 1030 and 1058 are logged in
the Application log of a domain controller
http://support.microsoft.com/kb/842804/en-us
In some situations a warning is also logged in Event Viewer:
Event ID: 3019
Source: MRxSmb
Description: The redirector failed to determine the connection type.
Error message: "The redirector failed to determine the connection type"
http://support.microsoft.com/kb/315244/en-us
-------------------------------------------------
If Clients Windows 2003, XP, 2000:
Applying Group Policy causes Userenv errors and events to occur on your
computers that are running Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/kb/887303
Group policies are not applied the way you expect; "Event ID 1058" and
"Event ID 1030" errors in the application log
http://support.microsoft.com/kb/314494/en-us
-------------------------------------------------
SBS Small Business Server 2003 computer
http://support.microsoft.com/kb/888943/en-us
--
*************************************************
I hope that the information above helps you
Good Luck

Jorge Silva

MCSA + Exchange + MSCE
*************************************************

"Nadia" <Nadia@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DE0EFD98-6D0F-47EF-8E90-3485D11ECC7D@xxxxxxxxxxxxxxxx
I'm getting the following error on two of my domain member
servers (both win2k3sp1):

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 6.12.2006
Time: 9:01:57
User: NT AUTHORITY\SYSTEM
Computer: RIVER03
Description:
Windows cannot access the file gpt.ini for GPO
CN={33B07064-3C8C-4337-BD6A-3425D3FB0B18},CN=Policies,CN=System,DC=river,DC=local.
The file must be present at the location
<\\river.local\SysVol\river.local\Policies\{33B07064-3C8C-4337-BD6A-3425D3FB0B18}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.

I've checked numerous settings as follows:

- that the folder is actually accessible, and the file actually exists
- registry settings on these client machines pertaining to SMB signing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
enablesecuritysignature 1
requiresecuritysignature 0
- SMB signing group policy at
Computer Configuration/Windows Settings/Security Settings/Local
Policies/Security Options
- DNS settings
- Permissions on the SYSVOL share
- NetBIOS helper service


Everything appears to be in order, but I'm still getting the USERENV error
either every 1.5 hours or so, or when I force a GP update.

Please help!
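
An added example, not part of the thread: a PowerShell check that takes the Event ID 1058 description quoted above, extracts the GPO folder it names, tries to read gpt.ini, and reports whether an Allow Everyone/Full Control entry is still present on the folder after a temporary test like the one described. The function names are hypothetical, and it assumes a PowerShell host that can reach the SYSVOL share; the read test runs as the account that launches it, whereas the event was logged for NT AUTHORITY\SYSTEM, which reaches SYSVOL as the computer account.

```powershell
# Added example, not from the thread. $eventText is the Event ID 1058
# description quoted in the original post.
$eventText = @'
Windows cannot access the file gpt.ini for GPO
CN={33B07064-3C8C-4337-BD6A-3425D3FB0B18},CN=Policies,CN=System,DC=river,DC=local.
The file must be present at the location
<\\river.local\SysVol\river.local\Policies\{33B07064-3C8C-4337-BD6A-3425D3FB0B18}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.
'@

function Get-GpoEventTarget {          # hypothetical helper name
    param([string]$Text)
    # GPO GUID from the DN, UNC path from between the angle brackets.
    $dn  = [regex]::Match($Text, 'CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies')
    $unc = [regex]::Match($Text, '<(\\\\[^>]+\\gpt\.ini)>', 'IgnoreCase')
    if (-not ($dn.Success -and $unc.Success)) { throw 'Not a Userenv 1058 gpt.ini description' }
    $path = $unc.Groups[1].Value
    [pscustomobject]@{
        Guid   = $dn.Groups[1].Value
        GptIni = $path
        Folder = [System.IO.Path]::GetDirectoryName($path)
    }
}

function Test-GpoFolderAccess {        # hypothetical helper name
    param($Target)
    if (-not (Test-Path -LiteralPath $Target.Folder)) {
        return [pscustomobject]@{ Reachable = $false; Readable = $false; EveryoneFullControl = $null }
    }
    # Read attempt as the current account (not the computer account).
    $readable = $true
    try   { Get-Content -LiteralPath $Target.GptIni -ErrorAction Stop | Out-Null }
    catch { $readable = $false; Write-Warning $_.Exception.Message }
    # Resolve ACEs to SIDs so the Everyone check (S-1-1-0) is language-independent.
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $rules = (Get-Acl -LiteralPath $Target.Folder).GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])
    $broad = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq 'S-1-1-0' -and
        ($_.FileSystemRights -band $full) -eq $full })
    [pscustomobject]@{ Reachable = $true; Readable = $readable; EveryoneFullControl = ($broad.Count -gt 0) }
}

$target = Get-GpoEventTarget -Text $eventText
$target | Format-List
Test-GpoFolderAccess -Target $target | Format-List
```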





