Re: Intermittant GPO failure to apply
- From: Games and SBS 2003 <GamesandSBS2003@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 17 Aug 2005 23:46:02 -0700
Hi,
I seem to be having a similar problem with my GPO settings. How do you check
the permissions of the sysvol?
"Charles Yang [MSFT]" wrote:
>
> Hi Nick,
>
> I will be here waiting for your updates. Please feel free to post here.
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> --------------------
> | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
> | Subject: Re: Intermittant GPO failure to apply
> | Date: Tue, 16 Aug 2005 10:53:58 +0100
> |
> | Hi Charles,
> |
> | > 1. Please kindly tell us if you have installed CRM on SBS 2003.
> |
> | Don't know what you mean by CRM so I guess no we don't have that installed.
> |
> | > 2. Please make sure that the updates that is specially for XP SP2 on SBS
> | > domain is applied. (KB 872769)
> |
> | Yes that is installed, in fact I have installed that a couple of times now
> | just to be sure.
> |
> | > 3. Make sure that client computers are pointing to the SBS server for DNS
> | > IP address. (You can check it in TCP/IP properties on client computers'
> | > NIC)
> |
> | DNS server addresses are obtained automatically via DHCP; every time I have
> | checked these with IPConfig they point to the server (192.168.16.2)
> |
> | > 4. Make sure that the TCP/IP NetBIOS Helper service is started on all
> | > computers. (You can check it by click Start -> Run, type Services.msc and
> | > click OK. Then locate the TCP/IP NetBios helper service)
> |
> | Yep starting automatically.
> |
> | > 5. Please also try to stop SMB signing on SBS domain,
> |
> | Working remotely at the moment so will try this later in the week when I am
> | on-site.
> |
> | > If possible, could you tell us more detailed about the policy on renaming
> | > administrator account policy. Could you disable this policy as test to see
> | > if the issue can be resolved.
> |
> | Administrator account renamed as per
> | http://support.microsoft.com/default.aspx?scid=kb;en-us;816109. As with all
> | other GPOs the default Security Filtering is Authenticated Users, is this ok
> | or does this GPO need some other user group here? Surely if the local
> | Administrators group is being renamed that would happen before any users had
> | logged on, that being the case why does this not fail all the time?
> |
> | I will disable this GPO as you suggest and see how it goes.
> |
> | Regards,
> | Nick
> |
> |
> |
> | >
> | > --------------------
> | > | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
> | > | Subject: Re: Intermittant GPO failure to apply
> | > | Date: Fri, 12 Aug 2005 16:19:05 +0100
> | > |
> | > | Hi Charles,
> | > |
> | > | I have installed UPHClean on all the workstations and the following events
> | > | now appear on the server:
> | > |
> | > | Event Source: Userenv
> | > | Event Category: None
> | > | Event ID: 1058
> | > | Date: 12/08/2005
> | > | Time: 09:29:47
> | > | User: NT AUTHORITY\SYSTEM
> | > | Computer: SERVER1
> | > | Description:
> | > | Windows cannot access the file gpt.ini for GPO
> | > | cn={AD7A18BD-280C-4B29-A9F2-8F491BE55657},cn=policies,cn=system,DC=OurDomain,DC=local.
> | > | The file must be present at the location
> | > | <\\OurDomain.local\SysVol\OurDomain.local\Policies\{AD7A18BD-280C-4B29-A9F2-8F491BE55657}\gpt.ini>.
> | > | (Configuration information could not be read from the domain controller,
> | > | either because the machine is unavailable, or access has been denied. ).
> | > | Group Policy processing aborted.
> | > |
> | > |
> | > | Event Source: Userenv
> | > | Event Category: None
> | > | Event ID: 1030
> | > | Date: 12/08/2005
> | > | Time: 09:29:47
> | > | User: NT AUTHORITY\SYSTEM
> | > | Computer: SERVER1
> | > | Description:
> | > | Windows cannot query for the list of Group Policy objects. Check the event
> | > | log for possible messages previously logged by the policy engine that
> | > | describes the reason for this.
> | > |
> | > | This particular GPO is for renaming the Administrator account as per
> | > | Q816109. I have checked the security permissions of
> | > | \\OurDomain.local\SysVol\OurDomain.local\Policies\{AD7A18BD-280C-4B29-A9F2-8F491BE55657}\gpt.ini
> | > | and it appears to be the same as all other GPOs.
> | > |
> | > | Nick
> | > |
> | > |
> | > | "Charles Yang [MSFT]" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in message
> | > | news:LEzjLcVmFHA.944@xxxxxxxxxxxxxxxxxxxxxxxx
> | > | > HI NICK,
> | > | >
> | > | > Thanks for the quick updates.
> | > | >
> | > | > After researching the error 1517, I found it might relate to group policy
> | > | > not being updated, you can refer to my suggestion below:
> | > | >
> | > | > Many system and service processes do work on behalf of users. When the
> | > | > work is done the system or service process is responsible for releasing
> | > | > handles it has to the user profile hive. If this is not done by the
> | > | > service as the user logs off the profile cannot be unloaded.
> | > | >
> | > | > This problem in code can be caused by improper coding either in Microsoft
> | > | > software or 3rd party software (e.g. printer drivers, virus scanner
> | > | > service, etc). With the information provided by the system there is no
> | > | > way to find out what software needs to be corrected to allow profiles to
> | > | > unload.
> | > | >
> | > | > Why we use UPHCLEAN
> | > | > ====================
> | > | > In the past these issues have been fixed by code changes to release the
> | > | > registry handle. The disadvantage of this approach is that in many cases
> | > | > multiple issues (different code paths) are causing the profiles to not
> | > | > unload. Unless all problem code paths are fixed profiles do not unload.
> | > | >
> | > | > The concept of UPHClean is to deal with these the same way the operating
> | > | > system deals with other resource issues: when a task is done resources
> | > | > (memory, handles, etc) are automatically reclaimed. UPHClean
> | > | > accomplishes this simply by monitoring for users to log off and verifying
> | > | > that unused resources are reclaimed. If they are not it reclaims the
> | > | > resource and logs its action. This approach is superior as it works for
> | > | > any known reason that profiles do not unload and also will keep working to
> | > | > address new unknown issues.
> | > | >
> | > | > Another advantage to UPHClean is that no computer restart is required to
> | > | > install it or remove it (except on Windows NT 4). You can install and
> | > | > remove UPHClean to find out whether it helps with a profile unload problem
> | > | > or not. You can do this without having to worry about what hotfix,
> | > | > service pack, feature pack, etc has been installed. Set it and forget it
> | > | > is the goal of UPHClean.
> | > | >
> | > | > By default UPHClean takes action to allow profiles to unload. You can
> | > | > choose to have UPHClean only report what processes it finds preventing
> | > | > profiles from unloading. To do this, install UPHClean and use the
> | > | > registry editor to set:
> | > | >
> | > | > HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REPORT_ONLY to 1
> | > | >
> | > | > 837115 Troubleshooting profile unload issues
> | > | > http://support.microsoft.com/?id=837115
> | > | >
> | > | > If possible please perform my steps above and paste any progress to
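
One way to answer the question at the top of this post, as an added example that is not part of the thread: it checks every GPO folder in SYSVOL for a readable gpt.ini, reports whether Authenticated Users (the default Security Filtering mentioned above) has read access, and groups the GPOs by ACL so an odd one stands out. It assumes PowerShell 3.0 or later on a domain-joined machine and reuses the placeholder domain OurDomain.local from the quoted event text.

```powershell
# Added example, not code from the thread.
# 'OurDomain.local' is the placeholder domain shown in the quoted Userenv events.
$Domain    = 'OurDomain.local'
$Policies  = "\\$Domain\SysVol\$Domain\Policies"
$AuthUsers = 'S-1-5-11'   # well-known SID of Authenticated Users
$Read      = [System.Security.AccessControl.FileSystemRights]::Read
$SidType   = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($dir in Get-ChildItem -LiteralPath $Policies -Directory) {
    $gpt = [System.IO.Path]::Combine($dir.FullName, 'gpt.ini')
    $row = [ordered]@{
        GPO = $dir.Name; GptIni = 'ok'; AuthUsersRead = $null; Owner = $null; Sddl = $null
    }
    try {
        # Throws when gpt.ini is missing or the caller may not read its ACL,
        # the two conditions event 1058 describes.
        $acl = Get-Acl -LiteralPath $gpt -ErrorAction Stop
        $row.Owner = $acl.Owner
        $row.Sddl  = $acl.Sddl
        # Ask for SIDs so the match does not depend on the OS display language.
        $rules = $acl.GetAccessRules($true, $true, $SidType)
        $row.AuthUsersRead = [bool]($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $AuthUsers -and
            ($_.FileSystemRights -band $Read) -eq $Read
        })
    } catch {
        $row.GptIni = $_.Exception.Message
    }
    [pscustomobject]$row
}

# Per-GPO result: file reachable, Authenticated Users read access, owner.
$report | Format-Table GPO, GptIni, AuthUsersRead, Owner -AutoSize

# GPOs that share an identical ACL fall into one group; a GPO whose
# permissions differ from the rest appears in a group of its own.
$report | Where-Object Sddl | Group-Object Sddl | Sort-Object Count |
    Select-Object Count, @{ n = 'GPOs'; e = { $_.Group.GPO -join ', ' } }
```

A GPO whose Security Filtering was deliberately changed to a specific group will show AuthUsersRead as False without that being a fault. The check runs with the caller's credentials, so it does not reproduce what NT AUTHORITY\SYSTEM on a workstation sees at startup.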