Re: Intermittant GPO failure to apply
- From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
- Date: Fri, 16 Sep 2005 20:09:59 +0100
1). ADS user properties Dial-In tab reports 'Could not load Dial-in profile
for this user because: Access is denied'.
2). Trend Micro Scammail 'cannot logon to server'.
3). We are now getting a lot of these in the Application log:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 16/09/2005
Time: 19:37:43
User: NT AUTHORITY\SYSTEM
Computer: OURSERVER
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.
4). Cannot edit any GPOs because 'You do not have permission to perform this
operation - Access is denied'.
The SMB GPOs are set back to the original defaults (which I wrote down
before changing them) as follows:
Default Domain policy
Network Client digitally sign communications (always): Not Defined
Network Client digitally sign communications (if server agrees): Not
Defined
Network Server digitally sign communications (always): Not Defined
Network Server digitally sign communications (if client agrees): Not
Defined
Default Domain Controllers policy
Network Client digitally sign communications (always): Not Defined
Network Client digitally sign communications (if server agrees): Not
Defined
Network Server digitally sign communications (always): Enabled
Network Server digitally sign communications (if client agrees): Enabled
Others have suggested that changing these may have altered some registry
settings that need to be set back to their previous defaults again.
Any ideas, do I need to restore from tape again?
Nick
""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:5uW8ArluFHA.580@xxxxxxxxxxxxxxxxxxxxxxxx
> HI Nick,
>
> Due to the issue you have referred, could you help me check your event
> view
> to see if there are any other error events.
>
> Could you describe the issue more clearly, could you tell me what is the
> "AD dial in access properties" not available, is there any error message
> when you access it.
>
> For the trend software, please make sure that you have client software to
> be the same setting as the server side.
>
> For the attachments, it should be the problem of our newsgroup server, I
> could not open it. If there are some information contains in it, please
> paste it as possible.
>
> I am glad to help you. Thanks a lot for your effort.
>
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
> | References: <#0yb8FPlFHA.1608@xxxxxxxxxxxxxxxxxxxx>
> <qk#JxlllFHA.3472@xxxxxxxxxxxxxxxxxxxxx>
> <u$KSRhnlFHA.1412@xxxxxxxxxxxxxxxxxxxx>
> <lF03VAwlFHA.3672@xxxxxxxxxxxxxxxxxxxxx>
> <eyM9CI1lFHA.1948@xxxxxxxxxxxxxxxxxxxx>
> <3NgMzq8lFHA.3120@xxxxxxxxxxxxxxxxxxxxx>
> <bdNyKYNmFHA.940@xxxxxxxxxxxxxxxxxxxxx>
> <OUgO7kOmFHA.1232@xxxxxxxxxxxxxxxxxxxx>
> <LEzjLcVmFHA.944@xxxxxxxxxxxxxxxxxxxxx>
> <eInxpswpFHA.2904@xxxxxxxxxxxxxxxxxxxx>
> <frb2Q85pFHA.1208@xxxxxxxxxxxxxxxxxxxxx>
> <#SZQAPZqFHA.3540@xxxxxxxxxxxxxxxxxxxx>
> <yK#Vz$dqFHA.3800@xxxxxxxxxxxxxxxxxxxxx>
> <#ba#kpyrFHA.260@xxxxxxxxxxxxxxxxxxxx>
> <QGRcwO1rFHA.1208@xxxxxxxxxxxxxxxxxxxxx>
> <#iSY7DJuFHA.1364@xxxxxxxxxxxxxxxxxxxx>
> <NJlagMZuFHA.896@xxxxxxxxxxxxxxxxxxxxx>
> | Subject: Re: Intermittant GPO failure to apply
> | Date: Thu, 15 Sep 2005 17:55:37 +0100
> | Lines: 957
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | X-RFC2646: Format=Flowed; Original
> | Message-ID: <efvRZZhuFHA.1572@xxxxxxxxxxxxxxxxxxxx>
> | Newsgroups: microsoft.public.windows.server.sbs
> | NNTP-Posting-Host: host81-130-24-138.in-addr.btopenworld.com
> 81.130.24.138
> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:153713
> | X-Tomcat-NG: microsoft.public.windows.server.sbs
> |
> | I have now set according to the following which is what I thing we had
> by
> | default:
> |
> | Default Domain Controllers policy, both Network Server Digitally Sign
> | Communications items should be ENABLED.
> | The Network Client: Digitally Sign Communications items are NOT DEFINED.
> | Default Domain policy, all four should be set to NOT DEFINED
> | as per the attached message.
> |
> | Problem is that something is still not correct, now Trend Micro Scanmail
> | cannot logon to the server also Active Directory Dial-in access
> properties
> | are not available.
> |
> | Nick
> |
> |
> | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in message
> | news:NJlagMZuFHA.896@xxxxxxxxxxxxxxxxxxxxxxxx
> | > Hi Nick,
> | >
> | > This problem should relate to SMB signing, as we checked it on our SBS
> | > test
> | > machine, all are set to not defined. So it should be your SBS domain
> need
> | > special setting.
> | >
> | > You can check to make sure that the policy for SMB signing is same on
> the
> | > client side and server side, then you can successfully authorize with
> the
> | > shared folder browsing.
> | >
> | > You can either enable or disable the SMB signing on both server and
> client
> | > side. Please also edit the group policy setting on the client side.
> (using
> | > gpedit.msc to configure the policy setting.)
> | >
> | > I also check your event log, I only found some warring which cause by
> the
> | > third party tools. For the warning 5008 for exchange, I am currently
> on
> | > researching now.
> | >
> | > Thanks for your understanding.
> | >
> | >
> | >
> | > Best regards,
> | >
> | > Charles Yang (MSFT)
> | >
> | > Microsoft CSS Online Newsgroup Support
> | >
> | > Get Secure! - www.microsoft.com/security
> | >
> | > ======================================================
> | > This newsgroup only focuses on SBS technical issues. If you have
> issues
> | > regarding other Microsoft products, you'd better post in the
> corresponding
> | > newsgroups so that they can be resolved in an efficient and timely
> manner.
> | > You can locate the newsgroup here:
> | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
> | >
> | > When opening a new thread via the web interface, we recommend you
> check
> | > the
> | > "Notify me of replies" box to receive e-mail notifications when there
> are
> | > any updates in your thread. When responding to posts via your
> newsreader,
> | > please "Reply to Group" so that others may learn and benefit from your
> | > issue.
> | >
> | > Microsoft engineers can only focus on one issue per thread. Although
> we
> | > provide other information for your reference, we recommend you post
> | > different incidents in different threads to keep the thread clean. In
> | > doing
> | > so, it will ensure your issues are resolved in a timely manner.
> | >
> | > For urgent issues, you may want to contact Microsoft CSS directly.
> Please
> | > check http://support.microsoft.com for regional support phone numbers.
> | >
> | > Any input or comments in this thread are highly appreciated.
> | > ======================================================
> | > This posting is provided "AS IS" with no warranties, and confers no
> | > rights.
> | >
> | >
> | > =====================================================
> | > When responding to posts, please "Reply to Group" via your newsreader
> so
> | > that others may learn and benefit from your issue.
> | > =====================================================
> | >
> | > This posting is provided "AS IS" with no warranties, and confers no
> | > rights.
> | >
> | > --------------------
> | > | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
> | > | References: <#0yb8FPlFHA.1608@xxxxxxxxxxxxxxxxxxxx>
> | > <qk#JxlllFHA.3472@xxxxxxxxxxxxxxxxxxxxx>
> | > <u$KSRhnlFHA.1412@xxxxxxxxxxxxxxxxxxxx>
> | > <lF03VAwlFHA.3672@xxxxxxxxxxxxxxxxxxxxx>
> | > <eyM9CI1lFHA.1948@xxxxxxxxxxxxxxxxxxxx>
> | > <3NgMzq8lFHA.3120@xxxxxxxxxxxxxxxxxxxxx>
> | > <bdNyKYNmFHA.940@xxxxxxxxxxxxxxxxxxxxx>
> | > <OUgO7kOmFHA.1232@xxxxxxxxxxxxxxxxxxxx>
> | > <LEzjLcVmFHA.944@xxxxxxxxxxxxxxxxxxxxx>
> | > <eInxpswpFHA.2904@xxxxxxxxxxxxxxxxxxxx>
> | > <frb2Q85pFHA.1208@xxxxxxxxxxxxxxxxxxxxx>
> | > <#SZQAPZqFHA.3540@xxxxxxxxxxxxxxxxxxxx>
> | > <yK#Vz$dqFHA.3800@xxxxxxxxxxxxxxxxxxxxx>
> | > <#ba#kpyrFHA.260@xxxxxxxxxxxxxxxxxxxx>
> | > <QGRcwO1rFHA.1208@xxxxxxxxxxxxxxxxxxxxx>
> | > | Subject: Re: Intermittant GPO failure to apply
> | > | Date: Tue, 13 Sep 2005 19:28:25 +0100
> | > | Lines: 680
> | > | X-Priority: 3
> | > | X-MSMail-Priority: Normal
> | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | > | X-RFC2646: Format=Flowed; Original
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | > | Message-ID: <#iSY7DJuFHA.1364@xxxxxxxxxxxxxxxxxxxx>
> | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | NNTP-Posting-Host: host81-130-40-182.in-addr.btopenworld.com
> | > 81.130.40.182
> | > | Path:
> TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
> | > | Xref: TK2MSFTNGXA01.phx.gbl
> microsoft.public.windows.server.sbs:153008
> | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > |
> | > | Charles, could you please check these settings. If I set all these
> for
> | > both
> | > | 'Default Domain Policy' and 'Default Domain Controllers Policy' to
> 'not
> | > | defined' it causes the serious server lock-out as described in the
> | > newsgroup
> | > | message attached and requires a restore from tape to fix it.
> | > |
> | > | Thanks,
> | > | Nick
> | > |
> | > |
> | > | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in
> message
> | > | news:QGRcwO1rFHA.1208@xxxxxxxxxxxxxxxxxxxxxxxx
> | > | > HI Nick,
> | > | >
> | > | > Thanks for updates.
> | > | >
> | > | > The default setting of these GPO is "not defined" for all the
> policy
> | > | > below:
> | > | >
> | > | > Network Client digitally sign communications (always)
> | > | > Network Client digitally sign communications (if server agrees)
> | > | > Network Server digitally sign communications (always)
> | > | > Network Server digitally sign communications (if client agrees)
> | > | > In addition, have you tried my steps in previous reply, I will
> also
> | > post
> | > | > here:
> | > | >
> | > | > As you referred, you have enabled the roaming profiles and folder
> | > | > redirection on SBS domain. Also in your userenv log we found it
> still
> | > | > refer
> | > | > to the same problem in ntuser.pol, by default this files will be
> | > recreate
> | > | > when logon the domain again, it seems the files is corrupt and the
> | > | > registry
> | > | > is not correct.
> | > | >
> | > | > Please temporally delete that files or rename the files to see if
> the
> | > | > issue
> | > | > can be clear. If you using roaming profiles, please check it on
> the
> | > | > server.
> | > | >
> | > | > More info:
> | > | >
> | > | > 269378 Differences in the User Profiles in Windows
> | > | > http://support.microsoft.com/?id=269378
> | > | >
> | > | >
> | > | > Hope the above information helpful.
> | > | >
> | > | >
> | > | >
> | > | > Best regards,
> | > | >
> | > | > Charles Yang (MSFT)
> | > | >
> | > | > Microsoft CSS Online Newsgroup Support
> | > | >
> | > | > Get Secure! - www.microsoft.com/security
> | > | >
> | > | > ======================================================
> | > | > This newsgroup only focuses on SBS technical issues. If you have
> | > issues
> | > | > regarding other Microsoft products, you'd better post in the
> | > corresponding
> | > | > newsgroups so that they can be resolved in an efficient and timely
> | > manner.
> | > | > You can locate the newsgroup here:
> | > | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
> | > | >
> | > | > When opening a new thread via the web interface, we recommend you
> | > check
> | > | > the
> | > | > "Notify me of replies" box to receive e-mail notifications when
> there
> | > are
> | > | > any updates in your thread. When responding to posts via your
> | > newsreader,
> | > | > please "Reply to Group" so that others may learn and benefit from
> your
> | > | > issue.
> | > | >
> | > | > Microsoft engineers can only focus on one issue per thread.
> Although
> | > we
> | > | > provide other information for your reference, we recommend you
> post
> | > | > different incidents in different threads to keep the thread clean.
> In
> | > | > doing
> | > | > so, it will ensure your issues are resolved in a timely manner.
> | > | >
> | > | > For urgent issues, you may want to contact Microsoft CSS directly.
> | > Please
> | > | > check http://support.microsoft.com for regional support phone
> numbers.
> | > | >
> | > | > Any input or comments in this thread are highly appreciated.
> | > | > ======================================================
> | > | > This posting is provided "AS IS" with no warranties, and confers
> no
> | > | > rights.
> | > | >
> | > | >
> | > | > =====================================================
> | > | > When responding to posts, please "Reply to Group" via your
> newsreader
> | > so
> | > | > that others may learn and benefit from your issue.
> | > | > =====================================================
> | > | >
> | > | > This posting is provided "AS IS" with no warranties, and confers
> no
> | > | > rights.
> | > | >
> | > | > --------------------
> | > | > | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
> | > | > | References: <#0yb8FPlFHA.1608@xxxxxxxxxxxxxxxxxxxx>
> | > | > <qk#JxlllFHA.3472@xxxxxxxxxxxxxxxxxxxxx>
> | > | > <u$KSRhnlFHA.1412@xxxxxxxxxxxxxxxxxxxx>
> | > | > <lF03VAwlFHA.3672@xxxxxxxxxxxxxxxxxxxxx>
> | > | > <eyM9CI1lFHA.1948@xxxxxxxxxxxxxxxxxxxx>
> | > | > <3NgMzq8lFHA.3120@xxxxxxxxxxxxxxxxxxxxx>
> | > | > <bdNyKYNmFHA.940@xxxxxxxxxxxxxxxxxxxxx>
> | > | > <OUgO7kOmFHA.1232@xxxxxxxxxxxxxxxxxxxx>
> | > | > <LEzjLcVmFHA.944@xxxxxxxxxxxxxxxxxxxxx>
> | > | > <eInxpswpFHA.2904@xxxxxxxxxxxxxxxxxxxx>
> | > | > <frb2Q85pFHA.1208@xxxxxxxxxxxxxxxxxxxxx>
> | > | > <#SZQAPZqFHA.3540@xxxxxxxxxxxxxxxxxxxx>
> | > | > <yK#Vz$dqFHA.3800@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | Subject: Re: Intermittant GPO failure to apply
> | > | > | Date: Thu, 1 Sep 2005 20:21:32 +0100
> | > | > | Lines: 465
> | > | > | X-Priority: 3
> | > | > | X-MSMail-Priority: Normal
> | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | > | > | X-RFC2646: Format=Flowed; Original
> | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | > | > | Message-ID: <#ba#kpyrFHA.260@xxxxxxxxxxxxxxxxxxxx>
> | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > | NNTP-Posting-Host: host81-130-59-23.in-addr.btopenworld.com
> | > 81.130.59.23
> | > | > | Path:
> | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
> | > | > | Xref: TK2MSFTNGXA01.phx.gbl
> | > microsoft.public.windows.server.sbs:150019
> | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > | > |
> | > | > | Hi Charles,
> | > | > |
> | > | > | As the SMB signing doesn't seem to make any difference I would
> like
> | > to
> | > | > set
> | > | > | them back to their defaults. Could you tell me what the default
> | > | > settings
> | > | > | were for the 'Default Domain Policy' and 'Default Domain
> Controllers
> | > | > Policy'
> | > | > | GPOs for:
> | > | > | Network Client digitally sign communications (always)
> | > | > | Network Client digitally sign communications (if server
> agrees)
> | > | > | Network Server digitally sign communications (always)
> | > | > | Network Server digitally sign communications (if client
> agrees)
> | > | > |
> | > | > | Thanks,
> | > | > | Nick
> | > | > |
> | > | > | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in
> | > message
> | > | > | news:yK%23Vz$dqFHA.3800@xxxxxxxxxxxxxxxxxxxxxxxx
> | > | > | > Hi Nick,
> | > | > | >
> | > | > | > Thanks for updates.
> | > | > | >
> | > | > | > I will waiting for your results, as I mentioned we could not
> | > | > troubleshoot
> | > | > | > the root cause of this problem via newsgroup, it might be a
> | > complex
> | > | > | > problem, as I referred many factors might blocked the GPO
> updates,
> | > | > | > firewall
> | > | > | > anti-virus software or SMB signing.
> | > | > | >
> | > | > | > Sorry for inconvenience, and thanks for your efforts.
> | > | > | >
> | > | > | >
> | > | > | >
> | > | > | > Best regards,
> | > | > | >
> | > | > | > Charles Yang (MSFT)
> | > | > | >
> | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | >
> | > | > | > Get Secure! - www.microsoft.com/security
> | > | > | >
> | > | > | > ======================================================
> | > | > | > This newsgroup only focuses on SBS technical issues. If you
> have
> | > | > issues
> | > | > | > regarding other Microsoft products, you'd better post in the
> | > | > corresponding
> | > | > | > newsgroups so that they can be resolved in an efficient and
> timely
> | > | > manner.
> | > | > | > You can locate the newsgroup here:
> | > | > | >
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
> | > | > | >
> | > | > | > When opening a new thread via the web interface, we recommend
> you
> | > | > check
> | > | > | > the
> | > | > | > "Notify me of replies" box to receive e-mail notifications
> when
> | > there
> | > | > are
> | > | > | > any updates in your thread. When responding to posts via your
> | > | > newsreader,
> | > | > | > please "Reply to Group" so that others may learn and benefit
> from
> | > your
> | > | > | > issue.
> | > | > | >
> | > | > | > Microsoft engineers can only focus on one issue per thread.
> | > Although
> | > | > we
> | > | > | > provide other information for your reference, we recommend you
> | > post
> | > | > | > different incidents in different threads to keep the thread
> clean.
> | > In
> | > | > | > doing
> | > | > | > so, it will ensure your issues are resolved in a timely
> manner.
> | > | > | >
> | > | > | > For urgent issues, you may want to contact Microsoft CSS
> directly.
> | > | > Please
> | > | > | > check http://support.microsoft.com for regional support phone
> | > numbers.
> | > | > | >
> | > | > | > Any input or comments in this thread are highly appreciated.
> | > | > | > ======================================================
> | > | > | > This posting is provided "AS IS" with no warranties, and
> confers
> | > no
> | > | > | > rights.
> | > | > | >
> | > | > | >
> | > | > | > =====================================================
> | > | > | > When responding to posts, please "Reply to Group" via your
> | > newsreader
> | > | > so
> | > | > | > that others may learn and benefit from your issue.
> | > | > | > =====================================================
> | > | > | >
> | > | > | > This posting is provided "AS IS" with no warranties, and
> confers
> | > no
> | > | > | > rights.
> | > | > | >
> | > | > | > --------------------
> | > | > | > | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
> | > | > | > | References: <#0yb8FPlFHA.1608@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > <qk#JxlllFHA.3472@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > <u$KSRhnlFHA.1412@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > <lF03VAwlFHA.3672@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > <eyM9CI1lFHA.1948@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > <3NgMzq8lFHA.3120@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > <bdNyKYNmFHA.940@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > <OUgO7kOmFHA.1232@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > <LEzjLcVmFHA.944@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > <eInxpswpFHA.2904@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > <frb2Q85pFHA.1208@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > | Subject: Re: Intermittant GPO failure to apply
> | > | > | > | Date: Thu, 25 Aug 2005 17:40:34 +0100
> | > | > | > | Lines: 305
> | > | > | > | X-Priority: 3
> | > | > | > | X-MSMail-Priority: Normal
> | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | > | > | > | X-RFC2646: Format=Flowed; Original
> | > | > | > | Message-ID: <#SZQAPZqFHA.3540@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > | > | NNTP-Posting-Host: 194.164.85.19
> | > | > | > | Path:
> | > | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
> | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl
> | > | > microsoft.public.windows.server.sbs:147801
> | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > | > | > |
> | > | > | > | Hi Charles,
> | > | > | > |
> | > | > | > | Disabling the rename administrator account GPO and others
> didn't
> | > | > seem
> | > | > to
> | > | > | > | help so have now re-enabled them.
> | > | > | > |
> | > | > | > | All SMB signing GPO settings are now set to disabled so will
> | > wait
> | > | > and
> | > | > | > see
> | > | > | > | what effect that has (must remember to reboot the server a
> few
> | > | > times).
> | > | > | > |
> | > | > | > | Workstations do indeed have Trend Micro CSM for SMB remotely
> | > | > installed
> | > | > | > and
> | > | > | > | updating from the SBS server. Problem is these workstations
> are
> | > all
> | > | > | > live
> | > | > | > so
> | > | > | > | I cannot safely leave virus checking disabled. Do you have
> any
> | > more
> | > | > | > | information about this possible Trend Micro problem?
> | > | > | > |
> | > | > | > | UPHClean is installed and reports the following error but I
> | > can't
> | > | > see
> | > | > | > how
> | > | > | > to
> | > | > | > | identify which application is actually causing this:
> | > | > | > | The following handles opened in user profile hive
> | > | > | > <DOMAINNAME>\<username>
> | > | > | > | (S-1-5-21-3513629081-3873135916-3088626867-1364) are
> preventing
> | > the
> | > | > | > profile
> | > | > | > | from unloading:
> | > | > | > | svchost.exe (888)
> | > | > | > | HKCU (0x3a0)
> | > | > | > |
> | > | > | > |
> | > | > | > | Regards,
> | > | > | > | Nick
> | > | > | > |
> | > | > | > |
> | > | > | > |
> | > | > | > | Hi,
> | > | > | > |
> | > | > | > | Thanks for updates.
> | > | > | > |
> | > | > | > | From the information you gave to me, we can not identify the
> | > root
> | > | > cause,
> | > | > | > | have you try my suggestion in my last reply, I would like to
> | > paste
> | > | > them
> | > | > | > | again:
> | > | > | > |
> | > | > | > |
> | > | > | > | FYI:
> | > | > | > |
> | > | > | > | What I means about Trend is to disable it on the client
> computer
> | > if
> | > | > you
> | > | > | > | have also deploy it on client computer, as I know there is
> some
> | > | > problem
> | > | > | > on
> | > | > | > | this software if you deploy it on client computer.
> | > | > | > |
> | > | > | > | As this is an intermittent issue, so it might need some time
> to
> | > | > | > | troubleshoot. in my previous reply, I suggest you disable
> all
> | > the
> | > | > SMB
> | > | > | > | signing on both client computer and server, please also make
> | > sure
> | > | > that
> | > | > | > you
> | > | > | > | have disable all the SMB signing on the group policy. You
> can
> | > refer
> | > | > to
> | > | > | > the
> | > | > | > | article below to disable it.
> | > | > | > |
> | > | > | > | Please refer to the following link to disable the SMB
> signing
> to
> | > see
> | > | > if
> | > | > | > the
> | > | > | > | slow network access issue will be resolved:
> | > | > | > | http://www.smallbizserver.net/Default.aspx?tabid=98
> | > | > | > |
> | > | > | > | I appreciate your effort on this issue.
> | > | > | > |
> | > | > | > |
> | > | > | > |
> | > | > | > | Best regards,
> | > | > | > |
> | > | > | > | Charles Yang (MSFT)
> | > | > | > |
> | > | > | > |
> | > | > | > | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx>
> wrote
> in
> | > | > message
> | > | > | > | news:frb2Q85pFHA.1208@xxxxxxxxxxxxxxxxxxxxxxxx
> | > | > | > | > Hi,
> | > | > | > | >
> | > | > | > | > Thanks for updates.
> | > | > | > | >
> | > | > | > | > From the information you gave to me, we can not identify
> the
> | > root
> | > | > | > cause,
> | > | > | > | > have you try my suggestion in my last reply, I would like
> to
> | > paste
> | > | > | > them
> | > | > | > | > again:
> | > | > | > | >
> | > | > | > | >
> | > | > | > | > FYI:
> | > | > | > | >
> | > | > | > | > What I means about Trend is to disable it on the client
> | > computer
> | > | > if
> | > | > | > you
> | > | > | > | > have also deploy it on client computer, as I know there is
> | > some
> | > | > | > problem
> | > | > | > on
> | > | > | > | > this software if you deploy it on client computer.
> | > | > | > | >
> | > | > | > | > As this is an intermittent issue, so it might need some
> time
> | > to
> | > | > | > | > troubleshoot. in my previous reply, I suggest you disable
> all
> | > the
> | > | > SMB
> | > | > | > | > signing on both client computer and server, please also
> make
> | > sure
> | > | > that
> | > | > | > you
> | > | > | > | > have disable all the SMB signing on the group policy. You
> can
> | > | > refer
> | > | > to
> | > | > | > the
> | > | > | > | > article below to disable it.
> | > | > | > | >
> | > | > | > | > Please refer to the following link to disable the SMB
> signing
> | > to
> | > | > see
> | > | > | > if
> | > | > | > | > the
> | > | > | > | > slow network access issue will be resolved:
> | > | > | > | > http://www.smallbizserver.net/Default.aspx?tabid=98
> | > | > | > | >
> | > | > | > | > I appreciate your effort on this issue.
> | > | > | > | >
> | > | > | > | >
> | > | > | > | >
> | > | > | > | > Best regards,
> | > | > | > | >
> | > | > | > | > Charles Yang (MSFT)
> | > | > | > | >
> | > | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | > | >
> | > | > | > | > Get Secure! - www.microsoft.com/security
> | > | > | > | >
> | > | > | > | > ======================================================
> | > | > | > | > This newsgroup only focuses on SBS technical issues. If
> you
> | > have
> | > | > | > issues
> | > | > | > | > regarding other Microsoft products, you'd better post in
> the
> | > | > | > corresponding
> | > | > | > | > newsgroups so that they can be resolved in an efficient
> and
> | > timely
> | > | > | > manner.
> | > | > | > | > You can locate the newsgroup here:
> | > | > | > | >
> | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
> | > | > | > | >
> | > | > | > | > When opening a new thread via the web interface, we
> recommend
> | > you
> | > | > | > check
> | > | > | > | > the
> | > | > | > | > "Notify me of replies" box to receive e-mail notifications
> | > when
> | > | > there
> | > | > | > are
> | > | > | > | > any updates in your thread. When responding to posts via
> your
> | > | > | > newsreader,
> | > | > | > | > please "Reply to Group" so that others may learn and
> benefit
> | > from
> | > | > your
> | > | > | > | > issue.
> | > | > | > | >
> | > | > | > | > Microsoft engineers can only focus on one issue per
> thread.
> | > | > Although
> | > | > | > we
> | > | > | > | > provide other information for your reference, we recommend
> you
> | > | > post
> | > | > | > | > different incidents in different threads to keep the
> thread
> | > clean.
> | > | > In
> | > | > | > | > doing
> | > | > | > | > so, it will ensure your issues are resolved in a timely
> | > manner.
> | > | > | > | >
> | > | > | > | > For urgent issues, you may want to contact Microsoft CSS
> | > directly.
> | > | > | > Please
> | > | > | > | > check http://support.microsoft.com for regional support
> phone
> | > | > numbers.
> | > | > | > | >
> | > | > | > | > Any input or comments in this thread are highly
> appreciated.
> | > | > | > | > ======================================================
> | > | > | > | > This posting is provided "AS IS" with no warranties, and
> | > confers
> | > | > no
> | > | > | > | > rights.
> | > | > | > | >
> | > | > | > | >
> | > | > | > | > =====================================================
> | > | > | > | > When responding to posts, please "Reply to Group" via your
> | > | > newsreader
> | > | > | > so
> | > | > | > | > that others may learn and benefit from your issue.
> | > | > | > | > =====================================================
> | > | > | > | >
> | > | > | > | > This posting is provided "AS IS" with no warranties, and
> | > confers
> | > | > no
> | > | > | > | > rights.
> | > | > | > | >
> | > | > | > | > --------------------
> | > | > | > | > | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
> | > | > | > | > | References: <#0yb8FPlFHA.1608@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > | > <qk#JxlllFHA.3472@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > | > <u$KSRhnlFHA.1412@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > | > <lF03VAwlFHA.3672@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > | > <eyM9CI1lFHA.1948@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > | > <3NgMzq8lFHA.3120@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > | > <bdNyKYNmFHA.940@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > | > <OUgO7kOmFHA.1232@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > | > <LEzjLcVmFHA.944@xxxxxxxxxxxxxxxxxxxxx>
> | > | > | > | > | Subject: Re: Intermittant GPO failure to apply
> | > | > | > | > | Date: Mon, 22 Aug 2005 12:17:58 +0100
> | > | > | > | > | Lines: 120
> | > | > | > | > | X-Priority: 3
> | > | > | > | > | X-MSMail-Priority: Normal
> | > | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | > | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | > | > | > | > | X-RFC2646: Format=Flowed; Original
> | > | > | > | > | Message-ID: <eInxpswpFHA.2904@xxxxxxxxxxxxxxxxxxxx>
> | > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > | > | > | NNTP-Posting-Host: mail.stkittsnevisregistry.net
> | > 194.164.85.19
> | > | > | > | > | Path:
> | > | > | >
> TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
> | > | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl
> | > | > | > microsoft.public.windows.server.sbs:146589
> | > | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > | > | > | > |
> | > | > | > | > | Hi Charles,
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > | UPHClean now installed and logging the following errors:
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > | Event Type: Information
> | > | > | > | > |
> | > | > | > | > | Event Source: UPHClean
> | > | > | > | > |
> | > | > | > | > | Event Category: None
> | > | > | > | > |
> | > | > | > | > | Event ID: 1501
> | > | > | > | > |
> | > | > | > | > | Date: 18/08/2005
> | > | > | > | > |
> | > | > | > | > | Time: 16:32:11
> | > | > | > | > |
> | > | > | > | > | User: <DOMAINNAME>\<username>
> | > | > | > | > |
> | > | > | > | > | Computer: <DOMAINNAME>5
> | > | > | > | > |
> | > | > | > | > | Description:
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > | The following handles opened in user profile hive
> | > | > | > | > <DOMAINNAME>\<username>
> | > | > | > | > | (S-1-5-21-3513629081-3873135916-3088626867-1364) are
> | > preventing
> | > | > the
> | > | > | > | > profile
> | > | > | > | > | from unloading:
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > | svchost.exe (888)
> | > | > | > | > |
> | > | > | > | > | HKCU (0x3a0)
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > | How can I tell what application is causing this?
> | > | > | > | > |
> | > | > | > | > | Thanks,
> | > | > | > | > | Nick
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx>
> | > wrote
> | > in
> | > | > | > message
> | > | > | > | > | news:LEzjLcVmFHA.944@xxxxxxxxxxxxxxxxxxxxxxxx
> | > | > | > | > | > HI NICK,
> | > | > | > | > | >
> | > | > | > | > | > Thanks for quickly updates.
> | > | > | > | > | >
> | > | > | > | > | > After researching the error 1517, I found it might
> relate
> | > to
> | > | > group
> | > | > | > | > policy
> | > | > | > | > | > is not update, you can refer to my suggestion below:
> | > | > | > | > | >
> | > | > | > | > | > Many system and service processes do work on behalf of
> | > users.
> | > | > | > When
> | > | > | > | > the
> | > | > | > | > | > work is done the system or service process is
> responsible
> | > for
> | > | > | > | > releasing
> | > | > | > | > | > handles it has to the user profile hive. If this is
> not
> | > done
> | > | > by
> | > | > | > the
> | > | > | > | > | > service as the user logs off the profile cannot be
> | > unloaded.
> | > | > | > | > | >
> | > | > | > | > | > This problem in code can be caused by improper coding
> | > either
> | > | > in
> | > | > | > | > Microsoft
> | > | > | > | > | > software or 3rd party software (e.g. printer drivers,
> | > virus
> | > | > | > scanner
> | > | > | > | > | > service, etc). With the information provided by the
> | > system
> | > | > there
> | > | > | > is
> | > | > | > | > no
> | > | > | > | > | > way
> | > | > | > | > | > to find out what software needs to be corrected to
> allow
> | > | > profiles
> | > | > | > to
> | > | > | > | > | > unload.
> | > | > | > | > | >
> | > | > | > | > | > Why we use UPHCLEAN
> | > | > | > | > | > ====================
> | > | > | > | > | > In the past these issues have been fixed by code
> changes
> | > to
> | > | > | > release
> | > | > | > | > the
> | > | > | > | > | > registry handle. The disadvantage of this approach is
> | > that
> | > in
> | > | > | > many
> | > | > | > | > cases
> | > | > | > | > | > multiple issues (different code paths) are causing the
> | > | > profiles
> | > | > to
> | > | > | > not
> | > | > | > | > | > unload. Unless all problem code paths are fixed
> profiles
> | > do
> | > | > not
> | > | > | > | > unload.
> | > | > | > | > | >
> | > | > | > | > | > The concept of UPHClean is to deal with these the same
> way
> | > the
> | > | > | > | > operating
> | > | > | > | > | > system deals with other resource issues: when a task
> is
> | > done
> | > | > | > resources
> | > | > | > | > | > (memory, handles, etc) are automatically reclaimed.
> | > UPHClean
> | > | > | > | > | > accomplishesthis simply by monitoring for users to log
> off
> | > and
> | > | > | > | > verifying
> | > | > | > | > | > that unused resources are reclaimed. If they are not
> it
> | > | > reclaims
> | > | > | > the
> | > | > | > | > | > resource and logsits action. This approach is
> superior
> as
> | > it
> | > | > | > works
> | > | > | > | > for
> | > | > | > | > | > any
> | > | > | > | > | > known reason that profiles do not unload and also will
> | > keep
> | > | > | > working
> | > | > | > to
> | > | > | > | > | > address new unknown issues.
> | > | > | > | > | >
> | > | > | > | > | > Another advantage to UPHClean is that no computer
> restart
> | > is
> | > | > | > required
> | > | > | > | > to
> | > | > | > | > | > install it or remove it (except on Windows NT 4). You
> can
> | > | > install
> | > | > | > and
> | > | > | > | > | > remove UPHClean to find out whether it helps with a
> | > profile
> | > | > unload
> | > | > | > | > problem
> | > | > | > | > | > or not. You can do this without having to worry about
> | > what
> | > | > | > hotfix,
> | > | > | > | > | > service
> | > | > | > | > | > pack, feature pack, etc has been installed. Set it
> and
> | > forget
> | > | > is
> | > | > | > the
> | > | > | > | > goal
> | > | > | > | > | > ofUPHClean.
> | > | > | > | > | >
> | > | > | > | > | > By default UPHClean takes action to allow profiles to
> | > unload.
> | > | > You
> | > | > | > can
> | > | > | > | > | > choose to have UPHClean only report what processes it
> | > finds
> | > | > | > preventing
> | > | > | > | > | > profiles from unloading. To do this, install UPHClean
> and
> | > use
> | > | > the
> | > | > | > | > | > registry
> | > | > | > | > | > editor to set:
> | > | > | > | > | >
> | > | > | > | > | >
> | > | > | >
> | > HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REPORT_ONLY
> | > | > | > | > to
> | > | > | > | > | > 1
> | > | > | > | > | >
> | > | > | > | > | > 837115 Troubleshooting profile unload issues
> | > | > | > | > | > http://support.microsoft.com/?id=837115
> | > | > | > | > | >
> | > | > | > | > | > If possible please perform my steps above and paste
> any
> | > | > progress
> | > | > | > to
> | > | > | > | > | > newsgroup, thanks for your effort in this issue.
> | > | > | > | > | >
> | > | > | > | > | >
> | > | > | > | > | >
> | > | > | > | > | > Best regards,
> | > | > | > | > | >
> | > | > | > | > | > Charles Yang (MSFT)
> | > | > | > | > | >
> | > | > | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | > | > | >
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | > |
> | > | > | > | >
> | > | > | > |
> | > | > | > |
> | > | > | > |
> | > | > | >
> | > | > |
> | > | > |
> | > | > |
> | > | >
> | > |
> | > |
> | > |
> | >
> |
> |
> |
>
.
- Follow-Ups:
- Re: Intermittant GPO failure to apply
- From: NickC
- Re: Intermittant GPO failure to apply
- From: "Charles Yang [MSFT]"
- Re: Intermittant GPO failure to apply
- References:
- Re: Intermittant GPO failure to apply
- From: NickC
- Re: Intermittant GPO failure to apply
- From: "Charles Yang [MSFT]"
- Re: Intermittant GPO failure to apply
- From: "Charles Yang [MSFT]"
- Re: Intermittant GPO failure to apply
- Prev by Date: Re: Applications for windows sharepoint services - companyweb
- Next by Date: Re: Kerberos Security Error 537 on log off
- Previous by thread: Re: Intermittant GPO failure to apply
- Next by thread: Re: Intermittant GPO failure to apply
- Index(es):
Relevant Pages
|
