Re: Intermittent GPO failure to apply
- From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
- Date: Sat, 24 Sep 2005 17:12:06 +0100
Charles,
Do you know which registry entries these GPOs actually change?
Thanks,
Nick
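
Each of the four "digitally sign communications" policies named in this thread corresponds to one registry value under the LanmanWorkstation or LanmanServer service key. The script below is an added example, not part of the original posts: its function names are hypothetical, the client states in part 1 are constructed, and the negotiation rules assume SMB1 behaviour as on the Windows Server 2003 generation discussed here.

```powershell
# Added example, not from the thread. Registry values behind the four policies,
# all under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters:
#   Network client ... (always)           -> LanmanWorkstation  RequireSecuritySignature
#   Network client ... (if server agrees) -> LanmanWorkstation  EnableSecuritySignature
#   Network server ... (always)           -> LanmanServer       RequireSecuritySignature
#   Network server ... (if client agrees) -> LanmanServer       EnableSecuritySignature
# A policy left at "Not Defined" writes nothing, so an earlier value can remain.

# Collapse the two DWORDs of one side into a single signing mode.
function Get-SigningMode {
    param([int]$Enable, [int]$Require)
    if ($Require -eq 1) { return 'Required' }
    if ($Enable -eq 1)  { return 'Enabled' }
    return 'Disabled'
}

# Assumption: SMB1 negotiation. A side that requires signing refuses a peer
# that has signing disabled; signing is used when neither side is disabled.
function Test-SigningPair {
    param([string]$Client, [string]$Server)
    if (($Client -eq 'Required' -and $Server -eq 'Disabled') -or
        ($Server -eq 'Required' -and $Client -eq 'Disabled')) {
        return 'FAILS (one side requires signing, the other has it disabled)'
    }
    if ($Client -ne 'Disabled' -and $Server -ne 'Disabled') { return 'signed' }
    return 'unsigned'
}

# Read both values for one service; $null marks a value that is absent.
function Read-SigningValues {
    param([string]$Service)
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service\Parameters"
    if (-not (Test-Path $path)) { return $null }
    $p = Get-ItemProperty -Path $path
    $out = [ordered]@{}
    foreach ($name in 'EnableSecuritySignature', 'RequireSecuritySignature') {
        $prop = $p.PSObject.Properties[$name]
        $out[$name] = if ($prop) { [int]$prop.Value } else { $null }
    }
    return $out
}

# Part 1: constructed scenarios. Server side as in the Default Domain
# Controllers policy quoted in the post (both server items Enabled),
# checked against three possible client states.
$server = Get-SigningMode -Enable 1 -Require 1
foreach ($c in @(
        @{ Name = 'client signing disabled'; Enable = 0; Require = 0 },
        @{ Name = 'client if-server-agrees'; Enable = 1; Require = 0 },
        @{ Name = 'client always';           Enable = 1; Require = 1 })) {
    $client = Get-SigningMode -Enable $c.Enable -Require $c.Require
    '{0,-26} vs server {1}: {2}' -f $c.Name, $server, (Test-SigningPair $client $server)
}

# Part 2: what this machine actually has in the registry right now.
foreach ($svc in 'LanmanWorkstation', 'LanmanServer') {
    $v = Read-SigningValues $svc
    if ($null -eq $v) { "$svc : key not present (not a Windows host?)"; continue }
    foreach ($name in $v.Keys) {
        $shown = if ($null -eq $v[$name]) { 'absent (OS default applies)' } else { $v[$name] }
        '{0,-18} {1,-26} = {2}' -f $svc, $name, $shown
    }
}
```

Run part 2 on both the server and a workstation and compare the output: a pairing that part 1 reports as failing is the client/server mismatch the replies below warn about.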
"NickC" <NoSpam@xxxxxxxxxxxxxx> wrote in message
news:uz4uJJvuFHA.2948@xxxxxxxxxxxxxxxxxxxxxxx
> 1). ADS user properties Dial-In tab reports 'Could not load Dial-in
> profile for this user because: Access is denied'.
> 2). Trend Micro ScanMail 'cannot logon to server'.
> 3). We are now getting a lot of these in the Application log:
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1030
> Date: 16/09/2005
> Time: 19:37:43
> User: NT AUTHORITY\SYSTEM
> Computer: OURSERVER
> Description:
> Windows cannot query for the list of Group Policy objects. Check the event
> log for possible messages previously logged by the policy engine that
> describes the reason for this.
>
> 4). Cannot edit any GPOs because 'You do not have permission to perform
> this operation - Access is denied'.
>
> The SMB GPOs are set back to the original defaults (which I wrote down
> before changing them) as follows:
> Default Domain policy
> Network Client digitally sign communications (always): Not Defined
> Network Client digitally sign communications (if server agrees): Not Defined
> Network Server digitally sign communications (always): Not Defined
> Network Server digitally sign communications (if client agrees): Not Defined
> Default Domain Controllers policy
> Network Client digitally sign communications (always): Not Defined
> Network Client digitally sign communications (if server agrees): Not Defined
> Network Server digitally sign communications (always): Enabled
> Network Server digitally sign communications (if client agrees): Enabled
>
> Others have suggested that changing these may have altered some registry
> settings that need to be set back to their previous defaults again.
>
> Any ideas, do I need to restore from tape again?
>
> Nick
>
>
> ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:5uW8ArluFHA.580@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hi Nick,
>>
>> Regarding the issue you have referred to, could you help me check your
>> event viewer to see if there are any other error events?
>>
>> Could you describe the issue more clearly? Could you tell me in what way
>> the "AD dial in access properties" are not available, and whether there is
>> any error message when you access them?
>>
>> For the Trend software, please make sure that the client software has the
>> same settings as the server side.
>>
>> As for the attachments, it should be a problem with our newsgroup server; I
>> could not open them. If there is some information contained in them, please
>> paste it if possible.
>>
>> I am glad to help you. Thanks a lot for your effort.
>>
>>
>>
>> Best regards,
>>
>> Charles Yang (MSFT)
>>
>> Microsoft CSS Online Newsgroup Support
>>
>> Get Secure! - www.microsoft.com/security
>>
>> ======================================================
>> This newsgroup only focuses on SBS technical issues. If you have issues
>> regarding other Microsoft products, you'd better post in the
>> corresponding
>> newsgroups so that they can be resolved in an efficient and timely
>> manner.
>> You can locate the newsgroup here:
>> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>>
>> When opening a new thread via the web interface, we recommend you check
>> the
>> "Notify me of replies" box to receive e-mail notifications when there are
>> any updates in your thread. When responding to posts via your newsreader,
>> please "Reply to Group" so that others may learn and benefit from your
>> issue.
>>
>> Microsoft engineers can only focus on one issue per thread. Although we
>> provide other information for your reference, we recommend you post
>> different incidents in different threads to keep the thread clean. In
>> doing
>> so, it will ensure your issues are resolved in a timely manner.
>>
>> For urgent issues, you may want to contact Microsoft CSS directly. Please
>> check http://support.microsoft.com for regional support phone numbers.
>>
>> Any input or comments in this thread are highly appreciated.
>> ======================================================
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> =====================================================
>> When responding to posts, please "Reply to Group" via your newsreader so
>> that others may learn and benefit from your issue.
>> =====================================================
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> --------------------
>> | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
>> | Subject: Re: Intermittant GPO failure to apply
>> | Date: Thu, 15 Sep 2005 17:55:37 +0100
>> | Lines: 957
>> | X-Priority: 3
>> | X-MSMail-Priority: Normal
>> | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
>> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
>> | X-RFC2646: Format=Flowed; Original
>> | Message-ID: <efvRZZhuFHA.1572@xxxxxxxxxxxxxxxxxxxx>
>> | Newsgroups: microsoft.public.windows.server.sbs
>> | NNTP-Posting-Host: host81-130-24-138.in-addr.btopenworld.com
>> 81.130.24.138
>> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
>> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:153713
>> | X-Tomcat-NG: microsoft.public.windows.server.sbs
>> |
>> | I have now set according to the following, which is what I think we had
>> | by default:
>> |
>> | Default Domain Controllers policy, both Network Server Digitally Sign
>> | Communications items should be ENABLED.
>> | The Network Client: Digitally Sign Communications items are NOT DEFINED.
>> | Default Domain policy, all four should be set to NOT DEFINED
>> | as per the attached message.
>> |
>> | Problem is that something is still not correct, now Trend Micro ScanMail
>> | cannot logon to the server, also Active Directory Dial-in access
>> | properties are not available.
>> |
>> | Nick
>> |
>> |
>> | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in
>> message
>> | news:NJlagMZuFHA.896@xxxxxxxxxxxxxxxxxxxxxxxx
>> | > Hi Nick,
>> | >
>> | > This problem should relate to SMB signing. As we checked on our SBS
>> | > test machine, all are set to not defined. So it should be that your SBS
>> | > domain needs a special setting.
>> | >
>> | > You can check to make sure that the policy for SMB signing is the same
>> | > on the client side and server side; then you can successfully authorize
>> | > with the shared folder browsing.
>> | >
>> | > You can either enable or disable the SMB signing on both server and
>> | > client side. Please also edit the group policy setting on the client
>> | > side (using gpedit.msc to configure the policy setting).
>> | >
>> | > I also checked your event log; I only found some warnings which are
>> | > caused by the third-party tools. For the warning 5008 for Exchange, I am
>> | > currently researching it.
>> | >
>> | > Thanks for your understanding.
>> | >
>> | >
>> | >
>> | > Best regards,
>> | >
>> | > Charles Yang (MSFT)
>> | >
>> | > Microsoft CSS Online Newsgroup Support
>> | >
>> | > Get Secure! - www.microsoft.com/security
>> | >
>> | >
>> | > --------------------
>> | > | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
>> | > | Subject: Re: Intermittant GPO failure to apply
>> | > | Date: Tue, 13 Sep 2005 19:28:25 +0100
>> | > |
>> | > | Charles, could you please check these settings. If I set all these for
>> | > | both 'Default Domain Policy' and 'Default Domain Controllers Policy' to
>> | > | 'not defined' it causes the serious server lock-out as described in the
>> | > | newsgroup message attached and requires a restore from tape to fix it.
>> | > |
>> | > | Thanks,
>> | > | Nick
>> | > |
>> | > |
>> | > | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in
>> message
>> | > | news:QGRcwO1rFHA.1208@xxxxxxxxxxxxxxxxxxxxxxxx
>> | > | > Hi Nick,
>> | > | >
>> | > | > Thanks for updates.
>> | > | >
>> | > | > The default setting of these GPOs is "not defined" for all the
>> | > | > policies below:
>> | > | >
>> | > | > Network Client digitally sign communications (always)
>> | > | > Network Client digitally sign communications (if server agrees)
>> | > | > Network Server digitally sign communications (always)
>> | > | > Network Server digitally sign communications (if client agrees)
>> | > | >
>> | > | > In addition, have you tried the steps in my previous reply? I will
>> | > | > also post them here:
>> | > | >
>> | > | > As you mentioned, you have enabled roaming profiles and folder
>> | > | > redirection on the SBS domain. Also, in your userenv log we found it
>> | > | > still refers to the same problem in ntuser.pol. By default this file
>> | > | > will be recreated when logging on to the domain again; it seems the
>> | > | > file is corrupt and the registry is not correct.
>> | > | >
>> | > | > Please temporarily delete that file or rename the file to see if the
>> | > | > issue can be cleared. If you are using roaming profiles, please check
>> | > | > it on the server.
>> | > | >
>> | > | > More info:
>> | > | >
>> | > | > 269378 Differences in the User Profiles in Windows
>> | > | > http://support.microsoft.com/?id=269378
>> | > | >
>> | > | >
>> | > | > Hope the above information is helpful.
>> | > | >
>> | > | >
>> | > | >
>> | > | > Best regards,
>> | > | >
>> | > | > Charles Yang (MSFT)
>> | > | >
>> | > | > Microsoft CSS Online Newsgroup Support
>> | > | >
>> | > | > Get Secure! - www.microsoft.com/security
>> | > | >
>> | > | >
>> | > | > --------------------
>> | > | > | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
>> | > | > | Subject: Re: Intermittant GPO failure to apply
>> | > | > | Date: Thu, 1 Sep 2005 20:21:32 +0100
>> | > | > |
>> | > | > | Hi Charles,
>> | > | > |
>> | > | > | As the SMB signing doesn't seem to make any difference I would like
>> | > | > | to set them back to their defaults. Could you tell me what the
>> | > | > | default settings were for the 'Default Domain Policy' and 'Default
>> | > | > | Domain Controllers Policy' GPOs for:
>> | > | > | Network Client digitally sign communications (always)
>> | > | > | Network Client digitally sign communications (if server agrees)
>> | > | > | Network Server digitally sign communications (always)
>> | > | > | Network Server digitally sign communications (if client agrees)
>> | > | > |
>> | > | > | Thanks,
>> | > | > | Nick
>> | > | > |
>> | > | > | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote
>> in
>> | > message
>> | > | > | news:yK%23Vz$dqFHA.3800@xxxxxxxxxxxxxxxxxxxxxxxx
>> | > | > | > Hi Nick,
>> | > | > | >
>> | > | > | > Thanks for updates.
>> | > | > | >
>> | > | > | > I will be waiting for your results. As I mentioned, we could not
>> | > | > | > troubleshoot the root cause of this problem via newsgroup; it might
>> | > | > | > be a complex problem. As I mentioned, many factors might block the
>> | > | > | > GPO updates: firewall, anti-virus software or SMB signing.
>> | > | > | >
>> | > | > | > Sorry for the inconvenience, and thanks for your efforts.
>> | > | > | >
>> | > | > | >
>> | > | > | >
>> | > | > | > Best regards,
>> | > | > | >
>> | > | > | > Charles Yang (MSFT)
>> | > | > | >
>> | > | > | > Microsoft CSS Online Newsgroup Support
>> | > | > | >
>> | > | > | > Get Secure! - www.microsoft.com/security
>> | > | > | >
>> | > | > | >
>> | > | > | > --------------------
>> | > | > | > | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
>> | > | > | > | Subject: Re: Intermittant GPO failure to apply
>> | > | > | > | Date: Thu, 25 Aug 2005 17:40:34 +0100
>> | > | > | > |
>> | > | > | > | Hi Charles,
>> | > | > | > |
>> | > | > | > | Disabling the rename administrator account GPO and others didn't
>> | > | > | > | seem to help so have now re-enabled them.
>> | > | > | > |
>> | > | > | > | All SMB signing GPO settings are now set to disabled so will wait
>> | > | > | > | and see what effect that has (must remember to reboot the server a
>> | > | > | > | few times).
>> | > | > | > |
>> | > | > | > | Workstations do indeed have Trend Micro CSM for SMB remotely
>> | > | > | > | installed and updating from the SBS server. Problem is these
>> | > | > | > | workstations are all live so I cannot safely leave virus checking
>> | > | > | > | disabled. Do you have any more information about this possible
>> | > | > | > | Trend Micro problem?
>> | > | > | > |
>> | > | > | > | UPHClean is installed and reports the following error but I can't
>> | > | > | > | see how to identify which application is actually causing this:
>> | > | > | > | The following handles opened in user profile hive
>> | > | > | > | <DOMAINNAME>\<username>
>> | > | > | > | (S-1-5-21-3513629081-3873135916-3088626867-1364) are preventing the
>> | > | > | > | profile from unloading:
>> | > | > | > | svchost.exe (888)
>> | > | > | > | HKCU (0x3a0)
>> | > | > | > |
>> | > | > | > |
>> | > | > | > | Regards,
>> | > | > | > | Nick
>> | > | > | > |
>> | > | > | > | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx>
>> wrote
>> in
>> | > | > message
>> | > | > | > | news:frb2Q85pFHA.1208@xxxxxxxxxxxxxxxxxxxxxxxx
>> | > | > | > | > Hi,
>> | > | > | > | >
>> | > | > | > | > Thanks for updates.
>> | > | > | > | >
>> | > | > | > | > From the information you gave me, we cannot identify the root
>> | > | > | > | > cause. Have you tried the suggestion in my last reply? I would
>> | > | > | > | > like to paste it again:
>> | > | > | > | >
>> | > | > | > | >
>> | > | > | > | > FYI:
>> | > | > | > | >
>> | > | > | > | > What I mean about Trend is to disable it on the client computer
>> | > | > | > | > if you have also deployed it on the client computer; as far as I
>> | > | > | > | > know there is some problem with this software if you deploy it
>> | > | > | > | > on a client computer.
>> | > | > | > | >
>> | > | > | > | > As this is an intermittent issue, it might need some time to
>> | > | > | > | > troubleshoot. In my previous reply, I suggested you disable all
>> | > | > | > | > the SMB signing on both the client computer and server; please
>> | > | > | > | > also make sure that you have disabled all the SMB signing in the
>> | > | > | > | > group policy. You can refer to the article below to disable it.
>> | > | > | > | >
>> | > | > | > | > Please refer to the following link to disable the SMB signing to
>> | > | > | > | > see if the slow network access issue will be resolved:
>> | > | > | > | > http://www.smallbizserver.net/Default.aspx?tabid=98
>> | > | > | > | >
>> | > | > | > | > I appreciate your effort on this issue.
>> | > | > | > | >
>> | > | > | > | >
>> | > | > | > | >
>> | > | > | > | > Best regards,
>> | > | > | > | >
>> | > | > | > | > Charles Yang (MSFT)
>> | > | > | > | >
>> | > | > | > | > Microsoft CSS Online Newsgroup Support
>> | > | > | > | >
>> | > | > | > | > Get Secure! - www.microsoft.com/security
>> | > | > | > | >
>> | > | > | > | >
>> | > | > | > | > --------------------
>> | > | > | > | > | From: "NickC" <NoSpam@xxxxxxxxxxxxxx>
>> | > | > | > | > | Subject: Re: Intermittant GPO failure to apply
>> | > | > | > | > | Date: Mon, 22 Aug 2005 12:17:58 +0100
>> | > | > | > | > |
>> | > | > | > | > | Hi Charles,
>> | > | > | > | > |
>> | > | > | > | > | UPHClean now installed and logging the following errors:
>> | > | > | > | > |
>> | > | > | > | > | Event Type: Information
>> | > | > | > | > | Event Source: UPHClean
>> | > | > | > | > | Event Category: None
>> | > | > | > | > | Event ID: 1501
>> | > | > | > | > | Date: 18/08/2005
>> | > | > | > | > | Time: 16:32:11
>> | > | > | > | > | User: <DOMAINNAME>\<username>
>> | > | > | > | > | Computer: <DOMAINNAME>5
>> | > | > | > | > | Description:
>> | > | > | > | > | The following handles opened in user profile hive
>> | > | > | > | > | <DOMAINNAME>\<username>
>> | > | > | > | > | (S-1-5-21-3513629081-3873135916-3088626867-1364) are
>> | > | > | > | > | preventing the profile from unloading:
>> | > | > | > | > |
>> | > | > | > | > | svchost.exe (888)
>> | > | > | > | > | HKCU (0x3a0)
>> | > | > | > | > |
>> | > | > | > | > | How can I tell what application is causing this?
>> | > | > | > | > |
>> | > | > | > | > | Thanks,
>> | > | > | > | > | Nick
>> | > | > | > | > |
>> | > | > | > | > | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in message
>> | > | > | > | > | news:LEzjLcVmFHA.944@xxxxxxxxxxxxxxxxxxxxxxxx
>> | > | > | > | > | > HI NICK,
>> | > | > | > | > | >
>> | > | > | > | > | > Thanks for the quick updates.
>> | > | > | > | > | >
>> | > | > | > | > | > After researching the error 1517, I found it might relate to
>> | > | > | > | > | > group policy not being updated; you can refer to my suggestion
>> | > | > | > | > | > below:
>> | > | > | > | > | >
>> | > | > | > | > | > Many system and service processes do work on behalf of users.
>> | > | > | > | > | > When the work is done the system or service process is
>> | > | > | > | > | > responsible for releasing handles it has to the user profile
>> | > | > | > | > | > hive. If this is not done by the service as the user logs off
>> | > | > | > | > | > the profile cannot be unloaded.
>> | > | > | > | > | >
>> | > | > | > | > | > This problem in code can be caused by improper coding either in
>> | > | > | > | > | > Microsoft software or 3rd party software (e.g. printer drivers,
>> | > | > | > | > | > virus scanner service, etc). With the information provided by
>> | > | > | > | > | > the system there is no way to find out what software needs to
>> | > | > | > | > | > be corrected to allow profiles to unload.
>> | > | > | > | > | >
>> | > | > | > | > | > Why we use UPHCLEAN
>> | > | > | > | > | > ====================
>> | > | > | > | > | > In the past these issues have been fixed by code changes to
>> | > | > | > | > | > release the registry handle. The disadvantage of this approach
>> | > | > | > | > | > is that in many cases multiple issues (different code paths)
>> | > | > | > | > | > are causing the profiles to not unload. Unless all problem
>> | > | > | > | > | > code paths are fixed profiles do not unload.
>> | > | > | > | > | >
>> | > | > | > | > | > The concept of UPHClean is to deal with these the same way the
>> | > | > | > | > | > operating system deals with other resource issues: when a task
>> | > | > | > | > | > is done resources (memory, handles, etc) are automatically
>> | > | > | > | > | > reclaimed. UPHClean accomplishes this simply by monitoring for
>> | > | > | > | > | > users to log off and verifying that unused resources are
>> | > | > | > | > | > reclaimed. If they are not it reclaims the resource and logs
>> | > | > | > | > | > its action. This approach is superior as it works for any
>> | > | > | > | > | > known reason that profiles do not unload and also will keep
>> | > | > | > | > | > working to address new unknown issues.
>> | > | > | > | > | >
>> | > | > | > | > | > Another advantage to UPHClean is that no computer restart is
>> | > | > | > | > | > required to install it or remove it (except on Windows NT 4).
>> | > | > | > | > | > You can install and remove UPHClean to find out whether it
>> | > | > | > | > | > helps with a profile unload problem or not. You can do this
>> | > | > | > | > | > without having to worry about what hotfix, service pack,
>> | > | > | > | > | > feature pack, etc has been installed. Set it and forget is the
>> | > | > | > | > | > goal of UPHClean.
>> | > | > | > | > | >
>> | > | > | > | > | > By default UPHClean takes action to allow profiles to unload.
>> | > | > | > | > | > You can choose to have UPHClean only report what processes it
>> | > | > | > | > | > finds preventing profiles from unloading. To do this, install
>> | > | > | > | > | > UPHClean and use the registry editor to set:
>> | > | > | > | > | >
>> | > | > | > | > | > HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REPORT_ONLY
>> | > | > | > | > | > to 1
>> | > | > | > | > | >
>> | > | > | > | > | > 837115 Troubleshooting profile unload issues
>> | > | > | > | > | > http://support.microsoft.com/?id=837115
>> | > | > | > | > | >
>> | > | > | > | > | > If possible please perform my steps above and paste any
>> | > | > | > | > | > progress to newsgroup, thanks for your effort in this issue.
>> | > | > | > | > | >
>> | > | > | > | > | > Best regards,
>> | > | > | > | > | >
>> | > | > | > | > | > Charles Yang (MSFT)
>> | > | > | > | > | >
>> | > | > | > | > | > Microsoft CSS Online Newsgroup Support
>> | > | > | > | > | >
>
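Added example, not part of any message in this thread and not UPHClean's own code: a parser for the text of UPHClean event 1501 descriptions like the one quoted above, which tallies which process image keeps showing up as the holder of profile-hive handles (useful when UPHClean runs with REPORT_ONLY set to 1). The description layout is assumed from the single event quoted in the thread, and the sample events, accounts, SIDs and the `spoolsv.exe` entry are constructed.

```python
import re
from collections import Counter

# Layout assumed from the single event quoted in the thread: a header naming
# the hive and SID, then "image.exe (pid)" lines each followed by "KEY (0xhandle)".
HIVE_RE = re.compile(r"user profile hive\s+(?P<account>.+?)\s+\((?P<sid>S-1-[0-9-]+)\)")
PROC_RE = re.compile(r"^(?P<image>\S+\.exe)\s+\((?P<pid>\d+)\)$", re.IGNORECASE)
HANDLE_RE = re.compile(r"^(?P<key>HK.*?)\s+\((?P<handle>0x[0-9a-fA-F]+)\)$")

def parse_uphclean_1501(description):
    """Return the hive owner and every process holding handles into it."""
    header = HIVE_RE.search(" ".join(description.split()))  # tolerate wrapped header
    if header is None:
        raise ValueError("not a UPHClean 1501 description")
    event = {"account": header["account"], "sid": header["sid"], "holders": []}
    current = None
    for line in (raw.strip() for raw in description.splitlines()):
        proc, handle = PROC_RE.match(line), HANDLE_RE.match(line)
        if proc:
            current = {"image": proc["image"].lower(), "pid": int(proc["pid"]), "handles": []}
            event["holders"].append(current)
        elif handle and current is not None:
            current["handles"].append((handle["key"], int(handle["handle"], 16)))
    return event

def rank_holders(descriptions):
    """Count, per image name, how many events it appears in (most frequent first)."""
    counts = Counter()
    for description in descriptions:
        images = {h["image"] for h in parse_uphclean_1501(description)["holders"]}
        counts.update(images)
    return counts.most_common()

# Constructed sample descriptions (accounts, SIDs and the spoolsv.exe entry are made up).
SAMPLE_EVENTS = [
    "The following handles opened in user profile hive EXAMPLE\\alice\n"
    "(S-1-5-21-1111111111-2222222222-3333333333-1001) are preventing the\n"
    "profile from unloading:\n\nsvchost.exe (888)\n  HKCU (0x3a0)\n",
    "The following handles opened in user profile hive EXAMPLE\\bob "
    "(S-1-5-21-1111111111-2222222222-3333333333-1002) are preventing the "
    "profile from unloading:\n\nsvchost.exe (888)\n  HKCU (0x3a0)\n"
    "spoolsv.exe (1412)\n  HKCU\\Printers (0x1f4)\n  HKCU (0x2b8)\n",
]

if __name__ == "__main__":
    for image, hits in rank_holders(SAMPLE_EVENTS):
        print(f"{image}: seen in {hits} event(s)")
```

When the recurring holder is `svchost.exe`, the image name alone does not identify the responsible service; the PID from the event has to be mapped to the services hosted in that process, for example with `tasklist /svc` while the process is still running.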