RE: Can't set Local Security policies. They fail to save
- From: v-yanniw@xxxxxxxxxxxxxxxxxxxx ("Jenny wu [MSFT]")
- Date: Tue, 08 Nov 2005 11:28:18 GMT
Hi,
Thanks for your information. After research the capture files I can not
find information I need, please kindly help me collect it again. Please
follow below steps to capture:
1. Please reboot the server box in clean boot mode (please refer to the
previous post to get steps to perform clean boot. Regarding to your capture
files, there is not any file that is captured in clean boot situation).
2. Please run command "gpmc.msc" (no quotation marks) to open Group Policy
Management console and right click the Default Domain Policy to open Group
Policy Object Editor console.
3. Locate User Configuration -> Administrative Templates -> Start Menu and
Taskbar node, please double click Add Logoff to the Start Menu item to open
it Properties page. Please check "Enabled" checkbox and then please leave
the GPO Editor console for a moment.
4. Please launch the File Monitor, click "Options" button on the menu and
choose "Filter/Highlight.." item to open filters settings configuration
page, input "sysvol" (no quotation marks) in the blank of "Include" and
ensure monitor all logs by check all checkboxes of "Log opens". Then click
Ok.
5. Switch to the GPO Editor console, click "Apply" button to apply the
change. Then you will find records in the File Monitor, please save that
and send it to me.
And also please check the group policy permissions using ADSI Edit. You can
refer to the following steps to check:
1. Please ensure that the Support Tool has been installed. The ADSI Edit
utility is located in the Support Tools folder on the Windows Server 2003
CD-ROM.
2. Click "Start", and then click "Run". In the "Open" box, type
"adsiedit.msc" (without the quotation marks), and then click "OK".
3. In the left pane, please locate ADSI Edit -> domainname -> CN = system
-> CN=Policies -> CN= {31B2F340-016D-11D2-945F-00C04FB984F9} node and right
click it and choose Properties to open Properties page, under Security tab,
please ensure appropriate user groups list here and they have proper
permissions. If not, please verify it and then try to test.
I appreciate your time and efforts to perform test and collect information.
I am happy to be further assistance of you and look forward to your reply!
Have a nice day!
Sincerely,
Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>Thread-Topic: Can't set Local Security policies. They fail to save
>thread-index: AcXjvEiUpyY2RdzKSPGA0FjqSRepag==
>X-WBNR-Posting-Host: 196.3.183.254
>From: "=?Utf-8?B?QWwtQW1pbg==?=" <AlAmin@xxxxxxxxxxxxxxxxxxxxxxxxx>
>References: <524324AD-BD69-47E0-B1F5-1DD131613BE7@xxxxxxxxxxxxx>
<6wdjMLH2FHA.3936@xxxxxxxxxxxxxxxxxxxxx>
<69F5C0BD-DB81-4E08-8FF5-F10AD70F525E@xxxxxxxxxxxxx>
<YG8yOiU2FHA.3104@xxxxxxxxxxxxxxxxxxxxx>
<461D7B7C-3963-42A5-AD51-4A5EF4754345@xxxxxxxxxxxxx>
<WIkO7ij2FHA.3936@xxxxxxxxxxxxxxxxxxxxx>
<4C1A8805-1DB9-4D63-A25C-1700C206EAB1@xxxxxxxxxxxxx>
<US7YId72FHA.1172@xxxxxxxxxxxxxxxxxxxxx>
<33GdTl72FHA.1172@xxxxxxxxxxxxxxxxxxxxx>
<76C2C2C4-F971-4909-8736-5359CE2B763D@xxxxxxxxxxxxx>
<cjwiwRt3FHA.1172@xxxxxxxxxxxxxxxxxxxxx>
>Subject: RE: Can't set Local Security policies. They fail to save
>Date: Mon, 7 Nov 2005 08:57:06 -0800
>Lines: 318
>Message-ID: <D9E3CD0E-847A-48C1-8F34-DFB31B892C67@xxxxxxxxxxxxx>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 8bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:168324
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>Hi Jenny.
>Sorry for the delay in replying. I had problems with my internet access.
>1. I created new GPO's and configured some settings. They work well until
i
>reboot then i'm back to the same problem.
>2. When i try to change settings for default domain policy it gives the
same
>error "An extended error has occurred. Failed to save
>\\AIPDC.local\sysvol\AIPDC.local\Policies\{31B2F340-016D-11D2-945F-00C04FB9
8
>3. I did a clean boot and the problem still persisted.
>
>I have downloaded the Filemon monitoring utility and ran it as directed. I
>have e-mailed the results to you. Hope it's of help. Thanks and don't
>hesitate to let me know if there are any more tests you want me to do.
>--
>AIP Admin
>
>
>""Jenny wu [MSFT]"" wrote:
>
>> Hi,
>>
>> Thanks for your update!
>>
>> I am sorry for the delayed response due to weekend. Please understand
that
>> the newsgroups are staffed weekdays by Microsoft Support professionals
to
>> answer your systems and applications questions. Your understanding is
>> greatly appreciated!
>>
>> For time critical issues (not business down), we encourage you to
contact
>> CSS directly for more immediate assistance:
>> International Support (non-US/Canada):
>> http://support.microsoft.com/common/international.aspx
>>
>> US and Canada:
>> http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone
>>
>> To continue working with me in the newsgroups, please see the following:
>>
>> 1. Please try to create a new GPO and configure some settings to test,
how
>> about the result?
>> 2. Please try to change settings of Security Settings and Administrative
>> Templates settings, does the issue happen? Also please try to change
some
>> settings of the Default Domain Policy, how about the result?
>> 3. Please try to perform a clean boot to check if there is any
application
>> conflict.
>>
>> A Clean Boot will allow us to isolate any device drivers or programs
that
>> are loading at startup that may be causing a conflict with other device
>> drivers or programs that are installed in your computer.
>>
>> 1) Run MSCONFIG.EXE.
>> 2) In the Services tab, click "Hide All Microsoft Services" and click
>> "Disable All".
>> 3) In the Startup tab, click "Disable All". Click OK. (This will
>> temporarily prevent third-party programs from running automatically
during
>> start-up.)
>> 4) Restart the computer and check whether the problem still persists.
>>
>> If the problem does not occur, it indicates that the problem is related
to
>> one application or service we have disabled. You can use the MSCONFIG
tool
>> again to re-enable the disabled item one by one to find out the culprit.
>>
>> If the issue persists, please try to use Regmon and Filemon to monitor
the
>> issue and try to find the exact cause:
>>
>> Filemon and Regmon are free monitoring utilities from
www.sysinternals.com
>> available for download. They allow you to monitor file and registry
access
>> on a machine. When you start either one of these utilities
>> (Filemon.exe,Regmon.exe), you will notice that they start monitoring
>> activity on your machine right away. Are goal in running these
utilities
>> is to capture file and registry activity during the sequence of events
that
>> causes the problem you are experiencing. Please use the following steps
to
>> capture data with these utilities. You will need to follow the steps
below
>> for both utilities.
>>
>> Download page:
>>
>> http://www.sysinternals.com/ntw2k/utilities.shtml
>>
>> 1. Familiarize yourself with the Capture and Clear buttons below the
menu
>> bar. You can alternatively use Ctrl+E and Ctrl+X.
>>
>> 2. Stop the capture and clear the current events. This will allow us to
>> capture minimal activity. There will be some activity that will be
>> extraneous, but that's okay. We would rather have to much data then not
>> capture the correct events.
>>
>> 3. Make sure your application is in a state where you are ready to
>> reproduce the problem (change some settings of GPO).
>>
>> NOTE: In order to see minimal traffic from the utilities close all other
>> applications that are not involved in the test.
>>
>> 4. Click the capture button or use Ctrl+E to start capturing data.
>>
>> 5. Reproduce the problem. (close the GPO snap in)
>>
>> 6. Stop the capture by clicking the 'Capture' button or use Ctrl+E.
>>
>> 7. Save each capture to a file, zip them up and send them to me for
review,
>> my mailbox is: v-yanniw@xxxxxxxxxxxxx
>>
>> Have a nice day!
>>
>> Sincerely,
>>
>> Jenny Wu
>> Microsoft CSS Online Newsgroup Support
>> Get Secure! - www.microsoft.com/security
>> ======================================================
>> This newsgroup only focuses on SBS technical issues. If you have issues
>> regarding other Microsoft products, you'd better post in the
corresponding
>> newsgroups so that they can be resolved in an efficient and timely
manner.
>> You can locate the newsgroup here:
>> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>>
>> When opening a new thread via the web interface, we recommend you check
the
>> "Notify me of replies" box to receive e-mail notifications when there
are
>> any updates in your thread. When responding to posts via your
newsreader,
>> please "Reply to Group" so that others may learn and benefit from your
>> issue.
>>
>> Microsoft engineers can only focus on one issue per thread. Although we
>> provide other information for your reference, we recommend you post
>> different incidents in different threads to keep the thread clean. In
doing
>> so, it will ensure your issues are resolved in a timely manner.
>>
>> For urgent issues, you may want to contact Microsoft CSS directly.
Please
>> check http://support.microsoft.com for regional support phone numbers.
>>
>> Any input or comments in this thread are highly appreciated.
>> ======================================================
>> This posting is provided "AS IS" with no warranties, and confers no
rights.
>>
>> --------------------
>> >Thread-Topic: Can't set Local Security policies. They fail to save
>> >thread-index: AcXd/PqS5RvQYzYCRZCzNYQuLEoyhg==
>> >X-WBNR-Posting-Host: 62.173.36.24
>> >From: "=?Utf-8?B?QWwtQW1pbg==?=" <AlAmin@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> >References: <524324AD-BD69-47E0-B1F5-1DD131613BE7@xxxxxxxxxxxxx>
>> <6wdjMLH2FHA.3936@xxxxxxxxxxxxxxxxxxxxx>
>> <69F5C0BD-DB81-4E08-8FF5-F10AD70F525E@xxxxxxxxxxxxx>
>> <YG8yOiU2FHA.3104@xxxxxxxxxxxxxxxxxxxxx>
>> <461D7B7C-3963-42A5-AD51-4A5EF4754345@xxxxxxxxxxxxx>
>> <WIkO7ij2FHA.3936@xxxxxxxxxxxxxxxxxxxxx>
>> <4C1A8805-1DB9-4D63-A25C-1700C206EAB1@xxxxxxxxxxxxx>
>> <US7YId72FHA.1172@xxxxxxxxxxxxxxxxxxxxx>
>> <33GdTl72FHA.1172@xxxxxxxxxxxxxxxxxxxxx>
>> >Subject: RE: Can't set Local Security policies. They fail to save
>> >Date: Mon, 31 Oct 2005 01:25:05 -0800
>> >Lines: 338
>> >Message-ID: <76C2C2C4-F971-4909-8736-5359CE2B763D@xxxxxxxxxxxxx>
>> >MIME-Version: 1.0
>> >Content-Type: text/plain;
>> > charset="Utf-8"
>> >Content-Transfer-Encoding: 8bit
>> >X-Newsreader: Microsoft CDO for Windows 2000
>> >Content-Class: urn:content-classes:message
>> >Importance: normal
>> >Priority: normal
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>> >Newsgroups: microsoft.public.windows.server.sbs
>> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>> >Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>> >Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:166145
>> >X-Tomcat-NG: microsoft.public.windows.server.sbs
>> >
>> >Hi Jenny Hope you had a nice weekend.
>> >I imported the default Group Policies from a fresh SBS Installation as
per
>> >your instructions.
>> >Afterwards I was able to set the Local Security Policies for the Domain
>> and
>> >Domain controller which it finally allowed me to do. All the problems I
>> was
>> >having were resolved until I rebooted the server box and we went back
to
>> how
>> >its was before. The settings were saved but I can't re-define them. It
>> gives
>> >me the error
>> >" An extended error has occurred. Failed to save
>>
\\AIPDC.local\sysvol\AIPDC.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
>> 4F9}\Machine\Microsoft\WindowsNT\SecEdit\GptTmpl.inf"
>> >
>> >I thought that maybe it didn't save properly so i did the import of
>> default
>> >policies again. Just for the same thing to happen after re-booting.
>> >
>> >Also whenever I reboot the server i find this error in the application
log
>> >Source Userenv
>> >Category None
>> >Event ID 1030
>> >User Admin
>> >Computer Server
>> >"Windows cannot query for the list of Group Policy objects. Check the
>> event
>> >log for possible messages previously logged by the policy engine that
>> >describes the reason for this."
>> >
>> >Do you think this has anything to do with the problem.
>> >Thanks for everything and waiting for your reply. At least I'm half way
to
>> >breathing a sigh of relief
>> >
>> >
>> >
>> >
>> >I couldn't acce
>> >--
>> >AIP Admin
>> >
>> >
>> >""Jenny wu [MSFT]"" wrote:
>> >
>> >> Hi,
>> >>
>> >> I am sorry, but what is your valid mail address? You can mail me to
tell
>> >> the inforamtion, my mailbox is: v-yanniw@xxxxxxxxxxxxx
>> >>
>> >> Thanks!
>> >>
>> >> Have a nice weekend!
>> >>
>> >> Sincerely,
>> >>
>> >> Jenny Wu
>> >> Microsoft CSS Online Newsgroup Support
>> >> --------------------
>> >> >Newsgroups: microsoft.public.windows.server.sbs
>> >> >From: v-yanniw@xxxxxxxxxxxxxxxxxxxx ("Jenny wu [MSFT]")
>> >> >Organization: Microsoft
>> >> >Date: Fri, 28 Oct 2005 12:01:07 GMT
>> >> >Subject: RE: Can't set Local Security policies. They fail to save
>> >> >X-Tomcat-NG: microsoft.public.windows.server.sbs
>> >> >MIME-Version: 1.0
>> >> >Content-Type: text/plain
>> >> >Content-Transfer-Encoding: 7bit
>> >> >
>> >> >Hi,
>> >> >
>> >> >Thanks for your update! I have attached the default group policy
backup
>> >> >file in mail, please try to import these files to reset your domain
>> group
>> >> >policy.
>> >> >
>> >> >Note: Before do this process, please take a full backup of SBS
server
>> box
>> >> >in case unexpected thing, you can restore:
>> >> >
>> >> >Backing Up and Restoring Windows Small Business Server 2003
>> >>
>>
>http://download.microsoft.com/download/b/d/8/bd8e1a40-d202-429a-8eb7-26300d
>> >> 6
>> >> >2bcc9/BKU_BkupRstr.doc
>> >> >
>> >> >You can refer to the following steps to import default group policy:
>> >> >1. Run command "gpmc.msc" (no quotation marks) to open Group Policy
>> >> >Management console.
>> >> >2. Locate Forest servername -> Group Policy Objects, right click
>> Default
>> >> >Domain Controllers Policy and choose Import Settings �¡� item
to
>> import
>> >> >appropriate group policy from backup file I sent you.
>> >> >3. Repeat step 2 to import these default group policies.
>> >> >4. After please check if these group policy object links to
appropriate
>> OU
>> >> >(still in the Group Policy Management console):
>> >> >
>> >> >a. Go to Forest servername -> Domains -> servername.local, there are
>> >> >following group policies links to it:
>> >> >+++Default Domain Policy
>> >> >+++Small Business Server Client Computer
>> >> >+++Small Business Server Domain Password Policy
>> >> >+++Small Business Server Internet Connection Firewall
>> >> >+++Small Business Server Lockout Policy
>> >> >+++Small Business Server Remote Assistance Policy
>> >> >+++Small Business Server Windows Firewall
>> >> >
>> >> >b. Go to Forest servername -> Domains -> Domain Controllers, there
are
>> >> >following group policies links to it:
>> >> >+++Default Domain Controllers Policy
>> >> >+++Small Business Server Auditing Policy
>> >> >
>> >> >c. Go to Forest servername -> Domains -> MyBusiness -> Security
Groups,
>> >> >there are following group policies links to it:
>> >> >+++Default Domain Policy
>> >> >
>> >> >If not, please try to correct, and then try to test to see if the
issue
>> be
>> >> >fixed.
>> >> >
>> >> >I appreciate your time and efforts to the issue. I am happy to be
>> >> >assistance of you and look forward to your reply!
>> >> >
>> >> >Have a nice day!
>> >> >
>> >> >Sincerely,
>> >> >
>> >> >Jenny Wu
>> >> >Microsoft CSS Online Newsgroup Support
>> >> >Get Secure! - www.microsoft.com/security
>> >> >======================================================
>> >> >This newsgroup only focuses on SBS technical issues. If you have
issues
>> >> >regarding other Microsoft products, you'd better post in the
>> corresponding
>> >> >newsgroups so that they can be resolved in an efficient and timely
>> manner.
>> >> >You can locate the newsgroup here:
>> >> >http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>> >> >
>> >> >When opening a new thread via the web interface, we recommend you
check
>> >> the
>> >> >"Notify me of replies" box to receive e-mail notifications when
there
>> are
>> >> >any updates in your thread. When responding to posts via your
>> newsreader,
>> >> >please "Reply to Group" so that others may learn and benefit from
your
>> >> >issue.
>> >> >
>> >> >Microsoft engineers can only focus on one issue per thread. Although
we
>> >> >provide other information for your reference, we recommend you post
>
.
- Prev by Date: RE: ISA 2004 and RRAS
- Next by Date: Cannot access companyweb
- Previous by thread: RE: "connect using terminal services" - small screen on server
- Next by thread: RE: Can't set Local Security policies. They fail to save
- Index(es):
Relevant Pages
|
