RE: domain controller security policy disabled
- From: v-robeli@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
- Date: Thu, 31 May 2007 08:59:30 GMT
Hi Song,
Thanks for updating.
I'd like to give you some information about SMB signing.
SMB signing is designed to protect against man-in-the-middle attacks but
will reduce network performance because every packet has to be signed, and
every packet has to be decrypted.
To disable SMB signing in Windows 2003, perform the following steps.
1. Open gpmc.MSC
2. Open the "Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options" folder.
3. Locate the "Microsoft network server: Digitally sign communications
(always)" policy setting, and then click "Disabled" or "Do Not Configure".
You can also modify the following key to disable SMB signing.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
Please also try the following:
Step 1: Run the net share command, can you see the following:
SYSVOL C:\WINDOWS\SYSVOL\sysvol Logon server share
Step 2: Take the steps in the following KB:
Group Policy Error Message When Appropriate Sysvol Contents Are Missing
http://support.microsoft.com/kb/253268
294257 "Failed to Open the Group Policy Object" Error Message Occurs When You
http://support.microsoft.com/?id=294257
Step 3: Run dcgpofix to repair the default domain policy.
DCGPOFIX.EXE will restore the Default Domain Policy and the Default Domain
Controller Policy to original default settings. It does not affect other
GPOs on SBS server.
Note: This tool can restore default domain policy and default domain
controllers policy. When you run dcgpofix, you will lose any changes made
to these Group Policy objects. So please perform a complete backup first.
To restore Domain only, Domain Controller only, or both at the same time,
the commands are as follows:
dcgpofix /target:domain
or
dcgpofix /target:dc
or
dcgpofix /target:both
For more information, please refer to:
Restore Default Group Policy Objects
http://www.microsoft.com/resources/documentation/windowsserv/2003/enterprise/proddocs/en-us/dcgpofix.asp
I am looking forward to hearing from you.
If you need further assistance, please don't hesitate to let me know.
Best regards,
Robert Li(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
<From: =?Utf-8?B?U29uZyBUYW4=?= <SongTan@xxxxxxxxxxxxxxxxxxxxxxxxx>
<Subject: RE: domain controller security policy disabled
<Date: Wed, 30 May 2007 09:15:04 -0700
<
<
<I am lost here. Can you elaborate please
<
<NOTE: The policies are under ''Windows Settings'' -> ''Security Settings''
<-> ''Local Policies'' -> ''Security Options''
<
<Song
<
<
<"Robert Li [MSFT]" wrote:
<
<> Hi Song,
<>
<> Thanks for sending MPS Report to me.
<>
<> I am sorry for the delay.
<>
<> I researched your MPS Report and found lots of Event ID: 1030 and 1058.
<> Please take the following steps to see if the problem can be resolved:
<>
<> 1. Close your Windows Firewall or third-party firewall to see if the issue
<> reoccurs.
<>
<> 2. Check the following services to see if they are started.
<>
<> 1) Netlogon services.
<> 2) Remote Registry.
<> 3) IPSec Services.
<>
<> 3. Sometimes, the SMB signing enabled on the network will cause this issue.
<> I suggest you disable SMB signing and test the issue again.
<>
<> A. On the SBS server, run "gpmc.msc" and make sure the following policies
<> (10 in total) are all ''Disable'' (instead of ''Not defined'') in BOTH
<> ''Default Domain Security Policy'' and ''Default Domain Controller Security
<> Policy'':
<>
<> NOTE: The policies are under ''Windows Settings'' -> ''Security Settings''
<> -> ''Local Policies'' -> ''Security Options''.
<>
<> 1) Microsoft network client: Digitally sign communications (always):
<> Disabled
<> 2) Microsoft network client: Digitally sign communications (if server
<> agrees): Disabled
<> 3) Microsoft network server: Digitally sign communications (always):
<> Disabled
<> 4) Microsoft network server: Digitally sign communications (if client
<> agrees): Disabled
<> 5) Network security: LAN Manager authentication level: Send LM & NTLM - use
<> NTLMv2 session security if negotiated
<> 6) Run gpupdate /force to force all the group policies
<>
<> 3. Download and install UPHClean
<> http://www.microsoft.com/downloads/details.aspx?FamilyId=1B286E6D-8912-4E18-B570-42470E2F3582,
<> then reboot.
<>
<> 4. Install Dfsutil.exe Tool.
<>
<> To install this tool, run \\SUPPORT\TOOLS\SUPTOOLS.MSI from your Windows
<> Server 2003 CD-ROM. You can also extract the support tools directly from
<> the \\SUPPORT\TOOLS\SUPPORT.CAB file.
<>
<> To run the Dfsutil.exe file, follow these steps:
<>
<> 1)Click Start, click Run, type cmd in the Open box, and then click OK.
<>
<> 2)At the command prompt, type dfsutil /PurgeMupCache, and then press ENTER.
<>
<> For more information, please refer to User Profile Hive Cleanup Service
<>
<> http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
<>
<> Group Policy processing does not work and events 1030 and 1058 are logged
<> in the Application log of a domain controller
<>
<> http://support.microsoft.com/kb/842804
<>
<> Hope the information helps.
<>
<> If you need further help, please don't hesitate to let me know.
<>
<> Best regards,
<>
<> Robert Li(MSFT)
<>
<> Microsoft CSS Online Newsgroup Support
<>
<> Get Secure! - www.microsoft.com/security
<>
<>
<> --------------------
<> <From: v-robeli@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
<> <Organization: Microsoft
<> <Date: Thu, 19 Apr 2007 03:07:11 GMT
<> <Subject: RE: domain controller security policy disabled
<> <
<> <Hi Song,
<> <
<> <Thanks for posting in our newsgroup.
<> <
<> <From your description, I know that when you try to open "domain controller
<> <security policy" and "domain security policy", you get error "Failed to
<> <open Group Policy Object. You may not have appropriate rights." If I am
<> <off-base, please don't hesitate to let me know.
<> <
<> <Please let me know the following to make the situation clearer:
<> <
<> <1. Logon as another domain administrator, will the same issue occur?
<> <2. Do you have an additional DC in the network?
<> <
<> <Please take the following steps to see if the problem can be resolved:
<> <
<> <Step 1: Check the services status
<> <
<> <1) Run ''services.msc'' to bring up the Services console.
<> <2) In the right pane, make sure the following services are started, if not,
<> <change ''Service Status'' to ''Automatic'', and then restart the System to
<> <take effect:
<> <
<> < TCP/IP NetBIOS Helper Service
<> < Messenger service
<> <
<> <Step 2: Check NetBIOS over TCP/IP setting:
<> <
<> <1) Open ''Network and Dial-up Connections''.
<> <2) Right click the LAN interface to choose Properties, double click
<> <''Internet Protocol (TCP/IP)'', and then click ''Advanced''.
<> <3) Switch to the ''WINS'' tab, and then make sure ''Enable NetBIOS over
<> <TCP/IP'' is checked. If not, enable it.
<> <4) Do the same thing to all the other network interfaces.
<> <
<> <Step 3: The problem occurs when the Domain Administrators group has been
<> <denied access to the GPO. You can use the DSACLS tool that is included in
<> <the Support Tools for Windows 2000 and Windows Server 2003, to remove the
<> <Deny Access permissions from the Domain Administrators group. For the
<> <detailed steps, please refer to the KB 294257.
<> <
<> <"Failed to Open the Group Policy Object" Error Message Occurs When You Try
<> <to Open a Policy As a Domain Administrator
<> <http://support.microsoft.com/kb/294257
<> <
<> <Step 4: Please check the following registry key:
<> <
<> <1. Open registry.
<> <2. Make sure HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command
<> <is set to %SystemRoot%\system32\mmc.exe "%1" %*
<> <
<> <For more information, please refer to:
<> <
<> <290647 Event ID 1000, 1001 Is Logged Every Five Minutes in the
<> <Application - http://support.microsoft.com/?id=290647
<> <
<> <If the problem still exists, please help me collect MPS Report on the
<> <problematic client computer.
<> <
<> <1. Visit
<> <http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE
<> <to download the file.
<> <2. Run the MPSRPT_NETWORK.EXE on the server box.
<> <3. Wait for 10~15 minutes.
<> <4. Open Windows explorer, navigate to
<> <%SYSTEMROOT%\MPSReports\Network\Reports\cab\
<> <5. Send the .cab file to v-robeli@xxxxxxxxxxxxx with subject:
<> <38812255-domain controller security policy disabled.
<> <
<> <If you need further assistance, please don't hesitate to let me know.
<> <
<> <Best regards,
<> <
<> <Robert Li(MSFT)
<> <
<> <Microsoft CSS Online Newsgroup Support
<> <
<> <Get Secure! - www.microsoft.com/security
<> <
<> <
<> <--------------------
<> <<From: =?Utf-8?B?U29uZyBUYW4=?= <SongTan@xxxxxxxxxxxxxxxxxxxxxxxxx>
<> <<Subject: domain controller security policy disabled
<> <<Date: Wed, 18 Apr 2007 09:26:02 -0700
<> <<
<> <<Somehow our "domain controller security policy" and "domain security policy"
<> <<under the administrative tools were disabled. Don't know when that happened
<> <<until yesterday I tried to open it.
<> <<
<> <<The error is as follows:
<> <<Failed to open Group Policy Object. You may not have appropriate rights.
<> <<
<> <<Details
<> <<The system cannot find the path specified
<> <<
<> <<It had a close button. When I clicked on close the default domain controller
<> <<security settings showed up. Within the window it had Group Policy Object
<> <<editor with a red "x".
<> <<
<> <<I would like to know how do I go about fixing this
<> <<
<> <<Thanks in advance for your response
<> <<
<> <<
<> <<
<> <
<> <
<>
<>
<
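Added example (not part of the original posts): a read-only PowerShell check of the SMB signing registry values named in the reply above, so the state can be recorded before the change and confirmed after it. It assumes PowerShell is installed on the server; the LanmanWorkstation key for the client-side settings and the helper name Get-SmbSigningState are additions made here, not taken from the thread.

```powershell
# Added example: read-only check of the SMB signing values named in the post.
# Assumption: the LanmanWorkstation key (client side) is added here; the post
# lists only lanmanserver\parameters.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$targets = @(
    @{ Role = 'Microsoft network server'; Key = "$base\LanmanServer\Parameters" },
    @{ Role = 'Microsoft network client'; Key = "$base\LanmanWorkstation\Parameters" }
)

# Hypothetical helper name; returns one object per role.
function Get-SmbSigningState {
    param([string]$Role, [string]$Key)

    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    # An absent value stays $null so it is reported, not guessed at.
    $require = $null
    $enable  = $null
    if ($props) {
        $require = $props.RequireSecuritySignature
        $enable  = $props.EnableSecuritySignature
    }

    if ($require -eq 1) {
        $state = 'Digitally sign communications (always): Enabled'
    } elseif ($enable -eq 1) {
        $state = 'Signing only if the other side agrees'
    } elseif (($require -eq 0) -and ($enable -eq 0)) {
        $state = 'Signing disabled'
    } else {
        $state = 'Value(s) not set in the registry'
    }

    New-Object PSObject -Property @{
        Role = $Role; RequireSecuritySignature = $require
        EnableSecuritySignature = $enable; State = $state
    }
}

$targets | ForEach-Object { Get-SmbSigningState -Role $_.Role -Key $_.Key } |
    Select-Object Role, RequireSecuritySignature, EnableSecuritySignature, State |
    Format-Table -AutoSize
```

Run it once before editing the policy or registry and again after gpupdate /force; keeping the first output makes it straightforward to put the original values back once the Group Policy test is finished.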