Re: GPO causing client security logs to fill?



Ok,

So you've seen the list.

Several questions/comments.

1) OK, in the previous post there was a comment to the effect that the settings
as applied by the wizard cannot be trusted, or that is why the default
domain/default domain controller policies were edited. Do you disagree with
this comment?

2) If so, should I go back and undo the changes and set it the way you are
suggesting or leave it?

3) You are correct. An actual linking change was not suggested. I misstated
that part. The suggested change was to the password complexity setting. I
added the link because I saw that this was the location of that specific
setting in the actual GPOs; in other words, I was trying to follow the same
model. My mistake.

4) Is there an audit log somewhere so that we can undo the changes of the
last several days? I have taken notes, but perhaps it would be good to verify.

5) Based on what you have seen from the list that I posted would this
account for the added items in the security logs?

Thanks so much.

"kj" wrote:

LDD15 wrote:
In answer to both of your questions, I am pasting the text from a
previous thread below. In summary we were having a sudden issue with
client logon failures. In this same newsgroup I posted a thread
titled "Client Logon Failure". Below are two sections of text that
result from that thread and from an email which was external to the
thread. I am under the impression that all of this work was for naught,
as I believe the actual problem was a result of Time32 issues.

In summary, the following was changed. I modified the account lockout
policies as instructed below. This was done in the Group Policy
Objects. I realize that as a rule you are only supposed to change the
linked GPOs as opposed to the actual GPOs themselves. However, I
did find an article in the MS KB that said that account/password
items should be changed in the actual GPOs.

So basically, the Account lockout threshold, account lockout duration
and the account lockout reset were changed. I believe this was
changed in both the Default Domain Policy and the Default Domain
Controller Policy.

Also, per recommendations a linked GPO was made to the Default Domain
Controller Policy to set the "required password complexity
requirements" to enabled.

If this is not enough info please let me know.

First, Password policy (in SBS) should be set using the wizard and is only
effective when linked on the Domain (Small Business Domain Password Policy,
Small Business Server Lockout Policy). Second, adding another policy link
probably changed the GPO precedence. Also, it is not really a good idea to
modify "default" (domain or domain controller) policy settings. It's better
to add additional Group Policy Objects, then link them accordingly and order
precedence.

Unfortunately the recommendations are not Small Business Server specific,
but rather generic Windows 2003 / AD ones. I may be missing it, but I don't see
where any GPO linking change was suggested.

If you have the details of what new GPO links were made, I'd consider
undoing (unlinking) the new links.

Btw, Audit log settings for the client computers are set in the "Small
Business Client Computers" Group Policy Object and I believe should be at
link precedence order 3 in the domain policy list. Perhaps post a list of what
policies you have linked there and what order they are in.


Thank you both.
_________________________________________________________________________
From: Terence Liu (CS&S) [mailto:v-terliu@xxxxxxxxxxxxx]
Sent: Thursday, June 14, 2007 7:01 AM
To: Don Emerson
Subject: RE: Client Logon Failure (39270465-Client Logon Failure)

Hello Don,

Thank you for the kind update.

In your client event log, I find many instances of error message 1053:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 2007-2-10
Time: 14:06:27
User: NT AUTHORITY\SYSTEM
Computer: MARMAC1

Description:

Windows cannot determine the user or computer name. (An internal error
occurred. ). Group Policy processing aborted.

1. I agree with you. This is mostly a virus related issue. The other 2
workstations may have been infected by a virus from this problematic client.

Therefore, how about step #1? Did you find any virus on the
client?

Please try to install antivirus on all client computers and the SBS,
update the virus definitions to the latest and perform a full virus scan on
the computers. If you do not have an anti-virus application installed,
you may try: http://housecall.trendmicro.com/.

2. When you do a clean boot on the client computer, you have to log on
with an Administrators member account. I suggest you log on to the problematic
client with the local administrator and then do the clean boot to test.

3. You can try to reboot the client and enter Safe Mode (with
networking), then try to log on to the domain. Is it fine?

Based on my research, the behavior can happen when there is virus activity
that guessed the password, or the machine password is not properly
synced between the SBS and internal clients. I suggest we try the following
steps to see if we can resolve this issue:

1. Enable complicated password policy.

Note: The Password Policy needs to be configured in the Default Domain
policy.

We can configure the settings under:

Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy

2. Configure account lockout policy.

Generally, it is a best-practice suggestion to set the Threshold
value to 10 or higher. This is high enough to rule out user error and
low enough to deter hackers, especially when the password complexity
policy is enabled.

For a medium security requirement, the recommended configurations are:

Reset account lockout counter after: 30
Account lockout duration: 30
Account Lockout Threshold: 10

For a high security requirement, the recommendations are:

Reset account lockout counter after: 30
Account lockout duration: 0
Account Lockout Threshold: 10

For more information, please refer to:

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

3. Check your firewall to ensure that only the necessary ports are
opened.

4. Ensure the above settings have been successfully applied.

1) On the problematic SBS server, please run the following command to
refresh the group policy changes:

GPUPDATE /FORCE

2) Run SECPOL.MSC and check the above changed password, Account
lockout and auditing policies to see their effective settings, and
ensure that the policies have been applied successfully.

If the policies have been applied successfully, we should have
enhanced the security protection of that server.

5. The issue may occur if the remote SBS server sends broadcast
packets to the network. I suggest you change the "nolmhash" value to
"0" in the following registry key on the SBS server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Reboot the server for this change to take effect and check that the event
no longer appears.

6. If the event still appears, go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Parameters
and set "enablesecuritysignature" and "requiresecuritysignature" to
"0". Reboot the server and check if everything is OK.

7. There are several running processes on the computer that will
attempt to connect using the machine account.

This behavior can happen when the machine password is not properly
synced.

In order to reset the machine account password of a domain controller,
use:

NETDOM RESETPWD /Server:ServerName /UserD:Administrator /PasswordD:*

The syntax of this command is:

NETDOM RESETPWD /Server:domain-controller /UserD:user /PasswordD:[password | *]

NETDOM RESETPWD Resets the machine account password for the domain
controller on which this command is run. Currently there is no
support for resetting the machine password of a remote machine or a
member server. All parameters must be specified.

/Server     Name of a specific domain controller that should have its
            machine account password reset.

/UserD      User account used to make the connection with the domain
            controller specified by the /Server argument.

/PasswordD  Password of the user account specified with /UserD.
            A * means to prompt for the password.

After completing the command, reboot the server.

If we cannot resolve the issue after we perform the above steps,
please kindly help me collect some information for further
investigation:

Please send the Server Performance report to me.

Hope these steps will give you some help.

Thanks and have a nice day!

Terence Liu

________________________________________________________________________
Hello Customer,

Thank you for posting here.

According to your description, I understand that you notice that one
of the client computers has several logon failures throughout the day. If
I have misunderstood the problem, please don't hesitate to let me
know.

First, please let me know:

1. Does this problem happen every day?
2. How do you notice the logon failures?

Based on my research, a virus or 3rd-party software may be related to
this issue. I suggest we try the following steps to see if we can
resolve this issue:

1. Please try to install antivirus on this client computer,
update the virus definitions to the latest and perform a full virus scan on
the computers. If you do not have an anti-virus application installed,
you may try: http://housecall.trendmicro.com/.

2. Please do a clean boot on the client computer to narrow down this
issue:

To clean boot the problematic computer, please use the steps below:
a. Click Start, click Run, and then in the Open box, type "MSCONFIG"
(without the quotation marks). Click OK.

b. In the System Configuration Utility (MSConfig) window, click to
select the Selective Startup button.

c. Click to clear the check mark from the "Load startup items" below
Selective Startup.

d. Click the Services tab, click to check the "Hide All Microsoft
Services" box, and remove all the check marks from the remaining
Non-Microsoft Services.

e. Click OK to close the MSConfig window. Click Yes when you are
asked to restart your computer in order to enable the changes.

f. After restarting, please check whether this issue will reoccur.

g. If there are no more problems, please use the above steps to enable
services and startup items one by one in order to figure out the root
cause of this issue.

If we cannot resolve the issue after we perform the above steps,
please kindly help me collect some information for further
investigation:

1. Save the application event log and system event log as evt files
on the problematic client machine and send to my mailbox:
v-terliu@xxxxxxxxxxxxx

2. Save the application event log and system event log as evt files
on the SBS and send to my mailbox: v-terliu@xxxxxxxxxxxxx

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have
issues regarding other Microsoft products, you'd better post in the
corresponding newsgroups so that they can be resolved in an efficient
and timely manner. You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you
check the "Notify me of replies" box to receive e-mail notifications
when there are any updates in your thread. When responding to posts
via your newsreader, please "Reply to Group" so that others may learn
and benefit from your issue.

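Worked example, added here and not part of the thread or of any Microsoft tool: the three account-lockout settings recommended in the quoted support e-mail (lockout threshold, lockout duration, reset counter) applied to a constructed list of failed-logon events, so the difference between the "medium" (duration 30) and "high" (duration 0) configurations, and the reason a retrying service account locks while a user who mistypes once an hour does not, can be seen directly. The account names, timestamps and the use of event ID 529 as the bad-password event are assumptions made for the example; the policy semantics (threshold 0 never locks, duration 0 locks until an administrator unlocks, counter resets after the observation window) follow the documented Windows behaviour.

```python
"""Simulate a Windows account-lockout policy over failed-logon events.

Added example, not from the original thread. Event data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # Account lockout threshold (failed attempts; 0 = never lock)
    duration_min: int     # Account lockout duration, minutes; 0 = until an admin unlocks
    reset_after_min: int  # Reset account lockout counter after, minutes


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None


# The two configurations recommended in the quoted e-mail.
MEDIUM = LockoutPolicy(threshold=10, duration_min=30, reset_after_min=30)
HIGH = LockoutPolicy(threshold=10, duration_min=0, reset_after_min=30)


def is_locked(state: AccountState, policy: LockoutPolicy, now: datetime) -> bool:
    """True while the account is locked at time `now`."""
    if state.locked_at is None:
        return False
    if policy.duration_min == 0:        # locked until an administrator unlocks it
        return True
    return now < state.locked_at + timedelta(minutes=policy.duration_min)


def record_failure(state: AccountState, policy: LockoutPolicy, when: datetime) -> bool:
    """Apply one bad-password event; return True if this event locks the account."""
    if is_locked(state, policy, when):
        return False                    # already locked: the counter does not move
    if state.locked_at is not None:     # a timed lock has expired: start fresh
        state.locked_at = None
        state.bad_count = 0
    if (state.last_bad is not None
            and when - state.last_bad >= timedelta(minutes=policy.reset_after_min)):
        state.bad_count = 0             # observation window elapsed: counter resets
    state.bad_count += 1
    state.last_bad = when
    if policy.threshold > 0 and state.bad_count >= policy.threshold:
        state.locked_at = when
        return True
    return False


def simulate(events: List[Tuple[datetime, int, str]], policy: LockoutPolicy):
    """Feed (time, event_id, account) events through the policy in time order.

    Only event 529 (logon failure: unknown user name or bad password) counts;
    returns the per-account state and the list of (account, time) lockouts."""
    states: Dict[str, AccountState] = {}
    lockouts: List[Tuple[str, datetime]] = []
    for when, event_id, account in sorted(events):
        if event_id != 529:
            continue
        state = states.setdefault(account, AccountState())
        if record_failure(state, policy, when):
            lockouts.append((account, when))
    return states, lockouts


def still_locked(states: Dict[str, AccountState], account: str,
                 policy: LockoutPolicy, minutes_later: int) -> bool:
    """Is `account` still locked `minutes_later` minutes after its lockout?"""
    state = states[account]
    if state.locked_at is None:
        return False
    return is_locked(state, policy, state.locked_at + timedelta(minutes=minutes_later))


# Constructed sample: a service on one client retries a stale password every
# 20 s (the "machine password not in sync" pattern from the thread), while a
# user mistypes once an hour; one successful logon (528) is present and ignored.
_T0 = datetime(2007, 6, 14, 9, 0, 0)
SAMPLE_EVENTS: List[Tuple[datetime, int, str]] = (
    [(_T0 + timedelta(seconds=20 * i), 529, "svc-backup") for i in range(12)]
    + [(_T0 + timedelta(minutes=10), 529, "jsmith"),
       (_T0 + timedelta(minutes=50), 529, "jsmith"),
       (_T0 + timedelta(minutes=100), 529, "jsmith"),
       (_T0 + timedelta(minutes=5), 528, "jsmith")]
)

if __name__ == "__main__":
    for name, policy in (("medium", MEDIUM), ("high", HIGH)):
        states, lockouts = simulate(SAMPLE_EVENTS, policy)
        print(f"{name}: lockouts={[(a, t.time().isoformat()) for a, t in lockouts]}")
        for acct in states:
            print(f"  {acct}: still locked 45 min later? "
                  f"{still_locked(states, acct, policy, 45)}")
```

Under both policies the service account locks on its tenth failure at 09:03:00 and its remaining retries are ignored, while jsmith never exceeds a count of one because each failure is more than 30 minutes after the previous one. Forty-five minutes after the lockout the medium policy has released the account and the high policy has not, which is the operational difference the e-mail's "duration 0" setting introduces.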