Group Policy not loading due to GetMachineToken (ApplySecurityContext) failure

From: Daniel J. Reynolds (dan_at_highaspect.dot.net)
Date: 11/14/03


Date: Fri, 14 Nov 2003 12:16:53 -0600

I posted this message in the Group Policy group several days ago
and have not received a response and thought it may be more of a
security issue. Any help with either problem would be appreciated.

Thanks,
Dan Reynolds

--------------------------------------------------------------------------------------------------------
I have a situation where Group Policy is not loading on 2 member
servers.

1) W2K native network (all SP4).
2) 1 domain controller, 2 workstations, several member servers.
3) The GPO in question is the Default Domain Policy.
4) GPO is filtered by a Servers Group (4 Members).
5) GPO is also filtered by a Workstations Group (2 members).
6) GPO loads on both workstations and 2 of the 4 servers.
7) GPO does not load on the other two servers.
8) Logon account is the same for all (a member of Domain Admins).
9) \\MyDomain.com\Sysvol is available in MyNetwork.
10) I can navigate to and open machine\registry.pol with Notepad.

Two different errors are being reported, one for each
of the servers that is not loading Group Policy.

First member server
===============
Event Log
----------------
Source: Userenv
Event ID:1000

Windows cannot query for the list of Group Policy objects .
A message that describes the reason for this was previously
logged by this policy engine.

Userenv.log
-------------------

USERENV(fc.274) GetMachineToken: AcceptSecurityContext failed with
0x8009030c
USERENV(fc.274) GetGPOInfo: Failed to get the machine token with
-2146893044
USERENV(fc.274) ProcessGPOs: GetGPOInfo failed.

Second Member Server
===================
Event Log
----------------
Source: Userenv
Event ID: 1000

Windows cannot access the registry information at
\\MyDomain.com\sysvol\MyDomain.com\Policies\
{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (53).

Userenv.log
-------------------

USERENV(100.2b8) ParseRegistryFile: CreateFile failed with 53
USERENV(100.2b8) ProcessGPORegistryPolicy: ParseRegistryFile failed.
USERENV(100.2b8) ProcessGPOList: ProcessGPORegistryPolicy failed.
USERENV(100.2b8) ProcessGPOs: Extension Registry ProcessGroupPolicy
failed, status 0x80004005.
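
Added example, not part of the original post: a small Python triage script that decodes the status codes in the two Userenv.log excerpts above. It shows that -2146893044 is the signed-decimal form of 0x8009030c, and reports the first coded failure per USERENV id pair. The function names, the sample text (the post's log lines with the mail wrapping undone) and the "first coded failure is the innermost one" rule are assumptions of this example; the code names are the standard ones from winerror.h.

```python
import re

# Standard Windows names for the codes that appear in the post (winerror.h).
KNOWN = {
    0x8009030C: ("SEC_E_LOGON_DENIED", "The logon attempt failed"),
    0x80004005: ("E_FAIL", "Unspecified error"),
    53: ("ERROR_BAD_NETPATH", "The network path was not found"),
}

# "USERENV(fc.274) GetMachineToken: <message>"
LINE = re.compile(
    r"USERENV\((?P<ids>[0-9a-f]+\.[0-9a-f]+)\)\s+(?P<func>\w+):\s+(?P<msg>.*)", re.I)
# A status follows "with" or "status", as hex or as signed decimal.
CODE = re.compile(r"(?:with|status)\s+(0x[0-9a-f]+|-?\d+)", re.I)

# Constructed sample: the post's Userenv.log lines with the mail wrapping undone.
SAMPLE_LOG = """\
USERENV(fc.274) GetMachineToken: AcceptSecurityContext failed with 0x8009030c
USERENV(fc.274) GetGPOInfo: Failed to get the machine token with -2146893044
USERENV(fc.274) ProcessGPOs: GetGPOInfo failed.
USERENV(100.2b8) ParseRegistryFile: CreateFile failed with 53
USERENV(100.2b8) ProcessGPORegistryPolicy: ParseRegistryFile failed.
USERENV(100.2b8) ProcessGPOList: ProcessGPORegistryPolicy failed.
USERENV(100.2b8) ProcessGPOs: Extension Registry ProcessGroupPolicy failed, status 0x80004005.
"""

def normalize(token):
    """Parse a hex or signed-decimal status into an unsigned 32-bit value."""
    value = int(token, 16) if token.lower().startswith("0x") else int(token)
    return value & 0xFFFFFFFF

def triage(log_text):
    """Map each USERENV id pair to its first coded failure (assumed innermost)."""
    findings = {}
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        code = CODE.search(line["msg"]) if line else None
        if not code:
            continue  # not a USERENV line, or a failure line without a code
        value = normalize(code.group(1))
        name, text = KNOWN.get(value, ("UNKNOWN", ""))
        shown = f"0x{value:08X}" if value > 0xFFFF else str(value)
        findings.setdefault(line["ids"], {"func": line["func"], "code": shown,
                                          "name": name, "text": text})
    return findings

if __name__ == "__main__":
    for ids, f in triage(SAMPLE_LOG).items():
        print(f'{ids}: {f["func"]} -> {f["code"]} {f["name"]} ({f["text"]})')
```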


