Re: secedit or group policy issues?

From: Patrick (patl_at_reply.newsgroup.msn.com)
Date: 08/24/04


Date: Tue, 24 Aug 2004 22:56:53 +0100

No joy
1) The machine which is experiencing the problem where GPO is not loaded is
the Domain Controller itself. On this DC, under Networking settings, DNS is
set to use its own DNS (i.e. the IP address of the server)

2) The User Rights "Logon Locally" is set at a Domain Controller level
(under Domain Controller Security Policy) which overwrites Local/Domain
security policies.

"Steven L Umbach" <n9rou@N0sPaM-comcast.net> wrote in message
news:7ZLWc.225411$eM2.33568@attbi_s51...
> The user right for logon locally is a computer configuration - not user and
> would apply to only computers in that OU. You need to configure that user
> right on the computer where users need the right to logon locally and that
> can be done either in Local Security Policy or at the OU level where that
> computer is located.
>
> DNS misconfiguration is also the main cause of Group Policy and AD problems.
> Your domain controller [I believe you have one] must point only to itself as
> its preferred DNS server via its static IP address. W2K/XP Pro domain
> computers must point only to AD domain controllers as their preferred DNS
> server and NEVER an ISP DNS server. It is also a good idea to not have your
> domain controllers to be multi homed with multiple network adapters. Netdiag
> and dcdiag are very helpful in checking for proper domain configuration for
> domain controllers and domain members. The link below explains more on AD
> DNS. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
>
>
>
> "Patrick" <patl@reply.newsgroup.msn.com> wrote in message
> news:uwBG5ofiEHA.3988@tk2msftngp13.phx.gbl...
> > I just did the following
> > 1) Created a new OU in AD on a Win2K Server SP4
> > 2) Created a new Group Policy Object under this OU. Objectives:
> > 2.1) The only reason why these users are in AD under this OU is purely for
> > IIS Authentication, and because it looks like those users need "Log on
> > locally right" for Basic Authentication or Integrated Windows authentication
> > to work (otherwise with auditing, a failure audit is generated when I try
> > to log on with the correct username/password pair)
> > 2.2) I try to set up a GPO under this OU so users under this OU can't do
> > anything destructive even if they try to log on (which they would be allowed
> > to do so)
> > 3) at command prompt:
> > 3.1) secedit /refreshpolicy user_policy /enforce
> > 3.2) secedit /refreshpolicy machine_policy /enforce
> > 3.3) secedit /refreshpolicy machine_policy
> >
> > 4) Wait a few minutes
> >
> > 5) Try to logon to the console (of the one and only one Domain Controller
> > for the domain) as those users under this OU, and I get the following logged
> > in event viewer:
> >
> > Event Type: Error
> > Event Source: Userenv
> > Event Category: None
> > Event ID: 1000
> > Date: 24/08/2004
> > Time: 17:28:20
> > User: MyWEB\SiteAdmin
> > Computer: MyWEBServer
> > Description:
> > Windows cannot query for the list of Group Policy objects . A message that
> > describes the reason for this was previously logged by this policy engine.
> >
> > Event Type: Error
> > Event Source: Userenv
> > Event Category: None
> > Event ID: 1000
> > Date: 24/08/2004
> > Time: 17:28:20
> > User: MyWEB\SiteAdmin
> > Computer: MyWEBServer
> > Description:
> > Windows cannot establish a connection to myweb.local with (0).
> >
> > How could I rectify this?
> >
> >
>
>
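
The DNS rule quoted in this thread (a domain controller points only to itself, members point only to domain controllers, and a DC should not be multihomed) can be checked mechanically from `ipconfig /all` output. The following is an added example, not part of the original thread; the sample output, addresses, `role` labels and function names are constructed for illustration.

```python
import re

# Constructed sample of W2K/XP-style `ipconfig /all` output from a DC.
# Addresses are made up; 203.0.113.53 stands in for an ISP resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 192.168.0.10
                                            203.0.113.53
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_adapters(text):
    """Return {adapter: {"ip": [...], "dns": [...]}} from ipconfig /all text."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        header = re.match(r"^(\S.*adapter .+):\s*$", line)
        if header:
            current = adapters.setdefault(header.group(1), {"ip": [], "dns": []})
            field = None
            continue
        if current is None or not line.strip():
            continue
        labelled = re.match(r"^\s+([A-Za-z][^:]*?)[ .]*:\s*(.*)$", line)
        if labelled:
            field = {"IP Address": "ip", "DNS Servers": "dns"}.get(labelled.group(1))
            value = labelled.group(2).strip()
        else:
            value = line.strip()  # continuation line: extra value for the last field
        if field and re.fullmatch(IPV4, value):
            current[field].append(value)
    return adapters

def audit_dns(text, role, dc_ips):
    """Apply the quoted rule; role is "dc" or "member" (labels assumed here)."""
    adapters = parse_adapters(text)
    addressed = [name for name, a in adapters.items() if a["ip"]]
    findings = []
    if role == "dc" and len(addressed) > 1:
        findings.append("multihomed DC: " + ", ".join(addressed))
    for name, a in adapters.items():
        # A DC may list only its own address; a member only DC addresses.
        allowed = set(a["ip"]) if role == "dc" else set(dc_ips)
        for server in a["dns"]:
            if server not in allowed:
                findings.append(f"{name}: DNS server {server} is not an allowed AD DNS server")
    return findings
```

Running `audit_dns(SAMPLE_IPCONFIG, "dc", [])` on the constructed sample flags the second, non-AD resolver on the adapter.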


