Re: secedit or group policy issues?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/25/04

  • Next message: Rockitman: "Seeing who has what file open"

    Date: Tue, 24 Aug 2004 22:12:20 GMT


    If this is a domain controller then add the users or global group that you want to
    have logon locally user right in the Domain Controller Security Policy and then it
    should show as the "effective" setting in Local Security Policy of the domain
    controller after a refresh. You can also run gpresult while logged onto the domain
    controller and see the GPOs applied to that computer and logged on user and the last
    time they were refreshed. The /v switch will give much more detailed info on the
    GPOs being applied. Since you are having problems, I would also run first netdiag
    and then dcdiag on the domain controller looking for any failed tests/errors/warnings
    that may indicate if there is a problem even if it is the only domain
    controller. --- Steve

    "Patrick" <patl@reply.newsgroup.msn.com> wrote in message
    news:eX6pEViiEHA.2764@TK2MSFTNGP11.phx.gbl...
    > No joy
    > 1) The machine which is experiencing the problem where GPO is not loaded is
    > the Domain Controller itself. On this DC, under Networking settings, DNS is
    > set to use its own DNS (i.e. the IP address of the server)
    >
    > 2) The User Rights "Logon Locally" is set at a Domain Controller level
    > (under Domain Controller Security Policy) which overwrites Local/Domain
    > security policies.
    >
    > "Steven L Umbach" <n9rou@N0sPaM-comcast.net> wrote in message
    > news:7ZLWc.225411$eM2.33568@attbi_s51...
    >> The user right for logon locally is a computer configuration - not user and
    >> would apply to only computers in that OU. You need to configure that user
    >> right on the computer where users need the right to logon locally and that
    >> can be done either in Local Security Policy or at the OU level where that
    >> computer is located.
    >>
    >> Dns misconfiguration is also the main cause of Group Policy and AD problems.
    >> Your domain controller [I believe you have one] must point only to itself as
    >> its preferred dns server via its static IP address. W2K/XP Pro domain
    >> computers must point only to AD domain controllers as their preferred dns
    >> server and NEVER an ISP dns server. It is also a good idea to not have your
    >> domain controllers to be multi homed with multiple network adapters. Netdiag
    >> and dcdiag are very helpful in checking for proper domain configuration for
    >> domain controllers and domain members. The link below explains more on AD
    >> dns. --- Steve
    >>
    >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
    >>
    >>
    >>
    >> "Patrick" <patl@reply.newsgroup.msn.com> wrote in message
    >> news:uwBG5ofiEHA.3988@tk2msftngp13.phx.gbl...
    >> > I just did the following
    >> > 1) Created a new OU in AD on a Win2K Server SP4
    >> > 2) Created a new Group Policy Object under this OU. Objectives:
    >> > 2.1) The only reason why these users are in AD under this OU is purely for
    >> > IIS Authentication, and because it looks like those users need "Log on
    >> > locally right" for Basic Authentication or Integrated Windows authentication
    >> > to work (otherwise with auditing, a failure audit is generated when I try
    >> > to log on with the correct username/password pair)
    >> > 2.2) I try to set up a GPO under this OU so users under this OU can't do
    >> > anything destructive even if they try to log on (which they would be allowed
    >> > to do so)
    >> > 3) at command prompt:
    >> > 3.1) secedit /refreshpolicy user_policy /enforce
    >> > 3.2) secedit /refreshpolicy machine_policy /enforce
    >> > 3.3) secedit /refreshpolicy machine_policy
    >> >
    >> > 4) Wait a few minutes
    >> >
    >> > 5) Try to logon to the console (of the one and only one Domain Controller
    >> > for the domain) as those users under this OU, and I get the following logged
    >> > in event viewer:
    >> >
    >> > Event Type: Error
    >> > Event Source: Userenv
    >> > Event Category: None
    >> > Event ID: 1000
    >> > Date: 24/08/2004
    >> > Time: 17:28:20
    >> > User: MyWEB\SiteAdmin
    >> > Computer: MyWEBServer
    >> > Description:
    >> > Windows cannot query for the list of Group Policy objects. A message that
    >> > describes the reason for this was previously logged by this policy engine.
    >> >
    >> > Event Type: Error
    >> > Event Source: Userenv
    >> > Event Category: None
    >> > Event ID: 1000
    >> > Date: 24/08/2004
    >> > Time: 17:28:20
    >> > User: MyWEB\SiteAdmin
    >> > Computer: MyWEBServer
    >> > Description:
    >> > Windows cannot establish a connection to myweb.local with (0).
    >> >
    >> > How could I rectify this?
    >> >
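As an added example, not part of Steve's or Patrick's posts: a PowerShell script that runs, on the domain controller itself, the checks the reply calls for. It verifies that the DC's preferred DNS server is one of its own addresses, that the AD SRV record for the domain resolves, which accounts hold the "Log on locally" right in the effective local policy (exported with secedit), whether any recent Group Policy engine errors like the Userenv 1000 entries above are logged, and finishes with gpresult /v. It assumes a Windows Server version with the DnsClient and NetTCPIP cmdlets (2012 or later; the original thread is Win2K, where only the cmd tools exist) and takes the domain DNS name from WMI unless a `-DomainName` parameter is given; both of those are my assumptions, not something from the thread.

```powershell
# Added example (not from the thread). Run elevated on the domain controller.
# Assumes Windows Server 2012+ for Get-NetIPAddress / Get-DnsClientServerAddress /
# Resolve-DnsName; $DomainName defaults to the machine's domain from WMI (assumption).
param(
    [string]$DomainName = (Get-CimInstance Win32_ComputerSystem).Domain
)

# 1. DNS client configuration: a DC should point at itself (or another AD DNS
#    server), never at an ISP resolver. Loopback is excluded via PrefixOrigin.
$ownAddrs = (Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses } |
              Select-Object -ExpandProperty ServerAddresses
if (-not $dnsServers) { "WARN no DNS servers configured on any interface" }
foreach ($srv in $dnsServers) {
    if ($ownAddrs -contains $srv) {
        "OK   DNS server $srv is this DC"
    } else {
        "WARN DNS server $srv is not this host; confirm it is an AD DNS server, not an ISP resolver"
    }
}

# 2. Can the DC find a domain controller for its own domain through AD DNS?
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
try {
    $rec = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop
    "OK   $srvName -> $(($rec | Where-Object NameTarget).NameTarget -join ', ')"
} catch {
    "FAIL $srvName did not resolve: $($_.Exception.Message)"
}

# 3. Effective holders of the 'Log on locally' right (SeInteractiveLogonRight).
#    secedit /export writes an INF whose [Privilege Rights] section lists them.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$right = Get-Content $inf | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
"Log on locally: $right"
Remove-Item $inf -ErrorAction SilentlyContinue

# 4. Recent Group Policy engine errors. The provider is Userenv on
#    Win2K/XP/2003 as in the thread; later versions log under a different
#    provider, so an empty result here is not by itself conclusive.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Userenv'; Level = 2 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 5. Verbose RSoP for this computer and the logged-on user, as suggested above.
gpresult /v
```

Read the output top to bottom: a WARN in step 1 or a FAIL in step 2 points at the DNS misconfiguration the reply names as the usual cause; if DNS is clean but the account is missing from the SeInteractiveLogonRight line in step 3, the right has not been granted where the logon actually happens (the DC's Domain Controller Security Policy), which matches the failure audits Patrick describes.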

