Re: Administrator rights to folder

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 03/12/04


Date: Thu, 11 Mar 2004 18:20:12 -0800

Ok. Next question: Can you see the share on the DC where the policy is from
your client?

I'm not a policy expert. Have you checked out any of the group policy
troubleshooting docs?

Evidently this can be caused by requiring SMB signing on XP SP1 machines. I
googled for "windows group policy not applying 1058 site:microsoft.com" and
found this (among others):
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810907

I think I'm more than a little out of my depth now. There are a couple of
group policy newsgroups that might offer more help:
microsoft.public.win2000.group_policy
microsoft.public.windows.group_policy

---
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Tomppa" <tofors99@hotmail.com> wrote in message
news:eEXyVSzBEHA.3132@TK2MSFTNGP11.phx.gbl...
> Yes I am an administrator.
> Here is my errors:
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1030
> Date:  11.3.2004
> Time:  08:21:11
> User:  NT AUTHORITY\SYSTEM
> Computer: AB2000
> Description:
> Windows cannot query for the list of Group Policy objects. Check the event
> log for possible messages previously logged by the policy engine that
> describes the reason for this.
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1058
> Date:  11.3.2004
> Time:  08:21:11
> User:  NT AUTHORITY\SYSTEM
> Computer: AB2000
> Description:
> Windows cannot access the file gpt.ini for GPO
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nord,DC=local.
> The file must be present at the location
> <\\nord.local\sysvol\nord.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> (Access is denied. ). Group Policy processing aborted.
>
> Tomppa
>
>
> "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
> news:unbFXlhBEHA.3928@TK2MSFTNGP09.phx.gbl...
> > Are you an administrator?  If not, that could explain the grey.
> > The 1030's and 1058's are probably from policy failing to apply.  What are
> > the messages?
> > -- 
> > Drew Cooper [MSFT]
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Tomppa" <tofors99@hotmail.com> wrote in message
> > news:u6bVIPaBEHA.1796@TK2MSFTNGP12.phx.gbl...
> > > The Audit Object Access is grey and can't be changed and I have a lot of
> > > error 1030 and 1058 in the application log. Have tried to fix 1030,1058 no
> > > luck.
> > >
> > > Any ideas?
> > >
> > > Tomppa
> > >
> > > "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
> > > news:OqZQm9UBEHA.3852@TK2MSFTNGP10.phx.gbl...
> > > > There's pretty good documentation about how auditing works.  Here's one
> > > > example of the Win2k docs:
> > > >
> > > > http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/acl_audit_file_folder.htm
> > > >
> > > > Help and Support on XP/Server 2003 is actually helpful, too.  Or you can
> > > > always google for more information ("site:microsoft.com" will give you only
> > > > hits from Microsoft).
> > > > -- 
> > > > Drew Cooper [MSFT]
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > >
> > > >
> > > > "Tomppa" <tofors99@hotmail.com> wrote in message
> > > > news:Ope92FRBEHA.1600@tk2msftngp13.phx.gbl...
> > > > > Hi!
> > > > > Auditing sounds like a good start. Have activated auditing on a test folder
> > > > > for the administrator. But what do I have to do more, to get success/failure
> > > > > events in the event log?
> > > > >
> > > > > Tomppa
> > > > >
> > > > >
> > > > > "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
> > > > > news:%23UatYqvAEHA.2800@tk2msftngp13.phx.gbl...
> > > > > > Regardless, a domain admin can install a keystroke logger or a filter
> > > > > > driver that snoops files as they are opened.  Encryption doesn't really
> > > > > > stop an admin if the file is ever opened again (or, perhaps if the user
> > > > > > ever logs onto a domain machine again).
> > > > > > If you want to see what your admins do to files, use auditing.  Even if
> > > > > > they clear the log, there will be a log of their clearing it.
> > > > > > If you don't trust them at all they probably shouldn't be admins.
> > > > > > -- 
> > > > > > Drew Cooper [MSFT]
> > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > >
> > > > > >
> > > > > > "Dusko Savatovic" <savatovic.removespam@hotmail.com> wrote in message
> > > > > > news:e6E90$rAEHA.3352@TK2MSFTNGP09.phx.gbl...
> > > > > > > They can hide stuff if they use encryption.
> > > > > > > However, if they use EFS in domain environment, it might be possible
> > > > > > > for domain admins to recover encrypted content.
> > > > > > >
> > > > > > > In order to prevent casual recovery in domain environment, the creation
> > > > > > > of recovery agents should be strictly monitored and EFS recovery
> > > > > > > certificate should be exported (with option "Delete private key if
> > > > > > > export is successful") from the user Administrator of the
> > > > > > > First-root-domain-controller.
> > > > > > >
> > > > > > > Also, the security is not just setting permissions and encryption. It
> > > > > > > is a process of constant monitoring, evaluation and adaptation to new
> > > > > > > situations.
> > > > > > > Think of it as leaving an expensive, secure ATM full of money in the
> > > > > > > open field without any supervision.
> > > > > > >
> > > > > > > Dusko Savatovic
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > "Tomppa" <tofors99@hotmail.com> wrote in message
> > > > > > > news:O2DHX9nAEHA.1452@TK2MSFTNGP09.phx.gbl...
> > > > > > > > So the company's "leadgroup" can't "hide" anything from the domain
> > > > > > > > admin.......
> > > > > > > >
> > > > > > > > Tomppa
> > > > > > > >
> > > > > > > > "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
> > > > > > > > news:ezdI5niAEHA.2316@TK2MSFTNGP10.phx.gbl...
> > > > > > > > > You can't.  That's what it means to be a domain administrator.
> > > > > > > > > -- 
> > > > > > > > > Drew Cooper [MSFT]
> > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > > > > > > rights.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "Tomppa" <tofors99@hotmail.com> wrote in message
> > > > > > > > > news:OlLaG4eAEHA.1456@TK2MSFTNGP09.phx.gbl...
> > > > > > > > > > Hi
> > > > > > > > > >
> > > > > > > > > > Can I prevent a Domain admin to have access to a folder on the DC?
> > > > > > > > > > If I only give access to user "Bill" the administrator still can
> > > > > > > > > > right click the folder and give himself more rights.
> > > > > > > > > >
> > > > > > > > > > Tomppa
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
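
The auditing advice quoted in the thread has two halves: the "Audit object access" policy must be on, and the folder needs an audit entry (SACL). The sketch below is an added example, not part of the original posts; it assumes a current Windows system with PowerShell and `auditpol`, and the folder path and principal are placeholders.

```powershell
# Added example. $Folder and $Principal are placeholders, not values from the thread.
# Run from an elevated session; editing a SACL needs the "Manage auditing and
# security log" user right.
param(
    [string]$Folder    = 'C:\AuditTest',
    [string]$Principal = 'BUILTIN\Administrators'
)

# 1. Policy half: a SACL alone logs nothing until object-access auditing is on.
#    A domain GPO that defines this setting overrides the local change.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. SACL half: audit reads, writes, deletes and permission/owner changes made
#    by $Principal on the folder and everything beneath it.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $Folder -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Review: 4663 = object access, 4670 = permissions changed,
#    1102 = security log cleared (written by the clear operation itself).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670, 1102 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue
$events |
    Where-Object { $_.Id -eq 1102 -or $_.Message -like "*$Folder*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

On the Windows 2000/XP/Server 2003 systems discussed in the thread, the policy is the single "Audit object access" setting rather than an `auditpol` subcategory, and the corresponding event IDs are 560 (object open) and 517 (audit log cleared).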

