Re: Administrator rights to folder
From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 03/12/04
- Next message: S. Pidgorny
: "Re: firewall/proxy options for home office" - Previous message: Drew Cooper [MSFT]: "Re: User Certificates"
- In reply to: Tomppa: "Re: Administrator rights to folder"
- Next in thread: tomppa: "Re: Administrator rights to folder"
- Reply: tomppa: "Re: Administrator rights to folder"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Mar 2004 18:20:12 -0800
Ok. Next question: Can you see the share on the DC where the policy is from
your client?
I'm not a policy expert. Have you checked out any of the group policy
troubleshooting docs?
Evidently this can be caused by requiring SMB signing on XP SP1 machines. I
googled for "windows group policy not applying 1058 site:microsoft.com" and
found this (among others):
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810907
I think I'm more than a little out of my depth now. There are a couple of
group policy newsgroups that might offer more help:
microsoft.public.win2000.group_policy
microsoft.public.windows.group_policy
---
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Tomppa" <tofors99@hotmail.com> wrote in message
news:eEXyVSzBEHA.3132@TK2MSFTNGP11.phx.gbl...
> Yes I am an administrator.
> Here is my errors:
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1030
> Date: 11.3.2004
> Time: 08:21:11
> User: NT AUTHORITY\SYSTEM
> Computer: AB2000
> Description:
> Windows cannot query for the list of Group Policy objects. Check the event
> log for possible messages previously logged by the policy engine that
> describes the reason for this.
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1058
> Date: 11.3.2004
> Time: 08:21:11
> User: NT AUTHORITY\SYSTEM
> Computer: AB2000
> Description:
> Windows cannot access the file gpt.ini for GPO
>
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nord,DC=l
> ocal. The file must be present at the location
>
<\\nord.local\sysvol\nord.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984
> F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.
>
> Tomppa
>
>
> "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> skrev i meddelandet
> news:unbFXlhBEHA.3928@TK2MSFTNGP09.phx.gbl...
> > Are you an administrator? If not, that could explain the grey.
> > The 1030's and 1058's are probably from policy failing to apply. What
are
> > the messages?
> > --
> > Drew Cooper [MSFT]
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> >
> >
> > "Tomppa" <tofors99@hotmail.com> wrote in message
> > news:u6bVIPaBEHA.1796@TK2MSFTNGP12.phx.gbl...
> > > The Audit Object Access is grey and canīt be changed and I have a lot
of
> > > error 1030 and 1058 in the application log. Have tried to fix
1030,1058
> no
> > > luck.
> > >
> > > Any ideas?
> > >
> > > Tomppa
> > >
> > > "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> skrev i meddelandet
> > > news:OqZQm9UBEHA.3852@TK2MSFTNGP10.phx.gbl...
> > > > There's pretty good documentation about how auditing works. Here's
> one
> > > > example of the Win2k docs:
> > > >
> > >
> >
>
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/acl_audit_file_folder.htm
> > > >
> > > > Help and Support on XP/Server 2003 is actually helpful, too. Or you
> can
> > > > always google for more information ("site:microsoft.com" will give
you
> > > only
> > > > hits from Microsoft).
> > > > --
> > > > Drew Cooper [MSFT]
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > > >
> > > >
> > > > "Tomppa" <tofors99@hotmail.com> wrote in message
> > > > news:Ope92FRBEHA.1600@tk2msftngp13.phx.gbl...
> > > > > Hi!
> > > > > Auditing sound like a good start. Have activated auting on a test
> > folder
> > > > for
> > > > > the administrator. But what do I have to do more, to get
> > success/failure
> > > > > events in the event log?
> > > > >
> > > > > Tomppa
> > > > >
> > > > >
> > > > > "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> skrev i
> meddelandet
> > > > > news:%23UatYqvAEHA.2800@tk2msftngp13.phx.gbl...
> > > > > > Regardless, a domain admin can install a keystroke logger or a
> > filter
> > > > > driver
> > > > > > that snoops files as they are opened. Encryption doesn't really
> > stop
> > > an
> > > > > > admin if the file is ever opened again (or, perhaps if the user
> ever
> > > > logs
> > > > > > onto a domain machine again).
> > > > > > If you want to see what your admins do to files, use auditing.
> Even
> > > if
> > > > > they
> > > > > > clear the log, there will be a log of their clearing it.
> > > > > > If you don't trust them at all they probably shouldn't be
admins.
> > > > > > --
> > > > > > Drew Cooper [MSFT]
> > > > > > This posting is provided "AS IS" with no warranties, and confers
> no
> > > > > rights.
> > > > > >
> > > > > >
> > > > > > "Dusko Savatovic" <savatovic.removespam@hotmail.com> wrote in
> > message
> > > > > > news:e6E90$rAEHA.3352@TK2MSFTNGP09.phx.gbl...
> > > > > > > They can hide stuff if they use encryption.
> > > > > > > However, if they use EFS in domain environment, it might be
> > possible
> > > > for
> > > > > > > domain admins to recover encrypted content.
> > > > > > >
> > > > > > > In order to prevent casual recovery in domain environment, the
> > > > creation
> > > > > of
> > > > > > > recovery agents should be strictly monitored and EFS recovery
> > > > > certificate
> > > > > > > should be exported (with option "Delete private key if export
is
> > > > > > > successful") from the user Administrator of the
> > > > > > > First-root-domain-controller.
> > > > > > >
> > > > > > > Also, the security is not just setting permissions and
> encryption.
> > > It
> > > > is
> > > > > a
> > > > > > > process of constant monitoring, evaluation and adaptation to
new
> > > > > > situations.
> > > > > > > Think of it as leaving expensive, secure ATM full of money in
> the
> > > open
> > > > > > field
> > > > > > > without any supervision.
> > > > > > >
> > > > > > > Dusko Savatovic
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > "Tomppa" <tofors99@hotmail.com> wrote in message
> > > > > > > news:O2DHX9nAEHA.1452@TK2MSFTNGP09.phx.gbl...
> > > > > > > > So the companyīs "leadgroup" canīt "hide" anything from the
> > domain
> > > > > > > > admin.......
> > > > > > > >
> > > > > > > > Tomppa
> > > > > > > >
> > > > > > > > "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> skrev i
> > > > meddelandet
> > > > > > > > news:ezdI5niAEHA.2316@TK2MSFTNGP10.phx.gbl...
> > > > > > > > > You can't. That's what it means to be a domain
> administrator.
> > > > > > > > > --
> > > > > > > > > Drew Cooper [MSFT]
> > > > > > > > > This posting is provided "AS IS" with no warranties, and
> > confers
> > > > no
> > > > > > > > rights.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "Tomppa" <tofors99@hotmail.com> wrote in message
> > > > > > > > > news:OlLaG4eAEHA.1456@TK2MSFTNGP09.phx.gbl...
> > > > > > > > > > Hi
> > > > > > > > > >
> > > > > > > > > > Can I prevent a Domain admin to have access to a folder
on
> > the
> > > > DC?
> > > > > > > > > > If I only give access to user "Bill" the administra
still
> > can
> > > > > right
> > > > > > > > click
> > > > > > > > > > the folder and give himself more rights.
> > > > > > > > > >
> > > > > > > > > > Tomppa
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
- Next message: S. Pidgorny
: "Re: firewall/proxy options for home office" - Previous message: Drew Cooper [MSFT]: "Re: User Certificates"
- In reply to: Tomppa: "Re: Administrator rights to folder"
- Next in thread: tomppa: "Re: Administrator rights to folder"
- Reply: tomppa: "Re: Administrator rights to folder"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
