Re: Not all GPO settings not applied to client
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/27/04
- Next message: Michael Feld: "Re: Not all GPO settings not applied to client"
- Previous message: Michael Feld: "Re: Not all GPO settings not applied to client"
- In reply to: Michael Feld: "Not all GPO settings not applied to client"
- Next in thread: Michael Feld: "Re: Not all GPO settings not applied to client"
- Reply: Michael Feld: "Re: Not all GPO settings not applied to client"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 27 Nov 2004 13:06:38 -0600
The policy should show as being enabled on the domain client in Local
Security Policy for XP Pro computer after the policy has been applied. I
would reboot and try again. If that does not work double check your dns
[being sure to NEVER list an ISP dns server as a preferred dns server] and
run the netdiag support tool on both the domain controller and the client
computer and dcdiag on the domain controller. On the client computer when
running netdiag in particular look for errors/warnings/failed tests for dns,
dc discovery, kerberos, and trust/secure channel.
There are still some problems with XP clients and SMB signing on certain
configurations of XP Pro. While you are testing I would make sure the built
in ICF firewall for XP Pro is disabled [assuming other firewall protecting
the network] and disable mandatory smb signing in Domain Controller Security
Policy. Go to security options and the option for Microsoft network
server:digitally sign communications(always), set to DISABLED and run
gpudate /force on the domain controller. I really don't understand how
administrator names could be an issue as the setting you are trying to
implement is "computer configuration". --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag
and how to install support tools. Be sure to use the install disk for the
correct operating system.
"Michael Feld" <mfeld@t-online.de> wrote in message
news:uJN$FfJ1EHA.1652@TK2MSFTNGP11.phx.gbl...
> Hello everyone,
>
> I have a problem with Group policies. I'm running a Win2K3 server in a
> test environment with an XP client. I have set up a policy on the server
> that should disable the "To log on, press CTRL+ALT+DEL" dialog on the
> client, but it doesn't work (the dialog is still displayed). I have
> searched through the internet and read several KB articles, but wasn't
> able to find the cause of this problem.
>
> I have not created any OUs yet and modified the Default Domain Policy
> directly. It appears that the settings under "Windows Settings\Security
> settings\Account policies" are successfully applied, while those under
> "Windows Settings\Security settings\Local settings" are not.
>
> Using "GPResult.exe" on the client gave me something like this (I had to
> translate it):
>
> Applied GPOs:
> - Default Domain Policy
>
> The following group policies were not applied because they have been
> filtered out:
> - Policies for local group
> Filtering: Not applied (empty)
>
>
> Using the MMC Resultset viewer snap-in on the client, I have verified that
> the setting is "enabled". In the local security policy for the client, the
> setting is "not defined". I think that's how it should be.
>
> I have found one event log error entry on the client from "SceCli",
> stating the the group policy could not be applied due to an "extended
> error". Following a KB article I enabled logging, but I really didn't get
> any clues from what it says in "$sysroot%\SECURITY\LOGS\winlogon.log":
>
> Processing group policy template gpt00000.dom.
> -------------------------------------------
> <Date>
> Use with administrator privileges has logged on.
> Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
> Error 1208: An extended error has occured.
> Error creating database.
> ----Config module has been initialized with one or more errors.----
> ----Config module is being deinitialized...
>
>
> Another KB article mentioned possible conflicts with admin accounts names,
> so I have renamed all local admin accounts to something that certainly
> isn't in use in the domain, but still no success.
>
> And for completeness: DNS is also correctly configured.
>
>
> Does anyone have an idea what else might be the problem here?
>
> Thanks in advance!
>
> Michael
>
- Next message: Michael Feld: "Re: Not all GPO settings not applied to client"
- Previous message: Michael Feld: "Re: Not all GPO settings not applied to client"
- In reply to: Michael Feld: "Not all GPO settings not applied to client"
- Next in thread: Michael Feld: "Re: Not all GPO settings not applied to client"
- Reply: Michael Feld: "Re: Not all GPO settings not applied to client"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
