Re: Permissions on SYSVOL Directory
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/14/05
- Next message: Steven L Umbach: "Re: Any Way To Get Machine Name for Client in Event ID 560?"
- Previous message: Will: "Collecting Security Logs to Central Server?"
- In reply to: Will: "Permissions on SYSVOL Directory"
- Next in thread: Will: "Re: Permissions on SYSVOL Directory"
- Reply: Will: "Re: Permissions on SYSVOL Directory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 13 Nov 2005 22:34:04 -0600
I have never actually tried to audit that directory, but are those client
computers failing to have Group Policy applied to them, which among other
things would be evidenced by errors/warnings for userenv in the application
log and errors when running gpresult? You also might want to enable debug
logging of userenv to see what is going on with GP processing by looking at
the userenv.log file.
--- Steve
"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:d_-dnXBdtegfaereRVn-hQ@giganews.com...
> I'm getting an EventID 560 from machines on our network trying to access
> SYSVOL, and in examining the detail of the message I'm confused by what is
> happening. On our domain controller, the sysvol *share* is located at
> %SYSTEMROOT%\sysvol\sysvol. I've never understood why there is a sysvol
> share under the directory named sysvol. Maybe someone can explain that one
> to me as well.
>
> What I am seeing in the security section of eventviewer is that machines are
> trying to apply group policy by directory accessing the %SYSTEMROOT%\sysvol
> directory and NOT using the sysvol share. A typical event 560 error is as
> follows:
>
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\WINNT\SYSVOL\DOMAIN\POLICIES\{61A2F...}\MACHINE\MICROSOFT\WINDOWS NT\SECEDIT\GPTTMPL.INF
> New Handle ID: -
> Operation ID: {0,67842636}
> Process ID: 8
> Primary User Name: DOMAIN-CONTROLLERA$
> Primary Domain: CORPORATE
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: CLIENT-WORKSTATIONC$
> Client Domain: CORPORATE
> Client Logon ID: (0x0,0x55B231A)
> Accesses READ_CONTROL
> ReadData (or ListDirectory)
> ReadEA
> ReadAttributes
>
> Privileges -
>
>
> I'm confused by a number of things here:
>
> 1) Why are machines attempting to apply group policy through a location that
> does not travel through the SYSVOL share?
>
> 2) Even once I explicitly give Read and Read & Execute permission to all
> Domain Users and Domain Computers to access the specific path they are
> traversing, I still get the event id 560.
>
> Any help understanding this is appreciated.
>
> --
> Will
>
>
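Added example, not part of either poster's message: a small Python parser for the Event 560 description format quoted above. It pulls out the client account, the file opened relative to SYSVOL, and the access list, so that many such events can be compared side by side. The sample event is constructed with placeholder names, and `parse_560`, `sysvol_relative` and `summarize` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the quoted event; all names are placeholders.
SAMPLE_560 = r"""Object Open:
Object Name: \Device\HarddiskVolume1\WINNT\SYSVOL\DOMAIN
\POLICIES\{PLACEHOLDER-GUID}\MACHINE\MICROSOFT\WINDOWS NT\SECEDIT\GPTTMPL.INF
Primary User Name: EXAMPLE-DC$
Primary Logon ID: (0x0,0x3E7)
Client User Name: EXAMPLE-WS$
Accesses READ_CONTROL
ReadData (or ListDirectory)
ReadEA

Privileges -
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]+):(?:\s+(.*))?$")

def parse_560(text):
    """Return the event's fields as a dict; 'Accesses' becomes a list."""
    event, last = {"Accesses": []}, None
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # tolerate mail quoting
        head, _, rest = line.partition(" ")
        m = FIELD.match(line)
        if not line:
            last = None
        elif head.rstrip(":") in ("Accesses", "Privileges"):  # may lack a colon
            last, rest = head.rstrip(":"), rest.strip()
            event[last] = ([rest] if rest else []) if last == "Accesses" else rest
        elif m:
            last = m.group(1).strip()
            event[last] = m.group(2) or ""
        elif last == "Accesses":        # one access right per following line
            event[last].append(line)
        elif last == "Object Name":     # path wrapped at a backslash
            event[last] += line
    return event

def sysvol_relative(object_name):
    """Path below the first \\SYSVOL\\ component, or None if outside it."""
    m = re.search(r"\\SYSVOL\\(.+)$", object_name, re.IGNORECASE)
    return m.group(1) if m else None

def summarize(event):
    # 0x3E7 is the well-known LocalSystem logon session ID
    system = event.get("Primary Logon ID", "").upper().endswith(",0X3E7)")
    return {"client": event.get("Client User Name"), "accesses": event["Accesses"],
            "path": sysvol_relative(event.get("Object Name", "")),
            "primary_is_system": system}
```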