Re: Permissions on SYSVOL Directory

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/14/05


Date: Mon, 14 Nov 2005 09:05:02 -0600

Is there anything in the userenv.log that would indicate a problem finding
or accessing a domain controller, sysvol share, folder path or otherwise
indicate GP processing is not working right? If you change a setting in GP
does the change show for the computer/user once the GP settings have
refreshed? Any problems shown in netdiag output from the domain client or
domain controller used as shown in the gpresult report? --- Steve

"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:r5adnff-edIFguXeRVn-iA@giganews.com...
> I see errors in the Application Log with details:
>
> Event ID 1000: The Group Policy client-side extension Security was
> passed flags (17) and returned a failure status code of (3).
>
> gpresult reports no errors, but it's quite clear looking at the output for
> computers that it is not grabbing most of the group policy.
>
> --
> Will
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:usHuQSN6FHA.3876@TK2MSFTNGP09.phx.gbl...
>> I have never actually tried to audit that directory but are those client
>> computers failing to have Group Policy applied to them which among other
>> things would be evidenced by errors/warnings for userenv in the application
>> log and errors when running gpresult?? You also might want to enable debug
>> logging of userenv to see what is going on with GP processing by looking at
>> the userenv.log file. --- Steve
>>
>>
>> "Will" <DELETE_westes@earthbroadcast.com> wrote in message
>> news:d_-dnXBdtegfaereRVn-hQ@giganews.com...
>> > I'm getting an EventID 560 from machines on our network trying to access
>> > SYSVOL, and in examining the detail of the message I'm confused by what is
>> > happening. On our domain controller, the sysvol *share* is located at
>> > %SYSTEMROOT%\sysvol\sysvol. I've never understood why there is a sysvol
>> > share under the directory named sysvol. Maybe someone can explain that one
>> > to me as well.
>> >
>> > What I am seeing in the security section of eventviewer is that machines are
>> > trying to apply group policy by directly accessing the %SYSTEMROOT%\sysvol
>> > directory and NOT using the sysvol share. A typical event 560 error is as
>> > follows:
>> >
>> > Object Open:
>> > Object Server: Security
>> > Object Type: File
>> > Object Name:
>> > \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\WINNT\SYSVOL\DOMAIN\POLICIES\{61A2F...}\MACHINE\MICROSOFT\WINDOWS NT\SECEDIT\GPTTMPL.INF
>> > New Handle ID: -
>> > Operation ID: {0,67842636}
>> > Process ID: 8
>> > Primary User Name: DOMAIN-CONTROLLERA$
>> > Primary Domain: CORPORATE
>> > Primary Logon ID: (0x0,0x3E7)
>> > Client User Name: CLIENT-WORKSTATIONC$
>> > Client Domain: CORPORATE
>> > Client Logon ID: (0x0,0x55B231A)
>> > Accesses READ_CONTROL
>> > ReadData (or ListDirectory)
>> > ReadEA
>> > ReadAttributes
>> >
>> > Privileges -
>> >
>> >
>> > I'm confused by a number of things here:
>> >
>> > 1) Why are machines attempting to apply group policy through a location that
>> > does not travel through the SYSVOL share?
>> >
>> > 2) Even once I explicitly give Read and Read & Execute permission to all
>> > Domain Users and Domain Computers to access the specific path they are
>> > traversing, I still get the event id 560.
>> >
>> > Any help understanding this is appreciated.
>> >
>> > --
>> > Will
>> >
>> >
>>
>>
>
>
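
An added example, not part of the original thread: a small Python parser for the Event 560 description quoted above, which rejoins the wrapped Object Name and reports which SYSVOL file was opened, by which client account, and whether any requested access goes beyond read. The field labels come from the quoted event; the function names and the `READ_ONLY` set are assumptions made for this illustration.

```python
import re

# Constructed sample: the Event 560 description quoted in the thread, abridged,
# with the wrapped "Object Name" and multi-line "Accesses" kept as posted.
SAMPLE_560 = r"""Object Open:
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\WINNT\SYSVOL\DOMAIN
\POLICIES\{61A2F...}\MACHINE\MICROSOFT\WINDOWS NT\SECEDIT\GPTTMPL.INF
Primary User Name: DOMAIN-CONTROLLERA$
Client User Name: CLIENT-WORKSTATIONC$
Client Domain: CORPORATE
Client Logon ID: (0x0,0x55B231A)
Accesses READ_CONTROL
ReadData (or ListDirectory)
ReadEA
ReadAttributes

Privileges -
"""

LABELS = ("Object Type", "Object Name", "Primary User Name", "Client User Name",
          "Client Domain", "Client Logon ID", "Accesses", "Privileges")
# Assumption: these access names count as read-only for triage purposes.
READ_ONLY = {"READ_CONTROL", "ReadData (or ListDirectory)", "ReadEA",
             "ReadAttributes", "SYNCHRONIZE"}

def parse_560(text):
    """Map each label to its value lines; unlabeled lines continue the previous field."""
    fields, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        label = next((l for l in LABELS if line.startswith(l)), None)
        if label:
            current = label
            fields[label] = [line[len(label):].lstrip(": \t")]
        elif line and current:
            fields[current].append(line)
    return fields

def triage(fields):
    """Summarise who opened which SYSVOL file and whether the request was read-only."""
    name = "".join(fields["Object Name"])          # rejoin the wrapped path
    m = re.search(r"\\SYSVOL\\(.*)$", name, re.IGNORECASE)
    accesses = [a for a in fields["Accesses"] if a]
    client = fields["Client User Name"][0]
    return {
        "sysvol_relative": m.group(1) if m else None,
        "client": fields["Client Domain"][0] + "\\" + client,
        "machine_account": client.endswith("$"),
        "non_read_accesses": [a for a in accesses if a not in READ_ONLY],
    }
```
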


