Re: Local authentication errors on Windows 2003 Server



Thanks for the suggestion, Steve,

Still no joy, I'm afraid.

netdiag passes every test that is applicable to the server (IP security
and WAN tests skipped). A verbose log revealed nothing unusual,
particularly any mention of the old domain XXXXXXXX.net (as opposed to
the XXXXXXXX.local it was changed to 18 months ago).

Since the original post I have questioned the validity of the GPOs, not
least because there was at least one .pol file missing. I bit the
bullet and tried DcGPOFix. This tells me:
====================
Unable to open the GPO due to access denied. Verify that permissions on the file system path
C:\WINDOWS\sysvol\sysvol\XXXXXXXX.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol
and the active directory path
LDAP://XXXXXXXX-server.XXXXXXXX.local/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=XXXXXXXX,DC=local
are sufficient to modify the GPO.
Access is denied.
Warning: This tool was unable to re-create the EFS Certificates in the Default Domain Policy GPO
Access is denied.
====================

Again this leads me to think it's some sort of ACL related problem. I
have checked the folder permissions and while it is not my forte the
LDAP permissions look acceptable too.

In case the Administrator user was somehow corrupted, I have created a
new user with full administrative group access and get exactly the same
errors...

I want to confirm the authentication process is operating correctly as
I suspect the authentication is either being subverted, misdirected or
misinterpreted somewhere. How would I go about tracing the
authentication process undertaken when a secured object is accessed,
such as accessing a file share?

Note again that this only affects the server, not any of the client
machines therefore it is most likely, IMHO, to be a local setting as
opposed to a global domain issue...

Thanks,

Neil
