Charles Yang [MSFT] (Guest)
Posted: Mon Aug 29, 2005 6:56 am
Post subject: Re: Intermittent GPO failure to apply

Hi Nick,
Thanks for the updates.
This error should be a common error that points to the GPO being updated correctly; it should be blocked by something else.
By the way, have you installed ISA 2004 on your SBS domain? If so, please also disable IP fragments as a test to see if the issue can be resolved.
I will be here waiting for your updates.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
Charles Yang [MSFT] (Guest)
Posted: Wed Aug 31, 2005 12:51 pm
Post subject: Re: Intermittent GPO failure to apply

Hi Nick,
As you mentioned, you have enabled roaming profiles and folder redirection on the SBS domain. Also, in your userenv log we found it still refers to the same problem in ntuser.pol; by default this file will be recreated when you log on to the domain again, so it seems the file is corrupt and the registry is not correct.
Please temporarily delete or rename that file to see if the issue clears. If you are using roaming profiles, please check it on the server.
More info:
269378 Differences in the User Profiles in Windows
http://support.microsoft.com/?id=269378
Hope the above information is helpful. I will be here waiting for your updates. Thanks a lot for your effort on this issue.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
Charles Yang [MSFT] (Guest)
Posted: Wed Aug 31, 2005 12:51 pm
Post subject: Re: Intermittent GPO failure to apply

Hi Nick,
Thanks for your effort.
I am currently researching your log. I will return to you as soon as possible.
Thanks for your understanding.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
NickC (Guest)
Posted: Thu Sep 01, 2005 8:50 pm
Post subject: Re: Intermittent GPO failure to apply

Charles,
I can't find any .pol files anywhere, neither locally nor on the server. I cannot find any <user>.pol files anywhere in the shared profiles directory.
By the way, I noticed that Administrator does not have access to the profiles directory; each user directory in there is owned by the user, and I had to take ownership as administrator to be able to look in there for these <user>.pol files.
Nick
NickC (Guest)
Posted: Thu Sep 01, 2005 8:51 pm
Post subject: Re: Intermittent GPO failure to apply

Hi Charles,
As the SMB signing doesn't seem to make any difference, I would like to set them back to their defaults. Could you tell me what the default settings were for the 'Default Domain Policy' and 'Default Domain Controllers Policy' GPOs for:
Network Client digitally sign communications (always)
Network Client digitally sign communications (if server agrees)
Network Server digitally sign communications (always)
Network Server digitally sign communications (if client agrees)
Thanks,
Nick
Charles Yang [MSFT] (Guest)
Posted: Fri Sep 02, 2005 12:50 am
Post subject: Re: Intermittent GPO failure to apply

Hi Nick,
Thanks for the updates.
The default setting of these GPOs is "not defined" for all the policies below:
Network Client digitally sign communications (always)
Network Client digitally sign communications (if server agrees)
Network Server digitally sign communications (always)
Network Server digitally sign communications (if client agrees)
In addition, have you tried my steps from the previous reply? I will also post them here:
As you mentioned, you have enabled roaming profiles and folder redirection on the SBS domain. Also, in your userenv log we found it still refers to the same problem in ntuser.pol; by default this file will be recreated when you log on to the domain again, so it seems the file is corrupt and the registry is not correct.
Please temporarily delete or rename that file to see if the issue clears. If you are using roaming profiles, please check it on the server.
More info:
269378 Differences in the User Profiles in Windows
http://support.microsoft.com/?id=269378
Hope the above information is helpful.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
NickC (Guest)
Posted: Fri Sep 02, 2005 4:51 pm
Post subject: Re: Intermittent GPO failure to apply

Thanks Charles, see inline below:

Quote:
The default setting of these GPO is "not defined" for all the policy below:
Network Client digitally sign communications (always)
Network Client digitally sign communications (if server agrees)
Network Server digitally sign communications (always)
Network Server digitally sign communications (if client agrees)

Are you sure that the defaults for _both_ the 'Default Domain Policy' and 'Default Domain Controllers Policy' are not defined? Before I changed them I noted that a couple of them were set to Enabled; unfortunately I didn't note exactly which ones they were.

Quote:
In addition, have you tried my steps in previous reply, I will also post here:
As you referred, you have enabled the roaming profiles and folder redirection on SBS domain. Also in your userenv log we found it still refer to the same problem in ntuser.pol, by default this files will be recreate when logon the domain again, it seems the files is corrupt and the registry is not correct.
Please temporally delete that files or rename the files to see if the issue can be clear. If you using roaming profiles, please check it on the server.

Cannot find any NTUser.pol files anywhere; none on workstations, none in the shared Profiles directory on the Server, none in the redirected MyDocuments directory on the server!
By the way, I noticed that Administrator does not have access to the profiles directory; each user directory in there is owned by the user, and I had to take ownership as administrator to be able to look in there for these ntuser.pol files.
Nick
Charles Yang [MSFT] (Guest)
Posted: Mon Sep 05, 2005 6:09 am
Post subject: Re: Intermittent GPO failure to apply

Hi Nick,
Thanks for the updates.
From your description, it seems you could not find the files in the administrator's profile.
As far as I know these should be created when the profile is established. Could you test, if possible, creating a new profile to see if this issue still occurs? If you want to access others' profiles, you need to grant extra permission for the administrator in the folder redirection policy.
In order to make the issue clearer, we need to export all the policies and import them to my test machine, so that we can help reproduce the issue and see if we can find some solutions.
Back up all the group policy:
1. Right-click Group Policy Objects in Server Management.
2. Choose Backup All.
3. Send the files to me at v-chayan@microsoft.com (this should be a folder and a file; please send them together).
We appreciate your understanding.
Best regards,
Charles Yang (MSFT)
NickC (Guest)
Posted: Mon Sep 05, 2005 12:50 pm
Post subject: Re: Intermittent GPO failure to apply

Charles,
GPO backup files emailed to you.
With regard to the user profiles, I can't help but think that we are looking in the wrong place for this error. When the GPOs work correctly the machine is connected and pingable even before any users have logged on, so that makes me think that this is not related to user accounts. What do you think?
I have created a new user with a roaming profile just like the rest, but even that doesn't have an ntuser.pol file anywhere; maybe roaming profiles don't have this file? Logging on to a failed machine as the new user still doesn't solve the problem, but log onto a spare machine as any user and that spare machine is OK. This is looking much more like a machine/network problem rather than a user account issue.
Nick
Charles Yang [MSFT] (Guest)
Posted: Tue Sep 06, 2005 6:22 am
Post subject: Re: Intermittent GPO failure to apply

Hi Nick,
After checking your group policy, we also need to check your event log. Could you send me the application log and system event log from Event Viewer for further research?
Thanks for understanding. Please send the log files to me at v-chayan@microsoft.com.
Best regards,
Charles Yang (MSFT)
Charles Yang [MSFT] (Guest)
Posted: Wed Sep 07, 2005 6:27 am
Post subject: Re: Intermittent GPO failure to apply

Hi Nick,
After checking your event log, we found that errors 1030 and 1058 did not occur every day; they seem to occur only occasionally. They seem to be blocked by the anti-virus software: as far as I know, group policy updates the client's policy every hour, and sometimes the package might be blocked by the anti-virus software.
As you mentioned, I checked the userenv log and event log and also your group policy. We could not find any relevant information relating to this error, as it did not occur frequently. We may need to monitor it to see if this occurs every time, and when it occurs whether it impacts your SBS network connections.
If you still want to know the root cause of this issue, you might have to contact CSS, as the newsgroup might not be suitable for dealing with such a complex problem.
Thanks for understanding. I am glad to help you.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
Charles Yang [MSFT] (Guest)
Posted: Thu Sep 15, 2005 6:16 am
Post subject: Re: Intermittent GPO failure to apply

Hi Nick,
This problem should relate to SMB signing; as we checked on our SBS test machine, all are set to Not Defined. So it should be that your SBS domain needs special settings.
You can check to make sure that the policy for SMB signing is the same on the client side and the server side; then you can successfully authorize with shared folder browsing.
You can either enable or disable SMB signing on both the server and client side. Please also edit the group policy setting on the client side (using gpedit.msc to configure the policy setting).
I also checked your event log; I only found some warnings which are caused by third-party tools. For the warning 5008 for Exchange, I am currently researching it.
Thanks for your understanding.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
Charles Yang [MSFT] (Guest)
Posted: Fri Sep 16, 2005 6:05 am
Post subject: Re: Intermittent GPO failure to apply

Hi Nick,
Regarding the issue you have referred to, could you help me check your Event Viewer to see if there are any other error events?
Could you describe the issue more clearly? Could you tell me what in the "AD dial in access properties" is not available, and is there any error message when you access it?
For the Trend software, please make sure that the client software has the same settings as the server side.
For the attachments, it should be a problem with our newsgroup server; I could not open them. If there is some information in them, please paste it if possible.
I am glad to help you. Thanks a lot for your effort.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
NickC (Guest)
Posted: Fri Sep 16, 2005 8:51 pm
Post subject: Re: Intermittent GPO failure to apply

1). ADS user properties Dial-In tab reports 'Could not load Dial-in profile for this user because: Access is denied'.
2). Trend Micro ScanMail 'cannot logon to server'.
3). We are now getting a lot of these in the Application log:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 16/09/2005
Time: 19:37:43
User: NT AUTHORITY\SYSTEM
Computer: OURSERVER
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.
4). Cannot edit any GPOs because 'You do not have permission to perform this operation - Access is denied'.
The SMB GPOs are set back to the original defaults (which I wrote down before changing them) as follows:
Default Domain policy
Network Client digitally sign communications (always): Not Defined
Network Client digitally sign communications (if server agrees): Not Defined
Network Server digitally sign communications (always): Not Defined
Network Server digitally sign communications (if client agrees): Not Defined
Default Domain Controllers policy
Network Client digitally sign communications (always): Not Defined
Network Client digitally sign communications (if server agrees): Not Defined
Network Server digitally sign communications (always): Enabled
Network Server digitally sign communications (if client agrees): Enabled
Others have suggested that changing these may have altered some registry settings that need to be set back to their previous defaults again.
Any ideas, do I need to restore from tape again?
Nick
"Charles Yang [MSFT]" <v-chayan@online.microsoft.com> wrote in message news:5uW8ArluFHA.580@TK2MSFTNGXA01.phx.gbl...
Charles Yang [MSFT] (Guest)
Posted: Mon Sep 19, 2005 6:15 am
Post subject: Re: Intermittent GPO failure to apply

Hi Nick,
Thanks for the updates.
If you backed up your group policy before, you can restore it from tape; it should be the quickest way to do that. If you have not backed up the group policy individually, we may troubleshoot the issues one by one:
1. Access denied: dial-in properties:
I would like you to follow the KB article below to double confirm it; as far as I know the permission relates to the local service account, not the administrator account. Please refer to the article below:
842695 You may receive an error message when you try to open the Dial-in tab
http://support.microsoft.com/?id=842695
If the permission is set correctly, please also check the following registry keys to see if they are set correctly:
HKLM\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg
HKLM\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg\AllowedPaths
The local service account should also have read permission.
By default, if only error 1030 occurs, we may safely ignore it, as this might relate to a cached credential issue:
I. You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
II. The following registry value removes the "Remember My Password" option from all prompts for authentication:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value Name: disabledomaincreds
Value Type: REG_DWORD
Values: 0 = allow domain credentials to be stored
        1 = do not store domain credentials
Set the disabledomaincreds value to "0" to restore the "Remember My Password" checkbox on the prompt for authentication.
III. Set Kerberos to use TCP
244474 How to force Kerberos to use TCP instead of UDP in Windows Server 2003
http://support.microsoft.com/?id=244474
Steps #1 and #2 I introduced in my last reply are both used to delete the stored credentials. Step #1 can be applied to a group policy that covers the SBS server, such as the Domain Controllers policy, and you will find the policy below:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
Step #2 uses the registry key. "0" is the default value. When you set this key to 1, it purges the original credentials to clear the store; then restart the machine.
If you do not want the above steps, you could use the following way to delete the cached credentials directly:
1. On the SBS server, open Control Panel.
2. Open 'Stored User Names and Passwords'.
3. Remove all entries in the list, as the problem could be caused by an incorrect credential cached here.
If the problem cannot be resolved, we may need to set Kerberos to TCP only, for the following reasons.
The Windows Kerberos authentication package is the default authentication package in Microsoft Windows Server 2003. By default, the maximum size of datagram packets for which Windows Server 2003 uses UDP is 1,465 bytes. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the hardware of your SBS network, these larger packets may have to be fragmented when going through. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.
This issue could then occur when you log on to the SBS server remotely and the UDP packet is dropped in this situation. So we could set Kerberos to use TCP only, as Kerberos is designed to work under both UDP and TCP.
For the error that you could not edit group policy, it should relate to updates you have not applied; please refer to my suggestion below (this should be the article that refers to your issue):
839499 You cannot open file shares or Group Policy snap-ins when you disable
http://support.microsoft.com/?id=839499
For the Trend software, please try to resolve the above issues to see if this issue clears.
Hope the above information is helpful. I am glad to help you.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
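The settings this thread keeps returning to (the four SMB signing policies, the Lsa disabledomaincreds value, and the Kerberos transport setting from KB 244474) can be read back from the registry in one pass. The script below is an added example, not code from the thread or from Microsoft; it assumes the usual mapping of the "Digitally sign communications (always)" / "(if server/client agrees)" policies to the RequireSecuritySignature / EnableSecuritySignature values of the LanmanWorkstation and LanmanServer services, and that MaxPacketSize under Lsa\Kerberos\Parameters is the value KB 244474 sets to 1 to force TCP.

```powershell
# Added example (not from the thread): audit the SMB signing, cached-credential
# and Kerberos transport settings discussed above on the local machine.
# Assumption: policy-to-value mapping as stated in the lead-in; MaxPacketSize = 1
# is the KB 244474 setting that forces Kerberos to TCP.

$WksKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$SrvKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, which is what "Not Defined" in the GPO leaves behind.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SmbSigningCompatible {
    # Pure check, so the values can come from two different hosts (workstation and server).
    # Only an explicit 0 counts as "will not sign"; Not Defined ($null) falls back to a
    # role-dependent default and is therefore not reported as a mismatch here.
    param($ClientRequire, $ClientEnable, $ServerRequire, $ServerEnable)
    $cReq = ($ClientRequire -eq 1)
    $sReq = ($ServerRequire -eq 1)
    $cOff = ($ClientEnable -eq 0) -and -not $cReq
    $sOff = ($ServerEnable -eq 0) -and -not $sReq
    # A session fails when one side insists on signing and the other side refuses to sign.
    if ($cReq -and $sOff) { return $false }
    if ($sReq -and $cOff) { return $false }
    return $true
}

function Get-ThreadSettings {
    [pscustomobject]@{
        ClientSignAlways      = Get-RegDword $WksKey  'RequireSecuritySignature'
        ClientSignIfAgrees    = Get-RegDword $WksKey  'EnableSecuritySignature'
        ServerSignAlways      = Get-RegDword $SrvKey  'RequireSecuritySignature'
        ServerSignIfAgrees    = Get-RegDword $SrvKey  'EnableSecuritySignature'
        DisableDomainCreds    = Get-RegDword $LsaKey  'disabledomaincreds'
        KerberosMaxPacketSize = Get-RegDword $KerbKey 'MaxPacketSize'
    }
}

$s = Get-ThreadSettings
$s | Format-List
$ok = Test-SmbSigningCompatible $s.ClientSignAlways $s.ClientSignIfAgrees `
                                $s.ServerSignAlways $s.ServerSignIfAgrees
if (-not $ok) { Write-Warning 'SMB signing is required on one side but explicitly disabled on the other.' }
if ($s.KerberosMaxPacketSize -eq 1) { 'Kerberos is forced to TCP (MaxPacketSize = 1, per KB 244474).' }
else { 'Kerberos still sends tickets over UDP up to the default datagram limit.' }
```

Run it on the SBS server and on an affected workstation, then feed the workstation's Client* values and the server's Server* values into Test-SmbSigningCompatible to check the pair the thread is actually concerned with.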