| Author |
Message |
NickC
Guest
|
 Posted:
Sat Sep 24, 2005 4:50 pm Post subject:
Re: Intermittant GPO failure to apply |
|
|
Charles,
Do you know which registry entries these GPOs actually change?
Thanks,
Nick |
|
| Back to top |
|
 |
Charles Yang [MSFT]
Guest
|
| Posted:
Mon Sep 26, 2005 12:50 am Post subject:
Re: Intermittant GPO failure to apply |
|
|
HI Nick,
It seems you have resolved the issue by changing the
Enablesecuirtysginature from 0 to 1.
I have found the article, in this article it did refer that how to disable
SMB signing on Windows 2003 system, you have to change the registry that
you referred to.
842792 An "ERROR_ACCESS_DENIED" error occurs when you try to write to a file
http://support.microsoft.com/?id=842792
I also found a detailed steps about how to disable SMB signing, you can
refer to it for reference, please note that you need to updates the policy
by force if you did not restart the computer.
1. At the server, open the Server Management console.
2. Expand Advanced Management.
3. Expand Group Policy Management.
4. Expand the Forest.
5. Expand Domain Controllers.
6. The SBS policy objects will display in the right-hand pane along with
the
Default Domain Controllers Policy.
7. Right-click the domain controllers in the console tree and select Create
and
Link a GPO Here.
8. Enter "SMB Signing Disabled" (without the quotations marks) for the GPO
Name and click OK.
9. Right-click on the new GPO in the right-hand pane and select Edit to
open the Group Policy Object Editor.
10. Under Computer Configuration, expand Windows Settings.
11. Expand Security Settings.
12. Expand Local Policies.
13. Select Security Options.
14. In the right-hand pane, scroll down to "Microsoft network server:
Digitally sign communications (always)" and double-click on the policy
object.
15. Select the Disabled radio button and make sure the checkbox is enabled
for
Define this policy setting.
16. In the right-hand pane, scroll down to "Microsoft network client:
Digitally sign communications (always)" and double-click on the policy
object.
17. Select the Disabled radio button and make sure the checkbox is enabled
for
Define this policy setting.
18. Click OK.
19. Close the Group Policy Object Editor.
20. Right-click on the SMB Signing Disabled policy object and select
Enforced. In the Linked Group Policy Objects window, the SMB Signing
Disabled object should show
Yes under both Enforced and Link Enabled.
21. Move the SMB Signing Disabled policy just above the Default Domain
Controllers Policy in the window. The SMB Signing Disabled policy object
should above the
Default Domain Controller Policy.
22. Open a command prompt window on the server.
23. Type "gpupdate /force" (without the quotation marks) and press Enter.
24. When the policy update completes, close the command prompt window.
It will change the registry when the policy is updates.
Hope the above information helpful.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security |
|
| Back to top |
|
|
NickC
Guest
|
| Posted:
Sat Oct 01, 2005 8:50 pm Post subject:
Re: Intermittant GPO failure to apply |
|
|
Latest observations:
We have a new workstation, exactly the same as all the others, which does
not seem to suffer from this problem. The only difference that I can see is
that it has not had MSN messenger installed on it! Is there anyway that MSN
messenger could be causing these GPO problems?
Nick |
|
| Back to top |
|
|
Charles Yang [MSFT]
Guest
|
| Posted:
Mon Oct 03, 2005 6:32 am Post subject:
Re: Intermittant GPO failure to apply |
|
|
HI Nick,
Thanks for updates.
MSN will not cause that problem, as I know this kinds of problem should be
caused by the firewall or third party anti-virus software, in the meantime,
could you check on your SBS 2003, does the event 1030 and 1058 still occurs
or not. If only the error 1030 occurs you did not need to anxious about it,
if the problem still occurs on many workstation and impact the network
connection, it should be caused by the firewall is blocked the GPO, if ISA
2004 is applied you need to make sure that IP fragments is not enabled on
the ISA server.
Please feel free to post back, I appreciated your understanding, as the
issue is complexity so we might have to trouble shoot for a little long
time.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security |
|
| Back to top |
|
|
NickC
Guest
|
| Posted:
Fri Oct 14, 2005 12:50 pm Post subject:
Re: Intermittant GPO failure to apply |
|
|
Thanks Charles,
| Quote: | Currently, we have a workaround on our side, you can run gpupdate /force
on
the logon script for every user so that the GPO will be updated no matter
the network is fully ready or not?
But sometimes the GPO will apply correctly at startup but at some point |
later in the day it gets un-applied and the problems start again.
| Quote: | Please also check the binding order on the client computer to make sure
that the LAN NIC is list at the first place.
OK next time I am connected I will check this but I think they are the only |
network device on these machines.
| Quote: | Additional information:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
You can do this by adding a DWORD value of
GpNetworkStartTimeoutPolicyValue
with a number of seconds between 30 and 600.
|
Already have one workstation which has
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current
Version\Winlogon\GpNetworkStartTimeoutPolicyValue DWORD value=500 but that
doesn't seem to make any difference, does this other registry entry need to
be changed as well?
Rgds,
Nick |
|
| Back to top |
|
|
Charles Yang [MSFT]
Guest
|
| Posted:
Mon Oct 17, 2005 12:50 am Post subject:
RE: Intermittant GPO failure to apply |
|
|
HI Nick,
Thanks for updates.
Just as I referred, this issue will sometime occurs and relate to hardware
design issue. Although you have updates the NIC drivers, but it should be
the hardware design issue, so we can not resolve the issue from our side.
The root cause of the issue should be the network package failed to pass
the NIC interface because of the hardware problem. It will not occur all
the time as some time the NIC will work on normal but some time not, that
why we consider as a pure hardware design issue.
So we suggest you add the gpupdate on the logon script, if you still have
concerns on this issue, it is your best interest to call CSS. It might help
resolve the issue more clearly:
To obtain the phone numbers for specific technology request please take a
look at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US please see http://support.microsoft.com for
regional support phone numbers.
Thanks for your understanding on this issue.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security |
|
| Back to top |
|
|
NickC
Guest
|
| Posted:
Tue Oct 18, 2005 8:50 am Post subject:
Re: Intermittant GPO failure to apply |
|
|
Hi Charles,
Just noticed a couple of application event log errors which might be
relevant these only occur very rarely but when they do they appear twice.
The GPO they refer to is the one that changed the name of the Administrator
account.
Do you think these are important or should I just ignore them?
Nick |
|
| Back to top |
|
|
Charles Yang [MSFT]
Guest
|
| Posted:
Tue Oct 18, 2005 12:50 pm Post subject:
Re: Intermittant GPO failure to apply |
|
|
HI Nick,
Thanks for updates.
Thanks a lot for your effort on this issue, I really appreciate your
understand on this issue.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security |
|
| Back to top |
|
|
NickC
Guest
|
| Posted:
Tue Oct 18, 2005 12:50 pm Post subject:
Re: Intermittant GPO failure to apply |
|
|
Thanks Charles, I will try that and see if that solves the problem or
whether it comes back again during the 90 minute GPO refreshes.
For the archive and anyone else reading this I created an input file called
'No.txt' which contains N<enter> and put the following at the end of our
SBS_LOFIN_SCRIPT.bat:
GPUpdate /force <No.txt
Nick |
|
| Back to top |
|
|
NickC
Guest
|
| Posted:
Sat Nov 12, 2005 1:50 pm Post subject:
Re: Intermittant GPO failure to apply |
|
|
Hi Charles,
Just wanted to keep you up to date with the latest progress on this issue.
Things have now got much better, not completely solved but at least most now
work 90% of the time. Allow me to explain what I found:
I noticed that the newer machines virtually never suffered from the GPO
problem but the older machines did. They were all using the same (latest)
NIC driver, the only difference being that the older machines had been
upgraded from the old driver to the new ome whereas the newer machines went
direct to the newer driver.
Investigation showed that not only did the older version of the NIC driver
still exist in System32\drivers but it was also still being used. Just
going on a hunch I uninstalled MSN messenger which seemed to stop this being
accessed, I have also deleted these old driver files just to be sure. It
feels like having MSN messenger installed somehow prevented the NIC driver
update from working correctly, even though device manager indicated that it
had!
All the best,
Nick |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in