Password Expiration
Windows Server Forum Index -> Small Business Server 2003
Author Message
Robert Zahm (Guest)
Posted: Wed Oct 26, 2005 8:50 pm    Post subject: Password Expiration

Some of our users like to remain logged into our SBS domain and never log
out. I understand that this is not a very good security practice, but the
behavior is unlikely to change.

I've been seeing a few events logged recently related to applying group
policy (events are included at the bottom of this email), and I'm wondering
if this could be caused by users who are logged in with passwords that have
since expired. If I run "gpupdate" from the command line, I don't see any
error messages appear in the logs, which leads me to believe that it is not
the passwords causing it. Anyone have any ideas for troubleshooting this
error?

If this is being caused by expired passwords, is there any way I can be
notified when a user's password expires so that I can have them log out and
then log back in?

Thanks,

Rob

Event Type: Information
Event Source: SceCli
Event Category: None
Event ID: 1704
Date: 10/26/2005
Time: 6:05:55 AM
User: N/A
Computer: BRADFORDDC01
Description:
Security policy in the Group policy objects has been applied successfully.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

(the fact that this event is logged, and no errors are logged when I
manually run gpupdate leads me to believe that I might have a problem other
than the users logged in with expired passwords).


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1006
Date: 10/26/2005
Time: 10:26:08 AM
User: NT AUTHORITY\SYSTEM
Computer: BRADFORDDC01
Description:
Windows cannot bind to BradfordRealEstateServicesCorp.local domain. (Local
Error). Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 10/26/2005
Time: 10:26:08 AM
User: NT AUTHORITY\SYSTEM
Computer: BRADFORDDC01
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
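On the notification question raised above: the following is an added example, not code from the thread or from either poster. It computes each user's password expiry from the account's pwdLastSet and the domain-wide maxPwdAge using ADSI/DirectorySearcher only, so it needs no RSAT module and works against a Windows Server 2003 DC; it assumes it runs on a domain-joined machine as a domain user with read access, and it considers the domain-wide policy only (per-user "password never expires" accounts are skipped).

```powershell
# Added example (not from the thread): report domain users whose password has
# expired or expires within $WarnDays, computed from each account's pwdLastSet
# and the domain-wide maxPwdAge. Uses ADSI/DirectorySearcher only, so it needs
# no RSAT module and works against a Windows Server 2003 DC.
# Assumes it runs on a domain-joined machine as a domain user with read access.
function Get-PasswordExpiryReport {
    param([int]$WarnDays = 7)

    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.ToString()

    # maxPwdAge is a negative Int64 of 100-ns ticks; 0 or Int64.MinValue means
    # "passwords never expire" for the whole domain (domain policy only; this
    # does not consider fine-grained password policies of newer domains).
    $root = New-Object System.DirectoryServices.DirectorySearcher
    $root.SearchRoot  = [ADSI]"LDAP://$domainDn"
    $root.SearchScope = 'Base'
    $root.Filter      = '(objectClass=domainDNS)'
    $root.PropertiesToLoad.Add('maxPwdAge') | Out-Null
    $maxPwdAge = [Int64]$root.FindOne().Properties['maxpwdage'][0]
    if ($maxPwdAge -eq 0 -or $maxPwdAge -eq [Int64]::MinValue) {
        Write-Warning 'Domain policy: passwords never expire; nothing to report.'
        return @()
    }

    # Enabled users whose password is subject to expiry: exclude ACCOUNTDISABLE
    # (0x2) and DONT_EXPIRE_PASSWD (0x10000) via the LDAP bitwise-AND matching rule.
    $users = New-Object System.DirectoryServices.DirectorySearcher
    $users.SearchRoot = [ADSI]"LDAP://$domainDn"
    $users.PageSize   = 500
    $users.Filter     = '(&(objectCategory=person)(objectClass=user)' +
                        '(!userAccountControl:1.2.840.113556.1.4.803:=2)' +
                        '(!userAccountControl:1.2.840.113556.1.4.803:=65536))'
    foreach ($p in 'sAMAccountName', 'pwdLastSet') { $users.PropertiesToLoad.Add($p) | Out-Null }

    $now = [DateTime]::UtcNow
    foreach ($r in $users.FindAll()) {
        $name       = [string]$r.Properties['samaccountname'][0]
        $pwdLastSet = [Int64]$r.Properties['pwdlastset'][0]

        # pwdLastSet = 0 means "user must change password at next logon".
        if ($pwdLastSet -eq 0) {
            [pscustomobject]@{ User = $name; Expires = $null; DaysLeft = 0; Status = 'MustChange' }
            continue
        }

        # Expiry = pwdLastSet - maxPwdAge (both in FILETIME ticks; maxPwdAge is negative).
        $expires  = [DateTime]::FromFileTimeUtc($pwdLastSet - $maxPwdAge)
        $daysLeft = [int][Math]::Floor(($expires - $now).TotalDays)
        $status   = if ($daysLeft -lt 0) { 'Expired' }
                    elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                    else { 'Ok' }
        if ($status -ne 'Ok') {
            [pscustomobject]@{ User = $name; Expires = $expires; DaysLeft = $daysLeft; Status = $status }
        }
    }
}

# Run it; to be notified, schedule this script (e.g. daily) and mail the output.
Get-PasswordExpiryReport -WarnDays 7 | Sort-Object DaysLeft | Format-Table -AutoSize
```

Users listed as Expired or MustChange are the ones whose sessions were authenticated with credentials that are no longer valid, which is the situation the post describes.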
Charles Yang [MSFT] (Guest)
Posted: Thu Oct 27, 2005 7:48 am    Post subject: RE: Password Expiration

Hi Robert.

Thanks for using the SBS newsgroup.

Issue description:
===============

I understand that you are worried about the security issue on the SBS domain,
since some users seem to log on to the SBS domain and never log off.

Analyzing and suggestions:
================

Before we go any further, could you clarify from which event you determined
that the users log on to the SBS domain and never log off, so that we can
identify the detailed problem?

Generally speaking, the events you pasted are not related to a security issue;
they seem to be a group policy issue. Let me explain them one by one:

Event 1704

If the event does not occur very often, you do not need to worry about it; it
just means the group policy has been refreshed. If it occurs frequently, please
refer to the suggestion below:

This issue may occur if the registry information regarding Group Policy
refresh has been set inappropriately. Please perform the following steps:

1. Open Registry Editor.
2. Locate the following key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

3. Modify the value MaxNoGPOListChangesInterval to 3c0.

This is the default value and it will reset "forced policy" re-application
to 16 hours (960 minutes).

For more detailed information regarding this value, please refer to the
following KB article:

277543 How to delay security policies from being applied
http://support.microsoft.com/?id=277543

Errors 1006 and 1030:

Before we go any further, please make sure you do not do the same things to
the computers which are not getting these events.

1. Please rejoin the domain following my steps below. I understand that you
have done it, but please double check to make sure that you followed the
steps below:

Actually, this issue can occur if the computer accounts for the computers
are corrupted. To resolve the issue, you should try the following steps to
quit and rejoin the domain (disjoining and joining):

A. Quit the clients from the domain and join them to a workgroup.

B. Open the "Active Directory Users and Computers" snap-in (dsa.msc).

C. Open the Computers or My Business\Computers\SBSComputers container.
Right click on a computer account and choose Delete. Do this for all the
problematic computers.

D. Join the clients into the domain again.

You should make sure all clients point to the SBS server's internal IP
address as their ONLY DNS server. Also make sure both network adapters on the
SBS server point to the SBS internal IP address as the only DNS server. In
DNS, use a forwarder to forward all name resolution requests to the ISP's
DNS server. For more information, please refer to the following Microsoft
Knowledge Base article:

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

Regarding how to check DNS for Dynamic Update, please run DNSMGMT.MSC to
open the DNS management console, right click on the "server.domain.local"
forward lookup zone, choose Properties, and then make sure "Dynamic
Updates" is set to "Secure Only". If you made changes to the settings in
DNS, you should restart the DNS Server service (right click on the server
name and choose All Tasks->Restart).

Regarding the event 1030 problem, please make sure the "Distributed File
System" service is started on the server. Also make sure the DFS Client is
enabled on the clients using the following steps:

WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Click Start, and then click Run.

2. In the Open box, type "regedt32" (without the quotation marks), and then
click OK.

3. In the Registry Editor window, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup

4. In the right details pane, check if you see the "DisableDFS" value. If
you cannot find it, DFS Client should be enabled. If you see it,
double-click DisableDFS. The DFS client is turned off if the value in the
"Value data" box is 1. The DFS client is turned on if the value in the
"Value data" box is 0.

5. In the Edit DWORD Value dialog box that appears, type "0" (without the
quotation marks) in the "Value data" box, and then click OK.

6. On the File menu, click Exit to quit Registry Editor.


Please do not hesitate to let me know if you have any further concerns. I
will be here waiting for your updates.


Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
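The checks in the reply above (the Security CSE refresh interval, the DFS client value under Mup, the DFS service, the DNS server order on each adapter and the zone dynamic-update setting) gathered into one read-only audit. This is an added example, not code from the thread or from Microsoft; it only reads settings and reports them beside the value the reply expects. It assumes Windows PowerShell (Get-WmiObject) on the SBS server or a client, and $SbsInternalIp is a placeholder for the SBS server's internal IP address.

```powershell
# Added example (not from the thread): read-only audit of the settings the
# reply above asks to verify, each reported beside the value it expects.
# Nothing is changed; you decide what to edit afterwards.
# Assumes Windows PowerShell on the SBS server (on a client the DFS service and
# DNS zone checks are simply skipped); $SbsInternalIp is a placeholder.
function Test-SbsGroupPolicyPrereqs {
    param([string]$SbsInternalIp = '192.0.2.10')   # placeholder, not a real address from the thread

    $results = New-Object System.Collections.ArrayList
    function Add-Check($Check, $Actual, $Expected, $Ok) {
        $null = $results.Add([pscustomobject]@{ Check = $Check; Actual = $Actual; Expected = $Expected; Ok = [bool]$Ok })
    }

    # 1. Security CSE refresh interval; absent means the 0x3c0 (960 min) default applies.
    $cseKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
    $interval = (Get-ItemProperty -Path $cseKey -ErrorAction SilentlyContinue).MaxNoGPOListChangesInterval
    $actual   = if ($null -eq $interval) { '(not set, default)' } else { '0x{0:x} ({0} min)' -f $interval }
    Add-Check 'MaxNoGPOListChangesInterval' $actual '0x3c0 (960 min)' (($null -eq $interval) -or ($interval -eq 0x3c0))

    # 2. DFS client on this machine: DisableDFS absent or 0 means the client is enabled.
    $disableDfs = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup' -ErrorAction SilentlyContinue).DisableDFS
    $actual     = if ($null -eq $disableDfs) { '(not set, enabled)' } else { "$disableDfs" }
    Add-Check 'Mup\DisableDFS' $actual '0 or absent' (($null -eq $disableDfs) -or ($disableDfs -eq 0))

    # 3. Distributed File System service must be running on the server.
    $dfs = Get-Service -DisplayName 'Distributed File System' -ErrorAction SilentlyContinue
    if ($dfs) { Add-Check 'DFS service' $dfs.Status 'Running' ($dfs.Status -eq 'Running') }

    # 4. Every IP-enabled adapter should list only the SBS internal IP as its DNS server.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $dns = @($nic.DNSServerSearchOrder)
        Add-Check "DNS on '$($nic.Description)'" ($dns -join ', ') $SbsInternalIp ($dns.Count -eq 1 -and $dns[0] -eq $SbsInternalIp)
    }

    # 5. Primary forward lookup zones should allow secure dynamic updates only
    #    (MicrosoftDNS_Zone.AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only).
    $zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone -ErrorAction SilentlyContinue |
             Where-Object { -not $_.Reverse -and $_.ZoneType -eq 1 }
    foreach ($z in $zones) {
        Add-Check "Zone $($z.Name) dynamic update" $z.AllowUpdate '2 (Secure only)' ($z.AllowUpdate -eq 2)
    }

    return $results
}

Test-SbsGroupPolicyPrereqs | Format-Table -AutoSize
```

Any row with Ok = False is a setting the reply asks to correct; the registry edits themselves are still done by hand as described above.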


Robert Zahm (Guest)
Posted: Fri Oct 28, 2005 12:50 am    Post subject: Re: Password Expiration

Charles,

I am able to determine that they don't log out because I know that they
don't physically log out when leaving for the day, and don't have to log in
when they arrive in the morning. They generally only log out when their
passwords have expired and they can no longer access domain resources.
There isn't a particular event that leads me to believe they aren't logging
out - I know for a fact that they don't, and I'm wondering if that is why I
am seeing the 1006 and 1030 errors on the domain controller.

Event 1704 does not occur all that often on the DC, I included it so that
you could see that it is capable of applying the domain security sometimes,
and it normally occurs a few hours before the other errors.

Events 1006 and 1030 are occurring on the domain controller, not the client
machines, so the suggestion of removing them from the domain and adding them
back in doesn't seem to apply.

I'm not sure why you included information regarding DNS updates, I ran
"gpupdate" thinking that it would reapply the global policy, am I incorrect
in thinking this? Just the same, under "Forward Lookup Zones" I don't see
server.domain.local, but I do see _msdcs.domain.local and domain.local.
Both have "Dynamic Updates" set to "Secure Only."

The "Distributed File System" service is running on the SBS2003 SP1 domain
controller. I also do not see a "DisableDFS" value in the registry for the
client machines (WinXP SP2).

Thanks for your help!

Rob


Charles Yang [MSFT] (Guest)
Posted: Fri Oct 28, 2005 7:01 am    Post subject: Re: Password Expiration

Hi Robert,

Thanks for your detailed updates.

Let me clarify: the group policy error is mostly caused by DNS not being set
up correctly. That is why I suggested you check that the DNS servers in the
TCP/IP properties on all network interfaces of the SBS domain computers point
to the SBS internal NIC, or you will encounter problems.

In order to make the issue clearer, could you send me all the event logs so
that we can identify the issue more clearly? Please send them to my mailbox
v-chayan@microsoft.com.
Thanks for your understanding and effort on this issue. I will be here
waiting for your updates.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Robert Zahm" <robzahm@hotmail.com>
| References: <OcG325k2FHA.3420@TK2MSFTNGP15.phx.gbl>
<Pt3yzDq2FHA.2904@TK2MSFTNGXA01.phx.gbl>
| Subject: Re: Password Expiration
| Date: Thu, 27 Oct 2005 16:43:35 -0500
| Lines: 314
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
| X-RFC2646: Format=Flowed; Original
| Message-ID: <OyWz89z2FHA.3788@tk2msftngp13.phx.gbl>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: 64-45-168-10.client.cypresscom.net 64.45.168.10
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:165255
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Charles,
|
| I am able to determine that they don't log out because I know that they
| don't physically log out when leaving for the day, and don't have to log
in
| when they arrive in the morning. They generally only log out when their
| passwords have expired and they can no longer access domain resources.
| There isn't a particular event that leads me to believe they aren't
logging
| out - I know for a fact that they don't, and I'm wondering if that is why
I
| am seeing the 1006 and 1030 errors on the domain controller.
|
| Event 1704 does not occur all that often on the DC, I included it so that
| you could see that it is capable of applying the domain security
sometimes,
| and it normally occurs a few hours before the other errors.
|
| Events 1006 and 1030 are occurring on the domain controller, not the
client
| machines, so the suggestion of removing them from the domain and adding
them
| back in doesn't seem to apply.
|
| I'm not sure why you included information regarding DNS updates, I ran
| "gpupdate" thinking that it would reapply the global policy, am I
incorrect
| in thinking this? Just the same, under "Forward Lookup Zones" I don't
see
| server.domain.local, but I do see _msdcs.domain local and domain.local.
| Both have "Dynamic Updates" set to "Secure Only."
|
| The "Distributed File System" service is running on the SBS2003 SP1
domain
| controller. I also do not see a "DisableDFS" value in the registry for
the
| client machines (WinXP SP2).
|
| Thanks for your help!
|
| Rob
|
|
| ""Charles Yang [MSFT]"" <v-chayan@online.microsoft.com> wrote in message
| news:Pt3yzDq2FHA.2904@TK2MSFTNGXA01.phx.gbl...
| >
| > HI Robert.
| >
| > Thanks for using SBS newsgroup.
| >
| > Issue description:
| > ===============
| >
| > I understand that you are worry about the security issue on SBS domain,
| > due
| > to some users seems to logon SBS domain and never log off.
| >
| > Analyzing and suggestions:
| > ================
| >
| > Before we go any further, could you clarify from what event you
determine
| > the user logon to SBS domain and never log off? So that we can identify
| > the
| > detailed problem.
| >
| > Generally speaking, the event you paste is not related to security
issue,
| > it seems to be the group policy issue. Let me explain it one by one:
| >
| > Event 1704
| >
| > If the event did not occur very often, you do not need to care it, it
just
| > means the group policy is refresh, if it occurs frequently, please
refer
| > to
| > the suggestion below:
| >
| > This issue may occur if the registry information regarding Group Policy
| > refresh has been set inappropriately. Please perform the following
steps:
| >
| > 1. Open Registry Editor.
| > 2. Locate to the following key:
| >
| > a) HKLM\SOFTWARE\Microsoft\Windows
| >
NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83
| > A}
| >
| > 2. Modify the Value MaxNoGPOListChangesInterval to 3c0
| >
| > This is the default value and it will reset "forced policy"
re-application
| > to 16 hours (960 minutes).
| >
| > For more detailed information regarding this value, please refer to the
| > following KB article:
| >
| > 277543 How to delay security policies from being applied
| > http://support.microsoft.com/?id=277543
| >
| > Error 1006 and 1030:
| >
| > Before we go any further, please make sure Do not do the same things to
| > the
| > computers which are not getting this events.
| >
| > 1. Please rejoin the domain following my steps below. I understand that you
| > have done it, but please double-check to make sure that you followed the
| > steps below:
| >
| > Actually, this issue can occur if the computer accounts for the computers
| > are corrupted. To resolve the issue, you should try the following steps to
| > quit and rejoin the domain (disjoining and joining):
| >
| > A. Remove the clients from the domain and join them to a workgroup.
| >
| > B. Open the "Active Directory Users and Computers" snap-in (dsa.msc).
| >
| > C. Open the Computers or My Business\Computers\SBSComputers container.
| > Right-click on a computer account and choose Delete. Do this for all the
| > problematic computers.
| >
| > D. Join the clients to the domain again.
| >
| > You should make sure all clients point to the SBS server's internal IP
| > address as their ONLY DNS server. Also make sure both network adapters on
| > the SBS server point to the SBS internal IP address as their only DNS
| > server. In DNS, use a forwarder to forward all name resolution requests to
| > the ISP's DNS server. For more information, please refer to the following
| > Microsoft Knowledge Base article:
| >
| > 825763 How to configure Internet access in Windows Small Business Server
| > 2003
| > http://support.microsoft.com/?id=825763
| >
| > Regarding how to check DNS for Dynamic Update, please run DNSMGMT.MSC to
| > open the DNS management console, right-click on the "server.domain.local"
| > forward lookup zone, choose Properties, and then make sure "Dynamic
| > Updates" is set to "Secure Only". If you made changes to the settings in
| > DNS, you should restart the DNS Server service (right-click on the server
| > name and choose All Tasks -> Restart).
| >
| > Regarding the event 1030 problem, please make sure the "Distributed File
| > System" service is started on the server. Also make sure the DFS client is
| > turned on on the clients using the following steps:
| >
| > WARNING: If you use Registry Editor incorrectly, you may cause serious
| > problems that may require you to reinstall your operating system.
| > Microsoft cannot guarantee that you can solve problems that result from
| > using Registry Editor incorrectly. Use Registry Editor at your own risk.
| >
| > 1. Click Start, and then click Run.
| >
| > 2. In the Open box, type "regedt32" (without the quotation marks), and
| > then click OK.
| >
| > 3. In the Registry Editor window, locate the following registry key:
| >
| > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
| >
| > 4. In the right details pane, check whether you see the "DisableDFS" value.
| > If you cannot find it, the DFS client should be enabled. If you see it,
| > double-click DisableDFS. The DFS client is turned off if the value in the
| > "Value data" box is 1. The DFS client is turned on if the value in the
| > "Value data" box is 0.
| >
| > 5. In the Edit DWORD Value dialog box that appears, type "0" (without the
| > quotation marks) in the "Value data" box, and then click OK.
| >
| > 6. On the File menu, click Exit to quit Registry Editor.
| >
| >
| > Please do not hesitate to let me know if you have any further concerns. I
| > will be here waiting for your updates.
| >
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > ======================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the corresponding
| > newsgroups so that they can be resolved in an efficient and timely manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check
| > the "Notify me of replies" box to receive e-mail notifications when there
| > are any updates in your thread. When responding to posts via your
| > newsreader, please "Reply to Group" so that others may learn and benefit
| > from your issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In
| > doing so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly. Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| > ======================================================
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| >
| > =====================================================
| > When responding to posts, please "Reply to Group" via your newsreader so
| > that others may learn and benefit from your issue.
| > =====================================================
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| > --------------------
| > | From: "Robert Zahm" <robzahm@hotmail.com>
| > | Subject: Password Expiration
| > | Date: Wed, 26 Oct 2005 11:58:16 -0500
| > |
| > | Some of our users like to remain logged into our SBS domain and never
| > | log out. I understand that this is not a very good security practice,
| > | but the behavior is unlikely to change.
| > |
| > | I've been seeing a few events logged recently related to applying group
| > | policy (events are included at the bottom of this email), and I'm
| > | wondering if this could be caused by users who are logged in with
| > | passwords that have since expired. If I run "gpupdate" from the command
| > | line, I don't see any error messages appear in the logs, which leads me
| > | to believe that it is not the passwords causing it. Anyone have any
| > | ideas for troubleshooting this error?
| > |
| > | If this is being caused by expired passwords, is there any way I can be
| > | notified when a user's password expires so that I can have them log out
| > | and then log back in?
| > |
| > | Thanks,
| > |
| > | Rob
| > |
| > | Event Type: Information
| > | Event Source: SceCli
| > | Event Category: None
| > | Event ID: 1704
| > | Date: 10/26/2005
| > | Time: 6:05:55 AM
| > | User: N/A
| > | Computer: BRADFORDDC01
| > | Description:
| > | Security policy in the Group policy objects has been applied
| > | successfully.
| > |
| > | For more information, see Help and Support Center at
| > | http://go.microsoft.com/fwlink/events.asp.
| > |
| > | (the fact that this event is logged, and no errors are logged when I
| > | manually run gpupdate leads me to believe that I might have a problem
| > | other than the users logged in with expired passwords).
| > |
| > |
| > | Event Type: Error
| > | Event Source: Userenv
| > | Event Category: None
| > | Event ID: 1006
| > | Date: 10/26/2005
| > | Time: 10:26:08 AM
| > | User: NT AUTHORITY\SYSTEM
| > | Computer: BRADFORDDC01
| > | Description:
| > | Windows cannot bind to BradfordRealEstateServicesCorp.local domain.
| > | (Local Error). Group Policy processing aborted.
| > |
| > | For more information, see Help and Support Center at
| > | http://go.microsoft.com/fwlink/events.asp.
| > |
| > |
| > | Event Type: Error
| > | Event Source: Userenv
| > | Event Category: None
| > | Event ID: 1030
| > | Date: 10/26/2005
| > | Time: 10:26:08 AM
| > | User: NT AUTHORITY\SYSTEM
| > | Computer: BRADFORDDC01
| > | Description:
| > | Windows cannot query for the list of Group Policy objects. Check the
| > | event log for possible messages previously logged by the policy engine
| > | that describes the reason for this.
| > |
| > | For more information, see Help and Support Center at
| > | http://go.microsoft.com/fwlink/events.asp.
Back to top
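The checklist quoted in the reply above (every interface lists only the SBS server's internal address as its DNS server, the AD zone accepts secure dynamic updates only, the Distributed File System service is running, and the clients' DFS client is not switched off under HKLM\SYSTEM\CurrentControlSet\Services\Mup) is a manual walk through ipconfig, dnsmgmt.msc and regedt32. The PowerShell script below is an added example, not part of the thread or of any Microsoft article; it audits the same four settings on the SBS server or on a domain member, using only a WMI class, a service name and a registry path that exist on Windows Server 2003 and Windows XP. The internal address 192.168.16.2 and the zone name domain.local are placeholders assumed for the example; the root\MicrosoftDNS namespace exists only on the DNS server itself, so the zone check is silently skipped on clients.

```powershell
# Added example, not from the thread: check the settings Charles asked Rob to
# verify by hand. Both parameters are assumptions; substitute your own values.
param(
    [string] $SbsInternalIp = '192.168.16.2',  # assumed SBS internal NIC address
    [string] $ZoneName      = 'domain.local'   # assumed AD-integrated zone name
)

$findings = @()

# 1. Every IP-enabled adapter (both SBS NICs, or the client's NIC) must list
#    the SBS internal address as its ONLY DNS server.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $dns = @($nic.DNSServerSearchOrder)
    if ($dns.Count -ne 1 -or $dns[0] -ne $SbsInternalIp) {
        $findings += "DNS client: '$($nic.Description)' uses [$($dns -join ', ')]; expected [$SbsInternalIp] only"
    }
}

# 2. The Distributed File System service (service name Dfs) must be running on
#    the server; Userenv logs event 1030 when SYSVOL cannot be reached.
#    On an XP client the service does not exist and the check is skipped.
$dfs = Get-Service -Name Dfs -ErrorAction SilentlyContinue
if ($dfs -ne $null -and $dfs.Status -ne 'Running') {
    $findings += "DFS: service is $($dfs.Status); expected Running"
}

# 3. The DFS client is off when HKLM\SYSTEM\CurrentControlSet\Services\Mup
#    carries DisableDFS = 1; an absent value or 0 means it is on.
$mup = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup' -ErrorAction SilentlyContinue
if ($mup -ne $null -and $mup.PSObject.Properties['DisableDFS'] -ne $null -and $mup.DisableDFS -eq 1) {
    $findings += 'DFS client: Mup\DisableDFS = 1 (client disabled); set it to 0'
}

# 4. On the DNS server only: the AD zone must accept secure dynamic updates
#    only. MicrosoftDNS_Zone.AllowUpdate is 0 = none, 1 = nonsecure and
#    secure, 2 = secure only (the "Secure Only" choice in dnsmgmt.msc).
$zone = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone `
            -Filter "ContainerName = '$ZoneName'" -ErrorAction SilentlyContinue
if ($zone -ne $null -and $zone.AllowUpdate -ne 2) {
    $findings += "DNS zone $ZoneName has AllowUpdate = $($zone.AllowUpdate); expected 2 (Secure Only)"
}

if ($findings.Count -eq 0) { 'All checks passed.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it once on the SBS box and once on one of the XP clients. Charles's point about the two SBS adapters is that a domain controller whose own interface hands it the ISP's resolver cannot look up its domain's service records, which is what "cannot bind to domain" in event 1006 amounts to; check 1 therefore reports each adapter separately, so an ISP address on the external NIC is not hidden behind a correct internal one.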
Charles Yang [MSFT]
Guest

Posted: Mon Oct 31, 2005 9:50 am    Post subject: Re: Password Expiration
Hi,

Thanks for the updates.

From your log files, we found that everything should be running normally.
Your users log on and log off their sessions normally. For your
convenience, I suggest you refer to the information below about security
fields on Windows 2003:

For Event ID 528, I recommend you check the following KB articles:

287537 Using Basic authentication to generate Kerberos tokens
http://support.microsoft.com/default.aspx?scid=kb;en-us;287537

274176 Security Event for Associating Service Account Logon Events
http://support.microsoft.com/default.aspx?scid=kb;en-us;274176

For Event ID 529, these KB articles may help:

328720 Calls to the Server.CreateObject method on separate ASP pages may
fail if you store a remote COM+ object in a session variable and you are
using IIS 5.0
http://support.microsoft.com/default.aspx?scid=kb;en-us;328720

811082 Security Event 529 Is Logged for Local User Accounts
http://support.microsoft.com/default.aspx?scid=kb;en-us;811082

890477 Kerberos Event ID: 529 is logged when you use a local user account to
verify security access or group membership on a Windows Server 2003-based
Kerberos client
http://support.microsoft.com/default.aspx?scid=kb;en-us;890477

272594 Problems logging on to a Windows 2000-based server or a Windows
2003-based server
http://support.microsoft.com/default.aspx?scid=kb;en-us;272594

290706 Cannot Automatically Log on Remotely to Terminal Server with Long
User Name or Password
http://support.microsoft.com/default.aspx?scid=kb;en-us;290706

305822 Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/default.aspx?scid=kb;en-us;305822

Personally, I think that if the SBS computer is connected to the Internet,
a lot of hacker activity may cause Event ID 529 and similar events. I
recommend you read the following white paper and make sure your server is
secure.

Threats and Countermeasures: Security Settings in Windows Server 2003 and
Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en

Sometimes third-party applications/services and viruses/spyware may also
cause such issues; however, it will be difficult to isolate the root cause
if that is the case. (I recommend you compare against a cleanly installed
SBS with secure settings applied.)

More Info:
174073 Auditing User Authentication
http://support.microsoft.com/default.aspx?scid=kb;en-us;174073

174074 Security Event Descriptions
http://support.microsoft.com/default.aspx?scid=kb;en-us;174074

318253 Logoff event messages are not logged in the security log when you
use the Audit Logon Events feature in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;318253

326985 HOW TO: Troubleshoot Kerberos-Related Issues in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985

I hope the above information is helpful on your issue; please feel free to
post back if you still have concerns. I am glad to be of further assistance.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

--------------------
| From: v-chayan@online.microsoft.com ("Charles Yang [MSFT]")
| Organization: Microsoft
| Date: Fri, 28 Oct 2005 02:01:54 GMT
| Subject: Re: Password Expiration
|
| Hi Robert,
|
| Thanks for your detailed updates.
|
| Let me clarify: the group policy error is mostly caused by DNS not being
| set up correctly. That is why I suggest you check that the DNS setting in
| the TCP/IP properties of every network interface on the SBS domain
| computers points to the SBS internal NIC; otherwise you will encounter
| problems.
|
| In order to make the issue clearer, could you send me all the event logs
| so that we can identify the issue more clearly? Please send them to my
| mailbox, v-chayan@microsoft.com.
|
| Thanks for your understanding and effort on this issue. I will be here
| waiting for your updates.
|
|
|
| Best regards,
|
| Charles Yang (MSFT)
|
| Microsoft CSS Online Newsgroup Support
|
| Get Secure! - www.microsoft.com/security
|
| --------------------
| | From: "Robert Zahm" <robzahm@hotmail.com>
| | Subject: Re: Password Expiration
| | Date: Thu, 27 Oct 2005 16:43:35 -0500
| |
| | Charles,
| |
| | I am able to determine that they don't log out because I know that they
| | don't physically log out when leaving for the day, and don't have to log
| | in when they arrive in the morning. They generally only log out when
| | their passwords have expired and they can no longer access domain
| | resources. There isn't a particular event that leads me to believe they
| | aren't logging out - I know for a fact that they don't, and I'm wondering
| | if that is why I am seeing the 1006 and 1030 errors on the domain
| | controller.
| |
| | Event 1704 does not occur all that often on the DC, I included it so that
| | you could see that it is capable of applying the domain security
| | sometimes, and it normally occurs a few hours before the other errors.
| |
| | Events 1006 and 1030 are occurring on the domain controller, not the
| | client machines, so the suggestion of removing them from the domain and
| | adding them back in doesn't seem to apply.
| |
| | I'm not sure why you included information regarding DNS updates, I ran
| | "gpupdate" thinking that it would reapply the global policy, am I
| | incorrect in thinking this? Just the same, under "Forward Lookup Zones"
| | I don't see server.domain.local, but I do see _msdcs.domain.local and
| | domain.local. Both have "Dynamic Updates" set to "Secure Only."
| |
| | The "Distributed File System" service is running on the SBS2003 SP1
| | domain controller. I also do not see a "DisableDFS" value in the registry
| | for the client machines (WinXP SP2).
| |
| | Thanks for your help!
| |
| | Rob
| |
| |
| | "Charles Yang [MSFT]" <v-chayan@online.microsoft.com> wrote in message
| | news:Pt3yzDq2FHA.2904@TK2MSFTNGXA01.phx.gbl...
| | >
| | > Hi Robert,
| | >
| | > Thanks for using the SBS newsgroup.
| | >
| | > Issue description:
| | > ===============
| | >
| | > I understand that you are worried about a security issue on the SBS
| | > domain, because some users seem to log on to the SBS domain and never
| | > log off.
| | >
| | > Analysis and suggestions:
| | > ================
| | >
| | > Before we go any further, could you clarify from what event you
| | > determine that the users log on to the SBS domain and never log off, so
| | > that we can identify the detailed problem?
| | >
| | > Generally speaking, the events you pasted are not related to a security
| | > issue; they seem to be a group policy issue. Let me explain them one by
| | > one:
| | >
| | > Event 1704
| | >
| | > If the event does not occur very often, you do not need to worry about
| | > it; it just means that group policy has been refreshed. If it occurs
| | > frequently, please refer to the suggestion below:
| | >
| | > This issue may occur if the registry information regarding Group Policy
| | > refresh has been set inappropriately. Please perform the following
| | > steps:
| | >
| | > 1. Open Registry Editor.
| | >
| | > 2. Locate the following key:
| | >
| | > HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
| | >
| | > 3. Modify the value MaxNoGPOListChangesInterval to 3c0.
| | >
| | > This is the default value and it will reset "forced policy"
| | > re-application to 16 hours (960 minutes).
| | >
| | > For more detailed information regarding this value, please refer to the
| | > following KB article:
| | >
| | > 277543 How to delay security policies from being applied
| | > http://support.microsoft.com/?id=277543
| | >
| | > Error 1006 and 1030:
| | >
| | > Before we go any further, please make sure you do not do the same things
| | > to the computers which are not getting these events.
Back to top
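Rob's original question in this thread, whether he can be told when a user's password is about to expire so he can have them log off and back on, is not answered in the reply above. The PowerShell script below is an added example, not from the thread or from Microsoft. It derives the expiry date from what Active Directory actually stores: pwdLastSet is a FILETIME (100-nanosecond ticks since 1601), the domain's maxPwdAge is a negative count of the same ticks, so the password expires at pwdLastSet minus maxPwdAge, except where userAccountControl carries the DONT_EXPIRE_PASSWORD flag (0x10000) or pwdLastSet is 0 (must change at next logon). The five accounts and the 42-day policy are constructed for the example; Get-DomainPasswordReport, which reads the live attributes through System.DirectoryServices, is an assumption about how you would feed it real data, and the script needs PowerShell 2.0 or later on the machine it runs on.

```powershell
# Added example, not from the thread: compute when each user's password
# expires from the raw AD attributes and flag the ones expiring within
# $WarnDays. Sample accounts and the 42-day policy are constructed.

# maxPwdAge is stored as a NEGATIVE number of 100-nanosecond ticks.
$maxPwdAge = -[int64](42 * 24 * 3600) * 10000000

# $PwdLastSet is the FILETIME tick count AD keeps in pwdLastSet; $Uac is
# userAccountControl. Expiry = pwdLastSet - maxPwdAge (maxPwdAge is negative).
function Get-PasswordExpiry {
    param(
        [string]   $Name,
        [int64]    $PwdLastSet,
        [int]      $Uac,
        [int64]    $MaxPwdAge,
        [datetime] $Now,
        [int]      $WarnDays = 7
    )
    $DONT_EXPIRE_PASSWORD = 0x10000          # userAccountControl flag
    if (($Uac -band $DONT_EXPIRE_PASSWORD) -ne 0) {
        $state = 'NeverExpires'; $expires = $null; $daysLeft = $null
    } elseif ($PwdLastSet -eq 0) {
        $state = 'MustChange'; $expires = $null; $daysLeft = 0   # change at next logon
    } else {
        $expires  = [datetime]::FromFileTimeUtc($PwdLastSet - $MaxPwdAge)
        $daysLeft = [int][math]::Floor(($expires - $Now).TotalDays)
        if     ($daysLeft -lt 0)         { $state = 'Expired' }
        elseif ($daysLeft -le $WarnDays) { $state = 'Expiring' }
        else                             { $state = 'OK' }
    }
    New-Object PSObject -Property @{
        Name = $Name; State = $state; DaysLeft = $daysLeft; Expires = $expires
    }
}

# Live data path (assumption, not exercised by the offline sample below):
# run as a domain user on a domain member; System.DirectoryServices exists
# on Server 2003. pwdLastSet comes back from the searcher as an Int64 and
# maxPwdAge is read through the ADSI adapter's large-integer conversion.
function Get-DomainPasswordReport {
    param([datetime] $Now = [datetime]::UtcNow)
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $age    = $domain.ConvertLargeIntegerToInt64($domain.maxPwdAge.Value)
    $search = New-Object System.DirectoryServices.DirectorySearcher `
                  -ArgumentList $domain, '(&(objectCategory=person)(objectClass=user))'
    [void]$search.PropertiesToLoad.AddRange(@('sAMAccountName', 'pwdLastSet', 'userAccountControl'))
    $search.PageSize = 500
    foreach ($r in $search.FindAll()) {
        Get-PasswordExpiry -Name $r.Properties['samaccountname'][0] `
            -PwdLastSet $r.Properties['pwdlastset'][0] `
            -Uac $r.Properties['useraccountcontrol'][0] `
            -MaxPwdAge $age -Now $Now
    }
}

# Constructed sample accounts, offline. pwdLastSet values are derived from a
# fixed "now" so the result is deterministic.
$now = New-Object DateTime -ArgumentList 2005, 10, 31, 12, 0, 0, ([DateTimeKind]::Utc)
function Ticks([datetime] $d) { $d.ToFileTimeUtc() }

$sample = @(
    @{ Name = 'rob';     PwdLastSet = (Ticks $now.AddDays(-40));  Uac = 0x200   }  # 2 days left
    @{ Name = 'alice';   PwdLastSet = (Ticks $now.AddDays(-10));  Uac = 0x200   }  # 32 days left
    @{ Name = 'bob';     PwdLastSet = (Ticks $now.AddDays(-50));  Uac = 0x200   }  # expired 8 days ago
    @{ Name = 'svc-bak'; PwdLastSet = (Ticks $now.AddDays(-400)); Uac = 0x10200 }  # never expires
    @{ Name = 'newhire'; PwdLastSet = 0;                          Uac = 0x200   }  # must change
)

$sample |
    ForEach-Object { Get-PasswordExpiry -Name $_.Name -PwdLastSet $_.PwdLastSet -Uac $_.Uac -MaxPwdAge $maxPwdAge -Now $now } |
    Where-Object { $_.State -ne 'OK' } |
    Sort-Object DaysLeft |
    Format-Table Name, State, DaysLeft, Expires -AutoSize
```

On the constructed data the table lists svc-bak (NeverExpires), bob (Expired, -8), newhire (MustChange, 0) and rob (Expiring, 2); alice is filtered out as OK. Replacing the sample pipeline with Get-DomainPasswordReport and scheduling it daily on the DC gives Rob the warning he asked for; the NeverExpires rows are worth keeping in the report too, since an account whose password never expires is exactly the one that never gets forced through a fresh logon.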
Robert Zahm
Guest

Posted: Mon Oct 31, 2005 9:50 pm    Post subject: Re: Password Expiration

Charles,

I am not too concerned about those 529 events, since there were only 2 of
them, and I think they were from mistyped passwords (since one of them was
mine).

The other thing that I failed to mention is that we had some issues when
moving the profiles over to our new SBS domain. Is it possible that profile
sharing issues might be responsible for these errors? It still doesn't make
sense to me that the DC cannot update the group policy though...

Thanks,

Rob


"Charles Yang [MSFT]" <v-chayan@online.microsoft.com> wrote in message
news:j$wHGld3FHA.3220@TK2MSFTNGXA01.phx.gbl...
Quote:
Hi,

Thanks for updates.

From your log files, we found every thing should be run in a normal
situation. Your user have logon and log off session normally, For your
convenience, I suggest you refer to the information below about security
fields on Windows 2003:

For Event ID 528, I recommend you to check the following KB articles:

287537 Using Basic authentication to generate Kerberos tokens
http://support.microsoft.com/default.aspx?scid=kb;en-us;287537


274176 Security Event for Associating Service Account Logon Events
http://support.microsoft.com/default.aspx?scid=kb;en-us;274176


For Event ID 529, these KB articles may help:

328720 Calls to the Server.CreateObject method on separate ASP pages may
fail if you store a remote COM+ object in a session variable and you are
using IIS 5.0
http://support.microsoft.com/default.aspx?scid=kb;en-us;328720


811082 Security Event 529 Is Logged for Local User Accounts
http://support.microsoft.com/default.aspx?scid=kb;en-us;811082


Kerberos Event ID: 529 is logged when you use a local user account to
verify security access or group membership on a Windows Server 2003-based
Kerberos client
http://support.microsoft.com/default.aspx?scid=kb;en-us;890477

272594 Problems logging on to a Windows 2000-based server or a Windows
2003-based server
http://support.microsoft.com/default.aspx?scid=kb;en-us;272594


Cannot Automatically Log on Remotely to Terminal Server with Long User
Name
or Password
http://support.microsoft.com/default.aspx?scid=kb;en-us;290706

305822 Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/default.aspx?scid=kb;en-us;305822


Personally, I think if the SBS computer is connected to the internet, many
hacker activities may cause Event ID 529 etc. I recommend you to read the
following white paper and make sure your server is secure.

Threats and Countermeasures: Security Settings in Windows Server 2003 and
Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-
9346-F93A4081EEA8&displaylang=en


Sometimes, third party application/services and virus/Spyware may also
cause such issue; however, it will be difficult to isolate the root cause
if this is the point. (I recommend you to check a clean installed SBS with
secure settings applied.)

More Info:
174073 Auditing User Authentication
http://support.microsoft.com/default.aspx?scid=kb;en-us;174073


174074 Security Event Descriptions
http://support.microsoft.com/default.aspx?scid=kb;en-us;174074


318253 Logoff event messages are not logged in the security log when you
use the Audit Logon Events feature in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;318253


326985 HOW TO: Troubleshoot Kerberos-Related Issues in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985

Hope the above information helpful on your issue, please feel free to post
back if you still have concerns. I am glad to be of further assistance.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
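Added example, not part of any post in this thread: Rob's original question asked how to find out when a user's password has expired so that the user can be told to log off and back on. The script below answers that for a domain of this vintage using plain ADSI and System.DirectoryServices, so it needs no ActiveDirectory module and works against a Windows Server 2003 / SBS 2003 domain controller from any domain-joined machine running Windows PowerShell. It reads the domain's maxPwdAge, then reports every enabled user whose password is subject to expiry and has already expired, must be changed at next logon, or expires within a threshold. The 7-day threshold and the choice to skip accounts flagged "password never expires" are assumptions of this example, not something the thread specifies.

```powershell
# Added example (not from the thread): report domain users whose password has
# expired or expires within $WarnDays. Plain ADSI / DirectorySearcher, so it
# runs against a Windows Server 2003 domain without the ActiveDirectory module.
# Assumptions: run on a domain-joined machine as a user allowed to read
# pwdLastSet; $WarnDays is an arbitrary threshold chosen for this example.
param([int]$WarnDays = 7)

$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

# maxPwdAge is a negative Int64 count of 100-ns ticks; 0 or Int64.MinValue
# means the domain policy never expires passwords.
$maxPwdAgeTicks = $domain.ConvertLargeIntegerToInt64($domain.maxPwdAge.Value)
if ($maxPwdAgeTicks -eq 0 -or $maxPwdAgeTicks -eq [int64]::MinValue) {
    Write-Warning 'Domain policy does not expire passwords; nothing to report.'
    return
}
$maxPwdAge = [TimeSpan]::FromTicks(-$maxPwdAgeTicks)

# Enabled users only (userAccountControl bit 2 = ACCOUNTDISABLE) whose passwords
# are subject to expiry (bit 65536 = DONT_EXPIRE_PASSWORD not set).
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                   '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
                   '(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'pwdLastSet'))

$now = [DateTime]::UtcNow
foreach ($r in $searcher.FindAll()) {
    $sam = $r.Properties['samaccountname'][0]
    $pls = [int64]$r.Properties['pwdlastset'][0]

    if ($pls -eq 0) {
        # pwdLastSet = 0 means "user must change password at next logon".
        [pscustomobject]@{ User = $sam; Expires = 'next logon'; Status = 'expired' }
        continue
    }

    # pwdLastSet is a FILETIME (UTC); the password expires maxPwdAge later.
    $expires  = [DateTime]::FromFileTimeUtc($pls) + $maxPwdAge
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)

    if     ($daysLeft -lt 0)         { $status = 'expired' }
    elseif ($daysLeft -le $WarnDays) { $status = "expires in $daysLeft day(s)" }
    else                             { continue }

    [pscustomobject]@{ User = $sam; Expires = $expires.ToLocalTime(); Status = $status }
}
```

Save it as, say, Get-ExpiredPasswords.ps1 and run it from a scheduled task each morning; piping the output to a mail cmdlet (not shown) gives the notification Rob asked for. One point worth keeping in mind when reading the thread: expiry is enforced when the user next authenticates, it does not end an interactive session that is already running, which is exactly why Rob's users only notice it when they can no longer reach domain resources.

A second added example, also not from the thread: a read-only audit of the three client-side settings that Charles Yang's earlier reply (quoted further down this page) asks Rob to check by hand. Run on the client itself, it verifies that every IP-enabled adapter lists only the SBS server's internal address as its DNS server, that HKLM\SYSTEM\CurrentControlSet\Services\Mup\DisableDFS is absent or 0, and that MaxNoGPOListChangesInterval under the security client-side-extension key is at its default of 960 (0x3C0) minutes. The address in $SbsInternalIp is a placeholder to replace with the real LAN address of the SBS server; the script changes nothing and only prints what it finds.

```powershell
# Added example (not from the thread): audit the client-side settings that the
# quoted reply tells Rob to check manually. Read-only; it prints findings only.
# Assumption: $SbsInternalIp is a placeholder for the SBS server's LAN address.
$SbsInternalIp = '192.168.16.2'
$findings = @()

# 1. Every IP-enabled adapter should use only the SBS internal IP as DNS server;
#    pointing clients at the ISP's DNS breaks AD/SYSVOL name resolution.
foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $dns = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    if ($dns.Count -ne 1 -or $dns[0] -ne $SbsInternalIp) {
        $findings += "Adapter '$($nic.Description)' uses DNS [$($dns -join ', ')]; expected only $SbsInternalIp"
    }
}

# 2. DisableDFS = 1 turns the DFS client off, so the DFS paths that Group Policy
#    uses to reach SYSVOL stop working. Absent or 0 is what we want.
$mup = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup' `
                        -Name DisableDFS -ErrorAction SilentlyContinue
if ($mup -and $mup.DisableDFS -eq 1) {
    $findings += 'DFS client is disabled: HKLM\SYSTEM\CurrentControlSet\Services\Mup\DisableDFS = 1'
}

# 3. Security CSE forced re-apply interval; the default is 960 minutes (0x3C0).
$cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$cse = Get-ItemProperty -LiteralPath $cseKey -Name MaxNoGPOListChangesInterval -ErrorAction SilentlyContinue
if ($cse -and $cse.MaxNoGPOListChangesInterval -ne 960) {
    $findings += "MaxNoGPOListChangesInterval is $($cse.MaxNoGPOListChangesInterval) minutes; default is 960 (0x3C0)"
}

if ($findings.Count -eq 0) { 'No issues found.' } else { $findings }
```

Running this on each workstation before touching the domain join saves the disjoin/rejoin dance the quoted reply suggests when the real cause is simply a stray ISP DNS entry on one adapter.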

--------------------
| From: v-chayan@online.microsoft.com ("Charles Yang [MSFT]")
| Date: Fri, 28 Oct 2005 02:01:54 GMT
| Subject: Re: Password Expiration
| Newsgroups: microsoft.public.windows.server.sbs
|
| HI Robert,
|
| Thanks for your detailed updates.
|
| Let me clarify: the group policy error is mostly caused by DNS not being set
| up correctly. That is why I suggested you check whether the DNS in the TCP/IP
| properties of every network interface on SBS domain computers points to the
| SBS internal NIC; otherwise you will encounter some problems.
|
| In order to make the issue clearer, could you send me all the event logs so
| that we can identify the issue more clearly? Please send them to my mailbox
| v-chayan@microsoft.com.
| Thanks for your understanding and effort on this issue. I will be here
| waiting for your updates.
|
|
|
| Best regards,
|
| Charles Yang (MSFT)
|
| Microsoft CSS Online Newsgroup Support
|
| Get Secure! - www.microsoft.com/security
|
|
| --------------------
| | From: "Robert Zahm" <robzahm@hotmail.com>
| | Subject: Re: Password Expiration
| | Date: Thu, 27 Oct 2005 16:43:35 -0500
| | Newsgroups: microsoft.public.windows.server.sbs
| |
| | Charles,
| |
| | I am able to determine that they don't log out because I know that they
| | don't physically log out when leaving for the day, and don't have to log in
| | when they arrive in the morning. They generally only log out when their
| | passwords have expired and they can no longer access domain resources.
| | There isn't a particular event that leads me to believe they aren't logging
| | out - I know for a fact that they don't, and I'm wondering if that is why I
| | am seeing the 1006 and 1030 errors on the domain controller.
| |
| | Event 1704 does not occur all that often on the DC; I included it so that
| | you could see that it is capable of applying the domain security sometimes,
| | and it normally occurs a few hours before the other errors.
| |
| | Events 1006 and 1030 are occurring on the domain controller, not the client
| | machines, so the suggestion of removing them from the domain and adding them
| | back in doesn't seem to apply.
| |
| | I'm not sure why you included information regarding DNS updates. I ran
| | "gpupdate" thinking that it would reapply the global policy; am I incorrect
| | in thinking this? Just the same, under "Forward Lookup Zones" I don't see
| | server.domain.local, but I do see _msdcs.domain.local and domain.local.
| | Both have "Dynamic Updates" set to "Secure Only."
| |
| | The "Distributed File System" service is running on the SBS2003 SP1 domain
| | controller. I also do not see a "DisableDFS" value in the registry for the
| | client machines (WinXP SP2).
| |
| | Thanks for your help!
| |
| | Rob
| |
| |
| | "Charles Yang [MSFT]" <v-chayan@online.microsoft.com> wrote in message
| | news:Pt3yzDq2FHA.2904@TK2MSFTNGXA01.phx.gbl...
| |
| | > Hi Robert.
| |
| | > Thanks for using the SBS newsgroup.
| |
| | > Issue description:
| | > ===============
| |
| | > I understand that you are worried about a security issue on the SBS domain,
| | > because some users seem to log on to the SBS domain and never log off.
| |
| | > Analyzing and suggestions:
| | > ================
| |
| | > Before we go any further, could you clarify from what event you determine
| | > that the users log on to the SBS domain and never log off, so that we can
| | > identify the detailed problem?
| |
| | > Generally speaking, the events you pasted are not related to a security
| | > issue; they seem to be a group policy issue. Let me explain them one by one:
| |
| | > Event 1704
| |
| | > If the event does not occur very often, you do not need to care about it;
| | > it just means the group policy is refreshed. If it occurs frequently,
| | > please refer to the suggestion below:
| |
| | > This issue may occur if the registry information regarding Group Policy
| | > refresh has been set inappropriately. Please perform the following steps:
| |
| | > 1. Open Registry Editor.
| | > 2. Locate the following key:
| |
| | > a) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
| |
| | > 3. Modify the value MaxNoGPOListChangesInterval to 3c0.
| |
| | > This is the default value and it will reset "forced policy" re-application
| | > to 16 hours (960 minutes).
| |
| | > For more detailed information regarding this value, please refer to the
| | > following KB article:
| |
| | > 277543 How to delay security policies from being applied
| | > http://support.microsoft.com/?id=277543
| |
| | > Errors 1006 and 1030:
| |
| | > Before we go any further, please make sure you do not do the same things
| | > to the computers which are not getting these events.
| |
| | > 1. Please rejoin the domain following my steps below. I understand that
| | > you have done it, but please double-check to make sure that you follow the
| | > steps below to do it:
| |
| | > Actually, this issue can occur if the computer accounts for the computers
| | > are corrupted. To resolve the issue, you should try the following steps to
| | > quit and rejoin the domain (disjoining and joining):
| |
| | > A. Remove the clients from the domain and join them to a workgroup.
| |
| | > B. Open the "Active Directory Users and Computers" snap-in (dsa.msc).
| |
| | > C. Open the Computers or My Business\Computers\SBSComputers container.
| | > Right-click a computer account and choose Delete. Do this for all the
| | > problematic computers.
| |
| | > D. Join the clients to the domain again.
| |
| | > You should make sure all clients point to the SBS server's internal IP
| | > address as their ONLY DNS server. Also, both network adapters on the SBS
| | > server should point to the SBS internal IP address as the only DNS server.
| | > In DNS, use a forwarder to forward all name resolution requests to the
| | > ISP's DNS server. For more information, please refer to the following
| | > Microsoft Knowledge Base article:
| |
| | > 825763 How to configure Internet access in Windows Small Business Server 2003
| | > http://support.microsoft.com/?id=825763
| |
| | > Regarding how to check DNS for Dynamic Update, please run DNSMGMT.MSC to
| | > open the DNS management console, right-click the "server.domain.local"
| | > forward lookup zone and choose Properties, and then make sure "Dynamic
| | > Updates" is set to "Secure Only". If you made changes to the settings in
| | > DNS, you should restart the DNS Server service (right-click the server
| | > name and choose All Tasks->Restart).
| |
| | > Regarding the event 1030 problem, please make sure the "Distributed File
| | > System" service is started on the server. Also make sure the DFS Client is
| | > turned on on the clients using the following steps:
| |
| | > WARNING: If you use Registry Editor incorrectly, you may cause serious
| | > problems that may require you to reinstall your operating system.
| | > Microsoft cannot guarantee that you can solve problems that result from
| | > using Registry Editor incorrectly. Use Registry Editor at your own risk.
| |
| | > 1. Click Start, and then click Run.
| |
| | > 2. In the Open box, type "regedt32" (without the quotation marks), and
| | > then click OK.
| |
| | > 3. In the Registry Editor window, locate the following registry key:
| |
| | > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
| |
| | > 4. In the right details pane, check if you see the "DisableDFS" value. If
| | > you cannot find it, the DFS Client should be enabled. If you see it,
| | > double-click DisableDFS. The DFS client is turned off if the value in the
| | > "Value data" box is 1. The DFS client is turned on if the value in the
| | > "Value data" box is 0.
| |
| | > 5. In the Edit DWORD Value dialog box that appears, type "0" (without the
| | > quotation marks) in the "Value data" box, and then click OK.
| |
| | > 6. On the File menu, click Exit to quit Registry Editor.
| |
| |
| | > Please do not hesitate to let me know if you have any further concerns. I
| | > will be here waiting for your updates.
| |
| |
| | > Best regards,
| |
| | > Charles Yang (MSFT)
| |
| | > Microsoft CSS Online Newsgroup S