Authentication issue preventing Group Policy from applying to user

[Guest]

I have inherited an existing Win2k domain and I am having big problems
getting group policy to apply to my users and I believe it stems from an
authentication issue. Group Policy is not applying to any of my domain user
accounts. However, if I make that user a member of the Domain Admin group,
the policy will then apply to them. Not only that, but I can then remove the
user from the Domain Admin group, and the policy will still apply.

I've been using GPMC to work with policy settings and using the group policy
results wizard to try and help me make sense of the problem and it shows
another example of the problem I'm having. If I log in with a basic user with
normal user rights, and then I run the GP results wizard using my admin accnt
and point the wizard to my PC and then try and select that basic user to see
the results of its policy settings, it doesn't show up on the list of users
to run the wizard on. But again, if I make that user a member of Domain
admins first, log them in, and then remove the domain admin right, that user
then shows up in the list with the group policy applied properly.Also this is
a domain wide issued effecting all my normal users. When I run the GP results
wizard on these user's computer and user accnts, in the Policy Events tab,
all of them are getting EventID:1053 Windows cannot determine the user or
computer name (the specifed user does not exist). Group policy processing
aborted. These users are able to see the \\mydomain\SYSVOL\mydomain files so
that isn't it, any help on this issue would be much appreciated.

 

[Herb Martin]

I have inherited an existing Win2k domain and I am having big problems
getting group policy to apply to my users and I believe it stems from an
authentication issue.

Well, that will do it.

Group Policy is not applying to any of my domain user
accounts. However, if I make that user a member of the Domain Admin group,
the policy will then apply to them. Not only that, but I can then remove
the
user from the Domain Admin group, and the policy will still apply.

Then it is NOT authentication but more likely something like
permissions or having the GPO linked in the 'wrong' place.

Assuming you can authenticate one user from a machine, then
another user of that same domain WILL be authenticated IF
they are logged on (at all.)

I've been using GPMC to work with policy settings and using the group
policy
results wizard to try and help me make sense of the problem and it shows
another example of the problem I'm having. If I log in with a basic user
with
normal user rights, and then I run the GP results wizard using my admin
accnt
and point the wizard to my PC and then try and select that basic user to
see
the results of its policy settings, it doesn't show up on the list of
users
to run the wizard on. But again, if I make that user a member of Domain
admins first, log them in, and then remove the domain admin right,

Right? How did that get in there?

'Rights' are NOT "group membership" nor even "permissions".

that user
then shows up in the list with the group policy applied properly.Also this
is
a domain wide issued effecting all my normal users.

What are the permissions on the GPOs?

They should be READ and APPLY POLICY for "everyone" or
whoever is to be affected.

You need both permissions, not just APPLY POLICY as one
might naively guess.

When I run the GP results
wizard on these user's computer and user accnts, in the Policy Events tab,
all of them are getting EventID:1053 Windows cannot determine the user or
computer name (the specifed user does not exist). Group policy processing
aborted. These users are able to see the \\mydomain\SYSVOL\mydomain files
so
that isn't it, any help on this issue would be much appreciated.

Now, that is weird, since they GET LOGGED ON, but you are claiming
it says they don't EXIST?

 

[Guest]

I have inherited an existing Win2k domain and I am having big problems
getting group policy to apply to my users and I believe it stems from an
authentication issue.

Well, that will do it.

Group Policy is not applying to any of my domain user
accounts. However, if I make that user a member of the Domain Admin group,
the policy will then apply to them. Not only that, but I can then remove
the
user from the Domain Admin group, and the policy will still apply.

Then it is NOT authentication but more likely something like
permissions or having the GPO linked in the 'wrong' place.

Assuming you can authenticate one user from a machine, then
another user of that same domain WILL be authenticated IF
they are logged on (at all.)

I've been using GPMC to work with policy settings and using the group
policy
results wizard to try and help me make sense of the problem and it shows
another example of the problem I'm having. If I log in with a basic user
with
normal user rights, and then I run the GP results wizard using my admin
accnt
and point the wizard to my PC and then try and select that basic user to
see
the results of its policy settings, it doesn't show up on the list of
users
to run the wizard on. But again, if I make that user a member of Domain
admins first, log them in, and then remove the domain admin right,

Right? How did that get in there?

'Rights' are NOT "group membership" nor even "permissions".

that user
then shows up in the list with the group policy applied properly.Also this
is
a domain wide issued effecting all my normal users.

What are the permissions on the GPOs?

They should be READ and APPLY POLICY for "everyone" or
whoever is to be affected.

You need both permissions, not just APPLY POLICY as one
might naively guess.

When I run the GP results
wizard on these user's computer and user accnts, in the Policy Events tab,
all of them are getting EventID:1053 Windows cannot determine the user or
computer name (the specifed user does not exist). Group policy processing
aborted. These users are able to see the \\mydomain\SYSVOL\mydomain files
so
that isn't it, any help on this issue would be much appreciated.

Now, that is weird, since they GET LOGGED ON, but you are claiming
it says they don't EXIST?


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Then it is NOT authentication but more likely something like
permissions or having the GPO linked in the 'wrong' place.

Can you be more specific?

Right? How did that get in there?
'Rights' are NOT "group membership" nor even "permissions".

Could you not infer that I meant remove them from the Domain Admin Group?

What are the permissions on the GPOs?

They should be READ and APPLY POLICY for "everyone" or
whoever is to be affected.

You need both permissions, not just APPLY POLICY as one
might naively guess.

The permissions were "Authenticated Users": Read and Apply Policy
(unlike one who guesses naively)
and the policy is set to apply to Authenticated Users.
However just to check I also added 'Everyone': Read and Apply Policy but
that didn't do any good either.

Now, that is weird, since they GET LOGGED ON, but you are claiming
it says they don't EXIST?

Yes Herb, I agree, that is wierd, which brings me to here...still seeking
answers.

 

[Herb Martin]

Then it is NOT authentication but more likely something like

Can you be more specific?

Linking a GPO to a container other than the one where the
user accounts are located. People have linked GPOs to the
one with the "Groups" (which are irrelevant for LINKING)
or the one for the Computer when the policy was for Users
(or vice versa.)

Permissions are just that -- make sure the "Groups" to which
you want to apply the policy have READ and APPLY_POLICY

Standard mistake there is to think that only (wrong) APPLY
is necessary.

Could you not infer that I meant remove them from the Domain Admin Group?

I can guess many things but when you have a weird
problem it is very important to make sure that we are
VERY EXPLICIT.

Being explicit is the heart of troubleshooting at an
advanced level.

The more obscure the problem the more we must focus
on removing assumptions and clearly stating all issues.

The permissions were "Authenticated Users": Read and Apply Policy
(unlike one who guesses naively)

Good. The other is a common mistake.

and the policy is set to apply to Authenticated Users.

I don't understand the difference in the last two items unless you
were just saying the same thing twice. It worries me because the
second line doesn't mention "read".

However just to check I also added 'Everyone': Read and Apply Policy but
that didn't do any good either.

Shouldn't be necessary so that makes sense (that it didn't help).

Authenticated User and Everyone are the same under this context
since they would have to be Authenticated to get this far.

Yes Herb, I agree, that is wierd, which brings me to here...still seeking
answers.

Just out of curiosity, can you run GPResult (preferably from XP)
on one of the problem client machines and see what the results for
these users is.

I don't expect it to solve the problem but it removes the extra
complications of RSoP and running over the network...

 

[Guest]

Linking a GPO to a container other than the one where the

user accounts are located. People have linked GPOs to the
one with the "Groups" (which are irrelevant for LINKING)
or the one for the Computer when the policy was for Users
(or vice versa.)

The structure for linking the policy is as follows. I have a department OU
and all the departments live in individual OU's inside t he Dept. OU. The
policy is applied to the Dept. OU and filters down to the indiviual
departments themselves. When I look at the Group Policy Inheritance tab
within GPMC, I see the lockdown policy that I am trying to enforce as #1 in
precedence order, and Default Domain Policy as #2 in the precedence order. Of
course, neither apply, which is my problem, but that is how my Linking
structure is laid out, just in case I've done something wrong there.

Permissions are just that -- make sure the "Groups" to which
you want to apply the policy have READ and APPLY_POLICY

In regards to permissions, again, both of those policies above have
Authenticated Users receiving Read and Apply Policy applied.

I don't understand the difference in the last two items unless you
were just saying the same thing twice. It worries me because the
second line doesn't mention "read".

What I meant by "and the policy is set to apply to Authenticated Users" was
in the GPMC, on the Scope tab, under Security Filtering, it reads: The
setting in the GPO can only apply to the following groups, users, and
computers: Authenticated Users

Just out of curiosity, can you run GPResult (preferably from XP)
on one of the problem client machines and see what the results for
these users is.

I don't expect it to solve the problem but it removes the extra
complications of RSoP and running over the network...

Ok, this is where it gets complicated and confusing to explain, so I'll do
my best, just let me know what isn't specific enough: I have GPMC installed
on my XP domain workstation. I go into Active Directory Users and Computers
remotely to my 2000 Server and create a new user whose sole group membership
is Domain Users along with the standard Security Permissions that Windows
defaults the user with. I then log into the domain with that user's
credentials. The login succeeds and I browse a few network locations to
verify that I am authenticated to the domain. I then log off and log back in
as my own account and start GPMC. I then run the Group Policy Results wizard.
I select the "this computer" radio button and hit next. I then hit the
"Select a specific user" radio button, but the new user that I JUST logged
into the domain as, does not show up in the list of users to select for
running the wizard on. THAT is why I thought it might have something to do
with authentication. Now if I connect to the server again and in Active
Directory Users and Computers I make that user a Domain Administrator and log
out and log back on with that same new users credentials, the policy
correctly applies. I then log back on as myself and I can see that user now
in the Group Policy Results wizard, where before I could not. In addition, I
can take that new user account and REMOVE it from the Domain Administrators
group, yet the policy will continue to be applied to that user, until I
delete the local account stored on my workstation.

I know that was alot of information and is probably ambiguous in places and
if so I'm sorry, just let me know what did not make sense.

If I run the Group Policy Results Wizard on a different computer in the
domain and select the user assigned to that computer (for some reason they
ARE there under users to be selected in the GP results wizard which makes me
believe that this problem began AFTER the domain was created) and run the GP
results wizard on that user thse are the two errors that I see repeating:

Error: date and time, Source: Userenv, Category: none, Event ID: 1030, User:
NT Authority\system and the description is:Windows cannot query for the list
of Group Policy objects. A message that describes the reason for this was
previously logged by the policy engine.

Error: date and time, Source: Userenv, Category: none, Event ID: 1006, User:
NT Authority\system and the description is: Windows cannot bind to "mydomain
controller's name" domain. (Server Down). Group Policy aborted.

But the server isn't down, it's still up and functioning so it has me puzzled.

On a different user's computer this is the error I told you about before,
and its the only error that the pc has listed. And this is the error most of
the PC's in the domain return:

Error: time and date, Source: Userenv, Category: none, Event ID 1053, User:
NT Authority\system. And the description of the error is: Windows cannot
determine the user or computer name. (The specified user does not exist.)
Group policy processing aborted.

I assure that their accounts exist in Active Directory.


Again I apoligize for the oversized post, I just want to give you as much
information about the problem as I can. Thanks in advance.

 

[Herb Martin]

The structure for linking the policy is as follows. I have a department OU
and all the departments live in individual OU's inside t he Dept. OU. The
policy is applied to the Dept. OU and filters down to the indiviual
departments themselves. When I look at the Group Policy Inheritance tab
within GPMC, I see the lockdown policy that I am trying to enforce as #1
in
precedence order, and Default Domain Policy as #2 in the precedence order.

Ok: Be careful as the wording in this area is very conducive
to confusion: Link order is the order of application; but on
the next tab is the opposite. [It's really stupid for them to use
two conflicting terms on a subject that already confuses many
people.]

Of
course, neither apply, which is my problem, but that is how my Linking
structure is laid out, just in case I've done something wrong there.

So even the Default Domain Policy is not being applied.

In regards to permissions, again, both of those policies above have
Authenticated Users receiving Read and Apply Policy applied.



What I meant by "and the policy is set to apply to Authenticated Users"
was
in the GPMC, on the Scope tab, under Security Filtering, it reads: The
setting in the GPO can only apply to the following groups, users, and
computers: Authenticated Users

Ok. That is just a quick look at what amounts to the (actual)
permissions.

Ok, this is where it gets complicated and confusing to explain, so I'll do
my best, just let me know what isn't specific enough: I have GPMC
installed
on my XP domain workstation. I go into Active Directory Users and
Computers
remotely to my 2000 Server and create a new user whose sole group
membership
is Domain Users along with the standard Security Permissions that Windows
defaults the user with. I then log into the domain with that user's
credentials. The login succeeds and I browse a few network locations to
verify that I am authenticated to the domain. I then log off and log back
in
as my own account and start GPMC. I then run the Group Policy Results
wizard.
I select the "this computer" radio button and hit next. I then hit the
"Select a specific user" radio button, but the new user that I JUST logged
into the domain as, does not show up in the list of users to select for
running the wizard on. THAT is why I thought it might have something to do
with authentication.

I don't run this the way you are doing it but I BELIEVE that the
USER must be CURRENTLY logged on for the GPResults
wizard to work.

If they aren't logged on then there are no (current) results.

In any case, to determine if the user has had the GPOs APPLIED,
run the COMMAND LINE GPResult as the user while still logged
on.

I think you problem is strictly with the wizard.

 

[Guest]

The structure for linking the policy is as follows. I have a department OU

Ok: Be careful as the wording in this area is very conducive
to confusion: Link order is the order of application; but on
the next tab is the opposite. [It's really stupid for them to use
two conflicting terms on a subject that already confuses many
people.]

If I highlight one of my department OU's in the task pane (the OU's I spoke
of previously that should have the lockdown policy applied to them) in the
Linked Group Policy Objects tab, there is nothing listed at all. In the Group
Policy Inheritance tab my Software Lockdown Policy is precedence order #1,
and Default Domain Policy is precedence order #2.

So even the Default Domain Policy is not being applied.

That is absolutely correct, no policies are applying to anyone outside of
the Domain Administrators group.

I don't run this the way you are doing it but I BELIEVE that the
USER must be CURRENTLY logged on for the GPResults
wizard to work.

If they aren't logged on then there are no (current) results.

In any case, to determine if the user has had the GPOs APPLIED,
run the COMMAND LINE GPResult as the user while still logged
on.

I first tried logging in as the basic user and running the GPMC's Policy
Results Wizard and I first selected the "This Computer" radio button and hit
next, but on the next screen the "Display policy settings for: Current User
or Select a specific user" were all greyed out. The only thing selectable was
the "Do not display user policy settings in the results (display computer
policy settings only)"

Then I ran the Gpresults tool from the command prompt while logged in as
that same basic user and I recieved the message: "INFO: The policy object
does not exist."