secedit or group policy issues?


Patrick

I just did the following
1) Created a new OU in AD on a Win2K Server SP4
2) Created a new Group Policy Object under this OU. Objectives:
2.1) The only reason why these users are in AD under this OU is purely for
IIS Authentication, and because it looks like those users need the "Log on
locally" right for Basic Authentication or Integrated Windows authentication
to work (otherwise, with auditing, a failure audit is generated when I try
to log on with the correct username/password pair)
2.2) I try to set up a GPO under this OU so users under this OU can't do
anything destructive even if they try to log on (which they would be allowed
to do)
3) at command prompt:
3.1) secedit /refreshpolicy user_policy /enforce
3.2) secedit /refreshpolicy machine_policy /enforce
3.3) secedit /refreshpolicy machine_policy

4) Wait a few minutes

5) Try to log on to the console (of the one and only Domain Controller
for the domain) as those users under this OU, and I get the following logged
in Event Viewer:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 24/08/2004
Time: 17:28:20
User: MyWEB\SiteAdmin
Computer: MyWEBServer
Description:
Windows cannot query for the list of Group Policy objects. A message that
describes the reason for this was previously logged by this policy engine.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 24/08/2004
Time: 17:28:20
User: MyWEB\SiteAdmin
Computer: MyWEBServer
Description:
Windows cannot establish a connection to myweb.local with (0).

How could I rectify this?
 
The user right for logon locally is a computer configuration setting, not a
user setting, and would apply only to computers in that OU. You need to
configure that user right on the computer where users need the right to log
on locally, and that can be done either in Local Security Policy or at the OU
level where that computer is located.

DNS misconfiguration is also the main cause of Group Policy and AD problems.
Your domain controller [I believe you have one] must point only to itself as
its preferred DNS server via its static IP address. W2K/XP Pro domain
computers must point only to AD domain controllers as their preferred DNS
server and NEVER an ISP DNS server. It is also a good idea not to have your
domain controllers multi-homed with multiple network adapters. Netdiag
and dcdiag are very helpful in checking for proper domain configuration for
domain controllers and domain members. The link below explains more on AD
DNS. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
 
No joy
1) The machine which is experiencing the problem where GPO is not loaded is
the Domain Controller itself. On this DC, under Networking settings, DNS is
set to use its own DNS (i.e. the IP address of the server)

2) The User Rights "Logon Locally" is set at a Domain Controller level
(under Domain Controller Security Policy) which overwrites Local/Domain
security policies.

 
Also, the machine (a DC on a Win2K Server SP4) only has a single gigabit
ethernet card with a single IP.

Note once again, the GPO loading error is happening when a user in the
non-default OU tries to log on to the DC itself (note once again there should
be no GPO propagation issues here, there is only 1 server which is the DC
itself!)

 
If this is a domain controller then add the users or global group that you want to
have the logon locally user right in the Domain Controller Security Policy and then it
should show as the "effective" setting in Local Security Policy of the domain
controller after a refresh. You can also run gpresult while logged onto the domain
controller and see the GPOs applied to that computer and logged on user and the last
time they were refreshed. The /v switch will give much more detailed info on the
GPOs being applied. Since you are having problems, I would also run first netdiag
and then dcdiag on the domain controller looking for any failed tests/errors/warnings
that may indicate if there is a problem even if it is the only domain
controller. --- Steve


 
Problem sorted...
the GPO Domain Controller Security Policies were too secure!!
It needs permission to
1) run essential *.exe like NETLOGON, etc.
2) Access computer from the network!!! (to access the GPO in the first
place!)

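The fix Patrick describes above (a DC security policy that granted "Log on locally" but had trimmed "Access this computer from the network", which the logon needs in order to read the GPO from SYSVOL) is easy to audit from a template exported on the DC with `secedit /export /cfg dc_policy.inf`. The checker below is an added example, not code from this thread or from Microsoft; it parses the [Privilege Rights] section of such a template and reports, for one account, which of the two rights is missing or explicitly denied (a SeDeny* entry always wins over the matching allow). The three templates, the MyWEB\SiteAdmin account name and every SID other than the well-known Everyone, Authenticated Users and Administrators SIDs are constructed for the example.

```python
"""
Audit a secedit template for the "Log on locally" + "Access this computer
from the network" combination a user needs to log on at a DC console and
still receive Group Policy. Added example; templates below are constructed,
and the domain/account names and non-well-known SIDs are assumptions.
"""
import re
from typing import Dict, Iterable, List, Set

# Rights a user needs to log on at a DC console and still receive policy.
REQUIRED = {
    "SeInteractiveLogonRight": "Log on locally",
    "SeNetworkLogonRight": "Access this computer from the network",
}
# The deny right that wins over each allow right.
DENY_OF = {
    "SeInteractiveLogonRight": "SeDenyInteractiveLogonRight",
    "SeNetworkLogonRight": "SeDenyNetworkLogonRight",
}
# Groups every domain account is in at logon: Everyone, Authenticated Users
# (well-known SIDs, with the leading '*' exactly as secedit writes them).
IMPLICIT_GROUPS = {"*S-1-1-0", "*S-1-5-11"}


def parse_privilege_rights(inf_text: str) -> Dict[str, Set[str]]:
    """Map each right in [Privilege Rights] to the principals granted it.
    secedit writes SIDs as *S-1-5-... and names as DOMAIN\\name; both are
    kept verbatim so callers can match either form."""
    rights: Dict[str, Set[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def missing_rights(rights: Dict[str, Set[str]], account: str,
                   groups: Iterable[str] = ()) -> List[str]:
    """One message per required right the account lacks or is denied.
    `groups` are extra group SIDs/names the account belongs to; the implicit
    groups are always included, as they are in the real logon token."""
    ids = {account, *groups, *IMPLICIT_GROUPS}
    problems: List[str] = []
    for right, label in REQUIRED.items():
        denied = ids & rights.get(DENY_OF[right], set())
        if denied:
            problems.append(f"{label}: denied via {DENY_OF[right]} "
                            f"({', '.join(sorted(denied))})")
        elif not ids & rights.get(right, set()):
            problems.append(f"{label}: not granted by {right}")
    return problems


def check_template(inf_text: str, account: str,
                   groups: Iterable[str] = ()) -> List[str]:
    """Parse a template and audit one account in a single call."""
    return missing_rights(parse_privilege_rights(inf_text), account, groups)


# Constructed: the hardened DC policy keeps "Log on locally" for the web
# account but trims network access down to Administrators, so the logon
# cannot read the GPO from SYSVOL and Userenv logs event 1000.
BROKEN_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,MyWEB\SiteAdmin
SeNetworkLogonRight = *S-1-5-32-544
"""

# Constructed: network access looks fine (Authenticated Users), but a deny
# entry left behind by a hardening template still locks the account out.
DENIED_INF = r"""
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,MyWEB\SiteAdmin
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = MyWEB\SiteAdmin
"""

# Constructed: the fix, with both rights granted and no deny entry.
FIXED_INF = r"""
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,MyWEB\SiteAdmin
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
"""

if __name__ == "__main__":
    for label, inf in (("broken", BROKEN_INF), ("denied", DENIED_INF),
                       ("fixed", FIXED_INF)):
        problems = check_template(inf, r"MyWEB\SiteAdmin")
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

To run it against a real template, export on the DC and read the file with `open(path, encoding="utf-16")`, since secedit writes the template as Unicode; pass the account's real group SIDs in `groups` so that rights granted to a global group are counted. Note that `secedit /refreshpolicy`, as used in the thread, is the Windows 2000 command; on XP/2003 and later the refresh is `gpupdate`.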
 
Great. Thanks for posting back what worked. Yes, you can secure yourself out of access
if not careful. -- Steve

 