Solved

URGENT: Security policy cannot be propagated

Posted on 2003-03-27
Last Modified: 2010-04-13
Hi all,

I have a serious problem with my 2k setup.
A brief overview of my network to help you understand my problem:
I'm running 1 DC (Windows 2000 Server) with 50 XP clients
& 30 98 clients.

I first set up the server as a clean 2k install with AD
running as DC with 1 NIC.  I have configured GPO to set up policies
for my XP machines and they work fine. (No policies for the 98 clients.)
As soon as I add a 98 client to the domain and log on it gives me the
following errors in the event log on the server:
-----------------------------------------------------------
Windows cannot access the registry information at
\\smc.qld.edu.au\sysvol\smc.qld.edu.au\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with
(1351).     Error 1000 - userenv
-----------------------------------------------------------
Security policy cannot be propagated. Cannot access the
template. Error code = 3.
     \\smc.qld.edu.au\sysvol\smc.qld.edu.au\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf. - Error
SceCli - 1001
-----------------------------------------------------------
The Group Policy client-side extension Security was passed
flags (17) and returned a failure status code of (3).  -
Error 1000 - userenv
-----------------------------------------------------------
During this period of time it then stops any other 98 client from
logging onto the server, giving the "No Domain Controller Available" error.

I have looked up every possible knowledge base article and
tried their solutions but none have prevailed.
I have also reinstalled the system again, a 2nd time clean;
and as soon as I have configured my XP policies in AD and
try to add a 98 client to the domain, the problem starts
again.

I have also had 3 other techs look at my system, including
myself, who are running systems very similar except not
using XP clients but 2000 clients. They seem to believe
it's some sort of bug in the 2k server OS.

I have XP Templates in my GPO setup but this should not be
a concern to the 98 computers as they don't use such
policy configuration.

It would be greatly appreciated if someone can help me
with my issue as everyone I have tried doesn't know how to fix it.
 
Regards
Jason Bursztynowicz

Network Administrator
Catholic Education Office
Cairns Qld 4870
Tech@ceo.cairns.catholic.edu.au

0
Comment
Question by:BBQ_1878
14 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 250 total points
ID: 8222539
First off, it appears you are using a legitimate Domain name internally.  Make sure that your DNS is set to forward unresolved queries to the ISP's DNS servers.

Secondly, it also appears as if your GPO is linked high enough up the tree to affect the users logging into the 98 boxes.  What you need to do is create an OU specifically for the XP users and move those User and Computer accounts into it.  If the GPO you are using is the Default Domain Policy then re-create a new Policy with the desired settings for the XP crowd and link it only to the OU where those XP users and computers exist.  Remove all the settings you made in the Default Domain Policy that were replicated in the new OU by toggling them to the opposite of what they are set to (in other words, simply selecting Not Configured does not necessarily undo the policy - it must be "hard" undone).

Let me know what your situation is.

0
 

Author Comment

by:BBQ_1878
ID: 8222819
Netman66,

Thanks for the help but....

The Windows 98 clients don't use IntelliMirror (as far as I know) for policy delegation.  So no matter how far up the tree the GPO is, it shouldn't affect any 98 box.
Also the idea of creating different OUs for each user and XP machine won't work. Because this is a school environment, students log onto XP clients and 98 clients, so they have to have cross-platform accounts and not just one dedicated XP account and one 98 account.

In terms of GPOs, I'm running each year level with a separate policy to allow me to restrict different applications for different grades.

And for DNS, I'm not actually running my network with a link for the web, so the DC is as high as DNS resolution goes.

If you can think of anything else please help me, cause I'm pretty stuck on this one :)

Thanks
Jason


0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8224351
Netman66 is correct, I have done a lot of school consulting.  You need an OU for your XP workstations and one for your 98 workstations.  Do not set a GPO any higher than that or you will have the same issue.  So the only workstations that will get any GPO policies will be in the XP OU.  You may create the OU now, move your XP objects into the OU.  Disable the GPO at domain level and any other you have in place, apply GPO to XP OU.

When you get the Win9x boxes joined to the domain, you can still use poledit to create a main.pol file and place that on the netlogon share, that way you can still lock down the Win9x boxes.
0
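The OU-scoping procedure that Netman66 and MSGeek describe above (create an OU for the XP machines, move only those computer objects into it, link the policy to that OU and nothing above it, then confirm nothing else is still linked at the domain root), written out as an added example that is not from this thread. It targets a current domain with the ActiveDirectory and GroupPolicy PowerShell modules, which Windows 2000 did not have; the OU name, GPO name and the "Windows XP" OS filter are assumed placeholders, and the Win9x poledit step is not covered because it is not driven through Group Policy.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and GroupPolicy
# modules (RSAT on Windows Server 2008 R2 or later). Names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'XP Workstations'        # assumed OU name
$gpoName  = 'XP Lockdown - Year 7'   # assumed policy name (one per year level in the thread)
$ouDN     = "OU=$ouName,$domainDN"

# 1. Create the OU directly under the domain root if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# 2. Move only the XP computer objects into it. Anything else (the 98 boxes, if they
#    have accounts at all) stays outside the OU and therefore outside the policy's scope.
Get-ADComputer -Filter "OperatingSystem -like 'Windows XP*'" -Properties OperatingSystem |
    Where-Object { $_.DistinguishedName -notlike "*,$ouDN" } |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDN }

# 3. Create the policy if needed and link it to the OU only, never to the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$alreadyLinked = (Get-GPInheritance -Target $ouDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 4. Audit the domain root. Every enabled link here applies to every computer in the
#    domain, which is the scope problem the thread is about; the only link normally
#    expected at the root is the built-in Default Domain Policy.
$rootLinks = (Get-GPInheritance -Target $domainDN).GpoLinks
foreach ($link in $rootLinks) {
    $note = if ($link.DisplayName -eq 'Default Domain Policy') { 'built-in' }
            else { 'REVIEW: custom policy linked at domain root' }
    '{0,-40} enabled={1,-5} {2}' -f $link.DisplayName, $link.Enabled, $note
}
```

Run it from an elevated session on a domain-joined admin workstation with RSAT installed. Step 4 is the check worth keeping around: a policy that was once linked at the root and merely switched to "Not Configured" still leaves its settings tattooed on the clients, which is the "hard undo" Netman66 refers to in the accepted answer.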
 
LVL 51

Expert Comment

by:Netman66
ID: 8224426
Are you using the AD client for the 9x boxes?

0
 

Author Comment

by:BBQ_1878
ID: 8224594
Netman66,

I'm not running the AD client for the 98 clients.
Do you think i should?
Jason
0
 
LVL 51

Expert Comment

by:Netman66
ID: 8224610
Try one PC and see if there is any change.

0
 

Author Comment

by:BBQ_1878
ID: 8280588
The ideas you gave me didn't work.  I had to remove the default domain policy and set up policies for each OU / year level and the error stopped straight away.
Also the AD client for 9x didn't do anything to help the problem.  I tested a few machines with it while my server was still in a broken state and it only seemed to work once I made the change with the root level policy.

Thanks for the help
Cheers
º¿º
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8280609
BBQ... any additional information about what you think occurred here or what really solved the problem versus what didn't would be more helpful for the knowledge base.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 8280665
MSGeek - he was using the Default Domain Policy instead of one lower down.  

BBQ - Glad you were able to get things up and running.

0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8280686
Netman66, thanks.  I have been out of the loop for a few days.  Out of power since 4/3 due to a massive ice storm.

I guess I knew that looking back at my post
"Do not set a GPO any higher than that or you will have the same issue."

I don't think the grade of C was deserved.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 8280708
It's OK.  If you look at his response then at the accepted answer, I had told him that right off - but he stated nothing worked then proceeded to tell us what he did.  Turns out it was pretty much the same as the answer he accepted.

Anyway, it's fixed.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8280733
Still, you answered in good faith; it's obvious he has not read the grading policy/guide.  I usually reject C's or get them reviewed if I think they are not warranted.
0
 

Author Comment

by:BBQ_1878
ID: 8282778
Comment from Netman66
 04/06/2003 05:20PM PST
 
MSGeek - he was using the Default Domain Policy instead of one lower down.
 
Just a quick note.  I wasn't using the default domain policy; it wasn't configured at any stage during set-up, as I have 3 - 4 policies for each OU.  That's why I couldn't figure out why it was affecting only my 98 boxes, as the XPs didn't pick up any policy when I didn't specify one, but reported that error in the event log.

But thanks all for the help, much appreciated.
Sorry I haven't read the rating guidelines as I'm too busy when you have to take care of 27 schools :( ahh well someone's got to do it :)
cheers

0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8283134
Sounds like you work for BOCES.  :)
0
