Solved

Error 1053!  Can not figure out!!!!!!! HELP ASAP!!!!!

Posted on 2003-12-08
Last Modified: 2012-06-27
I keep having an error 1053: Windows cannot determine the user or computer name. (%1). Group Policy processing aborted.

I have tried the following....
At the command prompt, type gpupdate, and then check Event Viewer to see if the Userenv 1053 event is logged again.
To verify that the domain controller can be contacted through Domain Name System (DNS), try to access \\mydomain.com\sysvol\mydomain.com, where mydomain.com is the fully qualified DNS name of your domain.
Verify that you can access the domain controller by using tools such as the Active Directory Users and Computers snap-in.
Check to see whether other computers on your network are having the same problem.


All of which passed.  The only way I can get computers to receive the full group policy is to put them in the admin group, but make the primary group the pc lockdown policy.  Even when they do get the full policy, the workstations still have a 1053 error.

Also, my other domain controller will not replicate.  It keeps posting errors about failing, but yet, it logs in and you can manipulate an OU or GPO.

All I can say is WTF????

Question by:JamesN1830
 
LVL 6

Expert Comment

by:Casca1
ID: 9902297
For the PC's, what is the context? Are they in the default computer container, or have you moved them to a different OU? Where are you applying the GPO?
This is really two questions; You might be better served to ask for help on the DC issue separately.
What are the errors listed in event viewer for FRS?
0
 

Author Comment

by:JamesN1830
ID: 9904473
All workstations are still in the default computer container.  
I am applying the gpo from the domain controller.... I don't quite follow that question or the context question.  What are you asking?

Let's focus on the error 1053.  I did get the dc replicating, but I will have to change the way I did it soon.

0
 
LVL 6

Expert Comment

by:Casca1
ID: 9904870
You answered the context question; They are in the default container.
The reason I asked had to do more with where you applied the GPO. Since there is no issue there, check this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;262958&Product=winxp
According to this, you may have removed some vital permissions.

Aside; How did you get the DC replicating? This might all be related...
0
 

Author Comment

by:JamesN1830
ID: 9905810
I got the DC replicating by adding that server into the domain admin account.  I know that is a dumb idea as far as security goes, but I needed a temporary fix.

Thank you for the article.  I had looked at that before.

Something happened to my system this morning that might have caused a fix.  This morning out of the blue I get this error message on all non admin workstations: "local policy does not allow interactive logon".  This blocked everyone from getting on.  I did some research and logged on locally as admin.  Checked the local policy and found the gpo had set the user rights\log on locally to everything but domain users and auth users.  I went to the dc and found the same policy under "default domain controllers policy".  I added auth user and domain users...... People can now log in and no more 1053 on the half dozen workstations I've looked at.  This may have even fixed the replication if I remove the domain admin.  The only thing is the local group policies are not replicating over the wan????  Even when I do a gpupdate /force.  I'm going to give it a few minutes and try again...

Thoughts on this solution?
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9906033
Hmmm; Yeah, the Policy needs to have rights on both the DC and local PC, so that was certainly AN issue, if not THE issue. Seems you may have resolved that.
When you say it will not replicate across the WAN, is this to another server, or just a mixed metaphor? 8-)
Are clients unable to receive the policy, or is it another DC not getting the replication at all?
0
 

Author Comment

by:JamesN1830
ID: 9907867
I am having clients not receive the gpo.  The clients on site with the DC's updated their gpo's just fine.  I have a few other sites that go across the wan to where the domain controllers are located to be authenticated.  No off site DC's.  Sorry for the mixing...  Here is what is weird... I have a fresh pc I just built as a test machine that is off site that was not yet added to the domain.  I added it to the domain (remotely) and it will log on just fine.  Now when I check to see what policy it is acting on it is going off local policy.  What I mean is you have the ability on it to change local policy settings, more specifically, who can log on locally.  For all the other workstations, I could only affect that at the domain controller editing the default domain controller policy as mentioned earlier.  Other computers at that site will not refresh their gpo's???  However if you make a change in AD to a user account, it immediately takes effect.  

I hope that makes sense.  

BTW, you definitely got the points, but any more help would be greatly appreciated since we kinda got off topic.


0
 
LVL 6

Expert Comment

by:Casca1
ID: 9908377
Hmmm, check your Policy links...
That's weird. Do you possibly have the computers in a group? Since you added the new test PC and it's running on its local policy, that tells us there is no other policy affecting the mix. So the other PC's have to be getting it from somewhere... How about sites? Groups in a container with the policy will be affected, or if you had moved the PC's out of the default container. Odd. Somewhere in there you have a strange setting.
So, check your GPO links. It has to be there; Either that, or they aren't logging in properly (WAN Links can do that) and they are using cached credentials, which just might also include the security settings.
Good luck.
0
 

Author Comment

by:JamesN1830
ID: 9912471
About an hour after my last message to you my off site computer did update the gpo finally.  No clue as to why it took so long.  Also, the test workstation that I did add today is still using local policy when an admin logs in, but if a test account logs in then it loads the locked down desktop policy which is tied to that test user.  I am getting 1053 error on the test machine though????

When you say policy links, you just mean where what gpo goes to what object, right?  How do I check it to be certain?  I'm still in NT days :)

0
 
LVL 6

Expert Comment

by:Casca1
ID: 9912578
Go into AD users and computers, I believe you said this is a default domain policy, so right click the domain, select properties, group policy, and choose the properties button. There is a links tab. That will show you what and where you are linked for that policy.
You might need to check each OU, as well, to ensure you have no GPO's applied separately, just to be safe.
Somewhere, somehow, there is a GPO being applied, that much is certain. If it was a local security policy (Machine policy) it would affect everyone.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9912607
Hey, do you have a default domain controller policy applied? Check the security tab on that, make sure your DC has the read and apply rights to it. That should allow your DC's to replicate without any issues.
Have you locked your user rights down on local policies on that DC? If you messed with the system account, that might have something to do with it, as well.
0
 

Author Comment

by:JamesN1830
ID: 9915015
I did check the link like you described.  When I hit "find now" on the link tab screen I get "village.local/"  (my domain name).  That's it.  Nothing else.  I have another policy called "lock desktop" which I have placed every non admin user in.  When I hit the find now button I also get "village.local/".  In fact it is that way for all my policies.
The second part of that was to check all the ou's links.  How would I do that?

Yes I do have default domain controllers policy loaded.  I did not have it applied like you said though.  It is now.  
My user policies are locked down via the "lock desktop" policy.  
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9915438
Hmmm, Something in the policy, then, is preventing the user from finishing the upload. Have you got the policy locked so tight it kills some of the mappings, or possibly have you got it to prevent certain users (Domain users, or everyone groups) from having certain access?
We have it narrowed down to the policy, it looks like.
Double check and verify the DC's are replicating, and then I think you are going to have to go through the policy line by line and find which setting is killing the connection.
Have you prevented the users from domain browsing for instance, or being able to browse the server?
Hmmm, I'll check around in my policy sets, and see if I can find something that might be it.
Good Luck!
0
 

Author Comment

by:JamesN1830
ID: 9916203
Users can browse the domain and even browse the server (shared folders only of course).  I'll do a gpresult on my test machine that is not dragging down the policy and see which policy it needs then go through that one line by line.... hopefully something will turn up.  GPO's can be enough to make you lose it.  I even initially intended to model them in a very simple scheme.  I can't even imagine some of the big boy networks with 50,000+ users and those rights....

0
 
LVL 6

Expert Comment

by:Casca1
ID: 9918400
Well, policies are best kept simple, as in few. Applying multiple settings in one is not too bad, but if you aren't documenting it, you are shooting yourself in the foot... 8-)
I'm still pursuing my MCSE ( 2 more tests); currently I'm on AD Design, and that happens to be a chapter I just finished. Everything, books, instructor videos, facilitators (Self paced course); they all say DOCUMENT!!!!!!
You would think after 14 years in the business, I would have that one down pat. 8-)
0
 

Author Comment

by:JamesN1830
ID: 9920794
In retrospect I wish I would have documented changes.  I have been going back through and wondering what in the world I was thinking when I gave rights to this or turned this function off... that type of thing.  How often do the DC's replicate?  I thought every 7 seconds.  Doesn't it tell you if it went successfully in the event log?  Also, what is the recommended way to document the AD and GPO?

You've got 11 yrs on me in business.  I document everything usually and test thoroughly... except this...doh.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9921630
DOH!
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9921681
Your best bet?
Delete it all, reset the values for your Default domain and Default Domain controllers to Not Defined. Then, make up a spread sheet, make your fields for your columns, and then start by creating a test policy, preferably in a lab. If not, start it by only applying it to yourself/test user, and play around with it until you get it right. Then do a limited roll out and watch what happens. Then, if everything works right, deploy to everyone.
Also, I would suggest creating two default policies for your domain. In one, disable the Computer node, and the other, disable the user node.
Apply computer settings in the computer node enabled policy, and call it something like Default Computer Config, and do the same thing for the users.
The reason I recommend this has to do with the GPO processing. By disabling the unused portion, you allow processing of the GPO to speed up. Since Computers process their GPO at startup, it will go first, and quickly, and then the user login, and your system will be tight. Additionally, GPO process synchronously, so there will be no SNAFUs to cause you issues with users getting logged in before the computer state is set.
Bear in mind, however, that the policy can be loading while the user is already logged in, and therefore the user can begin doing things WHILE THE GPO IS PROCESSING. As long as you keep things tight, it shouldn't be that big an issue, though.
Good luck, and sorry I had to bear the bad news to you. 8-)
0
 

Author Comment

by:JamesN1830
ID: 9921847
So you're saying create a new lock desktop policy that will be linked to a test account.  Take my existing default domain and domain controller policy and set all options to not configured?  

Something to think about is all workstations are processing the "default domain controller policy" and not the domain policy....???  

That is bad news....
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9922855
Well, that means they are certainly linked to the policy. Yeah, reset all your policies, either create a new one or whatever, document this implementation.
This way you can get rid of the policies causing your issues, start from scratch, and then test each new policy as you implement. Doing it that way will give you a good feel for what is going on, and give you a step by step for how to tighten your security, here and at the next job. 8-)
0

 

Author Comment

by:JamesN1830
ID: 9923093
How about this...

I found that I do not get the error 1053 when I have my second DC on, but the group policies are all fubar.  When I turn that DC off I get the 1053 but my policies are back to normal???  That would have to be a replication issue.

Also if I do start from scratch, could I simply create a new default domain controller and domain policy, and have only my test work station use them.  Then when it is right, disable the current ones and turn on the new ones to everyone else?

Even if I do do that, it still does not get rid of my replication problem..... this sucks.

0
 
LVL 6

Expert Comment

by:Casca1
ID: 9923374
Well, It's possible that your replication problem is related, as in a no access. Yeah, you could do that, or just hit every tab in each policy location and set to disable.
Your policies aren't really back to normal, I don't think. The 1053 indicates an error processing the policies in the first place.
That's the main reason I recommend shutting down all the policies, and checking both GPO's in the domain, and any local policies that are in effect. For the clients, it should be easy; Just run the default security template. That should straighten out any client side settings. I think you can use secureDC.inf to reset the policies on the domain controllers. That would get you to a decent default setting. Then modify up as needed.
BTW, set your PW policies to the domain. They only apply there, anyway, and it's an extra step you can skip, once you are reset to values. If you need different PW policies, I hate to say it, but you are going to need another domain.
0
 

Author Comment

by:JamesN1830
ID: 9923538
Sorry for so many questions, I just want to get this straight before I start disabling things.  It is my job after all...

Ok, so
1.  go through and disable ALL policies in AD -ie Default domain policy and default domain controller policy.

2.  Run a security template to bring the clients and the DC back to default settings (No clue on how to do this one???)

3.  Modify default policies as needed.

I should not have to remake my users should I?

Is PW policy the Password policy????  My password policy is just complex and 7 characters... nothing special.

If I go this route I think I'll make backups of the policies and do a good system backup beforehand just in case.  

 
0
 

Author Comment

by:JamesN1830
ID: 9923755
I did find the "dcgpofix" command.  I think with a good backup and during downtime hours I really have nothing to lose.  I can temporarily grant everyone rights to a few key folders (or at least group rights) and try it.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9924003
These are cut and pastes from the MSKB. I provided the link for you at the end. 8-)

Starting Security Templates
Decide whether to add security templates to an existing console or create a new console:
To create a new console, click Start, click Run, type mmc, and then click OK.
To add security templates to an existing console, open the console.
On the Console menu, click Add/Remove Snap-in, and then click Add.
Click Security Templates, click Add, click Close, and then click OK.
On the Console menu, click Save.
Type the name that you want to assign to this console, and then click Save.

This opens the Security Configuration and Analysis tool.

Applying a Security Template to a Local Computer
In the Security Configuration and Analysis snap-in, right-click Security Configuration and Analysis.
If a working database is not already set, click Open Database to set a working database.
Click Import Template.
Click a security template file, and then click Open.
Repeat the previous step for each template that you want to merge into the database.
Right-click Security Configuration and Analysis, and then click Configure System Now. Note that the security settings take effect immediately.

This runs the tool, and applies the template. I recommend you don't adjust anything, just yet. You want to get this onto all your systems and working to clear up any errors. I would apply this, and leave it in place for a day or two, and see if your 1053 error goes away.
This tool will allow you to more or less reset your domain to the default.

Here's the link.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321679&Product=win2000

Here is a MUCH better article. This one tells you how to apply the various administrative templates. This is the one I recommend you use.
http://support.microsoft.com/default.aspx?scid=kb;en-us;309689&Product=win2000
Here are the predefined templates defined and explained:
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_SCEdefaultpols.htm
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9924074
Sorry, I only gave you part of what you are looking for.
1) Disable the settings. By applying the information from above, it should reset all that for you, however.
2) see above... 8-)
3) from here, tighten up the security as needed.

No, you will not need to remake the user accounts, groups, or OU's. You have simply applied GPO's in an unorthodox fashion.

PW=Password policy. Not my business what your PW policy IS, just wanted you to know that there is only one place to set the password policy, which is at the domain. If you set this at any other place, the setting SHOULD be ignored.
Yes, backup. Early, often, here, there, and everywhere, SAM I am... 8-)
0
 

Author Comment

by:JamesN1830
ID: 9924271
Ok one more thing, once I reset these, what are my users going to see logging in for the first time?  They will still be connected to their respective groups, but I guess essentially they will be logged on to a pc as the local admin?

This will all go down on saturday, so tomorrow will be full of lots of reading :(
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9924445
Oh, no; They will login with whatever privileges you give them. That's one reason I suggest testing all this before implementing. To really be safe, implement the security templates on a test machine, login with your various users to ensure they aren't going to have any issues.
Hehehe; I have to drive to a distant town tomorrow and do some basic setup work on two new PC's (Contractor; I take what I can get!)
I'd rather read... (I HATE driving, I suffer roadrage like some people suffer altitude sickness, right now and acute!)
0
 

Author Comment

by:JamesN1830
ID: 9929296
Thank you again before I go on.

Here's the plan... let me know if I'm missing anything.

On a test workstation, implement one of the secure templates.

Test with various users.

If tests go well, then reset domain policies with dcgpofix back to defaults.  

Implement secure templates as gpo's.

Tweak GPO's to my liking over time at that point.

Did I miss anything?
0
 
LVL 6

Accepted Solution

by:
Casca1 earned 150 total points
ID: 9932003
Well, I wouldn't use the secure workstation, but if your environment and software will allow the user to work under those limitations, then by all means. Been my experience, however, that the normal user is unable to even properly use Office under the secure constraints! 8-)
Other than that, yes, that is the most excellent plan, except one thing. You forgot to mention document each step! 8-)

Good Luck!
0
 

Author Comment

by:JamesN1830
ID: 9941698
We had a huge snow storm this weekend and I was trapped at home, so no go as of yet.  Documentation...... doh again.  I'm always forgetting that when messing with GPO's.  I did find something on Friday that may interest you.  Here is the link.  

http://www.microsoft.com/downloads/details.aspx?FamilyId=C355B04F-50CE-42C7-A401-30BE1EF647EA&displaylang=en

It's GPMC at microsoft.  Nice little tool.
Thanks for the help again.  
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9942043
My Pleasure. Thanks for the points and grade. And for the link!
0
 

Author Comment

by:JamesN1830
ID: 10002098
Ok, I went through with it!  I did the dcgpofix.  Everything is working perfectly now EXCEPT I can not access my root domain controller shares from network neighborhood and I have access denied on the root DC whenever I try and view GPO's from active directory users.  I can edit them from the other DC's, but why in the world would I lose rights to it as the domain admin?

By the way, Merry Christmas.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 10003776
Secure DC. You probably used that, and in so doing locked access from the network. Loosen it up some! 8-)
0
 

Author Comment

by:JamesN1830
ID: 10010537
I didn't use any template.  Now I am completely locked out of the GPO editor on all dc's.  I can not do a dcgpofix again either because it won't work because the registry.pol is not there.  I got a copy from backup, but it still won't do it.  I need it.  Things are starting not to work right!  

I tried the adsiedit.msc fix, but it isn't taking.  Ideas?
0
 
LVL 6

Expert Comment

by:Casca1
ID: 10011437
Ummm, apply a template. I would use the less restrictive templates, then tighten them up.
Do you have 2000 and XP/2003 mixed into this? Have you done the GPO editing from an XP machine?
There are some differences between 2000 and XP, and it can mutate on ya.
0
 

Author Comment

by:JamesN1830
ID: 10012009
Got it fixed.  Called Microsoft tech support.  I had a "policy collision" they said.

Had to go into regedit on all DC's.
Went to local machine......down to lanmanserver and lanmanworkstation.  Had to change enablesecuritysignature and enablesecuritysigning to 0.  Changed Digitally Sign Server and Workstation Always in the default domain and domain controller policies to disable.

After that all worked.

Only took 3hours on the phone.  :)

Hope that helps someone else in the future.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 10012282
If nothing else, it will help ME... 8-)
Never know WHAT you will learn in here.
Glad you are resolved.
0
 

Author Comment

by:JamesN1830
ID: 10012391
Here is the exact problem and resolution for clarification.

PROBLEM
User attempting to open the Default Domain Controller Policy and receives the following error:
"You do not have permission to perform this operation. Access is denied."
In the application logs, we noticed he was also getting Userenv 1030 and 1058 errors.
 
RESOLUTION
Set the following setting on the affected DCs.
Key: HKEY_LOCAL_MACHINE\System\CCS\Services\LanmanServer\Parameters
Value: RequireSecuritySignature
Data: 0
After we made the change and refreshed the policy using gpupdate /force, the error went away and the user was able to successfully open the group policy object.
0
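
An added example, not part of the original thread or of Microsoft's guidance: a PowerShell check for the SMB signing values named in the resolution above, which reports pairs of machines whose settings cannot negotiate and machines where the server side no longer requires signing. It assumes the "policy collision" was one side requiring signing while the other had it disabled (the thread does not spell this out) and SMB1-era semantics as on Windows 2000/2003; the host names and sample readings are constructed.

```powershell
# Added example. Value names are the standard SMB signing parameters; the
# host names and sample readings further down are constructed.
$SigningKeys = @{
    Server      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Workstation = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

function Get-LocalSmbSigning {
    # Read Enable/RequireSecuritySignature for both services on this machine.
    $row = [ordered]@{ Name = $env:COMPUTERNAME }
    foreach ($role in 'Server', 'Workstation') {
        $props = Get-ItemProperty -Path $SigningKeys[$role] -ErrorAction SilentlyContinue
        foreach ($value in 'EnableSecuritySignature', 'RequireSecuritySignature') {
            # A value that is not set is recorded as $null, not guessed.
            $key = $role + $value
            if ($props -and $null -ne $props.$value) { $row[$key] = [int]$props.$value }
            else { $row[$key] = $null }
        }
    }
    [pscustomobject]$row
}

function Test-SmbSigningPair {
    param($Client, $Server)   # Client opens the share; Server hosts it (e.g. SYSVOL)
    $findings = @()
    if ($Server.ServerRequireSecuritySignature -eq 1 -and
        $Client.WorkstationEnableSecuritySignature -eq 0) {
        $findings += 'server requires signing, client has signing disabled'
    }
    if ($Client.WorkstationRequireSecuritySignature -eq 1 -and
        $Server.ServerEnableSecuritySignature -eq 0) {
        $findings += 'client requires signing, server has signing disabled'
    }
    foreach ($f in $findings) {
        [pscustomobject]@{ Client = $Client.Name; Server = $Server.Name; Finding = $f }
    }
}

function Find-SmbSigningCollision {
    param([object[]] $Readings)
    # Self-pairs are kept on purpose: a DC opening its own SYSVOL through the
    # domain path is both client and server.
    foreach ($client in $Readings) {
        foreach ($server in $Readings) {
            Test-SmbSigningPair -Client $client -Server $server
        }
    }
}

function Find-SigningNotRequired {
    param([object[]] $Readings)
    # Servers that accept unsigned sessions, i.e. the state the fix above leaves behind.
    $Readings | Where-Object { $_.ServerRequireSecuritySignature -eq 0 } |
        ForEach-Object { $_.Name }
}

function New-Reading($Name, $SrvEnable, $SrvRequire, $WksEnable, $WksRequire) {
    [pscustomobject]@{
        Name                                = $Name
        ServerEnableSecuritySignature       = $SrvEnable
        ServerRequireSecuritySignature      = $SrvRequire
        WorkstationEnableSecuritySignature  = $WksEnable
        WorkstationRequireSecuritySignature = $WksRequire
    }
}

# Constructed readings; on real hosts collect Get-LocalSmbSigning output instead.
$sample = @(
    (New-Reading 'DC1' 1 1 0 0),   # server side requires, own client side disabled
    (New-Reading 'DC2' 1 1 1 0),
    (New-Reading 'WS-TEST' 0 0 1 0)
)

Find-SmbSigningCollision -Readings $sample | Format-Table -AutoSize
Find-SigningNotRequired -Readings $sample
```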
 
LVL 6

Expert Comment

by:Casca1
ID: 10012899
A quick cut and paste, and I have it. 8-)
Thanks.
0
