jackflex

asked on

Group Policy Infrastructure failing

I edited group policy Computer\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network.

Since then all computers that loaded this policy generate the error:

Group Policy Infrastructure failed due to the error listed below.
Access is denied.

Note:  Due to the GP Core failure, none of the other Group Policy components processed their policy.  Consequently, status information for the other components is not available.

I disabled the GPO that I edited, but now no machine will load new GPOs.

John Gates, CISSP, CDPSE

Was this one of the default policies or did you create a new one?  You should always create a new policy and not touch the defaults.  If you touched the defaults then please post the entire path.

-D-
jackflex

ASKER

Computer\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
is the full path. Default policy is "not defined". I selected "assign this policy". Everything broke so I disabled the GPO and gpupdate will not refresh my policy.

Gpupdate generates.....
event id 1053

Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.
Did you edit the "Default Domain Policy" computer settings?
I am going to assume you did :-)  Here is how you reset it back to the way it was:

http://support.microsoft.com/kb/226243

-D-
I tried the article above before. My domain controllers are OK. RSOP and gpupdate are working fine now on the DCs but still will not work on XP clients.
Are they?  Have you done a DCDIAG /v > dcdiag.txt to find out?  You will have to use gpresult to see what is happening on the client side:


Here is an article for that:

http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part2.html

Following these instructions you will find out why the GP is not applying.  Hang in there :-)

-D-
The DCDIAG /v > dcdiag.txt would be performed on your domain controller (assuming you have the support tools installed)

-D-



Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine JFK, is a DC.
   * Connecting to directory service on server JFK.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\JFK
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... JFK passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\JFK
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... JFK passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC JFK.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
            (Domain,Version 2)
         ......................... JFK passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\JFK\netlogon
         Verified share \\JFK\sysvol
         ......................... JFK passed test NetLogons
      Starting test: Advertising
         The DC JFK is advertising itself as a DC and having a DS.
         The DC JFK is advertising as an LDAP server
         The DC JFK is advertising as having a writeable directory
         The DC JFK is advertising as a Key Distribution Center
         The DC JFK is advertising as a time server
         The DS JFK is advertising as a GC.
         ......................... JFK passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=JFK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
         Role Domain Owner = CN=NTDS Settings,CN=JFK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
         Role PDC Owner = CN=NTDS Settings,CN=JFK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
         Role Rid Owner = CN=NTDS Settings,CN=JFK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=JFK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
         ......................... JFK passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 4937 to 1073741823
         * JFK.fsl-nt.fsl.noaa.gov is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 3937 to 4436
         * rIDPreviousAllocationPool is 3937 to 4436
         * rIDNextRID: 4183
         ......................... JFK passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC JFK on DC JFK.
         * SPN found :LDAP/JFK.fsl-nt.fsl.noaa.gov/fsl-nt.fsl.noaa.gov
         * SPN found :LDAP/JFK.fsl-nt.fsl.noaa.gov
         * SPN found :LDAP/JFK
         * SPN found :LDAP/JFK.fsl-nt.fsl.noaa.gov/FSL-NT
         * SPN found :LDAP/85abcf2c-f3c3-4d2c-aab2-2c54d1437392._msdcs.fsl-nt.fsl.noaa.gov
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/85abcf2c-f3c3-4d2c-aab2-2c54d1437392/fsl-nt.fsl.noaa.gov
         * SPN found :HOST/JFK.fsl-nt.fsl.noaa.gov/fsl-nt.fsl.noaa.gov
         * SPN found :HOST/JFK.fsl-nt.fsl.noaa.gov
         * SPN found :HOST/JFK
         * SPN found :HOST/JFK.fsl-nt.fsl.noaa.gov/FSL-NT
         * SPN found :GC/JFK.fsl-nt.fsl.noaa.gov/fsl-nt.fsl.noaa.gov
         ......................... JFK passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... JFK passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         JFK is in domain DC=fsl-nt,DC=fsl,DC=noaa,DC=gov
         Checking for CN=JFK,OU=Domain Controllers,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov in domain DC=fsl-nt,DC=fsl,DC=noaa,DC=gov on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=JFK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov in domain CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov on 1 servers
            Object is up-to-date on all servers.
         ......................... JFK passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... JFK passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... JFK passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... JFK passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... JFK passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)

         CN=JFK,OU=Domain Controllers,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov and

         backlink on

         CN=JFK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=JFK,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov

         and backlink on

         CN=JFK,OU=Domain Controllers,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov are

         correct.
         The system object reference (serverReferenceBL)

         CN=JFK,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov

         and backlink on

         CN=NTDS Settings,CN=JFK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fsl-nt,DC=fsl,DC=noaa,DC=gov

         are correct.
         ......................... JFK passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : fsl-nt
      Starting test: CrossRefValidation
         ......................... fsl-nt passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... fsl-nt passed test CheckSDRefDom
   
   Running enterprise tests on : fsl-nt.fsl.noaa.gov
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.
         ......................... fsl-nt.fsl.noaa.gov passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\JFK.fsl-nt.fsl.noaa.gov
         Locator Flags: 0xe00003fd
         PDC Name: \\JFK.fsl-nt.fsl.noaa.gov
         Locator Flags: 0xe00003fd
         Time Server Name: \\JFK.fsl-nt.fsl.noaa.gov
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\JFK.fsl-nt.fsl.noaa.gov
         Locator Flags: 0xe00003fd
         KDC Name: \\JFK.fsl-nt.fsl.noaa.gov
         Locator Flags: 0xe00003fd
         ......................... fsl-nt.fsl.noaa.gov passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
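A `dcdiag /v` log this long is easy to misread as a full pass when several tests were skipped. The summariser below is an added example, not code from any poster in this thread: it groups verdict lines into passed, failed and omitted, using a constructed sample (server name DC01, domain example.test and the failed line are made up).

```python
import re

# Constructed sample in the layout of `dcdiag /v` output; the server name DC01,
# the domain example.test and the failed MachineAccount line are made up.
SAMPLE = """\
   Testing server: Default-First-Site-Name\\DC01
      Starting test: Replications
         ......................... DC01 passed test Replications
      Test omitted by user request: Topology
      Starting test: MachineAccount
         ......................... DC01 failed test MachineAccount
      Test omitted by user request: CheckSecurityError
   Running enterprise tests on : example.test
         ......................... example.test passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
"""

# Verdict lines look like "......... <target> passed test <name>".
VERDICT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed) test (\S+)")
OMITTED = re.compile(r"Test omitted by user request:\s*(\S+)")


def summarize(text):
    """Group dcdiag results into passed / failed / omitted test names."""
    summary = {"passed": [], "failed": [], "omitted": []}
    for line in text.splitlines():
        verdict = VERDICT.search(line)
        if verdict:
            target, outcome, test = verdict.groups()
            summary[outcome].append(f"{target}:{test}")
            continue
        skipped = OMITTED.search(line)
        # An omitted test can be listed twice (DNS is, in the log above).
        if skipped and skipped.group(1) not in summary["omitted"]:
            summary["omitted"].append(skipped.group(1))
    return summary


def is_clean(summary):
    """Full clean pass only if nothing failed and nothing was skipped."""
    return not summary["failed"] and not summary["omitted"]


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for bucket in ("failed", "omitted", "passed"):
        print(f"{bucket:8} {', '.join(result[bucket]) or '-'}")
    print("full clean pass:", is_clean(result))
```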
Have you tried this:
http://support.microsoft.com/kb/257346
Although not the same, it may help.
Also try re-enabling the policy and adding authenticated users to have access, to see if it reapplies.
Cheers
Stu
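A check for the setting edited in this thread, added here as an example and not code from any poster: it reads the text of a GPO security template (`GptTmpl.inf`, `[Privilege Rights]` section) and reports whether `SeNetworkLogonRight`, the key behind "Access this computer from the network", is undefined, still includes Everyone or Authenticated Users, or has been narrowed. The sample templates are constructed, and treating those two principals as the "broad" set is an assumption of the example.

```python
RIGHT = "senetworklogonright"  # SeNetworkLogonRight, compared in lowercase
# Assumption of this example: these two well-known SIDs count as "broad".
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}

# Constructed templates in GptTmpl.inf layout (real files are UTF-16; decode first).
RESTRICTIVE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
"""
BROAD_OK = RESTRICTIVE.replace("*S-1-5-32-544", "*S-1-1-0,*S-1-5-11,*S-1-5-32-544")
UNDEFINED = "[Privilege Rights]\nSeBackupPrivilege = *S-1-5-32-544\n"


def privilege_rights(inf_text):
    """Return {right_name_lowercase: [principals]} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            key, _, value = line.partition("=")
            # SIDs carry a leading '*'; account names appear without it.
            rights[key.strip().lower()] = [
                v.strip().lstrip("*") for v in value.split(",") if v.strip()
            ]
    return rights


def check_network_logon(inf_text):
    """Classify how the template treats the network logon right."""
    rights = privilege_rights(inf_text)
    if RIGHT not in rights:
        return "not defined"   # the GPO does not set this right at all
    broad_names = {name.lower() for name in BROAD.values()}
    members = rights[RIGHT]
    if any(m.upper() in BROAD or m.lower() in broad_names for m in members):
        return "broad"
    return "restrictive"       # only the listed principals may connect


if __name__ == "__main__":
    for label, tmpl in (("A", RESTRICTIVE), ("B", BROAD_OK), ("C", UNDEFINED)):
        print(label, check_network_logon(tmpl))
```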
The problem has been traced back to the server. DNS is really slow so I ran dcdiag, and got the following error.....
The current DC is not in the domain controller's OU
...and sure enough my primary DC (and DNS server) are not in any OU. I can do a search and "find" the server, but I can't move it back to my DC's OU.
Referred to http://support.microsoft.com/kb/833436
Now I'm waiting for a hot fix.....
ASKER CERTIFIED SOLUTION
John Gates, CISSP, CDPSE
dcdiag pointed me in the right direction. Thanks