Solved

Windows 2000 Domain with Windows 7 Client

Posted on 2010-09-20
Last Modified: 2012-06-21
Question: So here's the problem... I can successfully add the Windows 7 machine to the domain; HOWEVER, group policies are not applied. I have looked around and adjusted the LAN Manager settings on both the client and server accordingly, and most posts point to this:

Microsoft Technet Article

I have removed the client from the domain, deleted the object, and re-added in different ways...still no luck. Any ideas? An upgrade on the server is really a last resort for us so any suggestions would be helpful.
Question by:deisrobinson
25 Comments
 
LVL 7

Expert Comment

by:grantsewell
ID: 33717244
Is anything coming up in the error logs when you run gpupdate /force on the Windows 7 system? I've heard of SID enumeration errors in a 2000 domain with Win7, but never experienced it myself. Can you give us some additional details?
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33717253
No errors come up. The policy I'm testing is actually not even showing up in the list of applied or not applied group policies.
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33717264
Also, this is my original question here, but I reposted to try to get more responses:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_26481334.html
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33717395
Are any policies being applied? What is the result of the RSAT tool?
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33717418
Sorry, I meant to say, what are the results of gpresult /r on the Windows 7 box? Can you post please?
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33717456
The only policy being applied is the Default Domain Policy. Using the RSAT tool I was able to create a few group policies, including the one in question which is not being applied. Thus far everything seemed to suggest a security-related issue; however, after a week of troubleshooting and testing the suggested fixes we are at a standstill.

This is the initial link I looked at for a possible fix:

http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/63b64d92-dc7a-44a3-80de-0cfee1bfd1c3/
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33717684
So you've completed those steps and still no dice?

After creating the policies on the Windows 7 system, can you view them in Active Directory on the domain controller?

Can you post the gpresult /r results?
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33717713
I cannot view them on the domain controller, but that was expected; from my understanding, I would not be able to see or edit the policy on the domain controller.

Here are the results:

OS Configuration:            Member Workstation
OS Version:                  6.1.7600
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\drobinson
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=Deidra Someone,OU=Admins Group,DC=gillespieassociates,DC=com
    Last time Group Policy was applied: 9/20/2010 at 10:43:10 AM
    Group Policy was applied from:      server1.gillespieassociates.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        GANET
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        High Mandatory Level
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33717745
It's not applying any computer policy at all. Is the SID for the computer enumerating on the domain controller?
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33717826
The Default domain policy is being applied. How do I check for enumeration on the domain controller?
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33717862
Default Domain Policy is being applied for the user, but not necessarily for the Computer. When you run gpresult /r, you should see separate sections for the computer and the user.

See if you can find the computer in Active Directory. Make sure the name exists, not something like:

S-1-5-21-3623811015-3361044348-30300820-1013
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33717868
Ahh, you are correct... I missed that. The computer is in Active Directory by name, not SID.
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33717917
Can you access other domain resources, such as file shares? Can you ping the domain controller?

Try running gpresult /scope computer /v - this should generate a LOT of information, this is the verbose results.
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33718079
I can access other resources and I can also ping the domain controller.

Here are the results.
C:\Windows\system32>gpresult /scope computer /v

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 9/20/2010 at 12:48:06 PM


RSOP data for GANET\someUser on STATIONXX : Logging Mode
----------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7600
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\SomeUser
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=STATIONXX,OU=Win 7 IT,DC=gillespieassociates,DC=com
    Last time Group Policy was applied: 9/20/2010 at 12:18:29 PM
    Group Policy was applied from:      server1.gillespieassociates.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        GANET
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        System Mandatory Level

    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  4

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            GPO: Default Domain Policy
                Policy:            ServiceLogonRight
                Computer Setting:  *S-1-5-21-1850994028-994360752-3975671931-1010

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59019
                ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59059
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59018
                ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                Computer Setting:  0

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

0
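
Added example (not part of the original thread or any poster's code): a small parser for the verbose gpresult layout posted above, which turns each "GPO / Policy / ValueName / Computer Setting" stanza into a name-to-value map, rejoins registry paths that the console wrapped onto the next line, and reports settings that differ from a baseline. The sample text is constructed from that layout; the `EXPECTED` baseline values and the function names are assumptions made for illustration.

```python
import re
# Constructed excerpt in the layout of the gpresult /v output above, including a
# ValueName that the console wrapped onto the next line at column 0.
SAMPLE = r"""
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59019
                ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\Sea
lSecureChannel
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59059
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

                Computer Setting:  1
"""
FIELD = re.compile(r"^\s+(GPO|Policy|ValueName|Computer Setting):\s*(.*)$")

def parse_settings(text):
    """Map each setting name (registry value name or policy name) to its value."""
    records, last = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            if last == "GPO":
                records.append({})          # every stanza starts with a GPO: line
            if records:
                records[-1][last] = m.group(2).strip()
        elif line.strip():                  # blank lines leave the parser state alone
            if last == "ValueName" and records and not line[0].isspace():
                records[-1]["ValueName"] += line.strip()  # rejoin wrapped path
            last = None
    return {r.get("ValueName", r.get("Policy", "")).rsplit("\\", 1)[-1]:
            r.get("Computer Setting") for r in records}

# Hypothetical baseline for illustration only; substitute your own policy values.
EXPECTED = {"PasswordComplexity": "Enabled", "SealSecureChannel": "1", "LmCompatibilityLevel": "3"}

def drift(text, expected=EXPECTED):
    """Return {name: (applied, expected)} for every setting that differs."""
    actual = parse_settings(text)
    return {k: (actual.get(k), v) for k, v in expected.items() if actual.get(k) != v}
```

Saving `gpresult /scope computer /v` to a file on each workstation and passing its contents to `drift()` gives a quick comparison of what the domain policy actually delivered against what was intended.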
 
LVL 7

Expert Comment

by:grantsewell
ID: 33718127
Well this is good - it looks like the computer is seen in Active Directory and policies are being applied.

Where did you configure the new Win 7 policies? Can we see a screenshot of the GPMC with that OU expanded?
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33718511
So now we have progress... I looked at the GPO again and noticed there were actually no computer policies in place for testing. So I added a simple icon policy to test. After forcing a GP update and restarting, I actually could not log onto the domain. This is the error message I received:

"The trust relationship between this workstation and the primary domain failed."

When editing printer policies I also received this error message when trying to add targeting based on security groups.

Here is a screenshot of the test policy that I have since disabled to regain Active Directory access.
Capture.PNG
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33719172
Check the eventlog. Event 3210 is common in this case and can often give you some clues. If that's the case, I would:

1) Gracefully disjoin the computer from the domain if you can, if not, delete it from AD.

2) Make sure time is synced correctly between the domain controller and the client.

3) Rejoin the domain (after 15 min or so), and choose a new name to avoid conflicts.
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33719286
Can't find anything in the event logs; the only error is with WMI, which shouldn't be related. I have left the domain... renamed... waited a while and re-joined. Still no luck.
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33719328
Which eventlog did you check? There has to be something in the security log of the workstation if you had a failed attempt. Otherwise you need to look at your system auditing.

Why don't you try setting a policy that isn't a group policy preference? The Client-Side extensions are fairly new and sometimes cause issues. Set a standard computer policy and see what happens.
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33719457
I actually went through all the logs, including the group policy log. Win7 also gives a summary of errors etc., and looking through the errors, all are unrelated. I tried setting a basic policy just to run a startup script, and this time I didn't get locked out of the domain, but the policy didn't apply either. gpresult /R doesn't even show it.
0
 
LVL 7

Accepted Solution

by:
grantsewell earned 500 total points
ID: 33720128
I'm not sure how Win 2000 Domains respond to RSoP requests. You may not see the policy being applied when you run gpresult. Try using the verbose command like before, and maybe it will show more details.

Check out this KB, looks right up your alley:

http://support.microsoft.com/?id=976494
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33725048
Ok so the output from verbose mode didn't show it either. The hotfix download is currently not available so I'll try again later and let you know how it works. Thanks
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33725777
Progress has been made. I no longer get the trust relationship error and now the system settings policy is being applied... partly... I added some items for drive mapping and to add printers, which doesn't seem to work, but everything else seems to be working. Could this be one of the Client-Side extensions bugs?
0
 
LVL 7

Author Comment

by:deisrobinson
ID: 33725938
Scratch that last message; the policy is now working correctly. I used targeting when applying the drive mapping, and of course the account I was testing wasn't a part of the appropriate group. The hotfix did the job. Thanks.
0
 
LVL 7

Author Closing Comment

by:deisrobinson
ID: 33725941
Thanks for the help.
0
