MarkSnark1 asked:

Remote Desktop not working for new members of Remote Desktop Users group

I recently promoted a new server to Domain Controller and since then new users added to the Remote Desktop Users group get the whole "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right..." bit. I am not sure the promoted server is related to the issue but at any rate when I go to the Local Security Policy "Security Settings\Local Policies\User Rights Assignment" the "Allow log on through Remote Desktop Services" add user button is greyed out. I hate greyed out buttons.
Anyway, in Group Policy Management when I right-click to edit the "Default Domain Controllers Policy" I get a "Failed to open the Group Policy Object" and the details say "The system cannot find the path specified". So, as a result I am not able to enable/edit "Allow log on through Terminal Services". The Group Policy Management Editor does not seem to be working at all. Any suggestions?
TheNemesis replied:
As a quick and dirty approach, add your domain user group that should be enabled to use RDP to the local group "Remote Desktop Users" (if it's not the DC you want to RDP on).

But your main problem seems to be that your AD replication between the old and new DC doesn't seem to work. Have you verified your log files on both DCs? Anything stating that there were problems replicating? Are the default DC shares in place on both servers (\\dc\sysvol)?
MarkSnark1 (asker):
People who had remote desktop privileges prior to the DC promotion can still use RDP, but new users and groups added to the Remote Desktop Users group, including the Domain Users group which I just added per your suggestion, still get the message when attempting to log on. I agree with you that it is probably a replication issue, of which the Group Policy Editor failing is also a symptom. The problem is I do not know how to diagnose nor fix it. I did not see anything in the event viewer that would lead me in any direction. Thank you for the response.
Can you confirm that on both DCs there are shares mounted under the name \\dc1\sysvol and \\dc2\sysvol? Can you please restart the File Replication Service on both servers and check the corresponding logs for entries about FRS?
Thank you,
I ran net share and essentially got the following on both DCs:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.ATWOODCC>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\ATWOODCC.LOCAL\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
Techsup      C:\Techsup
The command completed successfully.

I also restarted the "File Replication Service" on both servers. The GP editor still does not work. Where do I find the logs?

Thank you again.
In the event viewer's system log there were no errors for either of the DCs when I restarted the FRS.
Ok, so FRS seems ok, else you would have no NETLOGON share on both servers.

Can you state what error message you get when editing GPOs?

Can you do a dcdiag on both DCs and post it here?

Can the new users log onto different machines, or does the problem only exist on the terminal server? If only on the TS, have you checked the DNS configuration (DNS must not point to external servers)?
The message when I right-click on the Default Domain Controllers Policy is "Failed to open the Group Policy Object. You may not have appropriate rights. Details: The system cannot find the path specified."

I do not know to which path it refers nor how or where to change it.
I ran the dcdiag but I do not know how to capture the results.
Use dcdiag > result.txt, open result.txt with Notepad and copy & paste it here.
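Capturing dcdiag per DC and then reading the whole file by hand is tedious; the script below is an added example (not from the thread or from either participant) that saves each DC's output and summarises the failed tests and the event IDs dcdiag quotes, so noise such as printer-driver errors can be told apart from replication failures. It assumes dcdiag.exe is available (run it on a DC or with RSAT), domain admin rights, and that the DC names in $DomainControllers are replaced with yours.

```powershell
# Added example: summarise "dcdiag /s:<dc>" output per domain controller.
# The DC names below are placeholders; the real ones in the thread were ATWOODSRVX and GOODMANVMAD.
param(
    [string[]]$DomainControllers = @('DC1', 'DC2'),
    [string]$OutDir = (Join-Path $env:TEMP 'dcdiag')
)

function Get-DcDiagSummary {
    param([string[]]$Lines, [string]$Server)
    $results = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        # Result lines look like: "......................... ATWOODSRVX passed test Connectivity"
        if ($Lines[$i] -match '^\s*\.{5,}\s+(?<target>\S+)\s+(?<status>passed|failed)\s+test\s*(?<test>\S*)\s*$') {
            $target = $Matches.target
            $status = $Matches.status
            $test   = $Matches.test
            # dcdiag wraps long test names onto the next non-empty line
            # ("ForestDnsZones passed test" / "CrossRefValidation"), so pick that line up.
            if (-not $test) {
                do { $i++ } while ($i -lt $Lines.Count -and $Lines[$i].Trim() -eq '')
                if ($i -lt $Lines.Count) { $test = $Lines[$i].Trim() }
            }
            $results += [pscustomobject]@{ Server = $Server; Target = $target; Test = $test; Status = $status }
        }
    }
    return $results
}

function Get-DcDiagEvents {
    param([string[]]$Lines)
    # Count the event IDs quoted under failed SystemLog tests, e.g. 0x00000457 (Easy Print driver
    # missing) versus anything that would point at replication, so the reader can triage quickly.
    $Lines | Select-String -Pattern 'EventID:\s*(0x[0-9A-Fa-f]+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($dc in $DomainControllers) {
    $file = Join-Path $OutDir "$dc.txt"
    # Same idea as "dcdiag > result.txt", but one file per DC and run remotely with /s:
    dcdiag /s:$dc | Out-File -FilePath $file -Encoding utf8
    $lines   = Get-Content -Path $file
    $summary = Get-DcDiagSummary -Lines $lines -Server $dc
    $failed  = @($summary | Where-Object { $_.Status -eq 'failed' })
    Write-Host "== $dc : $($failed.Count) failed test(s) of $($summary.Count)"
    $failed | Format-Table -AutoSize
    Get-DcDiagEvents -Lines $lines | Format-Table -AutoSize
}
```

On the output posted in this thread the only failures reported are SystemLog, driven by repeated 0x00000457 printer-driver events, which is why the replication-related tests (Replications, SysVolCheck, NetLogons) passing matters more than the red "failed test SystemLog" line.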
The problem only exists when they try to use remote desktop to access other computers from within and outside the LAN. Using their logon credentials on local computers works fine.
So you need to allow all users in your environment to connect to client PCs through RDP, right?

If that is true, can you please launch Computer Management on a client that is to be accessed by a user and check what members are in the local "Remote Desktop Users" group? Only members in there can log in via RDP (you can do it differently, but this is the simplest way). If you manually add the new user there, can he/she then access this test PC via RDP?
DC1

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = atwoodsrvx

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\ATWOODSRVX

      Starting test: Connectivity

         ......................... ATWOODSRVX passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\ATWOODSRVX

      Starting test: Advertising

         ......................... ATWOODSRVX passed test Advertising

      Starting test: FrsEvent

         ......................... ATWOODSRVX passed test FrsEvent

      Starting test: DFSREvent

         ......................... ATWOODSRVX passed test DFSREvent

      Starting test: SysVolCheck

         ......................... ATWOODSRVX passed test SysVolCheck

      Starting test: KccEvent

         ......................... ATWOODSRVX passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... ATWOODSRVX passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... ATWOODSRVX passed test MachineAccount

      Starting test: NCSecDesc

         ......................... ATWOODSRVX passed test NCSecDesc

      Starting test: NetLogons

         ......................... ATWOODSRVX passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... ATWOODSRVX passed test ObjectsReplicated

      Starting test: Replications

         ......................... ATWOODSRVX passed test Replications

      Starting test: RidManager

         ......................... ATWOODSRVX passed test RidManager

      Starting test: Services

         ......................... ATWOODSRVX passed test Services

      Starting test: SystemLog

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:13:41

            Event String:

            Driver Remote Desktop Easy Print required for printer HP160509 (HP Photosmart Plus B210 series) (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:13:56

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:13:59

            Event String:

            Driver Remote Desktop Easy Print required for printer Kyocera Mita KM-2550 KX on SERVER (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:00

            Event String:

            Driver Remote Desktop Easy Print required for printer UpstairsCopier on oiclx (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:01

            Event String:

            Driver Remote Desktop Easy Print required for printer ServerRoomHP on oiclx (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:01

            Event String:

            Driver Remote Desktop Easy Print required for printer DownStairsCopier on oiclx (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:02

            Event String:

            Driver Remote Desktop Easy Print required for printer HP Photosmart Plus B210 series (Network) (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:03

            Event String:

            Driver Remote Desktop Easy Print required for printer KONICA Minolta C451 PS on ATWOODSRVX (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:04

            Event String:

            Driver Remote Desktop Easy Print required for printer Fax (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:04

            Event String:

            Driver Remote Desktop Easy Print required for printer Kyocera KM-2560 (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:05

            Event String:

            Driver Remote Desktop Easy Print required for printer Microsoft XPS Document Writer (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:06

            Event String:

            Driver Remote Desktop Easy Print required for printer OPtionsKyocera KM-2540 (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:07

            Event String:

            Driver Remote Desktop Easy Print required for printer OptionsKyoceraDownstairs (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         ......................... ATWOODSRVX failed test SystemLog

      Starting test: VerifyReferences

         ......................... ATWOODSRVX passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : ATWOODCC

      Starting test: CheckSDRefDom

         ......................... ATWOODCC passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ATWOODCC passed test CrossRefValidation

   
   Running enterprise tests on : ATWOODCC.LOCAL

      Starting test: LocatorCheck

         ......................... ATWOODCC.LOCAL passed test LocatorCheck

      Starting test: Intersite

         ......................... ATWOODCC.LOCAL passed test Intersite

DC2

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = GoodmanVmAd

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\GOODMANVMAD

      Starting test: Connectivity

         ......................... GOODMANVMAD passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\GOODMANVMAD

      Starting test: Advertising

         ......................... GOODMANVMAD passed test Advertising

      Starting test: FrsEvent

         ......................... GOODMANVMAD passed test FrsEvent

      Starting test: DFSREvent

         ......................... GOODMANVMAD passed test DFSREvent

      Starting test: SysVolCheck

         ......................... GOODMANVMAD passed test SysVolCheck

      Starting test: KccEvent

         ......................... GOODMANVMAD passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... GOODMANVMAD passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... GOODMANVMAD passed test MachineAccount

      Starting test: NCSecDesc

         ......................... GOODMANVMAD passed test NCSecDesc

      Starting test: NetLogons

         ......................... GOODMANVMAD passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... GOODMANVMAD passed test ObjectsReplicated

      Starting test: Replications

         ......................... GOODMANVMAD passed test Replications

      Starting test: RidManager

         ......................... GOODMANVMAD passed test RidManager

      Starting test: Services

         ......................... GOODMANVMAD passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 12/11/2011   15:00:44

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:36:32

            Event String:

            Driver KONICA MINOLTA C652SeriesPS required for printer !!atwoodsrvx!C552ds-Copier is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:36:33

            Event String:

            Driver Muratec MFX-2550 PCL6 required for printer !!atwoodsrvx!Muratec-FRONT DESK is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:36:34

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         ......................... GOODMANVMAD failed test SystemLog

      Starting test: VerifyReferences

         ......................... GOODMANVMAD passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : ATWOODCC

      Starting test: CheckSDRefDom

         ......................... ATWOODCC passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ATWOODCC passed test CrossRefValidation

   
   Running enterprise tests on : ATWOODCC.LOCAL

      Starting test: LocatorCheck

         ......................... ATWOODCC.LOCAL passed test LocatorCheck

      Starting test: Intersite

         ......................... ATWOODCC.LOCAL passed test Intersite

The PC I am trying to give them access to is a virtual machine. I will try to log on with their credentials from the Hyper-V host.
Ok, your DCs seem okay, too. You can reset your Default Domain Controllers Policy to default (and thus repair it) by using the following command:

dcgpofix /target:dc

Then you need to reapply your settings (if you have them in mind or on paper). Perhaps it would be a good idea to make such settings in your own GPO; it is a best practice to leave the two built-in GPOs as they are.
I was able to log on to the virtual PC via the Hyper-V app with the new user's credentials.
Thus you verified that it's only the GPO not applying any more. Restore your GPO as stated above, create a new GPO and reapply your settings. Perhaps think about the option to use a GPO to add your desired users to the local Remote Desktop Users group for easier management.

Try the following:
Put RDP-enabled users in a security group, like "RDP Users".
Create a GPO to add the group "RDP Users" to the local group "Remote Desktop Users" on the desired clients (using Restricted Groups).
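Once the Restricted Groups GPO has applied, the two things worth verifying on a client are the ones discussed above: that the domain group actually landed in the local "Remote Desktop Users" group, and that the effective user-rights policy still grants that local group "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight), which is what the logon message complains about. The script below is an added example, not code from the thread; it assumes PowerShell 5.1 or later on the clients (for Get-LocalGroupMember), WinRM remoting enabled, local admin rights there, and that "ATWOODCC\RDP Users" and the client names are placeholders to replace.

```powershell
# Added example: audit RDP access on clients after the Restricted Groups GPO has applied.
# Group and computer names are assumed placeholders.
param(
    [string[]]$Computers = @('CLIENT1', 'CLIENT2'),
    [string]$RdpGroup = 'ATWOODCC\RDP Users'
)

function Test-RdpAccess {
    param([string]$Computer, [string]$RdpGroup)
    Invoke-Command -ComputerName $Computer -ArgumentList $RdpGroup -ScriptBlock {
        param($RdpGroup)
        # 1. Local group membership: this is what the GPO's Restricted Groups entry should have set.
        $members = @(Get-LocalGroupMember -Name 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty Name)

        # 2. Effective user rights: export only the USER_RIGHTS area with secedit and read
        #    SeRemoteInteractiveLogonRight. Values are SIDs prefixed with '*', e.g.
        #    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555".
        $inf = Join-Path $env:TEMP 'user-rights.inf'
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $inf | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' }
        $sids = @()
        if ($line) {
            $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        }
        Remove-Item -Path $inf -ErrorAction SilentlyContinue

        $rdpUsersSid = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            GroupInRdpUsers  = ($members -contains $RdpGroup)
            RdpUsersHasRight = ($sids -contains $rdpUsersSid)
            RdpUsersMembers  = ($members -join '; ')
            RightGrantedTo   = ($sids -join '; ')
        }
    }
}

foreach ($c in $Computers) {
    try   { Test-RdpAccess -Computer $c -RdpGroup $RdpGroup }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}
```

A client where GroupInRdpUsers is true but RdpUsersHasRight is false has had the right removed from the local Remote Desktop Users group by some policy, which reproduces the thread's symptom even with correct group membership; a client where both are false has not received the GPO at all.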
I ran the GPO fix on DC2 and it bombed with the following:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.ATWOODCC>cd\

C:\>dcgpofix /target:goodmanvmad

Microsoft(R) Windows(R) Operating System Default Group Policy Restore Utility v5
.1

Copyright (C) Microsoft Corporation. 1981-2003

Description: Recreates the Default Group Policy Objects (GPOs) for a domain

Syntax: DcGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH]


This utility can restore either or both the Default Domain Policy or the
Default Domain Controllers Policy to the state that exists immediately after
a clean install. You must be a domain administrator to perform this operation.

WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY
IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES.

The parameter is incorrect.
The restore failed.  See previous messages for more details

C:\>

Not sure about the parameter. I assumed just the machine name.
Does this utility change user share access on folders? I have really never set much up in Group Policy, so I am assuming it is not overwriting much with the default setup. What are the adverse effects?
ASKER CERTIFIED SOLUTION
TheNemesis
I am sure it will run but I am afraid of the warning. I am not sure what might get shut down with this command. Can you tell me what possible specific adverse effects it might have? Is it going to render user folder share permissions ineffective? I have not really modified the Group Policy on this domain so I am not afraid of that, but will it affect user permissions that have been set up through Active Directory? What server applications would fail? Please see the warning below and understand my apprehension. Thank you for your ongoing support.


C:\>dcgpofix /target:dc

Microsoft(R) Windows(R) Operating System Default Group Policy Restore Utility v5
.1

Copyright (C) Microsoft Corporation. 1981-2003

Description: Recreates the Default Group Policy Objects (GPOs) for a domain

Syntax: DcGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH]


This utility can restore either or both the Default Domain Policy or the
Default Domain Controllers Policy to the state that exists immediately after
a clean install. You must be a domain administrator to perform this operation.

WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY
IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES.

You are about to restore Default Domain controller policy for the following doma
in
ATWOODCC.LOCAL
Do you want to continue: <Y/N>? y
WARNING: This operation will replace all 'User Rights Assignments' made in the c
hosen GPOs. This may render some server applications to fail. Do you want to con
tinue: <Y/N>?
As it will overwrite the domain controller policy, it will revert every change you made in this policy. So your rights assignments that were made through this policy (and only those) will be reverted. You will have to do them all over (e.g. for your remote desktop users). If you had any other assignments within this policy, these will be lost, too. On the other hand you cannot change anything in the policy at the moment, as it is corrupt.

You can smooth the process by first creating a new policy and rebuilding any setting you already did in the Default Domain Controllers Policy before resetting the DDCP.
I am just trying to get an idea of the scope. I think the specific question is "what are assignments?" Will people be able to log on without specific attention to their profile? Get their email? Access data in SQL, get to documents in folders they are supposed to use, get to documents they are not supposed to use?
In the five years I have supported this domain I cannot think of any changes I have made in the Group Policy editor, but I have made plenty of changes in the AD, user shares, databases. 3 third-party server-based apps run on DC1. Will all of this turn to goo? Or will I just have to reassign Remote Desktop Users? As always, I appreciate your input. Thank you.
As I don't know what was originally implemented in the policy, I can hardly guess the scope. In a standard environment, the Default Domain Controllers Policy handles password policies, communication settings between DCs and clients, who is able to log onto domain controllers (console and RDP), mainly security settings.

In its default state it does NOT configure any file-system-based access, no SQL Server related settings, no group memberships or e-mail settings.

But as there were changes made to the policy, I can't tell for sure. Maybe, like you, I can only guess what settings may have been changed. I can say that under normal circumstances no 3rd-party software makes changes to the policy and only really, really few depend on MANUAL changes to it.

If it was my domain or I were in this situation for a customer of mine, I would do the step provided above. You can't save the settings as they are corrupt already, so you don't have any other chance (in my opinion). It is most unlikely that any other software will suffer from the rebuild, but one cannot be 100% sure ...
So I have one more idea how you can safely check what happens if your Default Domain Controllers Policy goes missing: try to disable the GPO and use a test client and a test server to access each other. Start "gpupdate /force" on each (or reboot them both) to have the changes take effect.

Note that when you disable the GPO, it is like having it deleted (so e.g. the password policy will be affected, too). So the effect will be much greater than when you restore it to factory defaults.

Would this be a "safe way" to test it for you?

I can't say "restore it to defaults, there is nothing that can go wrong" as this would be a lie. I try to inform you of all possible consequences as far as I can estimate them. I don't want to talk you into doing it, I just give suggestions and hints.
Still working on this. Not quite ready for the last resort.
I've requested that this question be closed as follows:

Accepted answer: 0 points for MarkSnark1's comment http:/Q_27487600.html#37275076

for the following reason:

With Microsoft's assurance that this was the only option left, we executed the fix with no adverse effects on our relatively unchanged GP. Thank you for your help.
I did not request that this be closed without points. TheNemesis should get 500 points.
I've requested that this question be closed as follows:

Accepted answer: 0 points for MarkSnark1's comment http:/Q_27487600.html#37275076

for the following reason:

Thank you for your help. It worked with no adverse effects on our domain.
MarkSnark1 added a comment that he wanted to award the points to me. Please check.
This solution worked.