
Group Policy is not propagating (error 1202)


meekrob

MIS
Feb 13, 2002
127
US
I'm having problems getting some security policies to propagate. I added some Group Policies in AD (some basic password expiration stuff) and now I get a bunch of this in my application log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 6/28/2002
Time: 10:33:26 AM
User: NT AUTHORITY\SYSTEM
Computer: PIKACHU
Description:
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (5).


and:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 6/28/2002
Time: 10:33:26 AM
User: N/A
Computer: PIKACHU
Description:
Security policies are propagated with warning. 0x5 : Access is denied.
Please look for more details in TroubleShooting section in Security Help.


I found a Microsoft support article (Q284461) which seems to indicate a registry key fix (deleting the SECURITY tree) after you change some permissions in Group Policy. However, the GPO:

Computer Configuration\Windows Settings\Security Settings\System Services

does not exist on my computer and so I am not able to delete the SECURITY tree, and umm well I'm not sure this is a great idea anyway ...

Thanks for reading.

Best regards,

meekrob
 
Keep on truckin bud, this is what I've had to do. Tedious and a real pain in the a**. Wish someone would come up with an easy to maneuver web site for searching Event IDs. I know there's but even that's not easy to use. It might be more user friendly if you pay the $15 yearly subscription, but without knowing what that gets you, I really don't want to pay it.

Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Every step of life shows much caution is required".
Johann Wolfgang von Goethe (1749-1832); German poet and playwright.
 
The Access Denied portion of the event log message means that there's some attempt to process a piece of your policy that's failing due to local system restrictions. Here's something you can try to help find out where the issue is:

1) On the affected machine, open up REGEDT32 and navigate to this key:

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtension\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

2) Add a REG_DWORD key called ExtensionDebugLevel with a value of 2

3) From a command prompt, run SECEDIT /refreshpolicy machine_policy /enforce

4) Restart the Netlogon service

5) Search for the file called WINLOGON.LOG on your machine. It will tell you at what point GPO processing failed.
 
Brontosaurus,
I have been researching this problem to no avail for a couple of months now. I have tried your above fix, but when I search for the WINLOGON.LOG, it is not found. I have enabled hidden files and folders already. Any ideas?

Matt Wray
CCNA, MCP
 
Hey Matt, the file should be created automatically in C:\winnt\security\logs. I've done it several times without a hitch and I just ran it on another DC as a test. You double-checked the settings on the DC you're running it from?
 
I just checked that path, but the file is not there. I have Backup.log, scesetup.log and scesrv.log only. What settings are you referring to on the DC?
 
Sorry Matt, that was poor wording on my part. What I meant by "settings" was the registry edits, just double-check those are correct. I'm sure they are, though, you probably tried it several times. I wonder if it would work if you created a file called winlogon.log and let it be edited? Just a thought. Make sure the permissions on that LOG directory aren't restricting "writes" as well....
 
OK, I am not real handy with the registry, so I'll post what is there, and you can tell me if it's right.

ExtensionDebugLevel : REG_DWORD : 0x2

As well as the normal stuff that's in there. I ran the refresh policy from the run command and restarted the Netlogon through the Services snap-in. I'll try again now that I created the log...
Cross your fingers.

Matt Wray
CCNA, MCP
 
OK, I've enabled the advanced debugging, and I've found something...

I'm just not sure what to do with it.

I guess I'll post it here:

----Configure General Service Settings...
Configure TlntSvr.
Warning 5: Access is denied.
Error opening TlntSvr.
Warning 5: Access is denied.
Error opening TlntSvr.

General Service configuration completed with error.

Telnet server. The telnet service is turned off on all my servers and workstations... Well, I've got some new search terms to look for, and I can play around until I find something. I'll let you guys know if I do.
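The winlogon.log excerpt above is the useful artifact in this thread: each "----" heading names a configuration step, each "Configure X." names the object, and the following "Warning N:" line carries the Win32 code (5 = access denied, the same 0x5 as in the SceCli 1202 event). The parser below is an added example, not code from the thread, that turns such a log into a list of failures and the sections that ended with "completed with error"; the SAMPLE_LOG is constructed from the lines quoted in the post plus one healthy section.

```python
import re
from dataclasses import dataclass
from collections import Counter

# Constructed sample modelled on the winlogon.log lines quoted in the thread,
# plus one healthy section so the parser has something to skip.
SAMPLE_LOG = """\
----Configure General Service Settings...
Configure TlntSvr.
Warning 5: Access is denied.
Error opening TlntSvr.
Warning 5: Access is denied.
Error opening TlntSvr.

General Service configuration completed with error.
----Configure available attachment engines...
Configuration of attachment engines was completed successfully.
"""

@dataclass
class Failure:
    section: str      # "----" heading the failure occurred under
    item: str         # object being configured, e.g. a service short name
    code: int         # Win32 code from the "Warning N:" line (5 = access denied)
    message: str      # warning text
    detail: str = ""  # following "Error opening ..." line, if any

def parse_winlogon_log(text):
    """One pass over the log: pair each Warning with its section and item,
    and note which sections ended with 'completed with error'."""
    failures, bad_sections, section, item = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            section, item = line[4:].rstrip("."), None
        elif (m := re.match(r"Configure (.+)\.$", line)):
            item = m.group(1)
        elif (m := re.match(r"Warning (\d+): (.+?)\.?$", line)):
            failures.append(Failure(section, item, int(m.group(1)), m.group(2)))
        elif line.startswith("Error ") and failures:
            failures[-1].detail = line
        elif "completed with error" in line:
            bad_sections.append(section)
    return failures, bad_sections

def summarize(failures):
    """Collapse repeats so a service that fails twice is one finding with a count."""
    return Counter((f.section, f.item, f.code) for f in failures)
```

Run `parse_winlogon_log(open(r"C:\winnt\security\logs\winlogon.log").read())` on a real log and `summarize()` the result to see which services or objects the Security extension could not touch and with what code.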
 
TlntSvr. That looks like telnet. Is your telnet service started? I have a server that every time I reboot it, SQL doesn't start, so when I try and access a database, I get an authentication error. I have to go into the logon options for SQL, and re-enter the password, then start the service. Then I can start SQL. I can't unless I re-enter that (*&&^)(**() password. Check your services.

Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com

"There is nothing like a dream to create the future."
Victor Hugo (1802-1885); French writer.
 
Well, I've just found something very interesting. I just redid the Refreshpolicy and stopped and restarted the Netlogon, and the winlogon.log file I manually created disappeared... Very strange...

Matt Wray
CCNA, MCP
 
Hey Matt. In one of your Group Policies you've likely edited the Telnet service to be disabled. The log is saying that there's a domain member (or two) out there that's not taking a liking to that. Just to test out this theory, remove the Telnet Service Group Policy and see if your event viewer clears up....
 
Well, here is where I get to admit that I overlooked something. My group policies are propagating; the telnet error affects only telnet. (I do need to get rid of it, however; it's filling up application logs on the server and workstation boxen.) Part of my Active Directory structure looks like this:

domain.myorg.com [ Default Domain Policy ]
----Accounts [ Password Policy + Printer Policy ]
--------Management
--------Sales
--------MIS
--------Operations

My strategy was to have one general policy for every object under accounts, and then add policies to each sub-category, like management would get a different policy than sales, etc.

My policy changes were made to a policy located under Accounts. There are no actual user objects under Accounts; they are all located in container objects. I thought that the policy changes would affect anything in that branch of the tree, but apparently I am wrong. When I made changes to the default policy the changes were indeed propagated, with that annoying telnet error...

Thanks for your help guys. By the way, I've started the telnet server and run secedit, checked my winlogon.log and application log, it doesn't clear up the error... it must be a policy problem hidden in this default policy.
 
Sounds like you're getting closer. Good for you.

Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com

"There is nothing like a dream to create the future."
Victor Hugo (1802-1885); French writer.
 