
Group Policy Errors

Anonymous
December 29, 2004 6:59:07 PM

Archived from groups: microsoft.public.win2000.active_directory

Hi,

This is a complicated problem that I've searched and tried many things to
help solve to no avail. I would be very happy if someone could give me a
hand.

We have one domain controller. The C partition is 3.99 GB and has 31 MB
free. I am trying to apply a group policy which will cause computers to
automatically patch themselves using a SUS server that I just set up. The
policy does not take effect on the clients. Here are the error messages from
event logs:

1. On the domain controller:

This error message shows up every 5 minutes in the application log:
Source: SceCli
Event ID: 1202
Security Policies are propogated with warning. 0x534: No mapping between
account names and security IDs was done.

In the File Replication Service log I get the following warnings:
Source: NtFrs
Event ID: 13564
The file replication service has detected that the volume holding the FRS
debug logs is running out of disk space. This will not affect replication
unless this volume hosts database, staging, or replica root paths as well.

Source: NtFrs
Event ID: 13516
The file replication service is no longer preventing the computer FOODC from
becoming a domain controller. The system volume has been notified that the
system volume is now ready to be shared as SYSVOL...


2. On a Windows 2003 member server and on XP Professional clients:

Source: Userenv
EventID: 1030
Windows cannot query for the list of Group Policy objects...

Source: Userenv
EventID: 1101
Windows cannot access the the object
OU=TestEnvironment,DC=Foo,DC=local in Active Directory. The access to the
object may be denied. Group Policy processing aborted.

3. On Windows 2000 professional clients:

the policy is not applied correctly and there appear to be no corresponding
error messages in the event viewer.

Things I've tried already:

I followed the instructions of Q324383: Troubleshooting SCECLI 1202 events.

Under the troubleshooting steps, it says to determine the account that is
causing the failure. When I type in "find /i "cannot find"
%SYSTEMROOT%\security\logs\winlogon.log" I get:

--------------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
Cannot find Power Users.
<this message is repeated about 54 times>

Then when I try the next step of "find /i "Power Users"
%SYSTEMROOT%\security\templates\policies\gpt*.*" I get:

File not found - C:\WINNT\security\templates\policies\gpt*.*

*********

I would like to apply the group policy to all the computers in the domain.
All help is greatly appreciated.

Thanks,

Steve


Anonymous
December 30, 2004 5:33:41 AM

Archived from groups: microsoft.public.win2000.active_directory
Hi,

First of all, I would uninstall everything you can from the C: and
install on the other partition (which I am assuming you have), e.g.
MSOffice etc. Also move any shares to the other partition as well.
The DC is not going to last long with only 31MB free. You need at
least 1GB free. Do a search on C:\ for files larger than 1MB. Move
all that aren’t system files. I was surprised how many large "junk"
files I had on my C: taking up space. Also DON’T install SUS on this
DC. It will fill the drive up in seconds. As you don’t have the
ability to choose what you download, just what you ’authorize’, it fills
up pretty quick with useless updates for OSes you don’t have.

About the errors. Go to your DC. Go to the Default Domain
Controllers Group Policy. Go to User Rights Assignment (under Comp
Config-Windows-Security Settings-Local Policies). Look in the Security
Setting list for any "Deleted" accounts. You will recognize them by
the GUID in replacement of the name. Edit the Policy to delete the
GUID. Do the same for Default Domain Group Policy and any Computer
Group Policies you may have set up.

I went to www.eventid.net which is the BEST Source I have found for
Event Viewer Errors. When putting in SceCli 1202 I got the following

http://www.eventid.net/display.asp?eventid=1202&eventno...

It forwarded me to the MS Site
http://support.microsoft.com/default.aspx?scid=kb;en-us;247482

The Ntfrs warnings will go away when you clean out your C:\.
The other warnings on the clients will go away when you find the
annoying deleted account.

Also, check you have DNS set up correctly. I have it laid out on my
website http://www.sd61.bc.ca/windows2000 under "XP and Setting up
Internal DNS Server".

Cheers,

Lara

--
http://www.WindowsForumz.com/ This article was posted by author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.WindowsForumz.com/Active-Directory-Group-Pol...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=740808
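
The two `find` steps from the question (list the names reported as `Cannot find ...` in winlogon.log, then locate those names in the security templates) together with the check for unresolvable accounts in User Rights Assignment, as an added Python example that is not part of the original thread. The log lines and template text are constructed samples in the INF layout used by security templates, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of winlogon.log lines (not taken from a real system).
SAMPLE_WINLOGON_LOG = """\
----Configure User Rights...
\tCannot find Power Users.
\tCannot find Power Users.
\tConfigure S-1-5-32-544.
\tCannot find Power Users.
"""

# Constructed sample security template in INF layout (assumed section names:
# "Privilege Rights" for user rights, "Group Membership" for restricted groups).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,Power Users
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-32-544, power users
[Group Membership]
Power Users__Members =
[Version]
signature="$CHICAGO$"
"""

CANNOT_FIND = re.compile(r"^\s*Cannot find (.+?)\.\s*$", re.IGNORECASE)


def unresolved_accounts(log_text):
    """Count each account name the log reports as 'Cannot find <name>.'"""
    counts = Counter()
    for line in log_text.splitlines():
        match = CANNOT_FIND.match(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def template_references(inf_text, account):
    """Return (section, setting) pairs in the template that name the account."""
    wanted = account.casefold()
    hits, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        # Values are comma-separated; resolved accounts appear as *S-1-... SIDs,
        # unresolved ones as plain names, which is what the log complains about.
        members = [v.strip().casefold() for v in value.split(",") if v.strip()]
        # Group Membership keys look like "<group>__Members" / "<group>__Memberof".
        group = key.split("__", 1)[0].casefold()
        in_groups = (section or "").casefold() == "group membership"
        if wanted in members or (in_groups and group == wanted):
            hits.append((section, key))
    return hits


def report(log_text, inf_text):
    """Map every unresolved account to the template settings that reference it."""
    return {name: template_references(inf_text, name)
            for name in unresolved_accounts(log_text)}


if __name__ == "__main__":
    for name, refs in report(SAMPLE_WINLOGON_LOG, SAMPLE_TEMPLATE).items():
        print(name, "->", refs)
```

Each setting it reports is a place where the name must either be removed from the policy or made resolvable again, for example by recreating the missing group.
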
Anonymous
December 31, 2004 1:29:03 PM

Archived from groups: microsoft.public.win2000.active_directory

Thank you Lara for your excellent help.

I managed to free up some space, giving 67 MB free. There are a lot of log
files on the C partition that I think I can delete but I'm scared to delete
things in case they actually are important and cause major problems ;)  At
any rate the NTFRS errors are not showing up anymore.

I discovered that the deleted account was caused by not having a "power
users" security group. I simply created one and now the SceCli Event 1202 is
gone and I get a message saying that the group policy applied successfully.
This web site helped me figure the Power Users problem:
http://www.5rocks.com/item.asp?ID=395

Now, even though the event viewer says that the group policy is applied
successfully, I still do not see the results of it on my clients. I am still
trying to resolve the Userenv errors on those clients.

I am also going to check out the DNS setup as per your last paragraph.

Whew, this is a lot more work than I thought it would be. Thanks again for
your help and if you have any other suggestions I'd be happy to hear them.

Happy New Year!

Steve

Anonymous
December 31, 2004 10:09:49 PM

Archived from groups: microsoft.public.win2000.active_directory

Hi Steve,

> I discovered that the deleted account was caused by not having a
> "power users" security group. I simply created one and now the SceCli
> Event 1202 is gone and I get a message saying that the group policy
> applied successfully.

I thought for some reason that may be the problem. The Power Users
group is a Windows Default group so although I don’t give it any
privileges I make sure it isn’t deleted just to avoid any errors.

DNS is more than likely if your Group Policy isn’t applying. From
reading your original post I actually thought the errors were relating
to another issue. Set up your DNS like I explained in my website and
it should fix your GP problems. If you have a DHCP Server, in the
properties of the Domain, under the DNS tab make sure you click to
"always register clients in DNS" and "Register clients that don’t
use dynamic DNS".

Running ipconfig /flushdns and ipconfig /registerdns from the command
line of the problem machines may help. Also install NETDOM from the
Windows 2000 Server CD (support tools) and run netdom reset
computername for the machines having difficulties. Make sure that DNS
is set up correctly first and that the IPs and the machine names
listed in DNS forward AND reverse match the IP and the machine name in
DHCP.

Cheers,

Lara

Anonymous
December 31, 2004 10:43:34 PM

Archived from groups: microsoft.public.win2000.active_directory

Hi,

One more thing

> I managed to free up some space, giving 67 MB free. There are a lot of
> log files on the C partition that I think I can delete but I’m
> scared to delete

You will really need to free up stuff on C:\. Even 67 MB is not
enough. What do you have installed? Can any of it be installed on
another drive? You can run Disk Cleanup by right clicking the
drive-properties and clicking the Disk Cleanup button. It will
identify any files you can delete safely. Also remove any Windows
Component files that you don’t need.

You should be safe to delete old log files. I would backup to CD and
then if you are getting errors with regards to them then you can
restore them. Also you can delete the i386 folder if you have that on
your drive. (As long as you have the Windows CD)

The other thing would be to invest in Partition Magic and increase the
size of the partition.

Cheers,

Lara

Anonymous
January 19, 2005 6:23:02 PM

Archived from groups: microsoft.public.win2000.active_directory

Hi Again

Well I tried all the tips you suggested, and group policy is still not
working. It appears that we have a ghost domain controller lurking, though.
I'm not sure how this came about since I am pretty new to the company, but
Computer2 is listed as a domain controller in AD and there are errors that it
cannot be replicated to. Computer2 exists but does not appear to be a domain
controller.

Do you think this could be the reason group policy isn't working?

Thanks for your help... sorry for the big delay - I waited a while since I
am quite frustrated at this problem ;) 

Steve

Anonymous
January 20, 2005 8:24:56 PM

Archived from groups: microsoft.public.win2000.active_directory

Hi,

> Computer2 is listed as a domain controller in AD and there are errors
> that it cannot be replicated to. Computer2 exists but does not appear
> to be a domain controller.

Log on and make sure the computer is not a DC. If it isn’t then move it
out of the Domain Controllers OU. See if that fixes your problems. It
sounds like you have quite a few issues in this Domain. It is hard to
troubleshoot remotely.

Good Luck

Lara