secedit or group policy issues?

Anonymous
August 24, 2004 9:48:44 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I just did the following
1) Created a new OU in AD on a Win2K Server SP4
2) Created a new Group Policy Object under this OU. Objectives:
2.1) The only reason why these users are in AD under this OU is purely for
IIS Authentication, and because it looks like those users need "Log on
locally right" for Basic Authentication or Integrated Windows authentication
to work (otherwise with auditing, a failure audit is generated when I try
to log on with the correct username/password pair)
2.2) I try to set up a GPO under this OU so users under this OU can't do
anything destructive even if they try to log on (which they would be allowed
to do)
3) at command prompt:
3.1) secedit /refreshpolicy user_policy /enforce
3.2) secedit /refreshpolicy machine_policy /enforce
3.3) secedit /refreshpolicy machine_policy

4) Wait a few minutes

5) Try to logon to the console (of the one and only one Domain Controller
for the domain) as those users under this OU, and I get the following logged
in event viewer:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 24/08/2004
Time: 17:28:20
User: MyWEB\SiteAdmin
Computer: MyWEBServer
Description:
Windows cannot query for the list of Group Policy objects . A message that
describes the reason for this was previously logged by this policy engine.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 24/08/2004
Time: 17:28:20
User: MyWEB\SiteAdmin
Computer: MyWEBServer
Description:
Windows cannot establish a connection to myweb.local with (0).

How could I rectify this?
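The two Userenv entries above can be triaged mechanically. The following is an added example, not code from the thread or from Microsoft: a small Python parser that reads Event Viewer text exactly as it is pasted above, keeps only Userenv event 1000 records, and separates the root-cause entry ("cannot establish a connection to <domain>") from the follow-on "cannot query for the list of Group Policy objects" entry, which the message itself says was caused by an earlier event. The sample text is constructed from the post; `parse_event_blocks` and `triage` are names chosen here.

```python
"""Triage Userenv event 1000 pairs copied out of Event Viewer.

Added example, not from the newsgroup thread. The sample below is constructed
from the two entries in the post; the function names are ours.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the two Userenv entries from the post, as Event Viewer copies them.
SAMPLE_EVENTS = r"""
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 24/08/2004
Time: 17:28:20
User: MyWEB\SiteAdmin
Computer: MyWEBServer
Description:
Windows cannot query for the list of Group Policy objects . A message that
describes the reason for this was previously logged by this policy engine.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 24/08/2004
Time: 17:28:20
User: MyWEB\SiteAdmin
Computer: MyWEBServer
Description:
Windows cannot establish a connection to myweb.local with (0).
"""

# "Key: value" header lines; Description is followed by free text until the blank line.
HEADER = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")
# The entry that names the underlying failure: the policy engine never reached the domain.
ROOT_CAUSE = re.compile(r"cannot establish a connection to (\S+) with")


def parse_event_blocks(text: str) -> List[Dict[str, str]]:
    """Split pasted Event Viewer text (events separated by blank lines) into one dict per event."""
    events: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event: Dict[str, str] = {}
        description: List[str] = []
        in_description = False
        for line in block.splitlines():
            if in_description:
                # Everything after "Description:" belongs to the message, colons included.
                description.append(line.strip())
                continue
            m = HEADER.match(line.strip())
            if not m:
                continue
            key, value = m.group(1), m.group(2)
            if key == "Description":
                in_description = True
            else:
                event[key] = value
        if event:
            event["Description"] = " ".join(description)
            events.append(event)
    return events


def triage(text: str) -> Dict[Tuple[str, str], Dict[str, List[str]]]:
    """Group Userenv 1000 events per (user, computer) into root causes and follow-on errors."""
    result: Dict[Tuple[str, str], Dict[str, List[str]]] = {}
    for ev in parse_event_blocks(text):
        if ev.get("Event Source") != "Userenv" or ev.get("Event ID") != "1000":
            continue
        key = (ev.get("User", "?"), ev.get("Computer", "?"))
        bucket = result.setdefault(key, {"root_causes": [], "follow_on": []})
        m = ROOT_CAUSE.search(ev["Description"])
        if m:
            bucket["root_causes"].append(f"no connection to domain {m.group(1)}")
        else:
            # "cannot query for the list of GPOs" only restates that an earlier step failed.
            bucket["follow_on"].append(ev["Description"])
    return result


if __name__ == "__main__":
    for (user, computer), info in triage(SAMPLE_EVENTS).items():
        print(f"{user} on {computer}: root causes {info['root_causes']}, "
              f"follow-on errors: {len(info['follow_on'])}")
```

The point of splitting the two entries is that only the connection failure is worth investigating; in this thread it turned out to be a user right withheld by the Domain Controller Security Policy rather than a DNS problem, which is why the DNS checks suggested later in the thread came back clean.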
Anonymous
August 24, 2004 10:04:13 PM


Also checked out
http://support.microsoft.com/default.aspx?scid=kb;en-us;290647
Everything is as stated in that article!

"Patrick" <patl@reply.newsgroup.msn.com> wrote in message
news:uwBG5ofiEHA.3988@tk2msftngp13.phx.gbl...
Anonymous
August 24, 2004 10:41:07 PM


The user right for logon locally is a computer configuration - not user and
would apply to only computers in that OU. You need to configure that user
right on the computer where users need the right to logon locally and that
can be done either in Local Security Policy or at the OU level where that
computer is located.

Dns misconfiguration is also the main cause of Group Policy and AD problems.
Your domain controller [I believe you have one] must point only to itself as
its preferred dns server via its static IP address. W2K/XP Pro domain
computers must point only to AD domain controllers as their preferred dns
server and NEVER an ISP dns server. It is also a good idea to not have your
domain controllers be multi homed with multiple network adapters. Netdiag
and dcdiag are very helpful in checking for proper domain configuration for
domain controllers and domain members. The link below explains more on AD
dns. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-...



"Patrick" <patl@reply.newsgroup.msn.com> wrote in message
news:uwBG5ofiEHA.3988@tk2msftngp13.phx.gbl...
Anonymous
August 25, 2004 2:56:53 AM


No joy
1) The machine which is experiencing the problem where GPO is not loaded is
the Domain Controller itself. On this DC, under Networking settings, DNS is
set to use its own DNS (i.e. the IP address of the server)

2) The User Rights "Logon Locally" is set at a Domain Controller level
(under Domain Controller Security Policy) which overwrites Local/Domain
security policies.

"Steven L Umbach" <n9rou@N0sPaM-comcast.net> wrote in message
news:7ZLWc.225411$eM2.33568@attbi_s51...
Anonymous
August 25, 2004 2:56:54 AM


If this is a domain controller then add the users or global group that you want to
have logon locally user right in the Domain Controller Security Policy and then it
should show as the "effective" setting in Local Security Policy of the domain
controller after a refresh. You can also run gpresult while logged onto the domain
controller and see the GPOs applied to that computer and logged on user and the last
time they were refreshed. The /v switch will give much more detailed info on the
GPOs being applied. Since you are having problems, I would also run first netdiag
and then dcdiag on the domain controller looking for any failed tests/errors/warnings
that may indicate if there is a problem even if it is the only domain
controller. --- Steve


"Patrick" <patl@reply.newsgroup.msn.com> wrote in message
news:eX6pEViiEHA.2764@TK2MSFTNGP11.phx.gbl...
Anonymous
August 25, 2004 2:58:41 AM


Also, the machine (a DC on a Win2K Server SP4) only has a single gigabit
ethernet card with a single IP.

Note once again, the GPO Loading error is happening when users in the
non-default OU try to logon to the DC itself (note once again there should
be no GPO propagation issues here, there is only 1 server which is the DC
itself!)

"Steven L Umbach" <n9rou@N0sPaM-comcast.net> wrote in message
news:7ZLWc.225411$eM2.33568@attbi_s51...
Anonymous
August 25, 2004 4:14:54 PM


Problem sorted...
the GPO Domain Controller Security Policies were too secure!!
It needs permission to
1) run essential *.exe like NETLOGON, etc.
2) Access computer from the network!!! (to access the GPO in the first
place!)

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:83PWc.175739$8_6.3929@attbi_s04...
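Steve's advice to confirm the "effective" settings on the domain controller, and the fix Patrick found (the Domain Controller Security Policy had withheld "Access this computer from the network", without which the policy engine cannot read the GPOs in the first place), can be checked from the exported policy rather than by trial logons. The following is an added example, not code from the thread or from Microsoft: export the effective security settings on the DC with `secedit /export /cfg effective.inf` (a real secedit switch), then run the script over that file. The INF text below is constructed to mirror the thread, the group SID in it is made up, and `missing_rights`, `parse_privilege_rights` and `load_inf` are names chosen here; the privilege names SeNetworkLogonRight, SeInteractiveLogonRight and their SeDeny... counterparts are the real secedit names. The check compares the exact principal string listed in the INF and does not expand group membership.

```python
"""Check the logon rights a web-users group needs on a DC in a secedit INF export.

Added example, not from the newsgroup thread. On the domain controller run
    secedit /export /cfg effective.inf
and pass that file to load_inf() / missing_rights(). The INF text here is constructed.
"""
import re
from typing import Dict, List

# Rights a user in the web-users OU needs on the DC (real secedit privilege names).
# SeNetworkLogonRight is what the thread found missing: without it the policy engine
# cannot reach the GPOs; SeInteractiveLogonRight is "Log on locally".
REQUIRED = {
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeInteractiveLogonRight": "Log on locally",
}
# A matching Deny right overrides the Allow, so it is checked as well.
DENY = {
    "SeNetworkLogonRight": "SeDenyNetworkLogonRight",
    "SeInteractiveLogonRight": "SeDenyInteractiveLogonRight",
}

# Constructed SID for a hypothetical MyWEB\WebUsers group; secedit writes SIDs with a leading '*'.
WEB_USERS = "*S-1-5-21-1111111111-2222222222-3333333333-1105"
ADMINS = "*S-1-5-32-544"  # BUILTIN\Administrators, a well-known SID

# Constructed export mirroring the thread: the group may log on locally but was
# left out of "Access this computer from the network".
TOO_STRICT_INF = f"""\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = {ADMINS},{WEB_USERS}
SeNetworkLogonRight = {ADMINS}
"""
# The corrected policy adds the group to the network logon right.
FIXED_INF = TOO_STRICT_INF.replace(
    f"SeNetworkLogonRight = {ADMINS}",
    f"SeNetworkLogonRight = {ADMINS},{WEB_USERS}",
)


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {privilege: [principals]} from the [Privilege Rights] section of a secedit INF."""
    rights: Dict[str, List[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def load_inf(path: str) -> str:
    """secedit /export writes the INF as UTF-16 (Unicode=yes), so decode it that way."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def missing_rights(inf_text: str, principal: str) -> List[str]:
    """Required privileges that `principal` lacks: absent from the Allow list or present in the Deny list."""
    rights = parse_privilege_rights(inf_text)
    missing = []
    for priv in REQUIRED:
        allowed = principal in rights.get(priv, [])
        denied = principal in rights.get(DENY[priv], [])
        if not allowed or denied:
            missing.append(priv)
    return missing


if __name__ == "__main__":
    for label, inf in (("too strict", TOO_STRICT_INF), ("fixed", FIXED_INF)):
        gaps = missing_rights(inf, WEB_USERS)
        print(f"{label}: " + (", ".join(REQUIRED[g] for g in gaps) if gaps else "all required rights present"))
```

Running the script against a real export answers the question Steve raised (what the effective setting is after a refresh) without another failed logon, and the Deny check catches the other common way of locking a group out of the DC.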
Anonymous
August 25, 2004 10:30:33 PM


Great. Thanks for posting back what worked. Yes you can secure yourself out of access
if not careful. -- Steve

"Patrick" <patl@reply.newsgroup.msn.com> wrote in message
news:ujTHBTpiEHA.1652@TK2MSFTNGP09.phx.gbl...