Archived from groups: microsoft.public.win2000.security (
More info?)
I really do not know exactly why that is happening. I know it can take up to
a few minutes for RSOP to complete. I do know that for XP Pro computers that
the built in firewall if enabled will interfere with RSOP logging mode for
that target computer. The XP firewall can be configured to allow access to
file and print sharing ports. If you can not telnet into a XP computer of
yours for port 139 or 445 TCP then the firewall is probably blocking access.
To use telnet try at the command line " telnet xxx.xxx.xxx.xxx 139" for
example to test port 139 TCP using the actual IP address of the target
computer. If the port is available you will get a blank screen with a
blinking cursor. If not you will get an access denied message.
Another potential problem is if your domain controller or domain clients are
misconfigured as far as dns. For Active Directory, the domain controller
must point to itself as it's preferred dns server and the domain computers
must point to only the domain controller as their preferred dns server and
as shown with ipconfig /all. NEVER list an ISP dns server in the list of
preferred dns servers for any domain computer. The domain client computer
should be able to ping the domain controller by it's IP address and fully
qualified domain name as in dc1.mydomain.com. The domain controller must
also be able to ping the domain clients in the same way. There are support
tools called netdiag and dcdiag that can help in determining if the domain
controller and domain clients are configured correctly and can communicate
correctly with the domain controller. Dcdiag is only for domain controllers
while netdiag is for both. Also always make it a habit to check Event Viewer
on your domain controller and domain clients whenever you are having
problems as often pertinent errors are recorded that can give you a clue as
to the problem. The links below may help. --- Steve
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- a
must read on AD dns
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag.
Pertains to W2003 also, just be sure to install from the disk for the
appropriate operating system.
"Gina" <Gina@discussions.microsoft.com> wrote in message
news:AE05352E-F9AF-4F23-AA64-8BB6A7B13D43@microsoft.com...
> Yes Steven, I am new to GPO, and the fact about sec groups was lost on me
> in
> the volumes of articles I have been reading. I guess it's one of those
> fundemental laws no one bothers to mention anymore.
>
> Regarding the RPC error--my problem was that I need to allow remote
> administration on the XP client. I created a policy for XP machines that
> did
> that and got the RSoP wizard to run. However, I'm using SBS 2003, and
> when
> the wizard completes and I click the "finish" button, it says "generating
> report..." and hangs the server management GUI. Any ideas on that?
>
> Thanks Steven. --Gina
> "Steven L Umbach" wrote:
>
>> Security groups have always been used to filter Group Policy. That is not
>> unique to GPMC. By default authenticated users have the apply permission
>> to
>> a Group Policy but you can modify that to your needs. The free Windows
>> 2003
>> Server Deployment Kit is some of the best reading around for Windows
>> 2003.
>> It is divided up into may chapters as shown in the link below. --- Steve
>>
>>
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dpgDME_overview.asp
>>
>> "Gina" <Gina@discussions.microsoft.com> wrote in message
>> news:80075A15-14F6-4D0E-A889-E688B0FE9BA3@microsoft.com...
>> > Thank you Steven. What you said about policy applying only to users
>> > and
>> > computers I finally discovered on a google forum. I am amazed that
>> > with
>> > all
>> > the reading I have been doing lately, that simple fact was not
>> > apparent.
>> > What is confusing to me is that with the GPMC, you can use security
>> > groups
>> > to
>> > apply policy through filtering, right?
>> >
>> > I will look into your suggestions on the RPC problem. Thank you very
>> > much.
>> > --Gina
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> The user or computer that you are applying the Group Policy to must be
>> >> in
>> >> the OU. It should not matter where the groups are as Group Policy does
>> >> not
>> >> apply to groups - only users and computers but groups can be used to
>> >> manage
>> >> who Group Policy applies to via changing the "apply" permission for
>> >> the
>> >> Group Policy. Use only global groups if you are trying to manage Group
>> >> Policy apply permissions. The rpc unavailable error could mean that
>> >> the
>> >> computer that you are trying to run the RSOP for is not turned on, it
>> >> has
>> >> a
>> >> firewall enabled on it, or there is a name resolution problem. See the
>> >> link
>> >> below on Active Directory dns as proper dns configuration in the
>> >> domain
>> >> is
>> >> critical for Group Policy and everything else to work properly. The
>> >> support
>> >> tools netdiag and dcdiag are very helpful in tracking down
>> >> domain/networking
>> >> problems that can contribute to Group Policy problems. --- Steve
>> >>
>> >>
>> >> ttp://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 ---
>> >> dns
>> >> FAQ
>> >>
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
>> >> netdiag
>> >> and how to install support tools.
>> >>
>> >> "Gina" <Gina@discussions.microsoft.com> wrote in message
>> >> news:31952EEB-F3F6-45A0-96DE-A18CDC8440E7@microsoft.com...
>> >> >I hope someone can pinpoint what I am doing wrong in the following:
>> >> >
>> >> > In AD, I create an OU, create a user policy to do obvious desktop
>> >> > things
>> >> > like remove run menu, and I assign/link the policy to the OU. Other
>> >> > than
>> >> > this policy, there is only the default policies which come with SBS
>> >> > 2003.
>> >> >
>> >> > If I move a user object to the OU, then log the user onto an XP
>> >> > client,
>> >> > the
>> >> > policy is applied as expected.
>> >> >
>> >> > Here is the problem: if I create a global or domain security group
>> >> > and
>> >> > add
>> >> > this user to the group, and move the security group to the OU the
>> >> > policy
>> >> > is
>> >> > not applied when this user logs on.
>> >> >
>> >> > Additional symptom: When this user logs on in the 2nd scenario,
>> >> > besides
>> >> > the
>> >> > custom policy not being applied, it appears that a previous domain
>> >> > policy
>> >> > which has been removed is trying to apply. It was a software
>> >> > install
>> >> > policy
>> >> > that results in a message when the user logs on saying "you have to
>> >> > be
>> >> > an
>> >> > admin to install software".
>> >> >
>> >> > One more thing: I cannot run the group policy results in SBS for
>> >> > this
>> >> > user
>> >> > and computer. I receive "rpc server unavailble" errors, but all the
>> >> > appropriate services are running.
>> >> >
>> >> > Thanks for anything--Gina
>> >>
>> >>
>> >>
>>
>>
>>