From: Robert Jacobs on
Hello experts - I know I'm not posting this in a Group Policy group,
but there were only 6 or 7 members of those groups, so I'm guessing I
might have better luck here (plus, it might not just be a group policy
problem).

On a Windows Server (2003 R1 Standard) I have set up automatic logon
for a domain admin account (in a locked/secured room) that
automatically launches a piece of software after logging in. The
problem is, the screensaver starts after 900 seconds, and a password
is required to get back into the machine afterwards. However, users
who access the program launched on this computer should not be given
the admin's password.

Therefore, I added a new OU, put this domain admin's user account in
the OU, and created a group policy to disable the screensaver requires
password option.

Nothing happened. I ran gpupdate /force. Nothing. I ran gpresult,
and sure enough, the policy I just added did not show up. I rebooted
the server, rebooted the domain server, same result.

I then ran rsop.msc. When this box appears, red x's appear on
Computer Configuration and User Configuration (as well as the top
level where it says username on computername - RSoP). Clicking on any
of the twisties/plus signs freezes the rsop.msc program. I right
clicked User and Computer Configuration, clicked the Error Information
tab, and it says:
_________________________________________________
Group Policy Infrastructure failed due to the error listed below.
The system cannot find the path specified.

Note: Due to the GP Core failure, none of the other Group Policy
components processed their policy. Consequently, status information
for the other components is not available.
Additional Information:
Windows cannot query for the list of Group Policy objects. Check the
event log for possible messages previously logged by the policy engine
that describes the reason for this.

Windows cannot access the file gpt.ini for GPO
cn={1DDFFB81-0EE1-4103-8F53-A2C2F1ED2D21},cn=policies,cn=system,DC=domainname,DC=local.
The file must be present at the location
<\\domainname.local\sysvol\domainname.local\Policies\{1DDFFB81-0EE1-4103-8F53-A2C2F1ED2D21}\gpt.ini>.
(The system cannot find the path specified. ).
Group Policy processing aborted.

What in the world am I supposed to do? Does it have anything to do
with the auto logon feature? Where else can I look? All of your
answers are GREATLY appreciated, and essential!

Thanks!
From: Ace Fekay [MVP-DS, MCT] on
Hi Robert,

First, you could have posted this to the AD group and GPO groups, which are
more specific to the question. But not a prob that you posted it here. I
actually cross-posted my response to both groups. When you reply, make sure
you have both groups in the "To:" field.


What I would suggest is to not host such an application on a DC. When
creating a GPO for users to apply for something such as this, you may need
to use Loopback. However, I highly suggest and recommend to not do this
because it is a domain controller. A DC has a specific Default Domain
Controller Policy that affects it by default, and the loopback can possibly
cause problems with it.

As for the errors you are seeing, they may be stemming from an underlying
issue that may be something more serious. To better diagnose this, we'll
need additional information. Please post the following:

Unedited ipconfig /all from the DC
Sample workstation unedited ipconfig /all
Event log errors on the DC (EventID# and Source name).
Event log errors on the workstation (EventID# and Source name).
Indicate how many DCs and domains you have.

Thank you,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
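
An added example, not part of any poster's message: the RSoP error in the original post says a GPO exists in Active Directory but its gpt.ini cannot be found under SYSVOL. The read-only PowerShell check below lists every GPO object in the domain and reports any whose SYSVOL gpt.ini is unreachable or whose version differs from the AD object. It assumes PowerShell 2.0 or later on a domain-joined machine; the function names are hypothetical.

```powershell
# Added example (not from the thread). Read-only: it queries AD and reads files.
# Assumes PowerShell 2.0+ on a domain-joined machine; function names are hypothetical.

function Get-GptIniVersion {
    param([string]$Path)
    # gpt.ini is a small INI file; "Version=<n>" sits in its [General] section.
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Test-GpoSysvolConsistency {
    # Every GPO has a groupPolicyContainer object under CN=Policies,CN=System.
    $searcher = [adsisearcher]'(objectClass=groupPolicyContainer)'
    $searcher.PageSize = 500
    foreach ($attr in 'cn', 'displayName', 'gPCFileSysPath', 'versionNumber') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        # SearchResult property names are returned in lower case.
        $props     = $result.Properties
        $guid      = [string]($props['cn'] | Select-Object -First 1)
        $name      = [string]($props['displayname'] | Select-Object -First 1)
        $sysvol    = [string]($props['gpcfilesyspath'] | Select-Object -First 1)
        $adVersion = [int]($props['versionnumber'] | Select-Object -First 1)

        $status      = 'OK'
        $gptIni      = $null
        $fileVersion = $null
        if (-not $sysvol) {
            $status = 'NoSysvolPathInAD'
        } else {
            $gptIni = $sysvol.TrimEnd('\') + '\gpt.ini'
            if (-not (Test-Path -LiteralPath $gptIni)) {
                # The condition reported in the RSoP error: GPO in AD, no gpt.ini.
                $status = 'MissingGptIni'
            } else {
                $fileVersion = Get-GptIniVersion -Path $gptIni
                # A mismatch can be transient while SYSVOL replication catches up.
                if ($fileVersion -ne $adVersion) { $status = 'VersionMismatch' }
            }
        }

        New-Object PSObject -Property @{
            Status = $status; Guid = $guid; Name = $name
            AdVersion = $adVersion; FileVersion = $fileVersion; GptIni = $gptIni
        } | Select-Object Status, Guid, Name, AdVersion, FileVersion, GptIni
    }
}

# Show only the GPOs that need attention.
Test-GpoSysvolConsistency | Where-Object { $_.Status -ne 'OK' } | Format-List
```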


From: Sergiy Grykshtas on
As a suggestion:

Check if you have an enforced policy above this new OU. Try to apply this
policy to both computers and users.

serggry

From: Paul Bergson [MVP-DS] on
I'm sorry if this comes across as rude; it is not intended to.

You are handing over the keys to your enterprise by providing this sort of
access. I don't believe you need to have this program run as a domain
admin. All some user has to do is run a command (at this terminal) to have
them be joined to the domain admins (DA) group and they then have full DA
rights and can go about doing what they please anywhere in the enterprise.
Putting this in a secure location means nothing. If I were your supervisor
I would remove your admin rights and contemplate terminating you. I am
serious!

Forget about the screensaver not working and do the work to get this
application running w/o the elevated rights.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


From: Robert Jacobs on
On Jan 21, 7:31 am, "Paul Bergson [MVP-DS]" <pbbergs(a)no_spammsn.com>
wrote:
> I'm sorry if this comes across as rude; it is not intended to.
>
> You are handing over the keys to your enterprise by providing this sort of
> access.  I don't believe you need to have this program run as a domain
> admin.  All some user has to do is run a command (at this terminal) to have
> them be joined to the domain admins (DA) group and they then have full DA
> rights and can go about doing what they please anywhere in the enterprise.
> Putting this in a secure location means nothing.  If I were your supervisor
> I would remove your admin rights and contemplate terminating you.  I am
> serious!
>
> Forget about the screensaver not working and do the work to get this
> application running w/o the elevated rights.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.

The server is not a DC, it's simply a standard Windows server with SQL
running as well as a test program - And thanks Paul for your advice on
my being fired. I would love to tell you that this is being performed
on a utility server domain (only utility servers and utility 'domain
admin' accounts are used (testing domain)), and that none of our
enterprise data is at any risk from any user at any time - and I'd
love to tell you what I'm trying to accomplish is for testing purposes
only - and would be applied on our actual domain in the future with
accounts that only have permissions to specific directories required
for that specific application to run - I'm just trying to get any bugs
worked out on our TESTING domain before attempting to go live with
COMPLETELY DIFFERENT accounts, but accounts that need to auto logon,
nonetheless. And, finally, I would like to thank you for all of
your help in resolving the issues I'm running into - you're a huge
help. Thank goodness you put all of your fancy certifications (Mr.
Early Achiever) to good use, by not asking any follow-up questions, or
asking the nature of this project before telling me you are serious
about my lack of intelligence, my threat to my company, and the fact
that I should (seriously) be fired. Again - great help, MVP.