hi all - i am still seeing errors from security related issues.

If i check the event viewer of a pc i am seeing Userenv errors relating to access denied on registry.POL files of various GPOs.

I have checked the securities on the directories under Sysvol\policies\<GUID> and they correspond back to the securities and group in GPMC - but if i check other securities, esp. the registry.pol file, they may be different than what is applied at the GPO or on the GUID directory.

Should the files and folders beneath Sysvol\policies\<GUID> be the same as that directory?

Should i consider replacing securities on all child objects for each GUID in the policy directory - using the advanced security settings?

thanks in advance
Robert

On Wed, August 30, 2006 3:10 pm, Delaney, Doug said:
> if the domain is 2003, the "Enterprise Domain Controllers" group has
> read access...
>
> Doug Delaney
> GM Desktop Engineering
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Wednesday, August 30, 2006 3:57 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default DC Policy
>
> If the GPO is linked to the DC OU, then there's no harm in granting Auth.
> Users access to it to get things working. I don't have a DC in front of
> me to see what the default perms on that GPO should be but I'm guessing
> the Domain Controllers group probably has read rights as well.
>
> -----Original message-----
> From: "Robert Mariani" rmariani@xxxxxxxxxxx
> Date: Tue, 29 Aug 2006 23:35:43 -0400
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default DC Policy
>
>> Hi Darren - I have given Authenticated Users read access to this file
>> and a gpupdate /force applies without error.
>>
>> should this file have that security on it as my default domain policy
>> doesn't
>>
>> On Wed, August 30, 2006 5:10 pm, Darren Mar-Elia said:
>> > Robert-
>> > You might want to check the following:
>> >
>> > 1) that the registry.pol file is actually there
>> > 2) that the permissions that appear on it look ok (that System and
>> > Authenticated Users have at least Read access to it)
>> >
>> > If the above are true, then you might want to download my polviewer
>> > utility on my site and use it to try and open that registry.pol file.
>> > If the file format is corrupted, then it will report that and you
>> > know that the file is no good and probably needs to be rebuilt.
>> >
>> > Darren
>> >
>> > -----Original message-----
>> > From: "Robert Mariani" rmariani@xxxxxxxxxxx
>> > Date: Tue, 29 Aug 2006 23:05:12 -0400
>> > To: gptalk@xxxxxxxxxxxxx
>> > Subject: [gptalk] Default DC Policy
>> >
>> >> Hi All,
>> >> I had the unfortunate experience of having to do an
>> >> authoritative domain restore this morning.
>> >>
>> >> Everything went ok - except bloody Veritas Backup Exec playing up a bit?
>> >>
>> >> I am seeing only one error showing when my DC's apply the default
>> >> domain controllers policy
>> >>
>> >> it is an error 1043 followed by 1096
>> >>
>> >> Windows cannot access the registry policy file,
>> >> <domain>\sysvol\<domain>\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\registry.pol.
>> >> (Access is denied. ).
>> >>
>> >> For more information, see Help and Support Center at
>> >> http://go.microsoft.com/fwlink/events.asp.
>> >>
>> >> anyone got any ideas in how to correct??
>> >>
>> >> Thanks
>> >> Robert
>> >
>> > ***********************
>> > You can unsubscribe from gptalk by sending email to
>> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
>> > by logging into the freelists.org Web interface.
>> > Archives for the list are available at //www.freelists.org/archives/gptalk/
>> > ************************
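
The thread suggests opening registry.pol in a viewer to tell a corrupted file apart from a permissions problem. As an added example (not part of the thread, and not the polviewer utility mentioned in it), this Python validator walks the documented Registry.pol layout: a "PReg" signature, a version DWORD of 1, then UTF-16LE [key;value;type;size;data] records. The key path and value in build_sample are constructed.

```python
import struct
SIGNATURE, VERSION = b"PReg", 1  # 8-byte header: magic, then DWORD version

class PolFormatError(ValueError):
    """The bytes do not follow the registry.pol layout."""

def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter ('[', ';' or ']')."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise PolFormatError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _cstring(buf, pos):
    """Read a NUL-terminated UTF-16LE string (key or value name)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise PolFormatError(f"unterminated string at offset {pos}")
        end += 2
    return buf[pos:end].decode("utf-16-le", "replace"), end + 2

def _dword(buf, pos):
    if pos + 4 > len(buf):
        raise PolFormatError(f"truncated DWORD at offset {pos}")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_pol(buf):
    """Return [(key, value, reg_type, data)] or raise PolFormatError."""
    if buf[:4] != SIGNATURE or _dword(buf, 4)[0] != VERSION:
        raise PolFormatError("bad PReg header")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _cstring(buf, _expect(buf, pos, "["))
        value, pos = _cstring(buf, _expect(buf, pos, ";"))
        reg_type, pos = _dword(buf, _expect(buf, pos, ";"))
        size, pos = _dword(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        if pos + size > len(buf):
            raise PolFormatError(f"data runs past end of file at offset {pos}")
        entries.append((key, value, reg_type, buf[pos:pos + size]))
        pos = _expect(buf, pos + size, "]")
    return entries

def build_sample():
    """Constructed one-entry file (REG_DWORD Enabled = 1), not from the thread."""
    u = lambda s: s.encode("utf-16-le")
    return (SIGNATURE + struct.pack("<I", VERSION)
            + u("[Software\\Policies\\Example\0;Enabled\0;") + struct.pack("<I", 4)
            + u(";") + struct.pack("<I", 4) + u(";") + struct.pack("<I", 1) + u("]"))
```

Reading the real file with open(path, "rb") separates the two failure modes: a PermissionError points at the ACL, while a PolFormatError means the file opened but its contents are damaged.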