[gptalk] Re: Default DC Policy

  • From: "Robert Mariani" <rmariani@xxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Thu, 31 Aug 2006 10:03:43 +1000 (EST)


Hi all - I am still seeing errors from security-related issues.

If I check the Event Viewer of a PC I am seeing Userenv errors relating to access denied on registry.pol files of various GPOs.

I have checked the securities on the directories under Sysvol\policies\<GUID> and they correspond back to the securities and group in GPMC - but if I check other securities, esp. the registry.pol file, they may be different than what is applied at the GPO or on the GUID directory.

Should the files and folders beneath Sysvol\policies\<GUID> be the same as that directory?

Should I consider replacing securities on all child objects for each GUID in the policy directory - using the advanced security settings?

Thanks in advance

Robert

On Wed, August 30, 2006 3:10 pm, Delaney, Doug said:
> If the domain is 2003, the "Enterprise Domain Controllers" group has read access...
>
> Doug Delaney
> GM Desktop Engineering
> Global Client Engineering GM
> 1075 W. Entrance Dr., MS 2B, Cube 2130
> Auburn Hills, MI 48326
> Lab: 248-365-9187
> Tel: 248-754-7917
> Pg: 248-870-0306 pager
> Mail: Doug.Delaney@xxxxxxx
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
> Sent: Wednesday, August 30, 2006 3:57 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default DC Policy
>
> If the GPO is linked to the DC OU, then there's no harm in granting Auth.
> Users access to it to get things working. I don't have a DC in front of
> me to see what the default perms on that GPO should be but I'm guessing
> the Domain Controllers group probably has read rights as well.
>
> -----Original message-----
> From: "Robert Mariani" rmariani@xxxxxxxxxxx
> Date: Tue, 29 Aug 2006 23:35:43 -0400
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default DC Policy
>
>> Hi Darren - I have given Authenticated Users read access to this file
>> and a gpupdate /force applies without error.
>>
>> Should this file have that security on it, as my default domain policy
>> doesn't?
>>
>> On Wed, August 30, 2006 5:10 pm, Darren Mar-Elia said:
>> > Robert-
>> > You might want to check the following:
>> >
>> > 1) that the registry.pol file is actually there
>> > 2) that the permissions that appear on it look ok (that System and
>> > Authenticated Users have at least Read access to it)
>> >
>> > If the above are true, then you might want to download my polviewer
>> > utility on my site and use it to try and open that registry.pol file.
>> > If the file format is corrupted, then it will report that and you know
>> > that the file is no good and probably needs to be rebuilt.
>> >
>> > Darren
>> >
>> > -----Original message-----
>> > From: "Robert Mariani" rmariani@xxxxxxxxxxx
>> > Date: Tue, 29 Aug 2006 23:05:12 -0400
>> > To: gptalk@xxxxxxxxxxxxx
>> > Subject: [gptalk] Default DC Policy
>> >
>> >> Hi All,
>> >> I had the unfortunate experience of having to do an
>> >> authoritative domain restore this morning.
>> >>
>> >> Everything went ok - except bloody Veritas Backup Exec playing up a bit.
>> >>
>> >> I am seeing only one error showing when my DCs apply the default
>> >> domain controllers policy
>> >>
>> >> it is an error 1043 followed by 1096
>> >>
>> >> Windows cannot access the registry policy file,
>> >> <domain>\sysvol\<domain>\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\registry.pol.
>> >>
>> >> (Access is denied. ).
>> >>
>> >> For more information, see Help and Support Center at
>> >> http://go.microsoft.com/fwlink/events.asp.
>> >>
>> >> Anyone got any ideas on how to correct?
>> >>
>> >> Thanks
>> >> Robert
>> >>
>> > ***********************
>> > You can unsubscribe from gptalk by sending email to
>> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
>> > OR by logging into the freelists.org Web interface.
>> > Archives for the list are available at
>> > //www.freelists.org/archives/gptalk/
>> > ************************
>> >
> 
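
The checks discussed in this thread (registry.pol present, its read permissions compared with those on the GPO's GUID folder, file format not corrupted), as an added PowerShell example that is not from any poster in the thread. The share path is a placeholder, and the format check assumes a valid registry.pol begins with the 4-byte signature "PReg" followed by a DWORD version of 1.

```powershell
param(
    # Assumption: placeholder path; point this at your own domain's SYSVOL Policies folder.
    [string]$PoliciesPath = '\\example.local\SYSVOL\example.local\Policies'
)

function Get-ReadIdentity {
    # Identities holding an Allow ACE with read rights that applies to the object itself.
    param([string]$Path)
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $read) -eq $read) -and -not ($_.PropagationFlags -band $inheritOnly) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Test-PolHeader {
    # Reads the first 8 bytes only: "PReg" signature plus version 1 (assumed layout, see lead-in).
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 8
        if ($fs.Read($buf, 0, 8) -lt 8) { return $false }
    } finally { $fs.Dispose() }
    ([System.Text.Encoding]::ASCII.GetString($buf, 0, 4) -ceq 'PReg') -and
        ([System.BitConverter]::ToUInt32($buf, 4) -eq 1)
}

# One row per registry.pol: who can read the GUID folder but not the file, and whether the header parses.
Get-ChildItem -LiteralPath $PoliciesPath -Directory | ForEach-Object {
    $gpo = $_
    $folderIds = Get-ReadIdentity $gpo.FullName
    foreach ($side in 'Machine', 'User') {
        $pol = Join-Path $gpo.FullName "$side\registry.pol"
        if (-not (Test-Path -LiteralPath $pol)) { continue }   # not every GPO carries registry settings
        $fileIds = Get-ReadIdentity $pol
        $hdr = try { Test-PolHeader $pol } catch { "unreadable: $($_.Exception.Message)" }
        [pscustomobject]@{
            Gpo             = $gpo.Name
            File            = "$side\registry.pol"
            ReadOnFolderOnly = @($folderIds | Where-Object { $_ -notin $fileIds }) -join '; '
            HeaderValid     = $hdr
        }
    }
}
```

A non-empty ReadOnFolderOnly column marks a file whose ACL has drifted from its GUID folder, which is the mismatch described in the top message.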
