[gptalk] Re: Default DC Policy

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 30 Aug 2006 17:11:25 -0700

Yes, the security should be the same on all files underneath the GUID-named
folder in SYSVOL, and it's typically inherited from the GUID-named folder
level (i.e. each GUID-named folder sets its own ACLs, which makes sense). One
thing you might try is, from GPMC, open each GPO from the Group Policy
Objects container and make a security filtering change. You could just
change something and then change it back, and see if that stamps the proper
ACLs on the files in SYSVOL.
 
Darren
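As an added example (not code from Darren, Robert, or the gptalk list), the following PowerShell script performs the check discussed above: for every GUID-named folder under SYSVOL\Policies it reports children whose ACEs differ from the folder's own, and registry.pol files that SYSTEM or Authenticated Users cannot read. It assumes PowerShell 3.0 or later on a domain-joined host with read access to SYSVOL; the `$Domain` parameter, its default from `$env:USERDNSDOMAIN`, and the function names are assumptions made for this example.

```powershell
# Added example, not from the gptalk thread: audit the ACLs beneath each GUID-named
# policy folder in SYSVOL. It reports (1) children whose ACEs differ from the GUID
# folder's, and (2) registry.pol files that SYSTEM or Authenticated Users cannot read.
# Assumption: run on a domain-joined host with read access to SYSVOL; $Domain defaults
# to the session's DNS domain name.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

$policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"

# Reduce an ACE to identity|rights|type so inherited child ACEs compare equal to the
# folder ACEs they were copied from (inheritance/propagation flags are ignored on purpose).
function ConvertTo-AceKey {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    '{0}|{1}|{2}' -f $Ace.IdentityReference.Value, $Ace.FileSystemRights, $Ace.AccessControlType
}

function Get-AceKeys {
    param([string]$Path)
    @((Get-Acl -LiteralPath $Path).Access | ForEach-Object { ConvertTo-AceKey $_ } | Sort-Object -Unique)
}

# True if an Allow ACE for $Identity grants at least the composite Read right.
function Test-ReadAccess {
    param([string]$Path, [string]$Identity)
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Identity -and
            (($ace.FileSystemRights -band $read) -eq $read)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($gpoDir in Get-ChildItem -LiteralPath $policiesRoot -Directory |
                     Where-Object { $_.Name -match '^\{[0-9A-F-]{36}\}$' }) {
    $folderKeys = Get-AceKeys $gpoDir.FullName

    # (1) every file and subfolder should carry the same ACEs as its GUID folder
    foreach ($child in Get-ChildItem -LiteralPath $gpoDir.FullName -Recurse -Force) {
        $diff = Compare-Object -ReferenceObject $folderKeys -DifferenceObject (Get-AceKeys $child.FullName)
        if ($diff) {
            [pscustomobject]@{
                GPO    = $gpoDir.Name
                Path   = $child.FullName
                Issue  = 'ACL differs from GUID folder'
                Detail = ($diff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }) -join '; '
            }
        }
    }

    # (2) the per-side registry.pol must be readable by SYSTEM and Authenticated Users
    foreach ($pol in "$($gpoDir.FullName)\Machine\registry.pol", "$($gpoDir.FullName)\User\registry.pol") {
        if (-not (Test-Path -LiteralPath $pol)) { continue }
        foreach ($id in 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users') {
            if (-not (Test-ReadAccess -Path $pol -Identity $id)) {
                [pscustomobject]@{ GPO = $gpoDir.Name; Path = $pol; Issue = "$id lacks Read"; Detail = '' }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

The script only reads ACLs and never changes them; an empty result means every child matches its GUID folder and both registry.pol files are readable by the two identities Darren names. Files flagged with "ACL differs from GUID folder" are the ones to examine before deciding whether to re-stamp permissions from GPMC or replace them on child objects.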

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Robert Mariani
Sent: Wednesday, August 30, 2006 5:04 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default DC Policy


Hi all - I am still seeing errors from security related issues.

If I check the event viewer of a PC I am seeing Userenv errors relating to
access denied on registry.pol files of various GPOs.

I have checked the securities on the directories under Sysvol\policies\<GUID>
and they correspond back to the securities and groups in GPMC - but if I
check other securities, esp. the registry.pol file, they may be different than
what is applied at the GPO or on the GUID directory.

Should the files and folders beneath Sysvol\policies\<GUID> be the same as
that directory?

Should I consider replacing securities on all child objects for each GUID in
the policy directory - using the advanced security settings?

thanks in advance

Robert







On Wed, August 30, 2006 3:10 pm, Delaney, Doug said:
> if the domain is 2003, the "Enterprise Domain Controllers" group has
> read access...
>
> Doug Delaney
> GM Desktop Engineering
> Global Client Engineering GM
> 1075 W. Entrance Dr., MS 2B, Cube 2130
> Auburn Hills, MI 48326
> Lab: 248-365-9187
> Tel: 248-754-7917
> Pg: 248-870-0306 pager
> Mail: Doug.Delaney@xxxxxxx
>
> Note: The information in this email is intended solely for the
> addressee. Access to this email by anyone else is unauthorized. If you
> are not the intended recipient, any disclosure, copying, distribution or
> any action taken or omitted to be taken in reliance on it is prohibited.
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Wednesday, August 30, 2006 3:57 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default DC Policy
>
> If the GPO is linked to the DC OU, then there's no harm in granting Auth.
> Users access to it to get things working. I don't have a DC in front of
> me to see what the default perms on that GPO should be but I'm guessing
> the Domain Controllers group probably has read rights as well.
>
> -----Original message-----
> From: "Robert Mariani" rmariani@xxxxxxxxxxx
> Date: Tue, 29 Aug 2006 23:35:43 -0400
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default DC Policy
>
>> Hi Darren - I have given Authenticated Users read access to this file
>> and a gpupdate /force applies without error.
>>
>> Should this file have that security on it, as my default domain policy
>> doesn't?
>>
>> On Wed, August 30, 2006 5:10 pm, Darren Mar-Elia said:
>> > Robert-
>> > You might want to check the following:
>> >
>> > 1) that the registry.pol file is actually there
>> > 2) that the permissions that appear on it look ok (that System and
>> > Authenticated Users have at least Read access to it)
>> >
>> > If the above are true, then you might want to download my polviewer
>> > utility on my site and use it to try and open that registry.pol file.
>> > If the file format is corrupted, then it will report that and you know
>> > that the file is no good and probably needs to be rebuilt.
>> >
>> > Darren
>> >
>> > -----Original message-----
>> > From: "Robert Mariani" rmariani@xxxxxxxxxxx
>> > Date: Tue, 29 Aug 2006 23:05:12 -0400
>> > To: gptalk@xxxxxxxxxxxxx
>> > Subject: [gptalk] Default DC Policy
>> >
>> >> Hi All,
>> >> I had the unfortunate experience of having to do an authoritative
>> >> domain restore this morning.
>> >>
>> >> Everything went ok - except bloody Veritas Backup Exec playing up a
>> >> bit?
>> >>
>> >> I am seeing only one error showing when my DC's apply the default
>> >> domain controllers policy
>> >>
>> >> it is an error 1043 followed by 1096
>> >>
>> >> Windows cannot access the registry policy file,
>> >> <domain>\sysvol\<domain>\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\registry.pol.
>> >> (Access is denied. ).
>> >>
>> >> For more information, see Help and Support Center at
>> >> http://go.microsoft.com/fwlink/events.asp.
>> >>
>> >> Anyone got any ideas in how to correct??
>> >>
>> >> Thanks
>> >> Robert
>> >
>> > ***********************
>> > You can unsubscribe from gptalk by sending email to
>> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
>> > by logging into the freelists.org Web interface.
>> > Archives for the list are available at
>> > http://www.freelists.org/archives/gptalk/
>> > ************************
>
