[gptalk] Re: Default DC Policy

  • From: "Robert Mariani" <rmariani@xxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Thu, 31 Aug 2006 10:23:11 +1000 (EST)


Hi Darren,
  I have tried the suedo secutiry filtering change but to no avail
which made me think that i would have to do a manual security change.

I will
replace all child objects with the security of the GUID named folder.

I will
report back shortly

Robert



On Thu, August 31, 2006
10:11 am, Darren Mar-Elia said: 



Yes, the security should be same all on files underneath the GUID named folder
in SYSVOL and its typically inherited from the GUID-named folder level (i.e. 
each
GUID-named folder set its own ACLs, which makes sense). One thing you might try 
is, from
GPMC, open each GPO from the Group Policy Objects container and make a security
filtering change. You could just change something and then change it back, and 
see if
that stamps the proper ACLs on the files in SYSVOL.





Darren




From:
gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of
Robert Mariani
Sent: Wednesday, August 30, 2006 5:04
PM
To: gptalk@xxxxxxxxxxxxx
Subject:
[gptalk] Re: Default DC Policy



 



hi all - i am still seeing errors from security related issues.


If i check the event viewer of a pc i am seeing Userenv error relating to
access denied on registery.POL files of various GPOs.

I have checked the
securities on the directories under Sysvol\policies\> and
they correspond back to the secutities and group in GPMC - but if i check other
securities esp the registery.pol file they may be different than what is 
applied at the
GPO or on the GUID directory

Should the files and folders beneith
Sysvol\policies\ be the same as that directory?

Should i
consider replacing securites on all child objects for each GUID in the policy 
directory
- using the advanced security settings?

thanks in advance

Robert







On Wed, August 30, 2006 3:10 pm,
Delaney, Doug said: 
> if the domain is 2003, the "Enterprise Domain
Controllers" group has 
> read access... 
> 
> 
>
Doug Delaney 
> GM Desktop Engineering 
> Global Client Engineering GM

> 1075 W. Entrance Dr., MS 2B, Cube 2130 
> Auburn Hills, MI 48326 
> Lab: 248-365-9187 
> Tel: 248-754-7917 
> Pg: 248-870-0306 pager

> Mail: Doug.Delaney@xxxxxxx 
> 
> Note: The information in
this email is intended solely for the 
> addressee. Access to this email by
anyone else is unauthorized. If you 
> are not the intended recipient, any
disclosure, copying, distribution or 
> any action taken or omitted to be taken
in reliance on it is prohibited. 
> 
> 
> -----Original
Message----- 
> 
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] 
> On Behalf Of Darren Mar-Elia 
>
Sent: Wednesday, August 30, 2006 3:57 AM 
> To: gptalk@xxxxxxxxxxxxx 
>
Subject: [gptalk] Re: Default DC Policy 
> 
> If the GPO is linked to
the DC OU, then there's no harm in granted Auth. 
> Users access to it to get
things working. I don't have a DC in front of 
> me to see what the default
perms on that GPO should be but I'm guessing 
> the Domain Controllers group
probably has read rights as well. 
> 
> 
> 
>
-----Original message----- 
> 
From: "Robert Mariani"
rmariani@xxxxxxxxxxx 
> Date: Tue, 29 Aug 2006 23:35:43 -0400 
> To:
gptalk@xxxxxxxxxxxxx 
> Subject: [gptalk] Re: Default DC Policy 
> 
>> 
>> 
>> Hi Darren - I have given Authenticated Users
read access to this file 
>> and a gpoupdate /force applies without error.

>> 
>> should this file have that security on it as my default
domain policy 
>> doesn't 
>> 
>> 
>> 
>> 
>> On Wed, August 30, 2006 5:10 
>> pm, Darren
Mar-Elia said: 
>> > Robert- 
>> > You might want to check
the 
>> following: 
>> > 
>> > 1) that the
registry.pol file is actually there 
>> > 2) that the permissions that
appear on it look ok (that System and 
>> > Authenticated 
>>
Users 
>> > have at least Read access to it) 
>> > 
>> > If the above are 
>> true, then you might want to download my
polviewer utility on my site 
>> > and use 
>> it to try and
open that registry.pol file. If the file format is 
>> corrupted, then 
>> > it will report that and you know that the file is no good and 
>> > probably needs to 
>> be 
>> > rebuilt. 
>> > 
>> > Darren 
>> > 
>> >
-----Original 
>> message----- 
>> > 
>> 
From:
"Robert Mariani" rmariani@xxxxxxxxxxx 
>> > Date: Tue, 29 Aug
2006 23:05:12 -0400 
>> > To: gptalk@xxxxxxxxxxxxx 
>> >
Subject: [gptalk] Default DC Policy 
>> > 
>> >> 
>> >> 
>> >> 
>> >> Hi All, 
>> >> ?? I had the unfortunate experience of 
>> having to do
an 
>> >> authoriative domain restore this morning. 
>>
>> 
>> 
>> >> Everything went ok - except bloody
Veritas Backup Exec 
>> playing up a bit? 
>> >> 
>> >> I am seeing only one error showing 
>> >> when my
DC's apply the default domain contollers policy 
>> >> 
>>
>> it is an error 1043 
>> >> followed by 1096 
>>
>> 
>> >> 
>> >> Windows cannot access the
registry policy file, 
>> >> 
>> 
>
\sysvol\\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}

> \Machine\registry.pol. 
>> 
>> >> (Access is
denied. ). 
>> >> 
>> >> For more information, 
>> see Help and Support Center at 
>> >>
http://go.microsoft.com/fwlink/events.asp. 
>> 
>> >> 
>> >> 
>> >> anyone got any ideas in how 
>>
>> 
>> to correct?? 
>> >> 
>> >>
Thanks 
>> >> Robert 
>> >> 
>> 
>> >> 
>> > 
>> > *********************** 
>> > You can 
>> unsubscribe from gptalk by sending email to 
> gptalk-request@xxxxxxxxxxxxx with 
>> > 
>>
'unsubscribe' in the Subject field OR by logging into the 
> freelists.org Web
interface. 
>> 
>> > Archives for the list are available at 
>> http://www.freelists.org/archives/gptalk/ 
>> >
************************ 
>> > 
>> 
>> 
>> 
> 
> *********************** 
> You can unsubscribe
from gptalk by sending email to 
> gptalk-request@xxxxxxxxxxxxx with
'unsubscribe' in the Subject field OR 
> by logging into the freelists.org Web
interface. Archives for the list 
> are available at
http://www.freelists.org/archives/gptalk/ 
> ************************ 
>
*********************** 
> You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 
> 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. 
> Archives for the list are
available at http://www.freelists.org/archives/gptalk/ 
>
************************ 
> 


Other related posts: