Hi Darren,

I have tried the pseudo security filtering change, but to no avail, which made me think that I would have to do a manual security change. I will replace all child objects with the security of the GUID named folder. I will report back shortly.

Robert

On Thu, August 31, 2006 10:11 am, Darren Mar-Elia said:

Yes, the security should be the same on all files underneath the GUID-named folder in SYSVOL, and it's typically inherited from the GUID-named folder level (i.e. each GUID-named folder sets its own ACLs, which makes sense). One thing you might try is, from GPMC, open each GPO from the Group Policy Objects container and make a security filtering change. You could just change something and then change it back, and see if that stamps the proper ACLs on the files in SYSVOL.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Robert Mariani
Sent: Wednesday, August 30, 2006 5:04 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default DC Policy

Hi all - I am still seeing errors from security related issues. If I check the event viewer of a PC, I am seeing Userenv errors relating to access denied on registry.pol files of various GPOs.

I have checked the securities on the directories under Sysvol\policies\> and they correspond back to the securities and group in GPMC - but if I check other securities, esp. the registry.pol file, they may be different than what is applied at the GPO or on the GUID directory.

Should the files and folders beneath Sysvol\policies\ be the same as that directory?

Should I consider replacing securities on all child objects for each GUID in the policy directory - using the advanced security settings?

Thanks in advance,
Robert

On Wed, August 30, 2006 3:10 pm, Delaney, Doug said:
> If the domain is 2003, the "Enterprise Domain Controllers" group has
> read access...
>
> Doug Delaney
> GM Desktop Engineering
> Global Client Engineering GM
> 1075 W. Entrance Dr., MS 2B, Cube 2130
> Auburn Hills, MI 48326
> Lab: 248-365-9187
> Tel: 248-754-7917
> Pg: 248-870-0306 pager
> Mail: Doug.Delaney@xxxxxxx
>
> Note: The information in this email is intended solely for the
> addressee. Access to this email by anyone else is unauthorized. If you
> are not the intended recipient, any disclosure, copying, distribution or
> any action taken or omitted to be taken in reliance on it is prohibited.
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Wednesday, August 30, 2006 3:57 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default DC Policy
>
> If the GPO is linked to the DC OU, then there's no harm in granting Auth.
> Users access to it to get things working. I don't have a DC in front of
> me to see what the default perms on that GPO should be, but I'm guessing
> the Domain Controllers group probably has read rights as well.
>
> -----Original message-----
> From: "Robert Mariani" rmariani@xxxxxxxxxxx
> Date: Tue, 29 Aug 2006 23:35:43 -0400
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default DC Policy
>
>> Hi Darren - I have given Authenticated Users read access to this file
>> and a gpupdate /force applies without error.
>>
>> Should this file have that security on it, as my default domain policy
>> doesn't?
>>
>> On Wed, August 30, 2006 5:10 pm, Darren Mar-Elia said:
>> > Robert-
>> > You might want to check the following:
>> >
>> > 1) that the registry.pol file is actually there
>> > 2) that the permissions that appear on it look ok (that System and
>> > Authenticated Users have at least Read access to it)
>> >
>> > If the above are true, then you might want to download my polviewer
>> > utility on my site and use it to try and open that registry.pol file.
>> > If the file format is corrupted, then it will report that and you
>> > know that the file is no good and probably needs to be rebuilt.
>> >
>> > Darren
>> >
>> > -----Original message-----
>> > From: "Robert Mariani" rmariani@xxxxxxxxxxx
>> > Date: Tue, 29 Aug 2006 23:05:12 -0400
>> > To: gptalk@xxxxxxxxxxxxx
>> > Subject: [gptalk] Default DC Policy
>> >
>> >> Hi All,
>> >>
>> >> I had the unfortunate experience of having to do an
>> >> authoritative domain restore this morning.
>> >>
>> >> Everything went ok - except bloody Veritas Backup Exec
>> >> playing up a bit.
>> >>
>> >> I am seeing only one error showing
>> >> when my DC's apply the default domain controllers policy.
>> >>
>> >> It is an error 1043 followed by 1096:
>> >>
>> >> Windows cannot access the registry policy file,
>> >> \sysvol\\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\registry.pol.
>> >> (Access is denied. ).
>> >>
>> >> For more information, see Help and Support Center at
>> >> http://go.microsoft.com/fwlink/events.asp.
>> >>
>> >> Anyone got any ideas on how to correct?
>> >>
>> >> Thanks
>> >> Robert
>> >
>> > ***********************
>> > You can unsubscribe from gptalk by sending email to
>> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
>> > OR by logging into the freelists.org Web interface.
>> > Archives for the list are available at
>> > //www.freelists.org/archives/gptalk/
>> > ************************
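
The check discussed in this thread, written as a read-only audit. This is an added example, not part of the original messages: it lists items under each GUID-named GPO folder whose ACL is not purely inherited from that folder, or where SYSTEM or Authenticated Users lack Read. The default path is a placeholder; pass your own domain's Policies folder.

```powershell
# Added example (not from the thread). Read-only: reports, changes nothing.
# Assumption: the default $PoliciesPath is a placeholder for your domain.
param(
    [string]$PoliciesPath = '\\example.local\SYSVOL\example.local\Policies'
)

$readMask = [int][System.Security.AccessControl.FileSystemRights]::Read

function Test-ReadAllowed {
    # True if an Allow ACE for the given SID grants at least Read.
    param($Acl, [string]$Sid)
    $rules = $Acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -eq $Sid -and
            $ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band $readMask) -eq $readMask) {
            return $true
        }
    }
    return $false
}

Get-ChildItem -LiteralPath $PoliciesPath -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |   # GUID-named GPO folders
    ForEach-Object {
        $gpo = $_
        Get-ChildItem -LiteralPath $gpo.FullName -Recurse -Force | ForEach-Object {
            $item = $_
            $acl  = Get-Acl -LiteralPath $item.FullName
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            [pscustomobject]@{
                Gpo                = $gpo.Name
                Item               = $item.FullName.Substring($gpo.FullName.Length)
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitAces       = $explicit.Count
                SystemRead         = Test-ReadAllowed $acl 'S-1-5-18'   # SYSTEM
                AuthUsersRead      = Test-ReadAllowed $acl 'S-1-5-11'   # Authenticated Users
            }
        }
    } |
    # Keep only items that deviate from "everything inherited, both can read".
    Where-Object {
        $_.InheritanceBlocked -or $_.ExplicitAces -gt 0 -or
        -not $_.SystemRead -or -not $_.AuthUsersRead
    } |
    Format-Table -AutoSize
```

A GPO whose security filtering deliberately replaces Authenticated Users with another group will show AuthUsersRead as False; compare those rows against the filtering shown in GPMC before treating them as a fault.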