[gptalk] Re: Default DC Policy

  • From: "MS Support" <mssupport@xxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 22 Sep 2006 20:31:17 -0500

Have you tried the hotfix that is included with KB903252?

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Robert Mariani
Sent: Wednesday, August 30, 2006 7:23 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default DC Policy

 

Hi Darren,
  I have tried the pseudo security filtering change but to no avail, which
made me think that I would have to do a manual security change.

I will replace all child objects with the security of the GUID named folder.

I will report back shortly.

Robert



On Thu, August 31, 2006 10:11 am, Darren Mar-Elia said: 

Yes, the security should be the same on all files underneath the GUID named
folder in SYSVOL and it's typically inherited from the GUID-named folder
level (i.e. each GUID-named folder sets its own ACLs, which makes sense). One
thing you might try is, from GPMC, open each GPO from the Group Policy
Objects container and make a security filtering change. You could just
change something and then change it back, and see if that stamps the proper
ACLs on the files in SYSVOL.

Darren

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Robert Mariani
Sent: Wednesday, August 30, 2006 5:04 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default DC Policy

 

Hi all - I am still seeing errors from security related issues. 

If I check the event viewer of a PC I am seeing Userenv error relating to
access denied on registry.pol files of various GPOs.

I have checked the securities on the directories under Sysvol\policies\<GUID>
and they correspond back to the securities and group in GPMC - but if I
check other securities, esp. the registry.pol file, they may be different
than what is applied at the GPO or on the GUID directory.

Should the files and folders beneath Sysvol\policies\ be the same as that
directory?

Should I consider replacing securities on all child objects for each GUID in
the policy directory - using the advanced security settings?

thanks in advance

Robert







On Wed, August 30, 2006 3:10 pm, Delaney, Doug said: 
> If the domain is 2003, the "Enterprise Domain Controllers" group has 
> read access... 
> 
> 
> Doug Delaney 
> 
> -----Original Message----- 
> 
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] 
> On Behalf Of Darren Mar-Elia 
> Sent: Wednesday, August 30, 2006 3:57 AM 
> To: gptalk@xxxxxxxxxxxxx 
> Subject: [gptalk] Re: Default DC Policy 
> 
> If the GPO is linked to the DC OU, then there's no harm in granting Auth. 
> Users access to it to get things working. I don't have a DC in front of 
> me to see what the default perms on that GPO should be but I'm guessing 
> the Domain Controllers group probably has read rights as well. 
> 
> 
> 
> -----Original message----- 
> 
> From: "Robert Mariani" rmariani@xxxxxxxxxxx 
> Date: Tue, 29 Aug 2006 23:35:43 -0400 
> To: gptalk@xxxxxxxxxxxxx 
> Subject: [gptalk] Re: Default DC Policy 
> 
>> 
>> 
>> Hi Darren - I have given Authenticated Users read access to this file 
>> and a gpupdate /force applies without error. 
>> 
>> Should this file have that security on it, as my default domain policy 
>> doesn't? 
>> 
>> 
>> 
>> 
>> On Wed, August 30, 2006 5:10 pm, Darren Mar-Elia said: 
>> > Robert- 
>> > You might want to check the following: 
>> > 
>> > 1) that the registry.pol file is actually there 
>> > 2) that the permissions that appear on it look ok (that System and 
>> > Authenticated Users have at least Read access to it) 
>> > 
>> > If the above are true, then you might want to download my polviewer 
>> > utility on my site and use it to try and open that registry.pol file. 
>> > If the file format is corrupted, then it will report that and you know 
>> > that the file is no good and probably needs to be rebuilt. 
>> > 
>> > Darren 
>> > 
>> > -----Original message----- 
>> > 
>> > From: "Robert Mariani" rmariani@xxxxxxxxxxx 
>> > Date: Tue, 29 Aug 2006 23:05:12 -0400 
>> > To: gptalk@xxxxxxxxxxxxx 
>> > Subject: [gptalk] Default DC Policy 
>> > 
>> >> 
>> >> Hi All, 
>> >> I had the unfortunate experience of having to do an 
>> >> authoritative domain restore this morning. 
>> >> 
>> >> Everything went ok - except bloody Veritas Backup Exec playing up a bit 
>> >> 
>> >> I am seeing only one error showing 
>> >> when my DC's apply the default domain controllers policy 
>> >> 
>> >> it is an error 1043 
>> >> followed by 1096 
>> >> 
>> >> Windows cannot access the registry policy file, 
>> >> \sysvol\\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\registry.pol. 
>> >> (Access is denied. ). 
>> >> 
>> >> For more information, see Help and Support Center at 
>> >> http://go.microsoft.com/fwlink/events.asp. 
>> >> 
>> >> anyone got any ideas in how to correct? 
>> >> 
>> >> Thanks 
>> >> Robert 
>> >> 
>> > 
>> > *********************** 
>> > You can unsubscribe from gptalk by sending email to 
>> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR 
>> > by logging into the freelists.org Web interface. 
>> > Archives for the list are available at 
>> > http://www.freelists.org/archives/gptalk/ 
>> > ************************ 
>> > 
>> 
>> 
>> 
> 
> 
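
Added example, not part of the original thread or any poster's code: a PowerShell check for the two items in Darren's list above (registry.pol is present; SYSTEM and Authenticated Users have at least Read) plus a count of non-inherited ACEs on each file, which is what the later messages about SYSVOL inheritance are asking about. The `\\example.local\...` path is a placeholder, and only ACEs naming those SIDs directly are examined.

```powershell
# Added example. $PoliciesPath is a placeholder; point it at your domain's SYSVOL Policies folder.
param(
    [string]$PoliciesPath = '\\example.local\SYSVOL\example.local\Policies',
    # Well-known SIDs for SYSTEM and Authenticated Users (the principals named in the thread).
    # A security-filtered GPO may legitimately lack the Authenticated Users ACE.
    [string[]]$RequiredSids = @('S-1-5-18', 'S-1-5-11')
)

$read    = [System.Security.AccessControl.FileSystemRights]::Read
$sidType = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -LiteralPath $PoliciesPath -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |   # GUID-named GPO folders only
    ForEach-Object {
        $gpo = $_
        foreach ($side in 'Machine', 'User') {
            $pol = Join-Path $gpo.FullName "$side\registry.pol"
            # No registry.pol simply means this side has no registry settings.
            if (-not (Test-Path -LiteralPath $pol)) { continue }

            # Resolve every ACE to a SID so the check does not depend on localized names.
            $rules = (Get-Acl -LiteralPath $pol).GetAccessRules($true, $true, $sidType)

            $missing = foreach ($sid in $RequiredSids) {
                $allowed = $rules | Where-Object {
                    $_.IdentityReference.Value -eq $sid -and
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band $read) -eq $read
                }
                if (-not $allowed) { $sid }
            }

            [pscustomobject]@{
                Gpo          = $gpo.Name
                File         = "$side\registry.pol"
                MissingRead  = $missing -join ','
                # ACEs set on the file itself rather than inherited from the GUID folder.
                ExplicitAces = @($rules | Where-Object { -not $_.IsInherited }).Count
            }
        }
    }
```

Rows with a non-empty `MissingRead` or a non-zero `ExplicitAces` are the files whose permissions differ from what the GUID-named folder would hand down.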

