[gptalk] Re: gpupdate question

  • From: jfvanmeter@xxxxxxxxxxx
  • To: gptalk@xxxxxxxxxxxxx, gptalk@xxxxxxxxxxxxx
  • Date: Tue, 17 Apr 2007 16:33:59 +0000

Hello everyone, and thank you all for the help. So far I've been unable to find 
the solution for this issue.

The server is a Win2k3 server that was put in an OU that had my XP Workstation 
policy linked to it; that policy was applied to the server.

Then it was noted that the server was in the wrong OU and it was moved and it 
now is receiving the Win2k3 Server Policy. 

I've logged onto the server with both the local admin account (LLLLL.AAAAA) and 
my domain account (DDDDDD.AAAAAA) and it doesn't seem to matter.

There are settings and ACLs that were applied from the XP Policy that are not 
correct for a Win2k3 server, and since the server policy doesn't replace them I 
believe this may be causing strange problems.

When I run Process Monitor and try to run MBSA or Fport I'm not seeing any 
access denied messages. The only thing to note is the following registry key.

When I run fport, proc mon logs the following
hklm\software\microsoft\windows nt\currentversion\image file execution options\fport.exe name not found

When I run MBSA, proc mon logs the following
HKLM\SAM\SAM\Domains\account\Users\Names\LLLLLL.AAAAA (<--- the account of the 
renamed local admin that is applied from my XP Workstation policy) name not 
found

Could it be the user profile still being named LLLLLLL.AAAAAA that is causing 
the problem?

I'm getting ready to turn on more logging on the server and see what that finds.

Take Care --John


-------------- Original message ----------------------
From: "Martin Hugo" <Martin_Hugo@xxxxxxxx>
> Are you, by any chance, accessing the server remotely?  Is there a policy
> in place that denies remote admin rights?  Try blocking inheritance on the
> OU to see if it is a current policy that is giving you the issue.
> 
> Martin T. Hugo
> Network Administrator
> Hilliard City Schools
> Tel: 614-921-7102
> Martin_Hugo@xxxxxxxx
> 
> gptalk@xxxxxxxxxxxxx writes:
> >John-
> >Sounds like two different issues. You will get the "Ok to reboot" message
> >any time that certain client side extensions (e.g. Software Installation
> >or Folder Redirection) need to run a foreground processing mode in order
> >to apply.
> >
> >On the 2nd issue, I'm not familiar with fport, so not sure I can answer
> >that, but it is very possible that if your server was getting security
> >policy from a different OU, that moving it to the new OU would not
> >automatically undo that policy. Normally, security policy "tattoos" a
> >machine unless you explicitly countermand it with a new policy.
> >
> >Darren
> >
> >-----Original Message-----
> >From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> >Behalf Of jfvanmeter@xxxxxxxxxxx
> >Sent: Monday, April 16, 2007 10:52 AM
> >To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
> >Subject: [gptalk] gpupdate question
> >
> >Hello Everyone, I have a question that I need help with.
> >
> >I have a member server Win2k3 SP1, that was placed in the wrong OU and
> >got my Windows XP Group Policy.
> >
> >Then it was moved to the correct OU, and receives the member server
> >policy.
> >
> >Every time I run "gpupdate /force" I get the following. Certain Computer
> >policies are enabled that can only run during startup.
> >ok to Reboot? (Y/N)
> >
> >Every time that I refresh group policy it wants to reboot, I see 1704
> >events that security policy in the group policy object has been applied
> >successfully.
> >
> >I've run gpupdate as the local admin and as a domain admin.
> >
> >If I try to run fport on the server as either a local admin or a domain
> >admin I get the following error "You must have administrator privileges to
> >run fport - exiting......"
> >
> >The local admin account is in the administrators group, and the domain
> >admin group is in the administrators group.
> >
> >Could this be a registry tattoo from the XP policy that got applied? Any
> >thoughts?
> >
> >Thanks Everyone, take care and have fun --John
> >


--- Begin Message ---
  • From: "Martin Hugo" <Martin_Hugo@xxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Tue, 17 Apr 2007 15:22:10 +0000
Are you, by any chance, accessing the server remotely?  Is there a policy in place that denies remote admin rights?  Try blocking inheritance on the OU to see if it is a current policy that is giving you the issue.

Martin T. Hugo
Network Administrator
Hilliard City Schools
Tel: 614-921-7102
Martin_Hugo@xxxxxxxx

--- End Message ---
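
The tattooing behaviour Darren describes in the thread can be checked by comparing the server's exported security settings with the old and new policy templates. The script below is an added example, not part of the thread: `parse_inf`, `find_tattoos` and all three sample templates are constructed for illustration, and it assumes the inputs are security-template INF text such as a `secedit /export /cfg` of the server.

```python
import re

# Sections whose lines are `"path",mode,"SDDL"` instead of `key = value`.
ACL_SECTIONS = {"file security", "registry keys"}

# Constructed sample templates (not taken from the thread).
OLD_POLICY = r"""[System Access]
MinimumPasswordLength = 8
NewAdministratorName = "renamed-admin"
[File Security]
"%SystemRoot%\system32\example.exe",2,"D:PAR(A;;FA;;;SY)"
"""
NEW_POLICY = r"""[System Access]
MinimumPasswordLength = 12
"""
CURRENT = r"""[System Access]
MinimumPasswordLength = 12
NewAdministratorName = "renamed-admin"
[File Security]
"%SystemRoot%\system32\example.exe",2,"D:PAR(A;;FA;;;SY)"
"""

def parse_inf(text):
    """Return {(section, key): value} for a security-template INF."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section is None:
            continue
        sep = "," if section in ACL_SECTIONS else "="
        key, found, value = line.partition(sep)
        if found:
            settings[(section, key.strip().strip('"').lower())] = value.strip()
    return settings

def find_tattoos(current, old_policy, new_policy):
    """Settings the old policy set, the new policy never countermands,
    and that are still in effect on the machine."""
    cur, old, new = map(parse_inf, (current, old_policy, new_policy))
    return sorted((sec, key, val) for (sec, key), val in old.items()
                  if (sec, key) not in new and cur.get((sec, key)) == val)

if __name__ == "__main__":
    for sec, key, val in find_tattoos(CURRENT, OLD_POLICY, NEW_POLICY):
        print(f"[{sec}] {key} = {val}")
```

Files written by `secedit /export` are Unicode, so read them with `encoding="utf-16"` before passing the text in.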
