Active Directory and Group Policy FAQ
Hi All,
This thread is a summary of the Frequently Asked Questions on the Windows Server forums; we consolidate them and post them here for your reference. If you have any further questions, please kindly start a new thread so that other community members and we can easily attend to your question and reply. Thanks for your cooperation.
How to Questions
Q1: How can I deploy the number, currency, date and time format via group policy?
Q3: How can I control whether the Language Bar is visible via group policy?
Q4: How can I move an AD LDS instance from one computer to another?
Q5: How can I export a list of user accounts that are enabled from Active Directory?
Q6: How can I control local user group membership via group policy?
Q8: How can I configure different password polices for different types of domain users?
Q10: How can I migrate to or reconstruct a Windows Server 2008 domain?
Problems
Q1: Windows Server 2008 fails to authenticate user account from trusted domain with the error saying that "The security database on the server does not have a computer account for this workstation trust relationship."
Q2: Internet Explorer Maintenance Group Policies do not apply during subsequent logon procedures.
Q3: DHCP Server Service does not start on Windows Server 2008 Read-Only Domain Controller.
Q6: Event 1091 is recorded every 5 minutes on a Windows Server 2008 or Vista SP1 computer.
NOTE: Microsoft does not offer formal support for the communities you'll find here. Instead, our role is to provide a platform for people who want to take advantage of the global community of Microsoft customers and product experts. Microsoft may monitor content to ensure the accuracy of the information you'll find, but any information provided by Microsoft staff is offered "AS IS" with no warranties, and no rights are conferred. You assume all risk for your use.
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 9:37
- Edited by Laura Zhang - MSFT (Moderator), 2 April 2009 7:10
All replies
How To - Q1: How can I deploy the number, currency, date and time format via group policy?
A: You can use the following methods to deploy the number, currency, date and time format via group policy:
Method 1: Use Group Policy Preference
================================
If there is a Windows Server 2008 or Windows Vista SP1 with RSAT machine in the Windows Server 2003/2008 domain, you can deploy the Regional Options group policy preference policy to manage the time and date format for a set of users.
[User Configuration\Preferences\Control Panel Settings\Regional Options]
For more information, please refer to the following TechNet articles:
Regional Options Extension
http://technet.microsoft.com/en-us/library/cc754496.aspx
Enable and Disable Settings in a Preference Item
http://technet.microsoft.com/en-us/library/cc754299.aspx
Overview of Preferences
http://technet.microsoft.com/en-us/library/cc732027.aspx
You do not need to upgrade to Windows Server 2008 to use Group Policy Preference policies. You can configure a Group Policy preference item in a Windows Server 2003 environment from either a Windows Server 2008 server or a Windows Vista with Service Pack 1 client with RSAT update installed. If you do not have Windows Server 2008 server, you can download and install Remote Server Administration Tools on Windows Vista with SP1 on a Vista client to manage and configure them.
The CSEs for the new Group Policy preference functionality are required in Windows XP Service Pack 2 (SP2), Windows Server 2003 Service Pack 1 (SP1), and Windows Vista to process the new preference items. To download and install CSEs, please refer to the following link:
Information about new Group Policy preferences in Windows Server 2008
http://support.microsoft.com/kb/943729
Method 2: Use Logon Script
=======================
The regional setting related registry entries are located in:
HKEY_CURRENT_USER\Control Panel\International
If there is no Windows Server 2008 server or Windows Vista SP1 with RSAT machine, you can deploy a logon script or create a custom .adm file to configure the registry entry.
You may perform the following steps to deploy these settings via logon script:
1. Logon as an administrator and configure the regional settings as desired.
2. Export the [HKEY_CURRENT_USER\Control Panel\International] registry key to a registry file and put this registry file in a share folder.
3. Create a new Windows Batch File with the following command:
regedit /s <Path of the registry file>
For example, if the path to the registry file is \\server\share\RegionalSetting.reg, you can include the command below in the batch file:
regedit /s \\server\share\RegionalSetting.reg
4. Create a GPO to deploy a logon script to run the newly created batch file to users.
If you do not want to deploy these settings via logon script, you may also create a custom administrative template and then deploy these settings via it. To create a custom administrative template, please refer to the following Microsoft Knowledge Base article:
How to create custom administrative templates in Windows 2000 (Apply to Windows Server 2003)
http://support.microsoft.com/kb/323639
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:38
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:47
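Method 2 hands whatever is in the shared .reg file to regedit /s in every user's session, so the file's contents, not just its location, decide what the logon script changes. The following PowerShell wrapper is an added example, not part of the original answer: it refuses to import a .reg file unless every key header in it sits under HKEY_CURRENT_USER\Control Panel\International. The share path, the function names and the sample file contents are assumptions.

```powershell
# Added example (not from the original answer): a logon-script wrapper that checks
# a .reg file only writes under HKEY_CURRENT_USER\Control Panel\International before
# handing it to "regedit /s". Path, function names and sample contents are assumed.

function Test-RegFileScope {
    param(
        [Parameter(Mandatory)] [string[]] $RegLines,   # the lines of the .reg file
        [string] $AllowedKey = 'HKEY_CURRENT_USER\Control Panel\International'
    )
    # Every "[KEY]" header must be the allowed key or one of its subkeys.
    # A header starting with "-" means "delete this key" in .reg syntax; refuse it too.
    foreach ($line in $RegLines) {
        if ($line -match '^\s*\[(?<key>[^\]]+)\]\s*$') {
            $key = $Matches['key']
            if ($key.StartsWith('-')) { return $false }
            if (-not ($key -eq $AllowedKey -or $key.StartsWith("$AllowedKey\"))) {
                return $false
            }
        }
    }
    return $true
}

function Import-RegionalSettings {
    param([Parameter(Mandatory)] [string] $RegFile)   # e.g. \\server\share\RegionalSetting.reg
    if (-not (Test-Path -LiteralPath $RegFile)) { throw "Missing registry file: $RegFile" }
    $lines = Get-Content -LiteralPath $RegFile        # regedit exports UTF-16 with BOM; Get-Content handles it
    if (-not (Test-RegFileScope -RegLines $lines)) {
        throw "Refusing to import $RegFile because it writes outside HKCU\Control Panel\International"
    }
    & regedit.exe /s $RegFile
}

# Constructed sample contents, in the layout Regedit exports, to show the check at work
$inScope = @(
    'Windows Registry Editor Version 5.00',
    '',
    '[HKEY_CURRENT_USER\Control Panel\International]',
    '"sShortDate"="yyyy-MM-dd"',
    '"sCurrency"="EUR"'
)
$outOfScope = $inScope + @(
    '',
    '[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]',
    '"Updater"="C:\\Users\\Public\\something.exe"'
)
"Regional-only export accepted: $(Test-RegFileScope -RegLines $inScope)"
"Export that also adds a Run entry accepted: $(Test-RegFileScope -RegLines $outOfScope)"

# In the logon script itself you would call, for example:
# Import-RegionalSettings -RegFile '\\server\share\RegionalSetting.reg'
```

The check is deliberately simple: it looks only at key headers, which is where a .reg file names what it changes. Keeping the share read-only for users, as the answer's design implies, remains the primary control; the wrapper just makes a tampered or mistaken file fail closed instead of being applied to every user who logs on.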
How To - Q2: How can I deploy the Windows Server 2008 Internet Explorer Enhanced Security option via group policy?
A: The administrative template file inetesc.adm can also be used to deploy the Internet Explorer Enhanced Security Configuration settings on Windows Server 2008.
To do so, you can download the adm file from the following link and import it to the GPO.
Here are the detailed steps:
1. Create a new GPO or use an existing GPO to configure the Internet Explorer Enhanced Security setting.
2. Right-click a GPO and select Edit.
3. Expand Computer Configuration\Policies, right-click Administrative Templates, and then select Add/Remove Templates.
4. Click the button Add, and then double-click the adm file to import it.
5. After that, you should see the item Classic Administrative Templates (ADM) under Administrative Templates.
6. Expand the item, and then you can configure the Internet Explorer Enhanced Security Configuration policies as you did in a Windows 2003 domain.
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:47
How To - Q3: How can I control whether the Language Bar is visible via group policy?
A: Currently, there is no group policy available to control whether the Language Bar is visible. However, the language bar settings are stored in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar
The ShowStatus value becomes 0 when we select the option "Floating on desktop".
The ShowStatus value becomes 3 when set to "Hidden", which is the default.
The ShowStatus value becomes 4 when set to "Docked on the taskbar".
As a result, you can control the language bar by using a logon script to set the ShowStatus value. Here is a sample script to enable the language bar:
' Sets the Language Bar to "Docked on the taskbar" (4); use 0 for "Floating on desktop" or 3 for "Hidden"
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKCU\Software\Microsoft\CTF\LangBar\ShowStatus", 4, "REG_DWORD"
Note: You need to log off and then log on again for the change to take effect, even though you modify it by using a logon script.
If you do not want to deploy these settings via logon script, you may also create a custom administrative template and then deploy these settings via it. To create a custom administrative template, please refer to the following Microsoft Knowledge Base article:
How to create custom administrative templates in Windows 2000 (Apply to Windows Server 2003)
http://support.microsoft.com/kb/323639
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:38
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:47
How To - Q4: How can I move an AD LDS instance from one computer to another?
A: You can move an AD LDS instance from one server to another with a backup taken with dsdbutil.exe. To do so, you can perform the following steps:
On source computer
----------------------------
Follow the steps described in the following TechNet link to create an AD LDS instance backup:
Step 1: Back Up AD LDS Instance Data
http://technet.microsoft.com/en-us/library/cc730864.aspx
On target computer
----------------------------
Please perform the following steps:
- Create a new AD LDS instance using the same settings that were specified during the installation of the AD LDS instance that you want to recover or move. In this case, do not create an application directory partition during setup. You can restore your original application directory partition from your backup. Therefore, on the Application Directory Partition page in the Active Directory Lightweight Directory Services Setup Wizard, click No, do not create an application directory partition.
- Restore the instance with the backup taken with dsdbutil.exe. For the detailed steps, refer to:
Step 2: Restore AD LDS Instance Data
http://technet.microsoft.com/en-us/library/cc725903.aspx
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:47
How To - Q5: How can I export a list of user accounts that are enabled from Active Directory?
A: When you configure the "Account options" settings for a user in Active Directory, numerical values are assigned to the UserAccountControl attribute. When a user account is disabled, the following property flag is set:
Property flag     Value in hexadecimal     Value in decimal
ACCOUNTDISABLE    0x0002                   2
To export all enabled accounts, we could specify the filter as the following:
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
For example we could export all enabled user accounts via the following command,
csvde -d "dc=<Domain>,dc=<com>" -r "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -f enabled.csv
Likewise, we could export all disabled user accounts via the following command:
csvde -d "dc=<Domain>,dc=<com>" -r "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -f disabled.csv
NOTE: There is no "!" before "userAccountControl".
For more information about UserAccountControl flags and how to manipulate them, please refer to the following articles:
How to use the UserAccountControl flags to manipulate user account properties
http://support.microsoft.com/?id=305144
How to query Active Directory by using a bitwise filter
http://support.microsoft.com/kb/269181
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:47
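The bitwise filter in the answer works for any UserAccountControl flag, not only ACCOUNTDISABLE. The PowerShell below is an added example, not code from the original answer: it decodes a UserAccountControl value into flag names and builds the LDAP_MATCHING_RULE_BIT_AND filter for a chosen flag, in the same shape csvde -r expects. The flag values are the ones documented in KB 305144; the function names and the sample value are assumptions.

```powershell
# Added example (not from the original answer): decode userAccountControl and build the
# bitwise LDAP filter for any flag. Flag values are the documented ones (KB 305144);
# function names and the sample value below are assumed.

$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)] [int] $Value)
    # Return the name of every flag whose bit is set in the value
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function New-UacLdapFilter {
    param(
        [Parameter(Mandatory)] [string] $Flag,
        [switch] $NotSet     # build the "bit is clear" form, i.e. with the "!" shown in the answer
    )
    $bit = $UacFlags[$Flag]
    if ($null -eq $bit) { throw "Unknown UserAccountControl flag: $Flag" }
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; the value is written in decimal
    $clause = "userAccountControl:1.2.840.113556.1.4.803:=$bit"
    if ($NotSet) { $clause = "!$clause" }
    "(&(objectCategory=person)(objectClass=user)($clause))"
}

# Constructed sample: 0x10222 = DONT_EXPIRE_PASSWORD + NORMAL_ACCOUNT + PASSWD_NOTREQD + ACCOUNTDISABLE
ConvertFrom-UserAccountControl -Value 0x10222

# The "enabled accounts" filter from the answer
New-UacLdapFilter -Flag ACCOUNTDISABLE -NotSet
# Accounts allowed to have an empty password: a flag worth reviewing regularly
New-UacLdapFilter -Flag PASSWD_NOTREQD
```

The generated filter can be passed straight to csvde, for example csvde -d "dc=<Domain>,dc=<com>" -r (New-UacLdapFilter -Flag DONT_REQ_PREAUTH) -f preauth.csv, which is the same shape as the commands in the answer with a different bit. Decoding exported values with ConvertFrom-UserAccountControl turns the raw decimal in the CSV into something a reviewer can read.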
How To - Q6: How can I control local user group membership via group policy?
A: You can use Restricted Groups policy to control group membership on domain clients. Restricted groups allow an administrator to define the following two properties for security-sensitive (restricted) groups:
- Members
- Member Of
The "Members" list defines who should and should not belong to the restricted group. The "Member Of" list specifies which other groups the restricted group should belong to.
For example, if you would like to add a global group to be a member of Administrators group on all workstations, you can configure the Restricted Group group policy. For the detailed steps, please refer to the following Microsoft Knowledge Base article:
How to Configure a Global Group to Be a Member of the Administrators Group on all Workstations
http://support.microsoft.com/kb/320065
For more information about Restricted Group group policy, please refer to the following articles:
Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301
Updates to Restricted Groups ("Member of") behavior of user-defined local groups
http://support.microsoft.com/kb/810076
When you use the Restricted Groups "Member of" functionality, Windows Server 2003 Group Policy objects may not be processed in the order that you expect
http://support.microsoft.com/kb/925443
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:48
How To - Q7: How can I use WMI filter to apply group policy to specific versions of operating system and to Server Core computer?
A: If you would like to control group policy application by the operating system version of a computer, you may consider using a WMI filter in this scenario. Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer. For more information about WMI Filter, please refer to the following links:
HOWTO: Leverage Group Policies with WMI Filters
http://support.microsoft.com/kb/555253
WMI filtering
http://technet.microsoft.com/en-us/library/cc779036.aspx
To differentiate operating systems of computers, you may build WMI Filters by using the Version and OperatingSystemSKU properties of Win32_OperatingSystem WMI Class. The following are some examples:
SELECT Version FROM Win32_OperatingSystem WHERE Version < "6"
Version < "6" <<-- OS is anything less than Vista/Windows Server 2008, which are version 6.X.X
SELECT Version FROM Win32_OperatingSystem WHERE Version = "5.1.2600"
Version = "5.1.2600" <<-- OS is specifically Windows XP SP2
SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%"
Version LIKE "6.0.%" <<-- OS is either Vista or Windows Server 2008 only
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%" AND ProductType <> "1"
Version LIKE "6.0.%" AND ProductType <> "1" <<-- OS is specifically Windows Server 2008 server/DC only
SELECT OperatingSystemSKU FROM Win32_OperatingSystem WHERE OperatingSystemSKU = 12
OR OperatingSystemSKU = 39 OR OperatingSystemSKU = 14 OR OperatingSystemSKU = 41 OR
OperatingSystemSKU = 13 OR OperatingSystemSKU = 40 OR OperatingSystemSKU = 29
<<-- OS is a Server Core computer. These values map back to HEX values, which map back to:
PRODUCT_DATACENTER_SERVER_CORE
PRODUCT_DATACENTER_SERVER_CORE_V
PRODUCT_ENTERPRISE_SERVER_CORE
PRODUCT_ENTERPRISE_SERVER_CORE_V
PRODUCT_STANDARD_SERVER_CORE
PRODUCT_STANDARD_SERVER_CORE_V
PRODUCT_WEB_SERVER_CORE
More Information
-------------------------
http://msdn.microsoft.com/en-us/library/ms724358.aspx
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:43
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:48
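A WMI filter that is wrong simply causes the GPO to be skipped silently, so it pays to evaluate the WQL on a representative computer before linking it. The PowerShell below is an added example, not code from the original answer: it runs the queries from the answer locally and reports whether each one would match this host, next to the host's actual Version, ProductType and OperatingSystemSKU. It assumes Get-CimInstance is available (Windows PowerShell 3.0 or later; on older hosts Get-WmiObject -Query takes the same WQL). One caveat the exercise makes visible: Version is a string, so "Version < "6"" is a text comparison, and a version beginning with "10." also sorts below "6".

```powershell
# Added example (not from the original answer): evaluate WMI-filter WQL queries on the
# local computer before attaching them to a GPO. Assumes Get-CimInstance (PowerShell 3.0+).

function Test-WmiFilterQuery {
    param([Parameter(Mandatory)] [string] $Query)
    # A WMI filter matches when its query returns at least one instance
    $result = @(Get-CimInstance -Query $Query -ErrorAction Stop)
    return ($result.Count -gt 0)
}

# What this host reports, for comparison with the filter results
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"Local Version={0} ProductType={1} OperatingSystemSKU={2}" -f $os.Version, $os.ProductType, $os.OperatingSystemSKU

# The queries from the answer (ProductType 1 = workstation; 2 = domain controller; 3 = server)
$queries = @(
    'SELECT Version FROM Win32_OperatingSystem WHERE Version < "6"',
    'SELECT Version FROM Win32_OperatingSystem WHERE Version = "5.1.2600"',
    'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%"',
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%" AND ProductType <> "1"',
    ('SELECT OperatingSystemSKU FROM Win32_OperatingSystem WHERE OperatingSystemSKU = 12 ' +
     'OR OperatingSystemSKU = 39 OR OperatingSystemSKU = 14 OR OperatingSystemSKU = 41 ' +
     'OR OperatingSystemSKU = 13 OR OperatingSystemSKU = 40 OR OperatingSystemSKU = 29')
)

foreach ($q in $queries) {
    # Print "True"/"False" beside each query so a filter that never matches is obvious
    "{0,-5} {1}" -f (Test-WmiFilterQuery -Query $q), $q
}
```

Running this on one machine of each type you intend to target (a client, a full server, a Server Core installation) before deployment confirms that the filter selects exactly those types and nothing else.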
How To - Q8: How can I configure different password polices for different types of domain users?
A: In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain. These policies were specified in the Default Domain Policy for the domain. The Windows Server 2008 operating system provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. It is the Fine-Grained Password policy. For example, you can apply more strict settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.
For more information on Fine-Grained Password policy, please refer to the following Microsoft TechNet link:
AD DS: Fine-Grained Password Policies
http://technet.microsoft.com/en-us/library/cc770394.aspx
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:48
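The "stricter settings for privileged accounts" case from the answer, as an added example rather than code from the original post. It uses the Active Directory PowerShell module (shipped with the Windows Server 2008 R2 and later management tools), which is assumed to be installed; fine-grained password policies themselves require the Windows Server 2008 domain functional level. The PSO name, the numeric settings and the target group are assumptions to adjust.

```powershell
# Added example (not from the original answer): create a Password Settings Object (PSO)
# for privileged accounts with the Active Directory module. Name, values and target
# group are assumed; the domain must be at the Windows Server 2008 functional level.
Import-Module ActiveDirectory

$psoSettings = @{
    Name                        = 'PSO-PrivilegedAccounts'   # assumed name
    Precedence                  = 10            # lowest value wins when several PSOs apply to one user
    MinPasswordLength           = 15
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    MinPasswordAge              = '1.00:00:00'  # TimeSpan: 1 day
    MaxPasswordAge              = '60.00:00:00' # TimeSpan: 60 days
    LockoutThreshold            = 5
    LockoutObservationWindow    = '00:30:00'
    LockoutDuration             = '00:30:00'
}
New-ADFineGrainedPasswordPolicy @psoSettings

# PSOs are applied to users and global security groups, not to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity $psoSettings.Name -Subjects 'Domain Admins'

# Check which policy actually wins for a given account after the PSO is in place
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

Get-ADUserResultantPasswordPolicy is the useful verification step: because precedence decides between overlapping PSOs, and a PSO applied directly to a user beats one applied through a group, reading the resultant policy for a sample account confirms that the stricter settings really took effect.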
How To - Q9: How can I configure users to apply some specific user configuration group polices only when they logon to some computers, such as terminal server?
A: Generally speaking, Group Policy applies to users or computers in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.
To set user configuration per computer, follow these steps:
- In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
- Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.
This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used, for example, computers in public areas, in laboratories, and in classrooms, etc.
For more information about the Loopback policy, please refer to the following Microsoft Knowledge Base article:
231287 Loopback Processing of Group Policy
http://support.microsoft.com/?id=231287
The Loopback group policy setting is especially useful in a terminal server environment. Administrators usually want to lock down a terminal session so that all users get a restricted environment when they log on to terminal session; however, this restriction should not affect other logon sessions when users log on to other domain computers.
To lock down a terminal session, you can refer to the following Microsoft Knowledge Base articles and links:
278295 How to lock down a Windows Server 2003 or Windows 2000 Terminal Server
http://support.microsoft.com/?id=278295
Locking Down Windows Server 2003 Terminal Server Sessions
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:46
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 6:46
How To - Q10: How can I migrate to or reconstruct a Windows Server 2008 domain?
A: Sometimes you might choose to restructure your existing environment and migrate to a complete new Windows Server 2008 domain due to the following considerations:
• To optimize the arrangement of elements within the logical Active Directory structure
• To assist in completing a business merger, acquisition, or divestiture
Restructuring involves the migration of resources between Active Directory domains in either the same forest or in different forests. You can use the Active Directory Migration Tool version 3.1 (ADMT v3.1) to perform object migrations and security translation as necessary so that users can maintain access to network resources during the migration process. To download the ADMT v3.1 tool, please refer to the following link:
Active Directory Migration Tool version 3.1
As domain migration is a rather complex task, please read the following white paper before you perform the migration task:
ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains
Laura Zhang - MSFT
Question - Q1: Windows Server 2008 fails to authenticate user account from trusted domain with the error saying that "The security database on the server does not have a computer account for this workstation trust relationship."
Symptom
=========
In a multi-domain environment, you may find that a Windows Server 2008 or Windows Vista Service Pack 1 based computer fails to authenticate user accounts from a trusted domain.
If you try to use that user account from the trusted domain to log on to this computer, the following error may occur:
"The security database on the server does not have a computer account for this workstation trust relationship."
Possible Cause
============
This behavior may occur if the trust relationship between these two domains is the "downlevel" type. If the trust type is considered downlevel and the logon attempt fails with Kerberos error "0xc000018b - STATUS_NO_TRUST_SAM_ACCOUNT", Windows Server 2008 or Windows Vista SP1 will not fall back to NTLM authentication.
NOTE: To check the trust status, you may run the NLTEST.exe tool. Use the following command:
nltest /domain_trusts
The output would be like as follows:
0: <Domain 1> (NT 4) (Direct Inbound)
1: <Domain 2> (NT 5) (Direct Inbound)
2: <Domain 3> (NT 5) (Direct Inbound)
If the type is "NT 4", it means the trust is a downlevel trust.
Resolution
========
To resolve this issue, recreate the trust between the Active Directory domains to eliminate the downlevel trust type.
After recreating the trust, run "nltest /domain_trusts" again to verify the trust type is "NT 5".
More Information
===============
When the trust level is downlevel and Kerberos fails with the "STATUS_NO_TRUST_SAM_ACCOUNT" error, Windows Server 2008 or Vista SP1 behaves differently from Windows Server 2003 or Vista RTM. Windows Server 2008 and Vista SP1 will not fall back to NTLM.
This was a design change made to address security concerns regarding a Downgrade attack.
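Checking for downlevel trusts is easy to script, which helps when the domain list is long or the check has to be repeated after trusts are recreated. The PowerShell below is an added example, not part of the original answer: it parses nltest /domain_trusts output and returns every trust reported as "NT 4". The sample output embedded in it is constructed in the layout nltest prints; the function name is an assumption.

```powershell
# Added example (not from the original answer): find downlevel ("NT 4") trusts in
# "nltest /domain_trusts" output. The sample lines are constructed; the function name is assumed.

function Get-DownlevelTrust {
    param([Parameter(Mandatory)] [string[]] $NltestOutput)
    # Trust lines look like: "    0: CONTOSO contoso.com (NT 5) (Forest Tree Root) (Primary Domain) (Native)"
    foreach ($line in $NltestOutput) {
        if ($line -match '^\s*\d+:\s+(?<name>\S+).*\((?<type>NT \d)\)') {
            if ($Matches['type'] -eq 'NT 4') {
                [pscustomobject]@{
                    Domain    = $Matches['name']
                    TrustType = $Matches['type']
                    Line      = $line.Trim()
                }
            }
        }
    }
}

# Constructed sample output (not captured from a real domain)
$sample = @(
    'List of domain trusts:',
    '    0: LEGACY legacy.example (NT 4) (Direct Inbound)',
    '    1: CORP corp.example (NT 5) (Forest Tree Root) (Primary Domain) (Native)',
    '    2: PARTNER partner.example (NT 5) (Direct Outbound) (Direct Inbound)',
    'The command completed successfully'
)
Get-DownlevelTrust -NltestOutput $sample

# Against the real domain (needs nltest.exe and connectivity to a domain controller):
# Get-DownlevelTrust -NltestOutput (& nltest /domain_trusts)
```

Run after the trust has been recreated, an empty result is the confirmation the Resolution section asks for; any trust still listed is one on which Windows Server 2008 and Vista SP1 clients will keep refusing the NTLM fallback by design.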
Laura Zhang - MSFT
Question - Q2: Internet Explorer Maintenance Group Policies do not apply during subsequent logon procedures.
Symptom
=========
You configure Internet Explorer on Windows client computers by using the Active Directory Internet Explorer Maintenance Group Policies to customize the Internet Explorer Home page.
The policy is applied only the first time that the user logs on. For example, the user's home page is changed to the home page that is specified in the Group Policy Object (GPO). If the user later changes their home page to a different one, the GPO never sets it back to the page that the user specified in the GPO during a subsequent logon procedure.
This behavior is applicable to all Internet Explorer Maintenance Policies.
Possible Cause
============
There are two possible causes:
1. During subsequent logon procedures, Gpt.ini is queried and the version is checked. The client believes that the GPO has already been applied and therefore the IEAK\Install.ins file is not requested during the second logon procedure. Because the Install.ins file is not requested, the Home_Page value is not processed and is not reset to the home page that is specified in the GPO.
2. The Internet Explorer Maintenance policy is configured in Preference Mode. The Internet Explorer Maintenance preference mode is designed to provide initial settings for a user without enforcing these settings. For example, the user may set the corporate intranet portal page as the home page. If no other restrictions apply, the user may modify these settings. When an Internet Explorer Maintenance policy is in preference mode, the policy will only be applied to a client computer again when the policy has changed. At that time, the new preferences will be introduced on the client computer.
Resolution
========
1. Enable the "Internet Explorer Maintenance Policy Processing" policy under [Computer Configuration\Administrative Templates\System\Group Policy] and check the option "Process even if the Group Policy objects have not changed". This option updates and reapplies the policies even if the policies have not changed. To do so, please perform the following steps:
a. Open the corresponding group policy in the Group Policy Editor.
b. Locate the [ Computer Configuration\Administrative Templates\System\Group Policy\ Internet Explorer Maintenance Policy Processing] group policy, double click it to open the Properties dialog.
c. Select the “Enabled” option and check the “Process even if the Group Policy objects have not changed” option.
d. Click OK.
e. Refresh group policy to test this problem again.
2. Ensure that the policy is not configured in Preference Mode.
a. Open and edit the GPO where you configured these IE Maintenance settings.
b. Expand to the branch [User Configuration\Windows Settings\Internet Explorer Maintenance].
c. Right-click the above "Internet Explorer Maintenance" item, please verify if the "Preference Mode" option is checked.
d. If it is checked, we need to reset settings and disable the "Preference Mode". To do this,
- Note down all the settings you have configured. We need to re-configure them later.
- Right-click the "Internet Explorer Maintenance" in the left pane, and click "Reset Browser Settings".
- Right-click the "Internet Explorer Maintenance" in the left pane, and make sure to uncheck "Preference Mode".
- Re-configure your settings.
- Refresh group policy and wait until this change has been replicated to all other DC's and then check this issue again.
Laura Zhang - MSFT
- Edited by Laura Zhang - MSFT (Moderator), 31 March 2009 7:05
Question - Q3: DHCP Server Service does not start on Windows Server 2008 Read-Only Domain Controller.
Symptom
=========
On a Windows Server 2008 based Read-Only Domain Controller (RODC), the DHCP Server service does not start. When you try to start the service, the following error message will occur:
An error occurred while trying to start the DHCP Server service on <computername.domainname.com>. For more information about the error, see Event Viewer.
The request is not supported.
In the system event log, the following events may be logged:
Product: Windows Operating System
ID: 1035
Source: Microsoft-Windows-DHCP-Server
Version: 6.0
Symbolic Name: EVENT_SERVER_READ_ONLY_GROUP_ERROR
Message: The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.
Product: Windows Operating System
ID: 1036
Source: Microsoft-Windows-DHCP-Server
Version: 6.0
Symbolic Name: EVENT_SERVER_ADMIN_GROUP_ERROR
Message: The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer. The error code is in the data.
Possible Cause
============
This behavior is as expected. DHCP service is trying to create and read the “DHCP Users” and “DHCP Administrators” groups in Active Directory. However, this cannot be done on Read-Only Domain Controllers. The objects can only be replicated into an RODC from a writable DC.
Resolution
========
To work around this behavior, use either of the methods below:
Method 1
-------------
Create the groups manually on a writable domain controller and allow them to replicate to the RODC.
Method 2
--------------
1. Install DHCP on a writable domain controller to allow the groups to be created automatically, then allow them to replicate to the RODC.
2. Uninstall the DHCP server service from the writable DC and the groups will remain.
More Information
================
Applications That Are Known to Work with RODCs
http://technet.microsoft.com/en-us/library/cc732790.aspx
Laura Zhang - MSFT
Question - Q4: The "Enterprise root CA" option is not available when you try to install the Certificate Services component in Windows Server 2003.
Symptom
=========
In Microsoft Windows Server 2003, the Enterprise root CA option is not available. This issue occurs when you try to install the Certificate Services component and set up a certification authority.
Possible Cause
============
This issue can occur if the Public Key Services container does not exist in Active Directory. For example, this issue can occur if the ADSIEdit tool (Adsiedit.msc) was used to delete the Public Key Services container.
Resolution
========
To resolve this issue, please refer to the following Microsoft Knowledge Base article:
In Windows Server 2003, the "Enterprise root CA" option is not available when you try to install the Certificate Services component
http://support.microsoft.com/kb/938613/en-us
Laura Zhang - MSFT
Question - Q5: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled.
Symptom
=========
Consider the following scenario:
• The following policies are enabled on a domain controller that is running Windows Server 2003 in a domain:
[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)]
[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)]
• The following policies are enabled on a member computer that is running Windows Vista Service Pack 1 or Windows Server 2008 in the same domain:
[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)]
[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (If server agrees)]
In this scenario, Group Policy settings are not applied on the member computer. Additionally, the following event is logged in the System log on the member computer:
Date: Date
Event ID: 1058
Level: Error
Keywords:
User: UserSID
Computer: ComputerName
Description:
The processing of Group Policy failed. Windows attempted to read the file \\ path \gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Note: This problem occurs only on member computers that are running Windows Server 2008 or Windows Vista Service Pack 1 (SP1). It does not occur on member computers that are running Windows Server 2003, Windows XP, or the release version of Windows Vista.
Possible Cause
============
When a Server Message Block (SMB) version 1 client establishes a non-guest session or a non-anonymous session with a server, the client enables security signatures for the server. Later sessions then inherit the security signature sequence that is already established.
To improve security, Windows Server 2008 and Windows Vista SP1 prevent server authenticated connections from being maliciously downgraded to a guest session or to an anonymous session. However, this improved security does not address the scenario that is described in the "Symptoms" section.
Resolution
========
To resolve this issue, please download and install the hot fix described in the following Microsoft Knowledge Base article:
Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled
http://support.microsoft.com/kb/950876
To work around this problem, use one of the following methods.
Method 1
Disable the following policy on the member computers that are running Windows Server 2008 or Windows Vista SP1:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
Method 2
On the member computers that are running Windows Server 2008 or Windows Vista SP1, follow these steps:
1. Click Start , type regedit in the Start Search box, and then press ENTER.
2. Locate the RequireSecuritySignature registry entry under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
3. Right-click RequireSecuritySignature , and then click Modify .
4. In the Value data box, type 0 , and then click OK .
5. Exit Registry Editor.
Method 3
On the member computers that are running Windows Server 2008 or Windows Vista Service Pack 1, follow these steps:
1. Click Start, type regedit in the Start Search box, and then press ENTER.
2. Locate the AllowGuestAuthWhenSigningRequired registry entry under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
3. Right-click AllowGuestAuthWhenSigningRequired , and then click Modify .
4. In the Value data box, type 1, and then click OK .
5. Exit Registry Editor.
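Methods 1 to 3 work by relaxing the client-side signing protection, so it is worth knowing afterwards which member computers were changed this way and which got the hotfix instead. The PowerShell below is an added example, not part of the original answer: it reads the LanmanWorkstation values the methods touch and flags a host where signing has been weakened. It is read-only; the value names are the ones the answer uses (EnableSecuritySignature is the registry value behind "Digitally sign communications (if server agrees)"), and the function name is an assumption.

```powershell
# Added example (not from the original answer): report the SMB client signing values
# that Methods 1-3 above change. Read-only; function name is assumed.

function Get-SmbClientSigningState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    # A value that is absent reads as $null here and fails both comparisons below
    [pscustomobject]@{
        Computer                          = $env:COMPUTERNAME
        RequireSecuritySignature          = $p.RequireSecuritySignature           # 1 = "(always)"; Method 1/2 set 0
        EnableSecuritySignature           = $p.EnableSecuritySignature            # 1 = "(if server agrees)"
        AllowGuestAuthWhenSigningRequired = $p.AllowGuestAuthWhenSigningRequired  # 1 = Method 3 applied
        SigningWeakened                   = (($p.RequireSecuritySignature -eq 0) -or
                                             ($p.AllowGuestAuthWhenSigningRequired -eq 1))
    }
}

Get-SmbClientSigningState

# For a list of member computers with PowerShell remoting enabled, the same check can be
# fanned out and the weakened hosts kept for follow-up:
# Invoke-Command -ComputerName (Get-Content .\members.txt) -ScriptBlock ${function:Get-SmbClientSigningState} |
#     Where-Object SigningWeakened
```

Hosts that show SigningWeakened as True are the ones to revisit once the hotfix from KB 950876 has been installed, so the workaround can be reversed and "Digitally sign communications (always)" re-enabled.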
Laura Zhang - MSFT
Question - Q6: Event 1091 is recorded every 5 minutes on a Windows Server 2008 or Vista SP1 computer.
Symptom
=========
Event 1091 is recorded every 5 minutes on domain member computers that are running Windows Vista Service Pack 1 or Windows Server 2008.
Eventlog: System
Source: Microsoft-Windows-GroupPolicy
Eventid: 1091
Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <Group Policy Registry>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.
Possible Cause
============
1. Some MOF files which are needed to generate the RSoP result are missing.
2. You configure a file security policy to set file permissions on a folder. In addition, the path that you specified for the folder contains some environment variables. For example, you specify the following path for the folder:
%ALLUSERSPROFILE%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP
The Group Policy engine translates the environment variables incorrectly.
Resolution
========
1. Verify you have the following files:
%SYSTEMROOT%\system32\wbem\polprocl.mof
%SYSTEMROOT%\system32\wbem\en-US\polprocl.mfl
NOTE: "en-US" should be replaced with the actual language that is installed
2. If those files are missing, you can copy them from a working full Windows Server 2008 installation and then run the following commands in an elevated Command Prompt window to recompile the .mof file:
mofcomp %SYSTEMROOT%\system32\wbem\polprocl.mof
gpupdate /force
3. If you configure file security policy and use environment variables in the file path, please download and install the hotfix described in the following Microsoft Knowledge Base article:
The RSoP snap-in does not display some file security policies, and Event ID 1091 is logged on domain member computers that are running Windows Vista Service Pack 1 or Windows Server 2008
http://support.microsoft.com/kb/955248
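The file check and mofcomp step above can be scripted. This is an added example, not part of the original post: it counts recent Event 1091 entries, checks for the two files named in the resolution (taking the language folder from the OS UI culture), recompiles the MOF and refreshes policy. It assumes an elevated PowerShell session on the affected Vista SP1 or Server 2008 member, and it does not address cause 2 (environment variables in file security paths), which needs the hotfix.

```powershell
# Added example: check Event 1091 and the polprocl MOF/MFL files from the resolution.
# Assumptions: elevated session on the affected member; the installed language is the
# OS UI culture (override $culture if, for example, a language pack is in use).
$wbem    = Join-Path $env:SystemRoot 'system32\wbem'
$culture = (Get-UICulture).Name            # e.g. en-US
$mof     = Join-Path $wbem 'polprocl.mof'
$mfl     = Join-Path $wbem "$culture\polprocl.mfl"

# 1. How recently and how often is 1091 firing? (the FAQ says every 5 minutes)
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1091 }
$recent = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 12 -ErrorAction SilentlyContinue)
if ($recent.Count -gt 0) {
    Write-Host ("Newest Event 1091: {0}; oldest of the last {1}: {2}" -f
        $recent[0].TimeCreated, $recent.Count, $recent[-1].TimeCreated)
} else {
    Write-Host 'No Event 1091 found in the System log.'
}

# 2. Are the files from the resolution present?
$missing = @($mof, $mfl) | Where-Object { -not (Test-Path $_) }
if ($missing) {
    Write-Warning ("Missing: {0}. Copy from a working Windows Server 2008 install, then rerun." -f ($missing -join ', '))
    return
}

# 3. Recompile the MOF and refresh policy, then give the engine one interval to log again.
& (Join-Path $wbem 'mofcomp.exe') $mof
if ($LASTEXITCODE -ne 0) { Write-Warning "mofcomp exited with $LASTEXITCODE"; return }
gpupdate /force | Out-Null
Write-Host 'Recompiled polprocl.mof and refreshed policy. If 1091 keeps appearing and you use'
Write-Host 'environment variables in file security paths, install the hotfix from KB955248.'
```

Run it once, wait at least one more policy interval, and re-run to confirm the newest 1091 timestamp no longer advances.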
Laura Zhang - MSFT
Question - Q7: DCPROMO fails with following error: "To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep".
Symptom
=========
You would like to install a Windows Server 2008 domain controller in a Windows Server 2003 domain. You have run the "adprep /forestprep" and "adprep /domainprep" commands by using the "sources/adprep" files from the Windows Server 2008 server. However, when you run dcpromo on the 2008 server, you still receive the following error message:
To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep".
Possible Cause
============
This issue can occur if you are using pre-RTM media to do the ADPrep commands.
Resolution
========
To verify it, open adsiedit.msc on the domain controller that holds the infrastructure operations master role, expand to cn=ActiveDirectoryUpdate,cn=DomainUpdates,cn=system,DC=domain, right-click cn=ActiveDirectoryUpdate, and then check the value of the attribute revision.
If you are using pre-RTM media, the revision is 2.
If you are using RTM media, the revision is 3.
If it is pre-RTM media, please find an RTM version of the Windows Server 2008 media and run the "adprep /forestprep" and "adprep /domainprep" commands again.
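The adsiedit check above can be done from any domain-joined machine with PowerShell and no extra tools. This is an added example, not part of the original post: it locates the infrastructure master through the fSMORoleOwner attribute of CN=Infrastructure, binds to that DC and reads the revision attribute the post describes. The mapping 2 = pre-RTM, 3 = RTM is the post's; the note that later adprep versions raise the value further is mine. It assumes the current user can read CN=System in the domain partition.

```powershell
# Added example: read the revision attribute of CN=ActiveDirectoryUpdate,CN=DomainUpdates
# on the infrastructure master, instead of opening adsiedit.msc.
# Assumption: run as a domain user with read access to CN=System in the domain partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext.Value

# fSMORoleOwner on the Infrastructure container is the NTDS Settings DN of the
# infrastructure master; its parent is the server object, which carries dNSHostName.
$infraRole = ([ADSI]"LDAP://CN=Infrastructure,$domainDn").fSMORoleOwner.Value
$serverDn  = $infraRole -replace '^CN=NTDS Settings,', ''
$infraHost = ([ADSI]"LDAP://$serverDn").dNSHostName.Value

$updateDn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainDn"
$update   = [ADSI]"LDAP://$infraHost/$updateDn"
$revision = [int]$update.revision.Value

Write-Host "Infrastructure master: $infraHost"
Write-Host "$updateDn revision = $revision"
switch ($revision) {
    2 { Write-Warning 'revision 2: domainprep was run from pre-RTM media. Rerun adprep /forestprep and /domainprep from Windows Server 2008 RTM media.' }
    3 { Write-Host    'revision 3: domainprep from Windows Server 2008 RTM media is in place. Look elsewhere for the dcpromo error.' }
    default { Write-Host "revision $revision is outside the values this FAQ describes (later adprep versions raise it)." }
}
```

If the value is 3 and dcpromo still complains about forestprep, check replication to the DC dcpromo is talking to before rerunning adprep.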
Question - Q8: The Active Directory Certificate Services service does not start on a Windows Server 2008-based certification authority server if the key storage provider does not support SHA1 hash signing.
Symptom
=========
Consider the following scenario:
• You are running a Windows Server 2008-based computer that has a third-party key storage provider (KSP) installed.
• The third-party KSP does not allow for SHA1 hash signing. The KSP may be configured to disallow SHA1 hash signing or may not support it.
• You install the Active Directory Certificate Services role on the computer. When you do this, you configure Certificate Services to use the KSP for the certification authority (CA) private key.
In this scenario, the Active Directory Certificate Services service does not start. Additionally, the following event is logged in the System log:
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 100
Date: Date
Time: Time
User: N/A
Computer: ComputerName
Description: "Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. CAName ErrorDescription "
Possible Cause
============
When the Active Directory Certificate Services service starts, it tests the private key by signing a random SHA1 hash. If the KSP that is used for the private key does not allow for SHA1 hash signing, the Active Directory Certificate Services service does not start.
Resolution
========
To resolve this issue, please download and install the hotfix described in the following Microsoft Knowledge Base article:
The Active Directory Certificate Services service does not start on a Windows Server 2008-based certification authority server if the key storage provider does not support SHA1 hash signing
http://support.microsoft.com/kb/952722
Laura Zhang - MSFT
Question - Q9: You receive the Event 1030 and 1058 errors from Userenv saying that "Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com".
Symptom
=========
You experience one or more of the following symptoms on a computer that is running Microsoft Windows Server 2003, Microsoft Windows XP or Microsoft Windows 2000:
• Group Policy settings are not applied to the computers.
• Group Policy replication is not completed between the domain controllers on the network.
• You cannot open Group Policy snap-ins. For example, you cannot open the Domain Controller Security Policy snap-in, or the Domain Security Policy snap-in.
If you view the Application log in Event Viewer on Windows XP or Windows Server 2003, you see events that are similar to the following events:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: Date
Time: Time
User: User_Name
Computer: Computer_Name
Description: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com. The file must be present at the location <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Error_Message). Group Policy processing aborted. For more information, see Help and Support Center at http://support.microsoft.com.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: Date
Time: Time
User: User_Name
Computer: Computer_Name
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine. For more information, see Help and Support Center at http://support.microsoft.com.
Possible Cause
============
These issues occur if the computers that are on your network cannot connect to certain Group Policy objects. Specifically, these objects are in the Sysvol folders on your network's domain controllers.
Resolution
========
Because there are many possible causes for this event error, we suggest that you refer to the following Microsoft Knowledge Base article to troubleshoot the configuration of your network to narrow down the cause and then correct the configuration:
Userenv errors occur and events are logged after you apply Group Policy to computers that are running Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/kb/887303
The main steps include the following:
Step one: Examine the DNS settings and network properties on the servers and client computers
Step two: Examine the Server Message Block signing settings on the client computers and member servers
Step three: Make sure that the TCP/IP NetBIOS Helper service is started on all computers
Step four: Make sure that Distributed File System (DFS) is enabled on all computers
Step five: Examine the contents and the permissions of the Sysvol folder
Step six: Make sure that the Bypass traverse checking right is granted to the required groups
Step seven: Make sure that the domain controllers are not in a journal wrap state
Step eight: Run the Dfsutil /PurgeMupCache command
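Most of the eight steps from KB887303 can be checked from the failing client in one pass. The following script is an added example, not part of the original post or the KB article: it resolves the domain and its DC SRV records (step one), reads the client-side SMB signing values (step two), checks the TCP/IP NetBIOS Helper service (step three) and the DFS client switch (step four), tries to read gpt.ini for the GPO named in the event through the \\domain\sysvol path (step five) and purges the MUP cache (step eight). The GPO GUID and SYSVOL path are the ones in the event text; the Mup\DisableDfs value, the lmhosts service name and the use of dfsutil are my assumptions. Steps six and seven are server-side and are left to the KB article.

```powershell
# Added example: client-side pass over the KB887303 checklist for Event 1058/1030.
# Assumptions: domain-joined client; GPO GUID and path as in the event text;
# Mup\DisableDfs is the DFS client switch; dfsutil is available (Support Tools on XP/2003).
$domain  = $env:USERDNSDOMAIN
$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # GUID from the event; Default Domain Policy
$gptIni  = "\\$domain\sysvol\$domain\Policies\$gpoGuid\gpt.ini"

# Step one: DNS. The domain name must resolve and DC SRV records must be found.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($domain) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$domain resolves to: $($addrs -join ', ')"
} catch {
    Write-Warning "DNS lookup for $domain failed: $_"
}
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>$null | Select-String 'svr hostname'
if ($srv) { Write-Host "DC SRV records: $(($srv | ForEach-Object { ($_ -split '=')[-1].Trim() }) -join ', ')" }
else      { Write-Warning "No _ldap._tcp.dc._msdcs.$domain SRV records returned by the configured DNS server" }

# Step two: client-side SMB signing values (compare with the DC's server-side policy).
$ws = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -ErrorAction SilentlyContinue
Write-Host "Client SMB signing: Require=$($ws.RequireSecuritySignature) Enable=$($ws.EnableSecuritySignature)"

# Step three: TCP/IP NetBIOS Helper (service name lmhosts).
$svc = Get-Service -Name lmhosts -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') {
    Write-Warning "TCP/IP NetBIOS Helper is not running (status: $(if ($svc) { $svc.Status } else { 'not found' }))"
}

# Step four: DFS client must be enabled, or \\domain\sysvol cannot be reached.
$mup = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup' -Name DisableDfs -ErrorAction SilentlyContinue
if ($mup -and $mup.DisableDfs -eq 1) { Write-Warning 'DFS client is disabled (Mup\DisableDfs = 1)' }

# Step five: read the file the event complains about, through the DFS path.
if (Test-Path $gptIni) {
    Write-Host "Readable: $gptIni"
    Get-Content $gptIni | Select-String '^Version=' | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Warning "Cannot read $gptIni (check SYSVOL share, NTFS permissions and Bypass traverse checking on the DC)"
}

# Step eight: purge the MUP cache so the next policy refresh re-resolves the path.
dfsutil /PurgeMupCache
```

Run it as a user who experiences the event, then run gpupdate /force and re-check the Application log; if gpt.ini is readable here but Userenv still logs 1058, the remaining causes are the server-side steps (SYSVOL contents and permissions, journal wrap).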
Laura Zhang - MSFT
Question - Q10: A Windows Vista-based or Windows Server 2008-based computer needs at least the Read permission for Group Policy Objects in Active Directory Domain Services if the computer is configured for loopback processing.
Symptom
=========
If a Windows Vista-based or Windows Server 2008-based computer is configured for loopback processing, the computer does not receive any settings from GPOs in AD DS.
Possible Cause
============
This behavior in Windows Vista and Windows Server 2008 is changed from the behavior in Windows XP and in Windows Server 2003. Windows Vista and Windows Server 2008 try to retrieve the attributes of GPOs for users from the computer. In Windows Vista or in Windows Server 2008, the loopback policy does not apply if the computer does not have at least the Read permission on the GPOs.
Resolution
========
To read the attributes of the GPOs, the computer needs at least the Read permission for the GPOs. Please ensure that the computer object has the Read permission on the group policy object.
1. Open the Group Policy Management console, expand the forest and domain tree on the left panel.
2. Select the loopback group policy. The settings will be displayed on the right side of panel.
3. In the “Scope” tab, check the “Security Filtering” configuration to ensure that the computer object has at least “Read” permission. By default, “Authenticated Users” group has this permission. If you have not customized the security settings for the group policy, it should be fine as a domain computer belongs to the “Authenticated Users” group.
Laura Zhang - MSFT
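The Security Filtering check in step 3 above can be scripted for every GPO that is linked where loopback applies. This is an added example, not part of the original post: it uses the GroupPolicy module's Get-GPPermission to list who holds at least Read on each named GPO and flags GPOs where neither Authenticated Users nor Domain Computers do, which is the situation in which a Vista or Server 2008 computer silently skips the GPO in loopback mode. It assumes GPMC with the GroupPolicy PowerShell module is installed, and the GPO name in the default parameter is hypothetical.

```powershell
# Added example: verify that computers can still Read the GPOs involved in loopback
# processing after Security Filtering has been customised.
# Assumptions: GroupPolicy module (GPMC) present; 'Loopback-Kiosk-Policy' is a made-up GPO name.
param([string[]]$GpoNames = @('Loopback-Kiosk-Policy'))
Import-Module GroupPolicy

# Every level above None includes Read; Apply is what Security Filtering shows.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoComputerRead([string]$Name) {
    $perms   = Get-GPPermission -Name $Name -All -ErrorAction Stop
    $granted = $perms | Where-Object { -not $_.Denied -and $readLevels -contains [string]$_.Permission }
    $denied  = $perms | Where-Object { $_.Denied }
    $readers = @($granted | ForEach-Object { $_.Trustee.Name })

    if ($denied) {
        Write-Warning ("{0}: explicit Deny entries for {1}; a computer in any of these groups loses Read." -f
            $Name, (($denied | ForEach-Object { $_.Trustee.Name }) -join ', '))
    }
    if ($readers -contains 'Authenticated Users') {
        Write-Host "$Name : Authenticated Users still hold Read, so domain computers can read it for loopback."
        return $true
    }
    if ($readers -contains 'Domain Computers') {
        Write-Host "$Name : Authenticated Users were removed but Domain Computers hold Read."
        return $true
    }
    Write-Warning ("{0}: no computer-wide principal holds Read (readers: {1}). Vista/2008 loopback will skip this GPO unless the computer, or a group it belongs to, is granted Read." -f
        $Name, ($readers -join ', '))
    return $false
}

foreach ($gpo in $GpoNames) { [void](Test-GpoComputerRead $gpo) }
```

Where a GPO fails the check and you do not want to hand it back to Authenticated Users, grant Read without Apply with Set-GPPermission -Name <gpo> -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead; the user-side Apply filtering stays as it was, and the computer can now read the GPO attributes that loopback needs.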

