Active Directory and Group Policy FAQ


  • How To - Q1: How can I deploy the number, currency, date and time format via group policy?


    A: You can use the following methods to deploy the number, currency, date and time format via group policy:

     

    Method 1: Use Group Policy Preference

    ================================

    If there is a Windows Server 2008, Windows Server 2008 R2, Windows Vista SP1 with RSAT or Windows 7 with RSAT machine in the Windows Server 2003/2008/2008 R2 domain, you can deploy the Regional Options group policy preference policy to manage the date and time format for a set of users.

     

    [User Configuration\Preferences\Control Panel Settings\Regional Options]

     

    For more information, please refer to the following TechNet articles:

     

    Regional Options Extension

    http://technet.microsoft.com/en-us/library/cc754496.aspx

     

    Enable and Disable Settings in a Preference Item

    http://technet.microsoft.com/en-us/library/cc754299.aspx

     

    Overview of Preferences

    http://technet.microsoft.com/en-us/library/cc732027.aspx

     

    You do not need to upgrade to Windows Server 2008 or Windows Server 2008 R2 to use Group Policy Preference policies. You can configure a Group Policy preference item in a Windows Server 2003 environment from either a Windows Server 2008/R2 server or a Windows Vista with Service Pack 1/Windows 7 client with RSAT update installed. If you do not have Windows Server 2008/R2 server, you can download and install Remote Server Administration Tools on a Windows Vista or Windows 7 client to manage and configure them.

    Microsoft Remote Server Administration Tools for Windows Vista 
    http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en


    Remote Server Administration Tools for Windows 7 

    http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

    The CSEs for the new Group Policy preference functionality are required in Windows XP Service Pack 2 (SP2), Windows Server 2003 Service Pack 1 (SP1), and Windows Vista to process the new preference items. To download and install CSEs, please refer to the following link:

     

    Information about new Group Policy preferences in Windows Server 2008

    http://support.microsoft.com/kb/943729

     

    Method 2: Use Custom Administrative Template 

    =======================

    The regional setting related registry entries are located in:

     

    HKEY_CURRENT_USER\Control Panel\International

     

    If there is no Windows Server 2008/R2 server or Windows Vista SP1/Windows 7 with RSAT machine, you may create a custom administrative template and then deploy these settings via it. To create a custom administrative template, please refer to the following Microsoft Knowledge Base article:

     

    How to create custom administrative templates in Windows 2000 (Apply to Windows Server 2003)

    http://support.microsoft.com/kb/323639


    If you do not want to create a custom administrative template, you can also deploy a logon script or create a custom .adm file to configure the registry entry.

     

    You may perform the following steps to deploy these settings via logon script:

     

    1.         Logon as an administrator and configure the regional settings as desired.

    2.         Export the [HKEY_CURRENT_USER\Control Panel\International] registry key to a registry file and put this registry file in a share folder.

    3.         Create a new Windows Batch File with the following command:

     

    regedit /s <Path of the registry file>

     

    For example, if the path to the registry file is \\server\share\RegionalSetting.reg, you can include the command below in the batch file:

     

    regedit /s \\server\share\RegionalSetting.reg

     

    4.         Create a GPO to deploy a logon script to run the newly created batch file to users.

     

    If you do not want to deploy these settings via logon script,  


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:22 AM
  • How To - Q2: How can I deploy the Windows Server 2008 Internet Explorer Enhanced Security option via group policy?

     

    A: The administrative template file inetesc.adm can also be used to deploy the Internet Explorer Enhanced Security Configuration settings on Windows Server 2008.

     

    To do so, you can Download the adm file from the following link and import it to the GPO.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

     

    Here are the detailed steps:

     

    1. Create a new GPO or use an existing GPO to configure the Internet Explorer Enhanced Security setting.
    2. Right-click the GPO and select Edit.
    3. Expand Computer Configuration\Policies, right-click Administrative Templates, and then select Add/Remove Templates.
    4. Click the Add button, and then double-click the adm file to import it.
    5. After that, you should see the item Classic Administrative Templates (ADM) under Administrative Templates.
    6. Expand the item, and then you can configure the Internet Explorer Enhanced Security Configuration policies as you did in a Windows Server 2003 domain.



    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:28 AM
  • How To - Q3: How can I control whether the Language Bar is visible via group policy?


    A: Currently, there is no group policy available to control whether the Language Bar is visible. However, the language bar settings are stored in the following registry key:

     

    HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar

     

    The ShowStatus value becomes 0 when we select the option "Floating on desktop".

    The ShowStatus value becomes 3 when set to "Hidden", which is the default.

    The ShowStatus value becomes 4 when set to "Docked on the taskbar".


    As a result, you may create a custom administrative template and then deploy these settings via it. To create a custom administrative template, please refer to the following Microsoft Knowledge Base article:

     

    How to create custom administrative templates in Windows 2000 (Apply to Windows Server 2003)

    http://support.microsoft.com/kb/323639


    You can also control the language bar by using a logon script to set the ShowStatus value. Here is a sample script to enable the language bar:


    Dim WshShell

    ' Windows Script Host shell object, used here for registry access
    Set WshShell = WScript.CreateObject("WScript.Shell")

    ' ShowStatus = 4 docks the language bar on the taskbar (0 = floating, 3 = hidden)
    WshShell.RegWrite "HKCU\Software\Microsoft\CTF\LangBar\ShowStatus", 4, "REG_DWORD"


    Note:
    You need to log off and then log on again for the change to take effect, even if you modify it by using a logon script.

     

     


    Laura Zhang - MSFT
     
    Tuesday, March 31, 2009 6:32 AM
  • How To - Q4: How can I move an AD LDS instance from one computer to another?


    A: You can move an AD LDS instance from one server to another with a backup taken with dsdbutil.exe. To do so, you can perform the following steps:

     

    On source computer

    ----------------------------

    Follow the steps described in the following TechNet link to create an AD LDS instance backup:

     

    Step 1: Back Up AD LDS Instance Data

    http://technet.microsoft.com/en-us/library/cc730864.aspx

     

    On target computer

    ----------------------------

    Please perform the following steps:

     

    1. Create a new AD LDS instance using the same settings that were specified during the installation of the AD LDS instance that you want to recover or move. In this case, do not create an application directory partition during setup. You can restore your original application directory partition from your backup. Therefore, on the Application Directory Partition page in the Active Directory Lightweight Directory Services Setup Wizard, click No, do not create an application directory partition.
    2. Restore the instance with the backup taken with dsdbutil.exe. For the detailed steps, refer to:

     

    Step 2: Restore AD LDS Instance Data

    http://technet.microsoft.com/en-us/library/cc725903.aspx




    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:37 AM
  • How To - Q5: How can I export a list of user accounts that are enabled from Active Directory?


    A: When you configure the “Account options” settings for a user in Active Directory, numerical values are assigned to the UserAccountControl attribute. When a user account is disabled, the following property flag is set:

     

    Property flag        Value in hexadecimal    Value in decimal
    ACCOUNTDISABLE       0x0002                  2

     


    To export all enabled accounts, we could specify the filter as the following:

    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

    For example we could export all enabled user accounts via the following command,

    csvde -d "dc=<Domain>,dc=<com>" -r "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -f enabled.csv

    Likewise, we could export all disabled user accounts via the following command.

     

    csvde -d "dc=<Domain>,dc=<com>" -r "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -f disabled.csv

    NOTE: There is no "!" before "userAccountControl".

     

    For more information about UserAccountControl flags and how to manipulate them, please refer to the following article:

    How to use the UserAccountControl flags to manipulate user account properties
    http://support.microsoft.com/?id=305144

     

    How to query Active Directory by using a bitwise filter

    http://support.microsoft.com/kb/269181


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:40 AM
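Added example (not part of the original answer): the same bitwise filter in PowerShell, using System.DirectoryServices so it runs without the Active Directory module, and decoding the userAccountControl value of every exported account so the CSV also shows flags such as PASSWD_NOTREQD or DONT_REQ_PREAUTH that matter when reviewing enabled accounts. It assumes a domain-joined machine and PowerShell 3.0 or later, and discovers the naming context from RootDSE instead of hard-coding dc=<Domain>,dc=<com>.

```powershell
# Added example (not from the original post). Exports enabled or disabled
# user accounts with an LDAP bitwise filter on userAccountControl and decodes
# the flags set on each account. Assumption: run as a domain user on a
# domain-joined computer; the search base comes from RootDSE.

$ACCOUNTDISABLE = 2                     # 0x0002, the bit the filter tests
$BitAnd = '1.2.840.113556.1.4.803'      # LDAP_MATCHING_RULE_BIT_AND

# Flag names from KB 305144, used to decode the decimal value in the export.
$UacFlags = [ordered]@{
    0x0001    = 'SCRIPT'
    0x0002    = 'ACCOUNTDISABLE'
    0x0008    = 'HOMEDIR_REQUIRED'
    0x0010    = 'LOCKOUT'
    0x0020    = 'PASSWD_NOTREQD'
    0x0040    = 'PASSWD_CANT_CHANGE'
    0x0080    = 'ENCRYPTED_TEXT_PWD_ALLOWED'
    0x0200    = 'NORMAL_ACCOUNT'
    0x10000   = 'DONT_EXPIRE_PASSWORD'
    0x40000   = 'SMARTCARD_REQUIRED'
    0x80000   = 'TRUSTED_FOR_DELEGATION'
    0x100000  = 'NOT_DELEGATED'
    0x200000  = 'USE_DES_KEY_ONLY'
    0x400000  = 'DONT_REQ_PREAUTH'
    0x800000  = 'PASSWORD_EXPIRED'
    0x1000000 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'
}

function Get-UacFlagNames {
    param([int]$Uac)
    # Names of every flag whose bit is set, joined with '|'
    ($UacFlags.Keys | Where-Object { ($Uac -band $_) -ne 0 } |
        ForEach-Object { $UacFlags[$_] }) -join '|'
}

function Export-UserAccounts {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Disabled       # default: enabled accounts, like the csvde example
    )
    $rootDse = [ADSI]'LDAP://RootDSE'
    $base    = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

    # (userAccountControl:1.2.840.113556.1.4.803:=2) matches accounts whose
    # ACCOUNTDISABLE bit is set; the leading "!" inverts it for enabled accounts.
    $bit    = "(userAccountControl:${BitAnd}:=$ACCOUNTDISABLE)"
    $clause = if ($Disabled) { $bit } else { "(!$bit)" }
    $filter = "(&(objectCategory=person)(objectClass=user)$clause)"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $filter)
    $searcher.PageSize = 1000   # paged results, so large domains are not cut at 1000 objects
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'userAccountControl'))

    $results = $searcher.FindAll()
    try {
        $rows = foreach ($r in $results) {
            $uac = [int]$r.Properties['useraccountcontrol'][0]
            [pscustomobject]@{
                sAMAccountName     = [string]$r.Properties['samaccountname'][0]
                distinguishedName  = [string]$r.Properties['distinguishedname'][0]
                userAccountControl = $uac
                Flags              = Get-UacFlagNames $uac
            }
        }
    } finally {
        $results.Dispose()
    }

    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    @($rows).Count      # number of accounts written
}

Export-UserAccounts -Path .\enabled.csv
Export-UserAccounts -Path .\disabled.csv -Disabled
```

The Flags column is the part csvde cannot give you: an enabled account that also carries PASSWD_NOTREQD, DONT_REQ_PREAUTH or TRUSTED_FOR_DELEGATION is worth a second look, and the decode makes those stand out without a second query.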
  • How To - Q6: How can I control local user group membership via group policy?


    A: You can use Restricted Groups policy to control group membership on domain clients. Restricted groups allow an administrator to define the following two properties for security-sensitive (restricted) groups:

    • Members
    • Member Of

     

    The "Members" list defines who should and should not belong to the restricted group. The "Member Of" list specifies which other groups the restricted group should belong to.

     

    For example, if you would like to add a global group to be a member of Administrators group on all workstations, you can configure the Restricted Group group policy. For the detailed steps, please refer to the following Microsoft Knowledge Base article:

     

    How to Configure a Global Group to Be a Member of the Administrators Group on all Workstations

    http://support.microsoft.com/kb/320065

     

    For more information about Restricted Groups group policy, please refer to the following articles:

     

    Description of Group Policy Restricted Groups

    http://support.microsoft.com/kb/279301

     

    Updates to Restricted Groups ("Member of") behavior of user-defined local groups

    http://support.microsoft.com/kb/810076

     

    When you use the Restricted Groups "Member of" functionality, Windows Server 2003 Group Policy objects may not be processed in the order that you expect

    http://support.microsoft.com/kb/925443


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:41 AM
  • How To - Q7: How can I use WMI filter to apply group policy to specific versions of operating system and to Server Core computer?


    A: If you would like to control group policy application by the operating system version of the computer, you may consider using a WMI filter in this scenario. Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer. For more information about WMI filters, please refer to the following links:

     

    HOWTO: Leverage Group Policies with WMI Filters

    http://support.microsoft.com/kb/555253

     

    WMI filtering

    http://technet.microsoft.com/en-us/library/cc779036.aspx

     

    To differentiate operating systems of computers, you may build WMI Filters by using the Version and OperatingSystemSKU properties of Win32_OperatingSystem WMI Class. The following are some examples:

     

    SELECT Version FROM Win32_OperatingSystem WHERE Version < "6"

    Version < "6" <<-- OS is anything less than Vista/Windows Server 2008, which are version 6.X.X

     

    SELECT Version FROM Win32_OperatingSystem WHERE Version = "5.1.2600"

    Version = "5.1.2600" <<-- OS is specifically Windows XP SP2

     

    SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%"

    Version LIKE "6.0.%" <<-- OS is either Vista or Windows Server 2008 only

     

    SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%" AND ProductType <> "1"

    Version LIKE "6.0.%" AND ProductType <> "1" <<-- OS is specifically Windows Server 2008 server/DC only

     

    SELECT OperatingSystemSKU FROM Win32_OperatingSystem WHERE OperatingSystemSKU = 12 OR OperatingSystemSKU = 39 OR OperatingSystemSKU = 14 OR OperatingSystemSKU = 41 OR OperatingSystemSKU = 13 OR OperatingSystemSKU = 40 OR OperatingSystemSKU = 29

    OperatingSystemSKU = 12, 39, 14, 41, 13, 40 or 29 <<-- OS is a Server Core computer. These values map back to HEX values, which map back to:

     

    PRODUCT_DATACENTER_SERVER_CORE

    PRODUCT_DATACENTER_SERVER_CORE_V

    PRODUCT_ENTERPRISE_SERVER_CORE

    PRODUCT_ENTERPRISE_SERVER_CORE_V

    PRODUCT_STANDARD_SERVER_CORE

    PRODUCT_STANDARD_SERVER_CORE_V

    PRODUCT_WEB_SERVER_CORE

     

    More Information

    -------------------------

    http://msdn.microsoft.com/en-us/library/ms724358.aspx


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:42 AM
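Added example (not part of the original answer): a way to evaluate the WQL filters above on a computer before attaching them to a GPO. The Group Policy engine applies a filtered GPO only when the query returns at least one instance, so running each query locally with Get-WmiObject tells you directly whether the GPO would apply to that machine. The script also decodes OperatingSystemSKU with the Server Core values listed above. One caveat it makes visible: Version is a string, so Version < "6" is a lexical comparison, and a later OS whose version begins with "10." sorts before "6" and matches the "pre-Vista" filter. It assumes PowerShell 3.0 or later on the computer under test.

```powershell
# Added example (not from the original post). Runs candidate WMI filter queries
# on the local computer and reports whether each would apply. Assumption:
# PowerShell 3.0 or later; Get-WmiObject uses the same WQL engine the Group
# Policy client uses for WMI filters.

# Server Core SKU values from the Win32_OperatingSystem documentation (MSDN link above)
$ServerCoreSku = @{
    12 = 'PRODUCT_DATACENTER_SERVER_CORE'
    13 = 'PRODUCT_STANDARD_SERVER_CORE'
    14 = 'PRODUCT_ENTERPRISE_SERVER_CORE'
    29 = 'PRODUCT_WEB_SERVER_CORE'
    39 = 'PRODUCT_DATACENTER_SERVER_CORE_V'
    40 = 'PRODUCT_STANDARD_SERVER_CORE_V'
    41 = 'PRODUCT_ENTERPRISE_SERVER_CORE_V'
}

# The queries from the post; the first one demonstrates the string-compare pitfall.
$Filters = [ordered]@{
    'Pre-Vista (string compare!)' = 'SELECT Version FROM Win32_OperatingSystem WHERE Version < "6"'
    'Vista / Server 2008 only'    = 'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%"'
    'Server 2008 server/DC only'  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%" AND ProductType <> "1"'
    'Server Core'                 = 'SELECT OperatingSystemSKU FROM Win32_OperatingSystem WHERE OperatingSystemSKU = 12 OR OperatingSystemSKU = 39 OR OperatingSystemSKU = 14 OR OperatingSystemSKU = 41 OR OperatingSystemSKU = 13 OR OperatingSystemSKU = 40 OR OperatingSystemSKU = 29'
}

function Test-WmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName = '.'
    )
    # A WMI-filtered GPO applies only if the query returns one or more instances.
    $result = Get-WmiObject -Namespace 'root\CIMV2' -Query $Query -ComputerName $ComputerName
    return (@($result).Count -gt 0)
}

function Get-OsSummary {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $sku = [int]$os.OperatingSystemSKU
    [pscustomobject]@{
        Version            = $os.Version
        ProductType        = $os.ProductType      # 1 = workstation, 2 = DC, 3 = server
        OperatingSystemSKU = $sku
        SkuName            = if ($ServerCoreSku.ContainsKey($sku)) { $ServerCoreSku[$sku] } else { 'not a Server Core SKU' }
    }
}

Get-OsSummary | Format-List

foreach ($name in $Filters.Keys) {
    $applies = Test-WmiFilter -Query $Filters[$name]
    '{0,-30} {1}' -f $name, $(if ($applies) { 'APPLIES' } else { 'does not apply' })
}
```

Run it on one machine of each type you intend to target and one you intend to exclude; a filter that "applies" on the excluded machine is the kind of scoping mistake that silently extends a lockdown (or a relaxation) to the wrong computers.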
  • How To - Q8: How can I configure different password polices for different types of domain users?


    A: In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain. These policies were specified in the Default Domain Policy for the domain. The Windows Server 2008 and Windows Server 2008 R2 operating systems provide organizations with a way to define different password and account lockout policies for different sets of users in a domain: the Fine-Grained Password Policy. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

     

    For more information on Fine-Grained Password policy, please refer to the following Microsoft TechNet link:

     

    AD DS: Fine-Grained Password Policies

    http://technet.microsoft.com/en-us/library/cc770394.aspx


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:42 AM
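Added example (not part of the original answer): creating a Password Settings Object (PSO) for privileged accounts with the Active Directory module cmdlets that ship with Windows Server 2008 R2, applying it to groups, and checking which policy actually wins for a given user. It assumes the domain functional level is Windows Server 2008 or higher (a requirement for fine-grained password policies), that the Active Directory module is available, and that a group named Tier0-Admins exists; that group name is hypothetical. The precedence value is the tie-breaker: when more than one PSO applies to a user, the lowest number wins, and the Default Domain Policy is used only when no PSO applies.

```powershell
# Added example (not from the original post). Defines a stricter password and
# lockout policy for privileged accounts as a PSO and verifies the resultant
# policy for a user. Assumptions: AD module from Windows Server 2008 R2 or
# later, domain functional level Windows Server 2008 or higher, and a
# hypothetical global security group named "Tier0-Admins".

Import-Module ActiveDirectory

$PsoName = 'PSO-PrivilegedAccounts'

New-ADFineGrainedPasswordPolicy -Name $PsoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter password and lockout settings for privileged accounts'

# A PSO can be applied to users and to global security groups. Apply it to
# groups so that membership changes do not require editing the PSO itself.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects 'Domain Admins', 'Tier0-Admins'

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Resolves precedence across every PSO that applies to the user;
    # returns $null when none applies, in which case the domain policy is in force.
    $user = Get-ADUser -Identity $SamAccountName
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        [pscustomobject]@{
            User              = $SamAccountName
            Source            = $pso.Name
            Precedence        = $pso.Precedence
            MinPasswordLength = $pso.MinPasswordLength
            LockoutThreshold  = $pso.LockoutThreshold
        }
    } else {
        $dp = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{
            User              = $SamAccountName
            Source            = 'Default Domain Policy'
            Precedence        = $null
            MinPasswordLength = $dp.MinPasswordLength
            LockoutThreshold  = $dp.LockoutThreshold
        }
    }
}

Get-EffectivePasswordPolicy -SamAccountName 'Administrator'
```

Checking the resultant policy is the step people skip: a user who is in a privileged group and also in a group with a more lenient PSO of lower precedence gets the lenient one, and Get-ADUserResultantPasswordPolicy is the only quick way to see that.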
  • How To - Q9: How can I configure users to apply some user configuration group polices only when they logon to several specific computers, such as terminal server?


    A: Generally speaking, Group Policy applies to users or computers in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

     

    To set user configuration per computer, follow these steps:

     

    1. In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
    2. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.

     

    This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used, for example, computers in public areas, in laboratories, and in classrooms, etc.

     

    For more information about the Loopback policy, please refer to the following Microsoft Knowledge Base article:

     

    231287 Loopback Processing of Group Policy

    http://support.microsoft.com/?id=231287

     

    The Loopback group policy setting is especially useful in a terminal server environment. Administrators usually want to lock down a terminal session so that all users get a restricted environment when they log on to terminal session; however, this restriction should not affect other logon sessions when users log on to other domain computers.

     

    To lock down a terminal session, you can refer to the following Microsoft Knowledge Base articles and links:

     

    278295 How to lock down a Windows Server 2003 or Windows 2000 Terminal Server

    http://support.microsoft.com/?id=278295

     

    Locking Down Windows Server 2003 Terminal Server Sessions

    http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:44 AM
  • How To - Q10: How can I migrate to or reconstruct a Windows Server 2008 domain?


    A: Sometimes you might choose to restructure your existing environment and migrate to a complete new Windows Server 2008 domain due to the following considerations:

     

    • To optimize the arrangement of elements within the logical Active Directory structure

    • To assist in completing a business merger, acquisition, or divestiture

     

    Restructuring involves the migration of resources between Active Directory domains in either the same forest or in different forests. You can use the Active Directory Migration Tool version 3.1 (ADMT v3.1) to perform object migrations and security translation as necessary so that users can maintain access to network resources during the migration process. To download the ADMT v3.1 tool, please refer to the following link:

     

    Active Directory Migration Tool version 3.1

    http://www.microsoft.com/downloads/details.aspx?familyid=AE279D01-7DCA-413C-A9D2-B42DFB746059&displaylang=en#Instructions

     

    As domain migration is a rather complex task, please read the following white paper before you perform the migration task:

     

    ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains

    http://www.microsoft.com/downloads/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:45 AM
  • Question - Q1: Windows Server 2008 fails to authenticate user account from trusted domain with the error saying that "The security database on the server does not have a computer account for this workstation trust relationship."


    Symptom

    =========

    In a multi-domain environment, you may find that a Windows Server 2008 or Windows Vista Service Pack 1 based computer fails to authenticate user accounts from a trusted domain.

     

    If you try to use that user account from the trusted domain to log on to this computer, the following error may occur:

    "The security database on the server does not have a computer account for this workstation trust relationship."

     

    Possible Cause

    ============

    This behavior may occur if the trust relationship between these two domains is the "downlevel" type. If the trust type is considered downlevel and the logon attempt fails with Kerberos error "0xc000018b - STATUS_NO_TRUST_SAM_ACCOUNT", Windows Server 2008 or Windows Vista SP1 will not fall back to NTLM authentication.

     

    NOTE: To check the trust status, you may run the NLTEST.exe tool. Use the following command:

        nltest /domain_trusts

     

    The output would be like as follows:

        0: <Domain 1> (NT 4) (Direct Inbound)
        1: <Domain 2> (NT 5) (Direct Inbound)
        2: <Domain 3> (NT 5) (Direct Inbound)

    If the type is "NT 4", it means the trust is downlevel trust.

     

    Resolution

    ========

    To resolve this issue, recreate the trust between the Active Directory domains to eliminate the downlevel trust type.

    After recreating the trust, run "nltest /domain_trusts" again to verify the trust type is "NT 5".

     

    More Information

    ===============

    When the trust level is downlevel and Kerberos fails with the "STATUS_NO_TRUST_SAM_ACCOUNT" error, Windows Server 2008 or Vista SP1 behaves differently from Windows Server 2003 or Vista RTM: Windows Server 2008 and Vista SP1 will not fall back to NTLM.

     

    This was a design change made to address security concerns regarding a Downgrade attack.


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:50 AM
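Added example (not part of the original answer): a small parser for the nltest /domain_trusts output shown above that lists every trust and flags the "NT 4" (downlevel) ones, so you can find them before the first Windows Server 2008 or Vista SP1 logon fails rather than after. The sample output embedded in the script is constructed to match the format in the post and is not captured from a real domain; the commented line at the end runs the same parser against the live nltest output. It assumes nltest.exe is present (it ships with Windows Server and with RSAT) and PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Parses "nltest /domain_trusts"
# output and flags downlevel (NT 4) trusts, which Windows Server 2008 / Vista SP1
# will not authenticate over NTLM fallback. Assumption: nltest.exe available.

function Get-DomainTrustType {
    param([Parameter(Mandatory)][string[]]$NltestOutput)
    foreach ($line in $NltestOutput) {
        # Lines look like: "    0: CORP corp.example.com (NT 5) (Direct Inbound)"
        # The "(NT x)" token is the first parenthesised item, so everything
        # between the index and it is the domain name(s).
        if ($line -match '^\s*(\d+):\s+(.+?)\s+\((NT\s*[45])\)') {
            [pscustomobject]@{
                Index     = [int]$matches[1]
                Domain    = $matches[2]
                TrustType = $matches[3]
                Downlevel = ($matches[3] -replace '\s', '') -eq 'NT4'
            }
        }
    }
}

# Constructed sample output in the post's format (not from a real domain):
$Sample = @'
List of domain trusts:
    0: LEGACY legacy.example.com (NT 4) (Direct Inbound)
    1: CORP corp.example.com (NT 5) (Forest Tree Root) (Primary Domain) (Native)
    2: PARTNER partner.example.com (NT 5) (Direct Inbound)
The command completed successfully
'@ -split "`r?`n"

$trusts = Get-DomainTrustType -NltestOutput $Sample
$trusts | Format-Table Index, Domain, TrustType, Downlevel -AutoSize

# Live check, on a domain member with nltest.exe:
# Get-DomainTrustType -NltestOutput (nltest /domain_trusts) | Where-Object Downlevel
```

On the sample, only index 0 is reported as Downlevel. Recreating that trust, as the answer recommends, and rerunning the live check should leave the Downlevel column empty; keeping the Windows Server 2008 behaviour rather than forcing an NTLM fallback is the point of the design change the answer mentions.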
  • Question - Q2: Internet Explorer Maintenance Group Policies do not apply during subsequent logon procedures.


    Symptom

    =========

    You configure Internet Explorer on Windows client computers by using the Active Directory Internet Explorer Maintenance Group Policies to customize the Internet Explorer Home page.

     

    The policy is applied only the first time that the user logs on. For example, the user's home page is changed to the home page that is specified in the Group Policy Object (GPO). If the user later changes their home page to a different one, the GPO never sets it back to the page that the user specified in the GPO during a subsequent logon procedure.

     

    This behavior is applicable to all Internet Explorer Maintenance Policies

     

    Possible Cause

    ============

    There are two possible causes:

     

    1.      During subsequent logon procedures, Gpt.ini is queried and the version is checked. The client believes that the GPO has already been applied and therefore the IEAK\Install.ins file is not requested during the second logon procedure. Because the Install.ins file is not requested, the Home_Page value is not processed and is not reset to the home page that is specified in the GPO.

    2.      The Internet Explorer Maintenance policy is configured in Preference Mode. The Internet Explorer Maintenance preference mode is designed to provide initial settings for a user without enforcing these settings. For example, the user may set the corporate intranet portal page as the home page. If no other restrictions apply, the user may modify these settings. When an Internet Explorer Maintenance policy is in preference mode, the policy will only be applied to a client computer again when the policy has changed. At that time, the new preferences will be introduced on the client computer.

     

    Resolution

    ========

    1. Enable the "Internet Explorer Maintenance Policy Processing" policy under [Computer Configuration\Administrative Templates\System\Group Policy] and check the option "Process even if the Group Policy objects have not changed". This option updates and reapplies the policies even if the policies have not changed. To do so, please perform the following steps:

     

    a.      Open the corresponding group policy in the Group Policy Editor.

    b.      Locate the [ Computer Configuration\Administrative Templates\System\Group Policy\ Internet Explorer Maintenance Policy Processing] group policy, double click it to open the Properties dialog.

    c.       Select the “Enabled” option and check the “Process even if the Group Policy objects have not changed” option.

    d.      Click OK.

    e.      Refresh group policy to test this problem again.

     

    2. Ensure that the policy is not configured in Preference Mode.

     

    a.      Open and edit the GPO where you configured these IE Maintenance settings.

    b.       Expand to the branch [User Configuration\Windows Settings\Internet Explorer Maintenance].

    c.       Right-click the "Internet Explorer Maintenance" item above and verify whether the "Preference Mode" option is checked.

    d.      If it is checked, we need to reset settings and disable the "Preference Mode". To do this,

     

    - Note down all the settings you have configured. We need to re-configure them later.

    - Right-click the "Internet Explorer Maintenance" in the left pane, and click "Reset Browser Settings".

    - Right-click the "Internet Explorer Maintenance" in the left pane, and make sure to uncheck "Preference Mode".

    - Re-configure your settings.

    - Refresh group policy and wait until this change has been replicated to all other DCs, and then check this issue again.


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:51 AM
  • Question - Q3: DHCP Server Service does not start on Windows Server 2008 Read-Only Domain Controller.


    Symptom

    =========

    On a Windows Server 2008 based Read-Only Domain Controller (RODC), the DHCP Server service does not start. When you try to start the service, the following error message will occur:

     

    An error occurred while trying to start the DHCP Server service on <computername.domainname.com>. For more information about the error, see Event Viewer.

     

    The request is not supported.

    In the system event log, the following events may be logged:

     

    Product: Windows Operating System
    ID: 1035
    Source: Microsoft-Windows-DHCP-Server
    Version: 6.0
    Symbolic Name: EVENT_SERVER_READ_ONLY_GROUP_ERROR
    Message: The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.

     

    Product: Windows Operating System
    ID: 1036
    Source: Microsoft-Windows-DHCP-Server
    Version: 6.0
    Symbolic Name: EVENT_SERVER_ADMIN_GROUP_ERROR
    Message: The DHCP server was unable to create or lookup the DHCP Administrators
    local group on this computer. The error code is in the data.

     

    Possible Cause

    ============

    This behavior is as expected. DHCP service is trying to create and read the “DHCP Users” and “DHCP Administrators” groups in Active Directory. However, this cannot be done on Read-Only Domain Controllers. The objects can only be replicated into an RODC from a writable DC.

     

    Resolution

    ========

    To work around this behavior, use either of the methods below:

     

    Method 1

    -------------

     Create the groups manually on a writable domain controller and allow them to replicate to the RODC.

     

    Method 2

    --------------

    1. Install DHCP on a writable domain controller to allow the groups to be created automatically, then allow them to replicate to the RODC.
    2. Uninstall the DHCP server service from the writable DC and the groups will remain.

     

    More Information

    ================

    Applications That Are Known to Work with RODCs

    http://technet.microsoft.com/en-us/library/cc732790.aspx


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:53 AM
  • Question - Q4: The "Enterprise root CA" option is not available when you try to install the Certificate Services component in Windows Server 2003.


    Symptom

    =========

    In Microsoft Windows Server 2003, the Enterprise root CA option is not available. This issue occurs when you try to install the Certificate Services component and set up a certification authority.

     

    Possible Cause

    ============

    This issue can occur if the Public Key Services container does not exist in Active Directory. For example, this issue can occur if the ADSIEdit tool (Adsiedit.msc) was used to delete the Public Key Services container.

     

    Resolution

    ========

    To resolve this issue, please refer to the following Microsoft Knowledge Base article:

     

    In Windows Server 2003, the "Enterprise root CA" option is not available when you try to install the Certificate Services component

    http://support.microsoft.com/kb/938613/en-us



    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:54 AM
  • Question - Q5: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled.


    Symptom

    =========

    Consider the following scenario:

     

    • The following policies are enabled on a domain controller that is running Windows Server 2003 in a domain:

     

    [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)]

    [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)]

     

    The following policies are enabled on a member computer that is running Windows Vista Service Pack 1 or Windows Server 2008 in the same domain:

     

    [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)]

    [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (If server agrees)]

     

    In this scenario, Group Policy settings are not applied on the member computer. Additionally, the following event is logged in the System log on the member computer:

     

    Date: Date

    Event ID: 1058

    Level: Error

    Keywords:

    User: UserSID

    Computer: ComputerName

    Description:

    The processing of Group Policy failed. Windows attempted to read the file \\ path \gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

    a) Name Resolution/Network Connectivity to the current domain controller.

    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

    c) The Distributed File System (DFS) client has been disabled.

     

    Note: This problem occurs only on member computers that are running Windows Server 2008 or Windows Vista Service Pack 1 (SP1). It does not occur on member computers that are running Windows Server 2003, Windows XP, or the release version of Windows Vista.

     

    Possible Cause

    ============

    When a Server Message Block (SMB) version 1 client establishes a non-guest session or a non-anonymous session with a server, the client enables security signatures for the server. Later sessions then inherit the security signature sequence that is already established.

     

    To improve security, Windows Server 2008 and Windows Vista SP1 prevent server authenticated connections from being maliciously downgraded to a guest session or to an anonymous session. However, this improved security does not address the scenario that is described in the "Symptoms" section.

     

    Resolution

    ========

    To resolve this issue, please download and install the hot fix described in the following Microsoft Knowledge Base article:

     

    Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled

    http://support.microsoft.com/kb/950876

     

    To work around this problem, use one of the following methods.

     

    Method 1

     

    Disable the following policy on the member computers that are running Windows Server 2008 or Windows Vista SP1:

     

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)

     

    Method 2

    On the member computers that are running Windows Server 2008 or Windows Vista SP1, follow these steps:

     

    1.  Click Start, type regedit in the Start Search box, and then press ENTER.

    2.  Locate the RequireSecuritySignature registry entry under the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

    3.  Right-click RequireSecuritySignature, and then click Modify.

    4.  In the Value data box, type 0, and then click OK.

    5.  Exit Registry Editor.

     

    Method 3

    On the member computers that are running Windows Server 2008 or Windows Vista Service Pack 1, follow these steps:

     

    1.  Click Start, type regedit in the Start Search box, and then press ENTER.

    2.  Locate the AllowGuestAuthWhenSigningRequired registry entry under the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

    3.  Right-click AllowGuestAuthWhenSigningRequired, and then click Modify.

    4.  In the Value data box, type 1, and then click OK.

    5.  Exit Registry Editor.


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:56 AM
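    A read-only audit of the SMB client signing state that the three workarounds above change, added here as an example (it is not part of the original post). It reports whether the machine is in the affected OS range, whether the KB950876 hotfix is installed, and which workaround, if any, is in effect; it assumes PowerShell 3.0 or later in an elevated session.

```powershell
# Added example, not part of the original post: read-only audit of the SMB
# client signing values the workarounds above change. Assumes PowerShell 3.0+
# and an elevated session. Nothing is written to the registry.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SmbClientSigningState {
    $p = Get-ItemProperty -Path $Key
    # A value that does not exist reads as $null; [int]$null is 0.
    $require = [int]$p.RequireSecuritySignature
    $guest   = [int]$p.AllowGuestAuthWhenSigningRequired
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    # Only Vista SP1 and Server 2008 (kernel 6.0 with SP >= 1) show the symptom;
    # Vista RTM (6.0 without a service pack) does not.
    $affected = ($os.Version -like '6.0.*') -and ($os.ServicePackMajorVersion -ge 1)
    $hotfix   = Get-HotFix -Id KB950876 -ErrorAction SilentlyContinue

    $assessment = if (-not $affected) {
        'OS not in the affected range; no workaround needed'
    } elseif ($hotfix) {
        'Hotfix KB950876 installed; registry workarounds can be reverted'
    } elseif ($require -eq 0) {
        'Method 1/2 in effect: client signing no longer required (weakened)'
    } elseif ($guest -eq 1) {
        'Method 3 in effect: guest auth allowed while signing is required'
    } else {
        'No workaround and no hotfix: the symptom in the post may recur'
    }

    [pscustomobject]@{
        OSVersion                         = $os.Version
        ServicePack                       = $os.ServicePackMajorVersion
        HotfixKB950876Installed           = [bool]$hotfix
        RequireSecuritySignature          = $require
        AllowGuestAuthWhenSigningRequired = $guest
        Assessment                        = $assessment
    }
}

Get-SmbClientSigningState | Format-List
```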
  • Question - Q6: Event 1091 is recorded every 5 minutes on a Windows Server 2008 or Vista SP1 computer.


    Symptom

    =========

    Event 1091 is recorded every 5 minutes on domain member computers that are running Windows Vista Service Pack 1 or Windows Server 2008

     

    Eventlog: System

    Source: Microsoft-Windows-GroupPolicy

    Eventid: 1091

    Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <Group Policy Registry>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

     

    Possible Cause

    ============

    1. Some MOF files which are needed to generate the RSoP result are missing.

    2. You configure a file security policy to set file permissions on a folder. In addition, the path that you specified for the folder contains some environment variables. For example, you specify the following path for the folder:

     

    %ALLUSERSPROFILE%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP

     

    The Group Policy engine translates the environment variables incorrectly.

     

    Resolution

    ========

    1. Verify you have the following files:

     

    %SYSTEMROOT%\system32\wbem\polprocl.mof

    %SYSTEMROOT%\system32\wbem\en-US\polprocl.mfl

     

    NOTE: "en-US" should be replaced with the actual language that is installed.

     

    2. If those files are missing, you can copy them from a working full Windows Server 2008 installation and then run the following commands in an elevated (administrative) Command Prompt window to recompile the .mof file:

     

    mofcomp %SYSTEMROOT%\system32\wbem\polprocl.mof

    gpupdate /force

     

    3. If you configure file security policy and use environmental variables in the file path, please download and install the hot fix described in the following Microsoft Knowledge Base article:

     

    The RSoP snap-in does not display some file security policies, and Event ID 1091 is logged on domain member computers that are running Windows Vista Service Pack 1 or Windows Server 2008

    http://support.microsoft.com/kb/955248

     


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 6:57 AM
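    The file check from the resolution above, scripted as an added example (not the original poster's code): it looks for the two MOF files for the UI language actually installed rather than a hard-coded en-US, and counts recent Event 1091 entries so you can confirm the recompile worked. It is read-only and prints the mofcomp/gpupdate commands instead of running them; it assumes Vista SP1/Server 2008 or later for Get-WinEvent.

```powershell
# Added example, not part of the original post. Read-only: it reports on the
# RSoP MOF files and Event 1091, and only prints the commands to run.

function Test-RsopMofFiles {
    $wbem = Join-Path $env:SystemRoot 'system32\wbem'
    $lang = (Get-UICulture).Name          # e.g. en-US; the post's "actual language"
    $paths = @(
        (Join-Path $wbem 'polprocl.mof'),
        (Join-Path $wbem "$lang\polprocl.mfl")
    )
    foreach ($path in $paths) {
        New-Object PSObject -Property @{ Path = $path; Exists = (Test-Path -LiteralPath $path) }
    }
}

function Get-Event1091Count {
    param([int]$Hours = 24)
    # Same log/provider/id as the event quoted in the Symptom section.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1091
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue     # "no events found" is reported as an error otherwise
    @($events).Count
}

$files = Test-RsopMofFiles
$files | Format-Table Path, Exists -AutoSize
if ($files | Where-Object { -not $_.Exists }) {
    'Copy the missing file(s) from a working Windows Server 2008 install, then run (elevated):'
    "  mofcomp $env:SystemRoot\system32\wbem\polprocl.mof"
    '  gpupdate /force'
}
"Event 1091 entries in the last 24 hours: $(Get-Event1091Count)"
```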
  • Question - Q7: DCPROMO fails with following error: "To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep"."


    Symptom

    =========

    You would like to install a Windows Server 2008 domain controller in a Windows Server 2003 domain. You have run the "adprep /forestprep" and "adprep /domainprep" commands by using the "sources/adprep" files from the Windows Server 2008 server. However, when you run dcpromo on the 2008 server, you still receive the following error message:

     

    To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep".

     

    Possible Cause

    ============

    This issue can occur if you are using pre-RTM media to do the ADPrep commands.

     

    Resolution

    ========

    To verify it, open adsiedit.msc on the domain controller that holds the infrastructure operations master role, expand to cn=ActiveDirectoryUpdate,cn=DomainUpdates,cn=system,DC=domain, right-click cn=ActiveDirectoryUpdate, and then check the value of the attribute revision.

     

    If you are using pre-RTM media, the revision is 2.

    If you are using RTM media, the revision is 3.

     

    If it is pre-RTM media, please find an RTM version of the Windows Server 2008 media and run the "adprep /forestprep" and "adprep /domainprep" commands again.

     

    Tuesday, March 31, 2009 6:58 AM
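    The adsiedit.msc check from the resolution above, scripted with the [ADSI] accelerator as an added example (not the poster's code). It binds to whichever domain controller the locator returns, so let adprep's change replicate before trusting the result (the post reads it on the infrastructure master); the 2/3 interpretation is the one the post gives.

```powershell
# Added example, not part of the original post: reads the revision attribute of
# cn=ActiveDirectoryUpdate,cn=DomainUpdates,cn=system without the adsiedit GUI.
# Run on a domain-joined machine as a domain user. Read-only.

function Get-AdprepDomainRevision {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.Properties['defaultNamingContext'].Value
    $entry    = [ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainDn"
    $revision = [int]$entry.Properties['revision'].Value

    # Values per the post: 2 = pre-RTM Windows Server 2008 media, 3 = RTM media.
    $verdict = switch ($revision) {
        2       { 'pre-RTM media was used: re-run adprep /forestprep and /domainprep from RTM media' }
        3       { 'RTM media was used: domainprep is current for Windows Server 2008' }
        default { "revision $revision is outside the values the post lists; compare with your media" }
    }

    New-Object PSObject -Property @{
        DistinguishedName = [string]$entry.Properties['distinguishedName'].Value
        Revision          = $revision
        Verdict           = $verdict
    }
}

Get-AdprepDomainRevision | Format-List DistinguishedName, Revision, Verdict
```

    Later operating systems raise the revision beyond 3, which lands in the default branch; only the 2 vs 3 distinction is the post's.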
  • Question - Q8: The Active Directory Certificate Services service does not start on a Windows Server 2008-based certification authority server if the key storage provider does not support SHA1 hash signing.


    Symptom

    =========

    Consider the following scenario:

     

    • You are running a Windows Server 2008-based computer that has a third-party key storage provider (KSP) installed.

    • The third-party KSP does not allow for SHA1 hash signing. The KSP may be configured to disallow SHA1 hash signing or may not support it.

    • You install the Active Directory Certificate Services role on the computer. When you do this, you configure Certificate Services to use the KSP for the certification authority (CA) private key.

     

    In this scenario, the Active Directory Certificate Services service does not start. Additionally, the following event is logged in the System log:

    Event Type: Error

    Event Source: CertSvc

    Event Category: None

    Event ID: 100

    Date: Date

    Time: Time

    User: N/A

    Computer: ComputerName

    Description: "Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. CAName ErrorDescription "

     

    Possible Cause

    ============

    When the Active Directory Certificate Services service starts, it tests the private key by signing a random SHA1 hash. If the KSP that is used for the private key does not allow for SHA1 hash signing, the Active Directory Certificate Services service does not start.

     

    Resolution

    ========

    To resolve this issue, please download and install the hot fix described in the following Microsoft Knowledge Base article:

    The Active Directory Certificate Services service does not start on a Windows Server 2008-based certification authority server if the key storage provider does not support SHA1 hash signing

    http://support.microsoft.com/kb/952722


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 7:00 AM
  • Question - Q9: You receive the Event 1030 and 1058 errors from userenv saying that “Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com”.


    Symptom

    =========

    You experience one or more of the following symptoms on a computer that is running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000:

     

    • Group Policy settings are not applied to the computers.

    • Group Policy replication is not completed between the domain controllers on the network.

    • You cannot open Group Policy snap-ins. For example, you cannot open the Domain Controller Security Policy snap-in, or the Domain Security Policy snap-in.

     

    If you view the Application log in Event Viewer on Windows XP or Windows Server 2003, you see events that are similar to the following events:

     

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1058
    Date: Date
    Time: Time
    User: User_Name
    Computer: Computer_Name
    Description: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com. The file must be present at the location <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Error_Message). Group Policy processing aborted. For more information, see Help and Support Center at http://support.microsoft.com.

     

    Event Type: Error

    Event Source: Userenv

    Event Category: None

    Event ID: 1030

    Date: Date

    Time: Time

    User: User_Name

    Computer: Computer_Name

    Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine. For more information, see Help and Support Center at http://support.microsoft.com.

     

    Possible Cause

    ============

    These issues occur if the computers that are on your network cannot connect to certain Group Policy objects. Specifically, these objects are in the Sysvol folders on your network's domain controllers.

     

    Resolution

    ========

    Because there are many possible causes for this event error, we suggest that you refer to the following Microsoft Knowledge Base article to troubleshoot the configuration of your network to narrow down the cause and then correct the configuration:

     

    Userenv errors occur and events are logged after you apply Group Policy to computers that are running Windows Server 2003, Windows XP, or Windows 2000

    http://support.microsoft.com/kb/887303

     

    The main steps include the following:

     

    Step one: Examine the DNS settings and network properties on the servers and client computers

    Step two: Examine the Server Message Block signing settings on the client computers and member servers

    Step three: Make sure that the TCP/IP NetBIOS Helper service is started on all computers

    Step four: Make sure that Distributed File System (DFS) is enabled on all computers

    Step five: Examine the contents and the permissions of the Sysvol folder

    Step six: Make sure that the Bypass traverse checking right is granted to the required groups

    Step seven: Make sure that the domain controllers are not in a journal wrap state

    Step eight: Run the Dfsutil /PurgeMupCache command


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 7:01 AM
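    A client-side first pass over the KB 887303 steps above, added here as an example (not the poster's code). It tries the same SYSVOL path the 1058 event names, built from the logon domain and the GPO GUID quoted in the event, confirms the TCP/IP NetBIOS Helper service (service name lmhosts) is running, and pulls recent Userenv 1030/1058 events. It uses Get-EventLog so it also runs on XP/2003 with PowerShell 2.0, and is read-only.

```powershell
# Added example, not part of the original post. Read-only checks for steps
# one, three and five of the KB 887303 list above. Assumes a domain logon.

function Test-GptIniAccess {
    # Default GUID is the one quoted in the 1058 event above (Default Domain Policy).
    param([string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}')
    $domain = $env:USERDNSDOMAIN
    if (-not $domain) { throw 'USERDNSDOMAIN is empty: run under a domain account.' }
    $path = "\\$domain\sysvol\$domain\Policies\$GpoGuid\gpt.ini"
    $reachable = Test-Path -LiteralPath $path
    $version = $null
    if ($reachable) {
        # gpt.ini carries a "Version=" line; reading it proves the DFS/SMB path works end to end.
        $version = (Get-Content -LiteralPath $path | Where-Object { $_ -like 'Version=*' }) -replace '^Version=', ''
    }
    New-Object PSObject -Property @{ Path = $path; Reachable = $reachable; Version = $version }
}

function Get-UserenvGpoErrors {
    param([int]$Hours = 24)
    # Same log, source and IDs as the two events quoted in the Symptom section.
    Get-EventLog -LogName Application -Source Userenv -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue |
        Where-Object { (1030, 1058) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

Test-GptIniAccess | Format-List Path, Reachable, Version
Get-Service -Name lmhosts | Format-Table DisplayName, Status -AutoSize   # step three
Get-UserenvGpoErrors | Format-Table -AutoSize -Wrap
```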
  • Question - Q10: A Windows Vista-based or Windows Server 2008-based computer needs at least the Read permission for Group Policy Objects in Active Directory Domain Services if the computer is configured for loopback processing.

     

    Symptom

    =========

    If a Windows Vista-based or Windows Server 2008-based computer is configured for loopback processing, the computer does not receive any settings from GPOs in AD DS.

     

    Possible Cause

    ============

    This behavior in Windows Vista and Windows Server 2008 is changed from the behavior in Windows XP and in Windows Server 2003. Windows Vista and Windows Server 2008 try to retrieve the attributes of GPOs for users from the computer. In Windows Vista or in Windows Server 2008, the loopback policy does not apply if the computer does not have at least the Read permission on the GPOs.

     

    Resolution

    ========

    To read the attributes of the GPOs, the computer needs at least the Read permission for the GPOs. Please ensure that the computer object has the Read permission on the group policy object.

    1. Open the Group Policy Management console, expand the forest and domain tree on the left panel.

    2. Select the loopback group policy. The settings will be displayed on the right side of panel.

    3. In the “Scope” tab, check the “Security Filtering” configuration to ensure that the computer object has at least “Read” permission. By default, “Authenticated Users” group has this permission. If you have not customized the security settings for the group policy, it should be fine as a domain computer belongs to the “Authenticated Users” group.


    Laura Zhang - MSFT
    Tuesday, March 31, 2009 7:02 AM
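    The "Security Filtering" check from step 3 above, done with the GroupPolicy module instead of the GPMC GUI, as an added example (not the poster's code). It lists who holds Read on the loopback GPO and whether the computer is covered through Authenticated Users (SID S-1-5-11), Domain Computers, or its own account; it assumes the GroupPolicy module (Server 2008 R2 or RSAT and later) and a GPO named 'Loopback Policy', which is a placeholder, and it does not resolve nested group membership beyond those three principals.

```powershell
# Added example, not part of the original post. Read-only: lists Read grants on
# a GPO and reports whether this computer is covered by one of them.
# 'Loopback Policy' is a placeholder GPO name.

Import-Module GroupPolicy

function Test-ComputerGpoRead {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Each of these GPMC permission levels includes Read on the GPO object in AD DS.
    $readRights = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $perms  = Get-GPPermission -Name $GpoName -All
    $grants = $perms | Where-Object { -not $_.Denied -and $readRights -contains $_.Permission }
    $denies = $perms | Where-Object { $_.Denied }

    # Authenticated Users (the default grant), Domain Computers, or the computer account itself.
    $covered = $grants | Where-Object {
        $_.Trustee.Sid.Value -eq 'S-1-5-11' -or
        $_.Trustee.Name -eq 'Domain Computers' -or
        $_.Trustee.Name -like "*$ComputerName$"
    }
    $note = if ($covered) { 'loopback GPO is readable by the computer' }
            else { 'grant Read to the computer, Domain Computers, or Authenticated Users' }

    New-Object PSObject -Property @{
        Gpo             = $GpoName
        ReadGrantedTo   = ($grants | ForEach-Object { $_.Trustee.Name }) -join ', '
        ExplicitDenies  = ($denies | ForEach-Object { $_.Trustee.Name }) -join ', '
        ComputerHasRead = [bool]$covered
        Note            = $note
    }
}

Test-ComputerGpoRead -GpoName 'Loopback Policy' |
    Format-List Gpo, ComputerHasRead, ReadGrantedTo, ExplicitDenies, Note
```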
  • "To resolve this issue, recreate the trust between the Active Directory domains to eliminate the downlevel trust type."

    What does it mean to recreate the trust? Is there any chance that a detailed procedure may be posted?


    --Yegor

    Tuesday, June 22, 2010 5:48 PM
  • I have a Windows 2003 R2 Enterprise domain server and have configured AD on the same server; the users log in to the same domain, but they are facing some problems: sometimes they can't access the shared printer, folder or shared network drive. They get the error "Network path was not found", and another one: "network not accessible, please contact system administrator".



    Hari Singh 9810200395
    Thursday, September 29, 2011 8:35 AM