none
SBS 2011 - event 302 RRS feed

  • Question

  • Last week, I had some troubles with the standard SBS 2011 GPO's. I tried to tackle this using the information from http://blog.korteksolutions.com/the-user-accounts-cannot-be-added-into-grouppolicy-allsbsusers-sbs-2011/, but with a twist. Before importing the file 'gpofix2011.txt' mentioned in this article, I edited the file and renamed the policies it was going to create. Then I imported the file and a bunch of new GPO's was created. By renaming them, I could easily compare both existing and newly imported policy. I didn't find any differences, so I deleted the imported (renamed) policies.

    And then it started-  the event log logs this error every 20 minutes: "The User accounts cannot be added into GroupPolicy 'AllSBSUsers'. Please Verify the GroupPolicy 'AllSBSUsers' exists.". After reading several forums and blogs, it turns to be about the GPO “Windows SBS User Policy”. Something with the SYSTEM account on the Delegation tab. Checked it and the SYSTEM account is there and has the appropriate permissions (Edit Settings, Delete, Modify security), so that's not it.

    So what's causing the error?

    Simon

    Monday, August 27, 2012 1:06 PM

All replies

  • What were the problems, and what are you actually trying to do?

    Robert Pearman SBS MVP | www.titlerequired.com | www.itauthority.co.uk

    Tuesday, August 28, 2012 11:51 AM
    Moderator
  • What were the problems, and what are you actually trying to do?

    I was examining the policy result on clients (running GPResult) and noticed a bunch of GPO's under 'Denied GPO's' with reason 'Access denied'. Those GPO's where named with their GUI instead of their name. In order to find out which policies they were, I added 'Authenticated users' to all GPO's, if absent in Security filtering. And didn't make a backup before changing this. Stupid. I _did_ export the settings of each GPO to HTML before changing anything. Good.

    It turned out a bunch of standard SBS 2011 GPO's were executed on the SBS itself, but they shouldn't - they didn't have 'Authenticated users' in their security filtering. Oops. So I tried to fix this by restoring the policy files from a backup to "C:\Windows\sysvol\sysvol\<domain>\Policies", after creating a copy of the existing policy files. That didn't do the trick, so I put the copy back and started searching for a solution. I completely forgot about the HTML files I created earlier. And that's when I stumbled across the blog mentioned above and performed the steps outlined - with the twist I described above.

    After correcting the Security filters, everything seemed to be ok again, except for event 302 appearing every 20 minutes now....

    Simon

    Wednesday, August 29, 2012 7:08 AM
  • On my SBS2011 - on the 'Windows SBS User Policy' under Security Filtering, each user is listed individually.

    Robert Pearman SBS MVP | www.titlerequired.com | www.itauthority.co.uk

    Wednesday, August 29, 2012 8:21 AM
    Moderator
  • Here too, along with a couple GUID's.

    Simon

    Wednesday, August 29, 2012 9:50 AM