Applied BaselineDC, removed it and DC still thinks policy is there

Guest

I applied Baselinedc.INF security template to selected DC's, through OU GPO. I downloaded that from SecurityOPs guide.

I noticed that since then several Userenv errors appear in eventvwr - system on the DC's that got the template applied to them.

I attempted to move DC's out of that OU-BaselineDC. I did secedit /refresh machine_policy /enforce, I rebooted the DC's 2 times and waited about an hour to make sure replication was completed.

Then I go to my DC and do gpresult: it still lists PolicyBaselineDC as an applied GPO. There is no such policy anymore. I continue to get several Userenv errors (Windows cannot determine the user or computer name).

How can I get rid of that policy that the DC thinks is still applied to it?
 
Ace Fekay [MVP]

In
Marlon Brown said:
I applied Baselinedc.INF security template to selected DC's, through
OU GPO. I downloaded that from SecurityOPs guide.

I noticed that since then several Userenv errors appear in eventvwr -
system on the DC's that got the template applied to them.

I attempted to move DC's out of that OU-BaselineDC. I did secedit
/refresh machine_policy /enforce, I rebooted the DC's 2 times and
waited about an hour to make sure replication was completed.

Then I go to my DC and do gpresult: it still lists PolicyBaselineDC as
an applied GPO. There is no such policy anymore. I continue to get
several Userenv errors (Windows cannot determine the user or computer
name).

How can I get rid of that policy that the DC thinks is still
applied to it?

Actually it's really still a policy that's being applied.

As for the errors, can you post an unedited ipconfig /all to check your
configuration out? This will give us a starting point in diagnosis.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Marlon Brown

Darn. I have access only thru TS to MYDC and now that baselineDC.inf that is
still applied apparently is 'blocking' TS connections. I tried to connect
to it to get the info you requested but TS fails. The only way that I can
retrieve info is thru eventvwr or only on Monday when I come back to the
office and log on to the DC locally.
 
Ace Fekay [MVP]

In
Marlon Brown said:
Darn. I have access only thru TS to MYDC and now that baselineDC.inf
that is still applied apparently is 'blocking' TS connections. I
tried to connect to it to get the info you requested but TS fails.
The only way that I can retrieve info is thru eventvwr or only on
Monday when I come back to the office and log on to the DC locally.

Maybe when you go into the office Monday, you can use the Security and
Analysis snap in and set the regular policy on it to eliminate what you did,
unless you can uninstall it. Not sure what you did, but I believe you set it
to the local policy and not to the Domain Controller GPO.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Marlon Brown

I am positive it was something caused by that BaselineDC applied on the OU. I
applied that one to two DC's in an isolated OU and both now present the same
Userenv errors and don't allow connections thru TS. Could that BaselineDC have
somehow blocked the ability to see new policies on the local DCs?

I don't have backups from those specific servers. How can I get rid of those
settings done in the registry and other modifications done by that
baselinedc.inf?
 
Ace Fekay [MVP]

In
Marlon Brown said:
I am positive it was something caused by that BaselineDC applied on the OU. I
applied that one to two DC's in an isolated OU and both now present the
same Userenv errors and don't allow connections thru TS. Could that
BaselineDC have somehow blocked the ability to see new policies on the
local DCs?

I don't have backups from those specific servers. How can I get rid
of those settings done in the registry and other modifications done
by that baselinedc.inf?


As I mentioned, you can use Security and Analysis console.

Best practices for Security Configuration and Analysis:
http://www.microsoft.com/technet/tr...wsserver2003/proddocs/entserver/sag_SCMbp.asp


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Laura A. Robinson

circa Sat, 25 Oct 2003 09:11:07 -0700, in
microsoft.public.win2000.active_directory, Marlon Brown
([email protected]) said,
I applied Baselinedc.INF security template to selected DC's, through OU GPO. I downloaded that from SecurityOPs guide.

I noticed that since then several Userenv errors appear in eventvwr - system on the DC's that got the template applied to them.

I attempted to move DC's out of that OU-BaselineDC. I did secedit /refresh machine_policy /enforce, I rebooted the DC's 2 times and waited about an hour to make sure replication was completed.

Then I go to my DC and do gpresult: it still lists PolicyBaselineDC as an applied GPO. There is no such policy anymore. I continue to get several Userenv errors (Windows cannot determine the user or computer name).

How can I get rid of that policy that the DC thinks is still applied to it?
First, moving DCs out of the Domain Controllers OU is generally not a
good idea, for reasons such as what you're encountering. :)

With that said, when you promote a server to become a DC, security
settings applied to it during the process are saved as DC
Security.inf. Put your DCs back into the Domain Controllers OU and
assign the DC Security security template; this should clear up your
problem if it was, indeed, the template change that caused your
problems.

HTH,

Laura
 
Marlon Brown

Responses below.
Laura A. Robinson said:
circa Sat, 25 Oct 2003 09:11:07 -0700, in
microsoft.public.win2000.active_directory, Marlon Brown
([email protected]) said,
/refresh machine_policy /enforce, I rebooted the DC's 2 times and waited
about an hour to make sure replication was completed.applied GPO. There is no such policy anymore. I continue to get several
Userenv errors (Windows cannot determine the user or computer name).
First, moving DCs out of the Domain Controllers OU is generally not a
good idea, for reasons such as what you're encountering. :)
How would you apply such an .inf file to DC's then? Would you apply that to
all DC's in your production environment?
After testing those I moved selected pilot DC's to an OU that has DC
policies applied to it, but now using the aforementioned .inf file.
With that said, when you promote a server to become a DC, security
settings applied to it during the process are saved as DC
Security.inf. Put your DCs back into the Domain Controllers OU and
assign the DC Security security template; this should clear up your
problem if it was, indeed, the template change that caused your
problems.


Unfortunately applying the dc security.inf didn't clear it. Anything coming
from domain policies was no longer replicated to the affected DC's. I ran secedit
and reapplied the .sdb for DC's on both machines and forced replication. It
seems it is working now.

Thank you
 
Laura A. Robinson

circa Sun, 26 Oct 2003 20:03:20 -0800, in
microsoft.public.win2000.active_directory, Marlon Brown
([email protected]) said,
How would you apply such an .inf file to DC's then? Would you apply that to
all DC's in your production environment?

No, I would test in a lab.
After testing those I moved selected pilot DC's to an OU that has DC
policies applied to it, but now using the aforementioned .inf file.



Unfortunately applying the dc security.inf didn't clear it.

That's because you didn't put the DCs back where they belong, si?
Anything coming
from domain policies was no longer replicated to the affected DC's. I ran secedit
and reapplied the .sdb for DC's on both machines and forced replication. It
seems it is working now.

I would strongly encourage you to reassign that template by importing
it into group policy at the Domain Controllers OU and putting all of
your DCs back into that OU. The worst you will do is return them to
their initial DCPromo states. :)
Thank you

You're welcome,

Laura
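The recovery Laura outlines and Marlon describes (re-apply the dcpromo-time "DC security.inf" with secedit, refresh machine policy, then check gpresult), written out as a cmd batch file. This is an added example and not commands from the thread; the database and log file names (dcreset.sdb, dcreset.log) and the STALE_GPO value are constructed placeholders, and the template path assumes a default Windows 2000/2003 install. Run it on the DC itself as an administrator.

```batch
@echo off
rem Added example, not from the thread: re-baseline a domain controller with
rem the template that dcpromo saved ("DC security.inf"), as Laura suggests,
rem then verify which GPOs the machine still reports as applied.
rem Assumes Windows 2000/2003 default paths; run from cmd on the DC itself.
setlocal

set "TEMPLATE=%SystemRoot%\security\templates\DC security.inf"
set "DB=%SystemRoot%\security\database\dcreset.sdb"
set "LOG=%SystemRoot%\security\logs\dcreset.log"
rem Constructed placeholder: the GPO name you expect to be gone.
set "STALE_GPO=PolicyBaselineDC"

if not exist "%TEMPLATE%" (
    echo Template not found: "%TEMPLATE%"
    exit /b 1
)

rem 1. Analyze before changing anything: the log lists every setting that
rem    currently differs from the dcpromo baseline, which doubles as a
rem    record of what the earlier template changed on this box.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%"

rem 2. Apply the template. /overwrite empties the database first so only
rem    this template's settings go in; /quiet suppresses the confirmation.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit /configure reported errors, see "%LOG%"
    exit /b 1
)

rem 3. Force a machine policy refresh. This is the Windows 2000 syntax;
rem    on Windows XP/2003 use: gpupdate /target:computer /force
secedit /refreshpolicy machine_policy /enforce

rem 4. Verify. Local secedit changes are overridden at the next refresh by
rem    whatever GPOs are linked to the OU the DC sits in, so if the stale
rem    GPO still shows up here, the DC is still in an OU where it is linked.
gpresult /v > "%TEMP%\gpresult.txt"
findstr /i /c:"%STALE_GPO%" "%TEMP%\gpresult.txt" >nul
if not errorlevel 1 (
    echo "%STALE_GPO%" is still listed as applied: move the DC back to the
    echo Domain Controllers OU and re-check the GPO links on that OU.
    exit /b 2
)
echo "%STALE_GPO%" is no longer applied to this DC.
endlocal
```

The analyze step is deliberately kept separate from configure: its log is the only record of what the baseline template changed when, as here, there is no backup of the servers. Step 4 is the part that answers the original question: if gpresult still names the GPO after a local re-baseline and a policy refresh, the setting is not a stale cache but a GPO that is still linked somewhere above the DC's current OU.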
 
