GPO for user not applied

Uffe

Hi,

We have a domain with W2ksp4 based DCs and WinXPsp2 clients.

The GPOs for the user are not being applied to domain users, but they are
applied to domain admins.
Permissions for the GPO are Authenticated Users - Read and Apply Group
Policy.

On the client I get an error in the application event log with:
Source: Userenv
Event ID: 1053
User: NT INSTANS\SYSTEM
Description:
Windows cannot determine the user or computer name. (No mapping between
account names and security IDs was done). Group Policy processing aborted.

Any suggestions appreciated.

/Uffe
 
Florian Frommherz

Howdie!

> On the client i get an error in the application eventlog with:
> Source: Userenv
> Event ID: 1053
> User: NT INSTANS\SYSTEM
> Description:
> Windows cannot determine the user or computer name. (No mapping between
> account names and security IDs was done). Group Policy processing aborted.

The secure channel between the computer and the domain (controllers)
might be broken. Reset the computer's Active Directory account and try
unjoining and re-joining it to the domain.

cheers,

Florian
 
Uffe

Thanks for the response, but I don't think that is the problem, because
computer policies get applied and user policies also get applied if the user
has domain admin privileges.
It is only user policies that don't get applied. I thought it had
something to do with permissions, but I can't figure out where.

/Uffe
 
Mike Luo [MSFT]

Hello,

Thank you for using newsgroup!

I have the following suggestions to narrow down this problem:
1. Use the same user to log on from another computer, to see if this
problem occurs on one computer or all computers.
2. Type \\Domain.com\SYSVOL\Domain.com\policies\{GUID} and access every folder
under policies, to check if the account has the permissions to access
policies.
3. You can use the command: "Showacls /s
c:\Windows\Sysvol\Sysvol\domain.com\policies >c:\acls.txt". This command
will export all permissions on the policies folder and its sub-folders into the
acls.txt file. Please post acls.txt to the newsgroup.

Thanks & Regards,

Mike Luo

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Uffe

Hi,

Answers to the suggestions below:
1. Same problem on all computers.
2. No problem browsing the \\Domain.com\SYSVOL\Domain.com\policies\{GUID}
structure.
3. Showacls is a reskit tool for W2k3. Is it possible to run it on W2k?

/Uffe
 
Uffe

Complementary answer: I tried the W2k3 reskit tool and it seemed to work
just fine on W2k as well, even if it isn't supported.
I have attached the result.

/Uffe
 
Mike Luo [MSFT]

Hello,

Thank you for your update!

I checked the ACLs; there is no problem. I would like to enable userenv.log
on one Windows XP client so we can perform further troubleshooting. To
enable userenv.log:

1. Add the following registry value:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: UserEnvDebugLevel
Value Type: REG_DWORD
Value Data: 10002 (Hex)

The log file is written to the %SystemRoot%\Debug\UserMode\Userenv.log file.

2. Reboot the Windows XP client, and log on as a domain account.

Please post the Userenv.log to the newsgroup.

Thanks.

Mike Luo

 
Mike Luo [MSFT]

Hello,

I checked the userenv.log file and found "GetUserNameEx failed with 1317".
This message means that the user can't be determined, so GPOs can't be applied.
This may be caused by the Authenticated Users group having no permissions on
the container including users and computers. Please check the domain, OU, and
computers, and make sure that the Authenticated Users group has read permission.

Thanks & Regards,

Mike Luo

 
Uffe

Hi,

That was the problem: Authenticated Users lacked read permissions on the OU
where the user object is.

Thanks for your help, Mike.

Kind Regards,
Uffe
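
The check that resolved this thread, sketched as an added example (not part of any post above, and written for current PowerShell rather than the W2k-era tools used in the thread): it walks from a user object up to the domain root and reports whether Authenticated Users holds Read on each level. The DN is a hypothetical placeholder, and "Read" is assumed to mean the GenericRead set shown as Read in the ACL editor.

```powershell
# Added example, not from the thread. Run as an account that can read the ACLs.
param(
    # Hypothetical DN: replace with the affected user's distinguishedName.
    [string]$UserDN = 'CN=Test User,OU=Staff,DC=domain,DC=com'
)

$AuthUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users
$Read = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

function Get-AuthUsersRead {
    param([string]$DN)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DN")
    # Explicit and inherited ACEs, with trustees returned as SIDs.
    $rules = $entry.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $allow = 0; $deny = 0
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $AuthUsersSid) { continue }
        # Skip ACEs scoped to a single property or extended right, and
        # inherit-only ACEs, which affect child objects but not this one.
        if ($ace.ObjectType -ne [Guid]::Empty) { continue }
        if ($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.ActiveDirectoryRights
        } else {
            $deny = $deny -bor [int]$ace.ActiveDirectoryRights
        }
    }
    # Simplification: any Deny bit for this trustee cancels the matching Allow bit.
    $effective = $allow -band (-bnot $deny)
    [pscustomobject]@{
        DN      = $DN
        ReadOK  = (($effective -band $Read) -eq $Read)
        Allowed = '0x{0:X}' -f $allow
        Denied  = '0x{0:X}' -f $deny
    }
}

# Walk from the user object up to the domain root (first DC= component).
$dn = $UserDN
while ($dn) {
    Get-AuthUsersRead -DN $dn
    if ($dn -match '^DC=') { break }
    $dn = ($dn -split '(?<!\\),', 2)[1]   # drop the leftmost RDN
}
```

A level with ReadOK = False is where to look first. The script inspects only ACEs for Authenticated Users, so access granted or denied through other groups is not reflected.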
 
Mike Luo [MSFT]

Thank you for the confirmation. Glad to know that the problem is solved now.

If you need more help or have other concerns in the future, just post back
into the newsgroup. It is always our pleasure to be of help. Have a nice
day!

Mike Luo

 
