Group Policy Errors

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi,

This is a complicated problem that I've searched and tried many things to
help solve to no avail. I would be very happy if someone could give me a
hand.

We have one domain controller. The C partition is 3.99 GB and has 31 MB
free. I am trying to apply a group policy which will cause computers to
automatically patch themselves using a SUS server that I just set up. The
policy does not take effect on the clients. Here are the error messages from
event logs:

1. On the domain controller:

This error message shows up every 5 minutes in the application log:
Source: SceCli
Event ID: 1202
Security Policies are propogated with warning. 0x534: No mapping between
account names and security IDs was done.

In the File Replication Service log I get the following warnings:
Source: NtFrs
Event ID: 13564
The file replication service has detected that the volume holding the FRS
debug logs is running out of disk space. This will not affect replication
unless this volume hosts database, staging, or replica root paths as well.

Source: NtFrs
Event ID: 13516
The file replication service is no longer preventing the computer FOODC from
becoming a domain controller. The system volume has been notified that the
system volume is now ready to be shared as SYSVOL...


2. On a Windows 2003 member server and on XP Professional clients:

Source: Userenv
EventID: 1030
Windows cannot query for the list of Group Policy objects...

Source: Userenv
EventID: 1101
Windows cannot access the the object
OU=TestEnvironment,DC=Foo,DC=local in Active Directory. The access to the
object may be denied. Group Policy processing aborted.

3. On Windows 2000 professional clients:

the policy is not applied correctly and there appear to be no corresponding
error messages in the event viewer.

Things I've tried already:

I followed the instructions of Q324383: Troubleshooting SCECLI 1202 events.

Under the troubleshooting steps, it says to determine the account that is
causing the failure. When I type in "find /i "cannot find"
%SYSTEMROOT%\security\logs\winlogon.log" I get:

--------------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
Cannot find Power Users.
<this message is repeated about 54 times>

Then when I try the next step of "find /i "Power Users"
%SYSTEMROOT%\security\templates\policies\gpt*.*" I get:

File not found - C:\WINNT\security\templates\policies\gpt*.*

*********

I would like to apply the group policy to all the computers in the domain.
All help is greatly appreciated.

Thanks,

Steve
 
stevendytiuk said:
Hi,

This is a complicated problem that I've searched and tried
many things to
help solve to no avail. I would be very happy if someone
could give me a
hand.

We have one domain controller. The C partition is 3.99 GB and
has 31 MB
free. I am trying to apply a group policy which will cause
computers to
automatically patch themselves using a SUS server that I just
set up. The
policy does not take effect on the clients. Here are the
error messages from
event logs:

1. On the domain controller:

This error message shows up every 5 minutes in the application
log:
Source: SceCli
Event ID: 1202
Security Policies are propogated with warning. 0x534: No
mapping between
account names and security IDs was done.

In the File Replication Service log I get the following
warnings:
Source: NtFrs
Event ID: 13564
The file replication service has detected that the volume
holding the FRS
debug logs is running out of disk space. This will not affect
replication
unless this volume hosts database, staging, or replica root
paths as well.

Source: NtFrs
Event ID: 13516
The file replication service is no longer preventing the
computer FOODC from
becoming a domain controller. The system volume has been
notified that the
system volume is now ready to be shared as SYSVOL...


2. On a Windows 2003 member server and on XP Professional
clients:

Source: Userenv
EventID: 1030
Windows cannot query for the list of Group Policy objects...

Source: Userenv
EventID: 1101
Windows cannot access the the object
OU=TestEnvironment,DC=Foo,DC=local in Active Directory. The
access to the
object may be denied. Group Policy processing aborted.

3. On Windows 2000 professional clients:

the policy is not applied correctly and there appear to be no
corresponding
error messages in the event viewer.

Things I've tried already:

I followed the instructions of Q324383: Troubleshooting SCECLI
1202 events.

Under the troubleshooting steps, it says to determine the
account that is
causing the failure. When I type in "find /i "cannot find"
%SYSTEMROOT%securitylogswinlogon.log" I get:

--------------- C:WINNTSECURITYLOGSWINLOGON.LOG
Cannot find Power Users.
<this message is repeated about 54 times>

Then when I try the next step of "find /i "Power Users"
%SYSTEMROOT%securitytemplatespoliciesgpt*.*" I get:

File not found - C:WINNTsecuritytemplatespoliciesgpt*.*

*********

I would like to apply the group policy to all the computers in
the domain.
All help is greatly appreciated.

Thanks,

Steve

Hi,

First of all, I would uninstall everything you can from the C: and
install on the other partition (Which I am assuming you have). Eg.
MSOffice etc. Also move any shares to the other partition as well.
The DC is not going to last long with only 31MB free. You need at
least 1GB free. Do a search on C:\ for files larger than 1MB. Move
all that aren’t system files. I was surprised how many large "junk"
files I had on my C: taking up space. Also DON’T install SUS on this
DC. It will fill the drive up in seconds. As you don’t have the
ability to Choose what you download just what you ’authorize’ it fills
up pretty quick with useless updates for OS’ you don’t have.

About the Errors. Go to your DC. Go to the Default Domain
Controllers Group Policy. Go to User Rights Assignment (Under Comp
Config-Windows-Security Settings-Local Policies) Look in the Security
Setting list for any "Deleted" accounts. You will recognize them by
the GUID in replacement of the name. Edit the Policy to delete the
GUID. Do the Same for Default Domain Group Policy and any Computer
Group Policies you may have setup.

I went to www.eventid.net which is the BEST Source I have found for
Event Viewer Errors. When putting in SceCli 1202 I got the following

http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&phase=1

It forwarded me to the MS Site
http://support.microsoft.com/default.aspx?scid=kb;en-us;247482

The Ntfrs warnings will go away when you clean out your C:\
The other warnings on the clients will go away when you find the
annoying deleted account.

Also, check you have DNS setup correctly. I have it laid out on my
website http://www.sd61.bc.ca/windows2000 "Under XP and Setting up
Internal DNS Server"

Cheers,

Lara
 
Thank you Lara for your excellent help.

I managed to free up some space, giving 67 MB free. There are a lot of log
files on the C partition that I think I can delete but I'm scared to delete
things in case they actually are important and cause major problems ;) At
any rate the NTFRS errors are not showing up anymore.

I discovered that the deleted account was caused by not having a "power
users" security group. I simply created one and now the SceCli Event 1202 is
gone and I get a message saying that the group policy applied successfully.
This web site helped me figure the Power Users problem:
http://www.5rocks.com/item.asp?ID=395

Now, even though the event viewer says that the group policy is applied
successfully, I still do not see the results of it on my clients. I am still
trying to resolve the Userenv errors on those clients.

I am also going to check out the DNS setup as per your last paragraph.

Whew, this is a lot more work than I thought it would be. Thanks again for
your help and if you have any other suggestions I'd be happy to hear them.

Happy New Year!

Steve
 
Hi Steve,
I discovered that the deleted account was caused by not having a
"power users" security group. I simply created one and now the SceCli
Event 1202 is gone and I get a message saying that the group policy
applied successfully.

I thought for some reason that may be the problem. The Power Users
group is a Windows Default group so although I don’t give it any
priviledges I make sure it isn’t deleted just to avoid any errors.

DNS is more than likely if your Group Policy isn’t applying. From
reading your original post I actually thought the errors were relating
to another issue. Setup your DNS like I explained in my website and
it should fix your GP problems. If you have a DHCP Server, in the
properties of the Domain, under the DNS tab make sure you click to
"always register clients in DNS" and "Register clients that don’t
use dynamic DNS"

Running ipconfig /flushdns and ipconfig /registerdns from the command
line of the problem machines may help. Also install NETDOM from the
Windows 2000 Server CD (support tools) and run netdom reset
computername for the machines having difficulties. Make sure that DNS
is setup correctly first and that the IP’s and the machine names
listed in DNS forward AND reverse match the IP and the machine name in
DHCP.

Cheers,

Lara
 
Hi,

One more thing
I managed to free up some space, giving 67 MB free. There are a lot of
log files on the C partition that I think I can delete but I’m
scared to delete

You will really need to free up stuff on C:\ Even 67 MB is not
enough. What do you have installed? Can any of it be installed on
another drive? You can run Disk Cleanup by right clicking the
drive-properties and clicking the Disk Cleanup button. It will
indentify any files you can delete safely. Also remove any Windows
Component files that you don’t need.

You should be safe to delete old log files. I would backup to CD and
then if you are getting errors with regards to them then you can
restore them. Also you can delete the i386 folder if you have that on
your drive. (As long as you have the Windows CD)

The other thing would be to invest in Partition Magic and increase the
size of the partition.

Cheers,

Lara
 
Hi Again

Well I tried all the tips you suggested, and group policy is still not
working. It appears that we have a ghost domain controller lurking, though.
I'm not sure how this came about since I am pretty new to the company, but
Computer2 is listed as a domain controller in AD and there are errors that it
cannot be replicated to. Computer2 exists but does not appear to be a domain
controller.

Do you think this could be the reason group policy isn't working?

Thanks for your help... sorry for the big delay - I waited a while since I
am quite frustrated at this problem ;)

Steve
 
Hi,
Computer2 is listed as a domain controller in AD and there are errors
that it cannot be replicated to. Computer2 exists but does not appear
to be a domain controller.

Logon and make sure the computer is not a DC. If it isn’t then move it
out of the Domain Controllers OU. See if that fixes your problems. It
sounds like you have quite a few issues in this Domain. It is hard to
troubleshoot remotely.

Good Luck

Lara
 
Back
Top