NULL SID group prevents group policy processing

M

mocity

When i run gpresult on XP machines in our domain which
consists of mostly Win2000 domain controllers and a few
win2003 domain controllers (primary domain controller is
2000), I get the following output:

Applied Group Policy Objects
-----------------------------
Local Group Policy

The following GPOs were not applied because they were
filtered out
Default Domain Policy
Filtering: Denied (Security)

Default Computer Group Policy Object
Filtering: Denied (Security)

Default Domain Policy
Filtering: Denied (Security)

The computer is a part of the following security
groups:

NULL SID
NT AUTHORITY\NETWORK

What is the NULL SID group? is that a builtin group?
why I am not an authenticated user should I be?

2000 machines give gpresult output like:

FINANCE\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Power Users
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
OURDOMAIN\Domain Admins

Also, i should note in the XP machine's logs , we get a
kerberos PAC verification error, Event ID 7 . the help
center link told me to use nltest to check the secure
channel and I did and it looks fine i think except if
type
nltest /sc_query:blush:urdomain /server:primarydomaincontroller
i get I_netlogoncontrol_failed: Status = 1355 0x54b
ERROR_NO_SUCH_DOMAIN.

one more caveat: am I supposed to have kerberos key
distribution center running on all DC's?

thanks. sorry for the long posting.

-mocity

if somebody could shed light on
 
T

Tim Hines [MSFT]

The gpresult output indicates that your computer account is a member of the
NEW SID group. This is not a default group.

Your computer account should be a in authenticated users. If you look at
the user portion of gpresult you will probably see that your account is a
member of the group. The user section is at the bottom of the report.

The error from scquery usually indicates that there is a problem contacting
DCs. It could also be caused by typo errors when running the command.

The KDC service should run on all DCs. If it is not you should start it and
make sure that it is set to auto.


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
G

Guest

Thanks for your response. i just wanted to verify one thing:
you wrote "NEW SID" group, do you mean that as is, or NULL SID as
in the gpresult output?
and Should I be able to see this group in the list of security groups in active directory?

-mocity.
 
T

Tim Hines [MSFT]

Yes I meant NULL SID. You should be able to see the group
--
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Windows XP Logon script location 3
Group Policy Problem 3
Local admin privileges gone haywire 1
Group Policy Preferences not mapping Printer in only 1 XP workstat 1
Group Policy Problems on new xp pro machine w/ SP3 1
Incorrect GPResult result 3
inheretance is broken - sdprop adminsdholder, builtin container an 0
Computer configuration in Group Policy not enforced in Vista 1

Top