Some Policies not applying after upgrade to 2003 and XP Pro-

fnstrat2

2004-10-11 14:45:04 UTC

Also seeing this in the winlogon.log file on the one domain controller having
problems.

Error 0 to send control flag 1 over to server.

Make a local copy of
\\sjc.sjca.edu\SysVol\sjc.sjca.edu\Policies\{465D3307-4C66-4AEB-BD19-DECCFE168607}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.inf.

This is the last GPO : domain policy is ignored on DC.
-------------------------------------------
Tuesday, September 07, 2004 11:29:52 AM
Copy undo values to the merged policy.

----Un-initialize configuration engine...
-------------------------------------------
Tuesday, September 07, 2004 11:29:53 AM
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...

----Configure User Rights...
Configure S-1-5-21-1451830106-1666385412-837300805-512.
Configure S-1-5-20.
Configure S-1-5-19.
Configure S-1-5-32-544.
Configure S-1-5-21-1451830106-1666385412-837300805-6151.
Configure S-1-5-21-1451830106-1666385412-837300805-1004.
Configure S-1-5-21-1451830106-1666385412-837300805-7104.
Configure S-1-5-21-1451830106-1666385412-837300805-5104.
Configure S-1-5-21-1451830106-1666385412-837300805-7105.
Configure S-1-5-21-1451830106-1666385412-837300805-5105.
Configure S-1-5-21-1451830106-1666385412-837300805-6148.
Configure S-1-5-21-1451830106-1666385412-837300805-6835.
Configure S-1-5-21-1451830106-1666385412-837300805-5056.
Configure S-1-5-11.
Configure S-1-1-0.
Configure S-1-5-32-554.
Configure S-1-5-32-549.
Configure S-1-5-32-550.
Configure S-1-5-32-551.
Configure S-1-5-32-548.
Configure S-1-5-9.
Configure S-1-5-32-545.
Configure S-1-5-21-1451830106-1666385412-837300805-2601.
Configure S-1-5-21-1451830106-1666385412-837300805-4848.

User Rights configuration was completed successfully.

----Configure Security Policy...
Configure log settings.
Configure event audit settings.

Audit/Log configuration was completed successfully.

Kerberos Policy configuration was completed successfully.
Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Configure
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
Configure
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature.

Configuration of Registry Values was completed successfully.

----Configure available attachment engines...

Configuration of attachment engines was completed successfully.

----Un-initialize configuration engine...
**************************

Error 0 to send control flag 1 over to server.

Make a local copy of
\\sjc.sjca.edu\SysVol\sjc.sjca.edu\Policies\{465D3307-4C66-4AEB-BD19-DECCFE168607}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Post by fnstrat2
After upgrading our servers and some clients I've started noticing a lot of
weird problems and have discovered that many machines are getting policy
processing errors. I use a very large number of policies on our machines so
it is causing quit a few problems.
Security policies propagated with warning. 0x4b8: An extended error has
occurred. Please review the detailed log security\logs\winlogon.log
When I look in Resultant set of Policy I see this error under the precedence
GPOs higher in the list have the highest priority
The policy engine did not attempt to configure the setting.
Configure User Rights
Configure s-1-5-32-544
Error 1168. Element not found.
Some user rights are not defined in SecEdit
Erron configuring 5-.... etc.
Could this problem be caused by inconsistent or wrong version of the *.adm
files being used in the policies? When upgrading to XP and 2003 do I need to
change all the .adm files to support XP?
Does anyone know how I can track this problem down?
Thanks for any help.