RE: [ActiveDir] Security Group Policy Not Applying

[Darren Mar-Elia]

Unless you are entering the group as free text (i.e. just typing it in). Couple 
of points here. Using restricted group policy on DCs to control domain group 
membership is bad news. I would simply avoid it. This particular error 
indicates that you are trying to add a group to a domain local group that is 
from another domain, and that this is not allowed--at least not on a domain 
local group. I would go into the Restricted Groups policies that are applying 
to your DCs (either linked to the Domain Controllers OU or to the Domain) and 
figure which policy is doing this. You can also run rsop.msc on the DC in 
question to see which GPO is delivering the winning restricted groups policy.

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 13, 2005 6:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Group Policy Not Applying

It sounds like a restricted groups policy being attempted wrong.....But, from 
what I've seen, it won't even let you try that.

John




                                                                           
             Sudhir Kaushal                                                
             <[EMAIL PROTECTED]                                             
             m>                                                         To 
             Sent by:                  ActiveDir@mail.activedir.org        
             [EMAIL PROTECTED]                                          cc 
             ail.activedir.org                                             
                                                                   Subject 
                                       RE: [ActiveDir] Security Group      
             09/13/2005 07:39          Policy Not Applying                 
             AM                                                            
                                                                           
                                                                           
             Please respond to                                             
             [EMAIL PROTECTED]                                             
                tivedir.org                                                
                                                                           
                                                                           





Thanks for the response.. However i have already checked this and all the 
related policies in win2003 are not defined in my case.. :-(

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You lose Gold”








----------------------------------------------------------------------------------------

This is a PRIVATE message. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.
----------------------------------------------------------------------------------------



                                                                          
    <deji                                                                 
    @readymaids.com>             To:                                      
    Sent by:             <ActiveDir@mail.activedir.org>                   
    ActiveDir-owner              cc:                                      
                                 Subject:        RE: [ActiveDir] Security 
                         Group Policy Not Applying                        
    09/13/2005 06:00 PM                                                   
    Please respond to                                                     
    ActiveDir                                                             
                                                                          





http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&pha

se=1

Look at the 0x4b8 section.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Sudhir Kaushal
Sent: Tue 9/13/2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Group Policy Not Applying



Hi all

I'm having an issue with ONE of my DC's (Win2003) not applying a group policy 
object.

in the event viewer of the DC's i'm getting this errors after every 5 min

Event id: 1202
"Security policies were propagated with warning.
0x4b8 : An extended error has occurred."

When I drill down to the clients winlogon.log file i see the following entry


Error 0  to send the control flag 1 over to server.

Make a local copy of
\\domain.dom\sysvol\domain.dom\Policies\{31B2F340-0160-11D2-945F-00C04FB984F9

}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.
This is not the last GPO.

The log file also specifies:

Warning 2 - The system cannnot find the file specified.
cannot find the remote desktop users.
Configure the remote desktop users.
  add <domainname>\group name
Error 8520 - A local group cannot have another cross domain local group as 
member.



Has anyone ever seen this error and/or know what the solution is.

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

"You never win Silver, You lose Gold"




-----------------------------------------------------------------------------

-----------
This is a PRIVATE message. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.
-----------------------------------------------------------------------------

-----------


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[EMAIL PROTECTED]       Vry&-4ibb