Fw: [ActiveDir] Security Group Policy Not Applying

[Sudhir Kaushal]

Hi All,

One small query in this regard.. The problem i was facing because of one domain local group added in the restricted group in the default domain controller policy.

Can we have global group defined in the restricted groups in the default domain controller policy instead of domain local group ??

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649
 
“You never win Silver, You lose Gold”

 

 


----------------------------------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
----------------------------------------------------------------------------------------

----- Forwarded by Sudhir Kaushal/GIS/CSC on 09/14/2005 11:11 AM -----

Sudhir Kaushal/GIS/CSC @CSC Sent by: ActiveDir-owner 09/14/2005 10:36 AM Please respond to ActiveDir

To:        ActiveDir@mail.activedir.org         cc:                 Subject:        RE: [ActiveDir] Security Group Policy Not Applying

Hi All,

Thanks to  everyone for guiding me to the solution. It was because of the restricted group policy on the DC's to control the domain group membership. I removed it and updated the GP.and it worked.
Have a nice day... :-)

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649
 
“You never win Silver, You lose Gold”

 

 


----------------------------------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
----------------------------------------------------------------------------------------

"Darren Mar-Elia" <darren.marelia @quest.com> Sent by: ActiveDir-owner 09/13/2005 10:29 PM Please respond to ActiveDir

To:        <ActiveDir@mail.activedir.org>        cc:                Subject:        RE: [ActiveDir] Security Group Policy Not Applying

Unless you are entering the group as free text (i.e. just typing it in). Couple of points here. Using restricted group policy on DCs to control domain group membership is bad news. I would simply avoid it. This particular error indicates that you are trying to add a group to a domain local group that is from another domain, and that this is not allowed--at least not on a domain local group. I would go into the Restricted Groups policies that are applying to your DCs (either linked to the Domain Controllers OU or to the Domain) and figure which policy is doing this. You can also run rsop.msc on the DC in question to see which GPO is delivering the winning restricted groups policy.

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 13, 2005 6:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Group Policy Not Applying

It sounds like a restricted groups policy being attempted wrong.....But, from what I've seen, it won't even let you try that.

John




                                                                         
           Sudhir Kaushal                                                
           <[EMAIL PROTECTED]                                            
           m>                                                         To
           Sent by:                  ActiveDir@mail.activedir.org        
           [EMAIL PROTECTED]                                          cc
           ail.activedir.org                                            
                                                                 Subject
                                     RE: [ActiveDir] Security Group      
           09/13/2005 07:39          Policy Not Applying                
           AM                                                            
                                                                         
                                                                         
           Please respond to                                            
           [EMAIL PROTECTED]                                            
              tivedir.org                                                
                                                                         
                                                                         





Thanks for the response.. However i have already checked this and all the related policies in win2003 are not defined in my case.. :-(

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You lose Gold”








----------------------------------------------------------------------------------------

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
----------------------------------------------------------------------------------------



                                                                       
  <deji                                                                
  @readymaids.com>             To:                                      
  Sent by:             <ActiveDir@mail.activedir.org>                  
  ActiveDir-owner              cc:                                      
                               Subject:        RE: [ActiveDir] Security
                       Group Policy Not Applying                        
  09/13/2005 06:00 PM                                                  
  Please respond to                                                    
  ActiveDir                                                            
                                                                       





http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&pha

se=1

Look at the 0x4b8 section.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Sudhir Kaushal
Sent: Tue 9/13/2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Group Policy Not Applying



Hi all

I'm having an issue with ONE of my DC's (Win2003) not applying a group policy object.

in the event viewer of the DC's i'm getting this errors after every 5 min

Event id: 1202
"Security policies were propagated with warning.
0x4b8 : An extended error has occurred."

When I drill down to the clients winlogon.log file i see the following entry


Error 0  to send the control flag 1 over to server.

Make a local copy of
\\domain.dom\sysvol\domain.dom\Policies\{31B2F340-0160-11D2-945F-00C04FB984F9

}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.
This is not the last GPO.

The log file also specifies:

Warning 2 - The system cannnot find the file specified.
cannot find the remote desktop users.
Configure the remote desktop users.
add <domainname>\group name
Error 8520 - A local group cannot have another cross domain local group as member.



Has anyone ever seen this error and/or know what the solution is.

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

"You never win Silver, You lose Gold"




-----------------------------------------------------------------------------

-----------
This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
-----------------------------------------------------------------------------

-----------


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[EMAIL PROTECTED]                 Vry&-4ibb