Another item that causes this is when someone creates a group policy that changes the security permissions of a service. For example, one may want to change the security settings for the spooler service so that any user can restart it.
>From my experience, I have noticed that DCs will log an error, even though the security setting was changed on a member server. Deleting the services "security" subkey (i.e. HKLM\System\CurrentControlSet\Services\<service>\Security) and rebooting the server. The Security subkey will regenerate and the permissions will be setup according to the default setting for that subkey OR be set by any applicable group policies. Gill -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruess, Don Sent: Friday, June 27, 2003 11:54 AM To: NT 2000 Discussions Subject: RE: Group Policy and I am lost Thanks, but I looked for that one. I even went so far as to set all policies to "not defined" hoping it would clear it and I could re-instate new polices. Don -----Original Message----- From: Gill Gilliland [mailto:[EMAIL PROTECTED] Sent: Friday, June 27, 2003 10:30 AM To: NT 2000 Discussions Subject: RE: Group Policy and I am lost Goto your Default Domain Controllers Policy that should be linked to the Domain Controllers OU and goto "Computer Configuration\Security Settings\Local Policies\User Rights Assignment (and possibly \Security Options) and within each policy, look for orphaned SIDs. They would show up as *S-something. These SIDs are accounts that have been deleted and thus, AD cannot apply group policies to them :) The orphaned account SIDs can be deleted, but use caution. It may be that the SID is being looked up and its taking awhile. I usually use a resource kit tool to look up the SID to verify that it does not map to an account. If you do delete an active SID, you are just removing it from the permissions list on that policy, not actually deleting THE SID. If needed, simply add the account back into the permissions list. Gill -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruess, Don Sent: Friday, June 27, 2003 10:25 AM To: NT 2000 Discussions Subject: RE: Group Policy and I am lost It is on a DC Don -----Original Message----- From: Gill Gilliland [mailto:[EMAIL PROTECTED] Sent: Friday, June 27, 2003 9:01 AM To: NT 2000 Discussions Subject: RE: Group Policy and I am lost Sorry for the repeated replies...For some reason the email bounce for me is ultra slow... Gill -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruess, Don Sent: Friday, June 27, 2003 9:35 AM To: NT 2000 Discussions Subject: RE: Group Policy and I am lost I have checked the permissions and all seems to be ok. I will take a look at the bind order. Thanks, Don -----Original Message----- From: Meade, Devin [mailto:[EMAIL PROTECTED] Sent: Thursday, June 26, 2003 5:14 PM To: NT 2000 Discussions Subject: RE: Group Policy and I am lost Look at: Q290647 - c/b NTFS permission to SYSVOL - Q258296 - c/b binding order We had status code 3's every five mins and this was it. (I know you said you are getting 2's) Devin L. Meade, CNE, MCP Network Administrator Frankfurt-Short-Bruza www.fsb-ae.com www.oklahomadome.com -----Original Message----- From: Don bruess [mailto:[EMAIL PROTECTED] Sent: Thursday, June 26, 2003 5:03 PM To: NT 2000 Discussions Subject: Group Policy and I am lost I keep getting this error and have looked on eventid.net and Microsoft and have been unable to find information about it. "The Group Policy client-site extension Scripts was passed flags [17] and returned a failure status code of [2]." I find a lot of references to failure status code [3] and others but not to [2]. It is one of the errors that show up in the log every 5 minutes however I have check and have none of the problems the other status codes allude to. If you have any information that would help or if you could remove the blinders I would be very grateful. Thanks Don ------ You are subscribed as [EMAIL PROTECTED] Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&la ng=e nglish To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&la ng=e nglish To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&la ng=english To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&la ng=e nglish To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&la ng=english To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&la ng=e nglish To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&la ng=english To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&lang=english To unsubscribe send a blank email to [EMAIL PROTECTED]
