Announcement

Collapse
No announcement yet.

Xp clients

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Xp clients

    Hi

    4 of my xp pro clients have 1030 errors along with 40960/40961

    Previous admin never set the GPO.
    This is a w2k server in 1 forest - ad-integrated domain/ single level domain.
    1 DC/DNS no exchange or wins

    I already checked eventid.net cannot find the answer that would fix my problem.

    I downloaded gpmc.msi when I try to browse to other computer I get access denied.

    Thanks in Advance
    Joe

  • #2
    Re: Xp clients

    Hi Joe.
    Could you post the full errors of each event id?
    What SP level is your DC at?
    Originally posted by bravored View Post
    I downloaded gpmc.msi when I try to browse to other computer I get access denied.
    From where to where? Did you use administrative credentials?
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    Comment


    • #3
      Re: Xp clients

      from the xp client
      Event Type: Warning
      Event Source: LSASRV
      Event Category: (3)
      Event ID: 40961
      Date: 11/15/2006
      Time: 1:36:35 AM
      User: N/A
      Computer: NGIT-118
      Description:
      The Security System could not establish a secured connection with the server ldap/server info No authentication protocol was available.

      Event Type: Error
      Event Source: Userenv
      Event Category: None
      Event ID: 1030
      Date: 11/15/2006
      Time: 3:12:43 AM
      User:
      Computer:
      Description:
      Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

      Windows 2000 DC is SP4
      No errors on the DC. I only have 1. I am not using dc replication.

      Just confused why only 4 pcs have these errors. At one time I implemented a WSUS but I had removed all. I think the issues started after I stopped using WSUS. But not sure.

      Joe

      Comment


      • #4
        Re: Xp clients

        First off run NETdiag and DCdiag on the DC

        1. Could be a DNS problem. I take it you have checked the client machines are pointed to the correct address for DNS ?

        2. Logon to one of the affected clients and browse to :\\server_name\sysvol\Domain_name\policies. You should see a list of GUIDs, and you should be able to browse them. ?

        This should give you more idea of the problem. I cant see how removing the wsus server would cause a problem unless it had other roles, or a GPO was corrupted which is not impossible but unlikely.
        The Univurse is still winning!

        W2K AD, WSUS, RIS 2003. ISA also AVG Server
        ** If contributors help you, recognise them and give reputation points where appropriate **

        Comment


        • #5
          Re: Xp clients

          I went through 2 computers that has the event id 40961 1030; I was able to browse through the \\server_name\sysvol\Domain_name\policies

          I ran netdiag/dcdiag on the DC - only the systemlog failed on the dcdiag/always fails on me

          It odd that this error is only happening to 4 pcs not all the pcs.

          On the effected pc I ran gpupdate /force
          Here is the results of such client pc[ i ran it as user]

          gpresult /USER domain\user

          Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
          Copyright (C) Microsoft Corp. 1981-2001

          Created On 11/16/2006 at 9:47:27 AM



          RSOP results for XX\xxx on XX-xx : Logging Mode
          -------------------------------------------------------------

          OS Type: Microsoft Windows XP Professional
          OS Configuration: Member Workstation
          OS Version: 5.1.2600
          Domain Name: XX
          Domain Type: Windows 2000
          Site Name: Default-First-Site-Name
          Roaming Profile:
          Local Profile: C:\Documents and Settings\xxx
          Connected over a slow link?: No


          COMPUTER SETTINGS
          ------------------

          Last time Group Policy was applied: 11/16/2006 at 9:45:14 AM
          Group Policy was applied from: dc
          Group Policy slow link threshold: 500 kbps

          Applied Group Policy Objects
          -----------------------------
          Default Domain Policy

          The following GPOs were not applied because they were filtered out
          -------------------------------------------------------------------
          Local Group Policy
          Filtering: Not Applied (Empty)

          The computer is a part of the following security groups:
          --------------------------------------------------------
          BUILTIN\Administrators
          Everyone
          BUILTIN\Users
          NT AUTHORITY\NETWORK
          NT AUTHORITY\Authenticated Users
          XX-xxx$
          Domain Computers


          USER SETTINGS
          --------------
          CN=,CN=Users,DC=
          Last time Group Policy was applied: 11/16/2006 at 9:45:14 AM
          Group Policy was applied from: Domain
          Group Policy slow link threshold: 500 kbps

          Applied Group Policy Objects
          -----------------------------
          N/A

          The following GPOs were not applied because they were filtered out
          -------------------------------------------------------------------
          Default Domain Policy
          Filtering: Disabled (Link)

          Local Group Policy
          Filtering: Not Applied (Empty)

          The user is a part of the following security groups:
          ----------------------------------------------------
          Domain Users
          Everyone
          BUILTIN\Administrators
          BUILTIN\Users
          NT AUTHORITY\INTERACTIVE
          NT AUTHORITY\Authenticated Users
          LOCAL

          What ya think?


          Thanks
          Joe

          Comment


          • #6
            Re: Xp clients

            Could you post the gpresults from a computer that's working fine?
            Noticed:
            Default Domain Policy
            Filtering: Disabled (Link)


            Also, check for NIC driver updates for the 4 PCs that have the errors.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            Comment


            • #7
              Re: Xp clients

              On a working pc:

              Any benefits using autoenrollment., The other user pc doesnt have that enabled

              Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
              Copyright (C) Microsoft Corp. 1981-2001

              Created On 11/16/2006 at 1:47:55 PM



              RSOP results for DOMAIN\USER on CLIENTPC : Logging Mode
              -------------------------------------------------------------

              OS Type: Microsoft Windows XP Professional
              OS Configuration: Member Workstation
              OS Version: 5.1.2600
              Domain Name: DOMAIN
              Domain Type: Windows 2000
              Site Name: Default-First-Site-Name
              Roaming Profile:
              Local Profile: C:\Documents and Settings\USER
              Connected over a slow link?: No


              COMPUTER SETTINGS
              ------------------

              Last time Group Policy was applied: 11/16/2006 at 1:34:46 PM
              Group Policy was applied from: dc.DOMAIN.des.xx.com
              Group Policy slow link threshold: 500 kbps

              Applied Group Policy Objects
              -----------------------------
              Default Domain Policy
              Local Group Policy

              The computer is a part of the following security groups:
              --------------------------------------------------------
              BUILTIN\Administrators
              Everyone
              BUILTIN\Users
              NT AUTHORITY\NETWORK
              NT AUTHORITY\Authenticated Users
              CLIENTPC$
              Domain Computers

              Resultant Set Of Policies for Computer:
              ----------------------------------------

              Software Installations
              ----------------------
              N/A

              Startup Scripts
              ---------------
              N/A

              Shutdown Scripts
              ----------------
              N/A

              Account Policies
              ----------------
              GPO: Default Domain Policy
              Policy: MinimumPasswordAge
              Computer Setting: N/A

              GPO: Default Domain Policy
              Policy: PasswordHistorySize
              Computer Setting: 1

              GPO: Default Domain Policy
              Policy: MinimumPasswordLength
              Computer Setting: N/A

              GPO: Default Domain Policy
              Policy: LockoutBadCount
              Computer Setting: N/A

              GPO: Default Domain Policy
              Policy: MaximumPasswordAge
              Computer Setting: 42

              Audit Policy
              ------------
              N/A

              User Rights
              -----------
              N/A

              Security Options
              ----------------
              GPO: Default Domain Policy
              Policy: RequireLogonToChangePassword
              Computer Setting: Not Enabled

              GPO: Default Domain Policy
              Policy: PasswordComplexity
              Computer Setting: Not Enabled

              GPO: Default Domain Policy
              Policy: ForceLogoffWhenHourExpire
              Computer Setting: Not Enabled

              GPO: Default Domain Policy
              Policy: ClearTextPassword
              Computer Setting: Not Enabled

              Event Log Settings
              ------------------
              N/A

              Restricted Groups
              -----------------
              N/A

              System Services
              ---------------
              N/A

              Registry Settings
              -----------------
              N/A

              File System Settings
              --------------------
              N/A

              Public Key Policies
              -------------------
              N/A

              Administrative Templates
              ------------------------
              GPO: Local Group Policy
              Setting: SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrol lment
              State: Enabled


              USER SETTINGS
              --------------
              CN=user,CN=Users,DC=DOMAIN,DC=xx,DC=xxx,DC=com
              Last time Group Policy was applied: 11/16/2006 at 1:36:32 PM
              Group Policy was applied from: dc.DOMAIN.xx.xxx.com
              Group Policy slow link threshold: 500 kbps

              Applied Group Policy Objects
              -----------------------------
              Default Domain Policy
              Local Group Policy

              The user is a part of the following security groups:
              ----------------------------------------------------
              Domain Users
              Everyone
              BUILTIN\Administrators
              BUILTIN\Users
              NT AUTHORITY\INTERACTIVE
              NT AUTHORITY\Authenticated Users
              LOCAL

              Resultant Set Of Policies for User:
              ------------------------------------

              Software Installations
              ----------------------
              N/A

              Public Key Policies
              -------------------
              N/A

              Administrative Templates
              ------------------------
              GPO: Local Group Policy
              Setting: Software\Policies\Microsoft\Cryptography\AutoEnrol lment
              State: Enabled

              Folder Redirection
              ------------------
              N/A

              Internet Explorer Browser User Interface
              ----------------------------------------
              N/A

              Internet Explorer Connection
              ----------------------------
              N/A

              Internet Explorer URLs
              ----------------------
              N/A

              Internet Explorer Security
              --------------------------
              N/A

              Internet Explorer Programs
              --------------------------
              N/A

              Comment


              • #8
                Re: Xp clients

                I think you may have to go through a process of ilimination on this.
                I noticed as JeremyW did that the local group policy was not being applied.

                1. Check this out for the 1030 event & make sure the listed services are started correctly.
                http://support.microsoft.com/kb/842804

                Also are there any events showing on the server/s ?
                The Univurse is still winning!

                W2K AD, WSUS, RIS 2003. ISA also AVG Server
                ** If contributors help you, recognise them and give reputation points where appropriate **

                Comment


                • #9
                  Re: Xp clients

                  Bravored, maybe a more systematic approach would be helpful.
                  http://technet2.microsoft.com/Window...f09231033.mspx
                  Post back with any questions or updates.

                  Thanks.
                  Regards,
                  Jeremy

                  Network Consultant/Engineer
                  Baltimore - Washington area and beyond
                  www.gma-cpa.com

                  Comment


                  • #10
                    Re: Xp clients

                    Typically are you supposed to see any events generated in the event log of the DC?

                    I have no errors in it. I only have the 1030 events in 4 clients.

                    Last week I choose 2 clients and issues gpupdate /force on 2 clients; and I have seen the reoccurance on of the issue on the 2 clients.

                    Today I found info of running:
                    SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE: Immediately imposes group policy object settings located within the "machine" node of relevant group policy objects.
                    SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE: Immediate imposes group policy object settings located within the "User" node of the relevant group policy objects.

                    If running gpupdate /force doesnt work I'm going to try this.

                    FYI: I havent set any group policy requirements. I think it was maybe set by the old sys admin.

                    Comment


                    • #11
                      Re: Xp clients

                      Typically are you supposed to see any events generated in the event log of the DC?
                      yes, if they're security related to authentication.


                      Today I found info of running:
                      SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE: Immediately imposes group policy object settings located within the "machine" node of relevant group policy objects.
                      SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE: Immediate imposes group policy object settings located within the "User" node of the relevant group policy objects.

                      If running gpupdate /force doesnt work I'm going to try this.
                      The secedit command is the W2K version of GPUPDATE. It does the same thing more or less.

                      Comment


                      • #12
                        Re: Xp clients

                        Originally posted by bravored View Post
                        Typically are you supposed to see any events generated in the event log of the DC?
                        Well what are you referring to? Group Policy processing events? If so, you'll generally see them only on the machine having issues.

                        I only have the 1030 events in 4 clients.
                        Is this the only event you're seeing? Do you see any 1058 errors?

                        Check out this search and see if any of it applies to you. http://www.google.com/search?hl=en&q=event+1030


                        Today I found info of running:
                        SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE: Immediately imposes group policy object settings located within the "machine" node of relevant group policy objects.
                        SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE: Immediate imposes group policy object settings located within the "User" node of the relevant group policy objects.

                        If running gpupdate /force doesnt work I'm going to try this.
                        As was stated by simondrake79, gpupdate is the way to you manually update Group Policy in XP. Those particular secedit switches don't work in XP. (but the secedit utility is still there in XP)

                        FYI: I havent set any group policy requirements.
                        I'm not sure what you mean by this.
                        Regards,
                        Jeremy

                        Network Consultant/Engineer
                        Baltimore - Washington area and beyond
                        www.gma-cpa.com

                        Comment


                        • #13
                          Re: Xp clients

                          When I go through group policy and click properties I see USER and COMPUTER I went through all of them(almost) All of them shows as "not configured"

                          SO I havent set the group policy to enable

                          Comment


                          • #14
                            Re: Xp clients

                            I dont see 1058 but I find a new one 1006.
                            Event Type: Error
                            Event Source: Userenv
                            Event Category: None
                            Event ID: 1030
                            Date: 11/20/2006
                            Time: 10:59:03 AM
                            User:
                            Computer:
                            Description:
                            Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

                            For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

                            This came after I did the SECEDIT on the DC

                            Anyone seen 1006 with 1030?

                            Comment


                            • #15
                              Re: Xp clients

                              Originally posted by bravored View Post
                              I dont see 1058 but I find a new one 1006.
                              Event Type: Error
                              Event Source: Userenv
                              Event Category: None
                              Event ID: 1030
                              Date: 11/20/2006
                              Time: 10:59:03 AM
                              User:
                              Computer:
                              Description:
                              Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

                              For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

                              This came after I did the SECEDIT on the DC

                              Anyone seen 1006 with 1030?

                              Ok, so you've run SECEDIT on the DC which is W2k. This wont really solve anything but its shown you have some sort of consistent problem by the event log quoted above. As it states in the event log: are there any previous logs? By using previous we're talking seconds before rather than hours or days.

                              The easiest way to see what policies are enabled on your machine is by running the RSOP msc on an XP machine. Go to one of your dodgy XP machines and do the following:

                              1. Start Microsoft Management Console (MMC), click Start, click Run, type mmc, and then click OK.
                              2. On the File menu, click Add/Remove Snap-in.
                              3. On the Standalone tab, click Add.
                              4. In the Available Standalone Snap-in box, click Resultant Set of Policy, and then click Add.
                              5. In the RSoP snap-in, right-click Resultant Set of Policy, and then click Generate RSoP Data.
                              6. After the RSoP Wizard starts, click Next all the way through to the end and click Finish.
                              7. To view COMPUTER policies right-click on the Computer Configuration node and click Properties, tick the check box "Display All GPOs and filtering status" you'll see a list of whats being applied and not applied.
                              8. Do the same for USER

                              Comment

                              Working...
                              X