Problem with Impersonate client after authentication in GP

  • Problem with Impersonate client after authentication in GP

    Scream at me if this is in the wrong forum. Thanks in advance.

    Setup: Mix of Win2K/SP4 server and Server 2003/some with SP1
    No Problem with the Win2K/SP4 servers.
    The problem seems to occur 'Intermittently' and always is after Windows 2003 server SP1 is installed.

    The 'big' symptom is that on this intermittent basis, Windows 2003/SP1 servers will disappear from the network. They are up, can be pinged, no remote desktop however, no application/share, etc.
    Removing SP1 appears to resolve this problem.

    Admins are telling me this is related to a Group Policy:
    We have had a Group Policy, Applied at the OU level (not domain level) for the local security setting: Impersonate client after login
    This facilitates a central logging server.
    The member of the Impersonate client after login is the account which logs into the servers and collects event logs.

    From another forum thread I was reading, and several passes through Microsoft documentation, it seems that there may be differences in the way the Impersonate control is applied to W2k and 2003. In Win 2K, other accounts - Administrators and Service, are members of the policy. In Win 2003 server, the policy is Disabled on install and there are no other members.

    So, Questions:
    1) If the GP is enabling and assigning the '<account>' to the Impersonate client after authentication for the Win 2003 server, Do the accounts 'Administrator' and 'Service' need to be added as well?
    Is this the problem? Or might it be something else?
    (If you need more info. to understand me, I'll gladly comply)

    2) Any clues as to why this would be spurious/intermittent?

    3) Any particular tools available to pin this down? I'm setting up a Win2003 test server, it will be in a test OU in the same domain.
    I will be using GPInventory, 'whoami /all' and whatever else I can come up with to try to figure this out.

    Any help is very sincerely appreciated. Thanks for your time.

  • #2
    Re: Problem with Impersonate client after authentication in GP

    Reply to my own thread --
    1) Discovered that the 'admins' don't have KB913446 patch applied -- that is most likely the problem here, IMO.
    2) In setting up a base W2003 server, the item in my post is incorrect:
    Local Policy/Impersonate client after authentication IS Enabled and IS populated with Administrator and Service.

    Mondays are such fun.

    I'm trying to validate that the group policy to Add the <account> to Impersonate client after authentication is NOT the problem or find out why it would be.
    Thanks very much.


    • #3
      Re: Problem with Impersonate client after authentication in GP

      So your problem is no more or you think it will be no more soon?


      ** Remember to give credit where credit is due and leave reputation points where appropriate **

      2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.


      • #4
        Re: Problem with Impersonate client after authentication in GP

        I do not know.
        The remaining question that I have is if this is simply a matter of adding 'Administrator', 'Service' to the Impersonate....
        along with the <account> added for the logging service.
        I'm waiting for the test machines to fail remote connections -
        two have the ms06-007 patch, two do not have the patch
        the GP is applying to all four test devices.
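
One way to compare the test machines on the point raised in the thread, as an added example that is not part of the original posts: export each server's user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check whether `SeImpersonatePrivilege` (the right behind "Impersonate a client after authentication") still lists Administrators and SERVICE next to the logging account. The sample exports, the domain SID and the function names are constructed for illustration.

```python
# Added example: audit "Impersonate a client after authentication" in a secedit export.
RIGHT = "SeImpersonatePrivilege"
# Well-known SIDs of the two default holders named in the thread.
EXPECTED = {"S-1-5-32-544": "BUILTIN\\Administrators",
            "S-1-5-6": "NT AUTHORITY\\SERVICE"}

# Constructed samples; the domain SID and RID are placeholders, not real values.
# Real exports are UTF-16: read them with open(path, encoding="utf-16").read().
SAMPLE_DEFAULTS_KEPT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1105
"""
SAMPLE_DEFAULTS_LOST = """[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""

def parse_privilege_rights(text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading byte-order mark
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes SIDs with a leading '*'; drop it for comparison.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_impersonate(text):
    """Return (holders, missing_defaults) for SeImpersonatePrivilege."""
    holders = parse_privilege_rights(text).get(RIGHT, [])
    present = {h.upper() for h in holders}
    missing = [name for sid, name in EXPECTED.items() if sid not in present]
    return holders, missing

if __name__ == "__main__":
    for label, sample in (("defaults kept", SAMPLE_DEFAULTS_KEPT),
                          ("defaults lost", SAMPLE_DEFAULTS_LOST)):
        holders, missing = audit_impersonate(sample)
        print(f"{label}: holders={holders} missing={missing or 'none'}")
```

Running the same check on the patched and unpatched test servers shows whether the applied policy left the default holders in place on each of them.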