
Group Policy Failure


Fujitsu

Mar 14, 2005, 1:37:38 PM
I have a problem with Windows Server 2003, Windows XP SP2 and GPO. Sometimes
the GPOs do not apply when the client is booted. There is error 1053 in the
event log reporting an Access Denied error. The description of this event is
“Windows cannot determine the computer or user name. (Access is denied.).
Group Policy processing aborted.”. The userenv.log file shows MyGetUserName:
GetUserNameEx failed with 5

I have one Domain Controller (Windows Server 2003) and one client, which is
XP SP2, in my network. Note that DNS is integrated with Active Directory.

If I leave the GPO as the Default Domain policy and Default Domain
Controller Policy I do not appear to have the problem.

If I set some security options in Default Domain Policy\Windows
Settings\Security Settings\Local Policies\Security Options, shut down the
client, restart the DC and then restart the client I cannot predict whether
the error will or will not occur during the client restart. Sometimes it
does, sometimes it doesn’t. There seems to be no pattern with regards to the
security options set / unset and whether the problem occurs or not.

If the system is OK and I then reboot the DC, the next time I reboot the
client the error might occur or it might not occur. Again I cannot predict
what will happen.

If the problem has occurred on the client then no matter how many times I
restart the client (without rebooting the DC) the problem is still there.

If the error has occurred on the client and I reboot the DC (without
changing any GPO values at all) and then restart the client sometimes the
client is OK (i.e. the error does not occur) and sometimes the error
persists. Once more I cannot predict the outcome.

I can say that if the system is OK and I do not reboot the DC I can boot the
client as often as I like and it is always OK.

I have completely rebuilt my DC from scratch but the problem is still there.

Has anyone any idea what I can do to try and determine the cause of this
problem?


Greg DeMaderios

Mar 14, 2005, 3:40:05 PM
Some questions inline:


"Fujitsu" <Fuj...@noemail.nospam> wrote in message
news:E627C695-3B3C-41A3...@microsoft.com...


> I have a problem with Windows Server 2003, Windows XP SP2 and GPO. Sometimes
> the GPOs do not apply when the client is booted. There is error 1053 in the
> event log reporting an Access Denied error. The description of this event is
> "Windows cannot determine the computer or user name. (Access is denied.).
> Group Policy processing aborted.". The userenv.log file shows MyGetUserName:
> GetUserNameEx failed with 5

I had this problem on my second DC as I couldn't access the SYSVOL or GPMC
with ANY credentials. Another factor was Event Viewer filling up with 1053
errors every few minutes for Userenv.

> I have one Domain Controller (Windows Server 2003) and one client, which is
> XP SP2, in my network. Note that DNS is integrated with Active Directory.
>
> If I leave the GPO as the Default Domain policy and Default Domain
> Controller Policy I do not appear to have the problem.
>
> If I set some security options in Default Domain Policy\Windows
> Settings\Security Settings\Local Policies\Security Options, shut down the
> client, restart the DC and then restart the client I cannot predict whether
> the error will or will not occur during the client restart. Sometimes it
> does, sometimes it doesn't. There seems to be no pattern with regards to the
> security options set / unset and whether the problem occurs or not.

Is this for Users or Computers? If it's for Computers, then your target
computer must be in whichever OU you're applying the GPO to. I've had to
shut down some clients a few times in addition to gpupdate /force in order to
get the GP to apply. "gpresult" from a command prompt is an interesting
tool to use. Type "gpresult /?" to see the different options. Very useful
tool for tracking down GPOs.

> If the system is OK and I then reboot the DC, the next time I reboot the
> client the error might occur or it might not occur. Again I cannot predict
> what will happen.
>
> If the problem has occurred on the client then no matter how many times I
> restart the client (without rebooting the DC) the problem is still there.
>
> If the error has occurred on the client and I reboot the DC (without
> changing any GPO values at all) and then restart the client sometimes the
> client is OK (i.e. the error does not occur) and sometimes the error
> persists. Once more I cannot predict the outcome.
>
> I can say that if the system is OK and I do not reboot the DC I can boot the
> client as often as I like and it is always OK.
>
> I have completely rebuilt my DC from scratch but the problem is still there.
>
> Has anyone any idea what I can do to try and determine the cause of this
> problem?

Let me know if any of this helps and we can move forward from here!
Greg DeMaderios


Fujitsu

Mar 17, 2005, 6:01:02 AM
Greg,

The 1053 occurs on the client once only at boot up. It is the computer
options that are failing. The target computer is in the correct OU.

I have found out that the problem occurs on the client when I see Event ID
529 in the Domain Controller's Security event log. This is logged during the
Domain Controller start up. There is no information in this event other than
Logon Type 3, Logon Process Kerberos, Authentication Package Kerberos. All
other fields are blank (including User Name).

When the system is in this bad state, on the client, gpupdate /target:user
seems to work OK (i.e. no errors in the Application Event Log). However
gpupdate /target:computer fails with event ids 1006 (Windows cannot bind to
roydom.local domain. (Invalid Credentials). Group Policy processing aborted.)
and 1030 (Windows cannot query for the list of Group Policy objects. A
message that describes the reason for this was previously logged by the
policy engine) in the Application Event log.

Strangely enough in the bad state gpresult /scope COMPUTER /z does not
report any errors!
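
The correlation reported in the last post (client events 1053, 1006 and 1030 following a DC start that logged a 529 with Logon Type 3, Kerberos and a blank user name), written out as an added example that is not part of the thread. It assumes the event logs have already been exported to simple records, uses event 6005 (event log service started) as the DC boot marker, and treats the first 10 minutes after boot as "start up"; the record layout, the window and the sample data are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Event IDs named in the thread; 6005 (event log service started) is used
# here as the boot marker, which is an assumption of this example.
BOOT, LOGON_FAIL = 6005, 529
POLICY_FAIL = {1053, 1006, 1030}
STARTUP_WINDOW = timedelta(minutes=10)  # assumed length of "DC start up"

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def is_blank_kerberos_529(ev):
    """The 529 shape described in the thread: type 3, Kerberos, no user name."""
    return (ev["id"] == LOGON_FAIL and ev.get("logon_type") == 3
            and ev.get("package") == "Kerberos" and not ev.get("user"))

def dc_boot_states(dc_events):
    """Return [(boot_time, bad)] per DC boot; bad if a blank 529 followed it."""
    boots = sorted(ts(e["time"]) for e in dc_events if e["id"] == BOOT)
    bad_times = [ts(e["time"]) for e in dc_events if is_blank_kerberos_529(e)]
    return [(b, any(b <= t <= b + STARTUP_WINDOW for t in bad_times)) for b in boots]

def classify_client_failures(dc_events, client_events):
    """Attach each client policy failure to the DC boot that was current."""
    states = dc_boot_states(dc_events)
    out = []
    for ev in sorted(client_events, key=lambda e: ts(e["time"])):
        if ev["id"] not in POLICY_FAIL:
            continue
        prior = [s for s in states if s[0] <= ts(ev["time"])]
        verdict = "no-dc-boot-seen" if not prior else (
            "follows-bad-dc-start" if prior[-1][1] else "unexplained")
        out.append((ev["time"], ev["id"], verdict))
    return out

# Constructed sample records (not taken from the thread).
DC = [
    {"id": 6005, "time": "2005-03-16 08:00:00"},
    {"id": 529, "time": "2005-03-16 08:01:10", "logon_type": 3,
     "package": "Kerberos", "user": ""},
    {"id": 6005, "time": "2005-03-16 10:00:00"},
]
CLIENT = [{"id": i, "time": "2005-03-16 " + t} for i, t in
          [(1053, "08:15:00"), (1006, "08:40:00"), (1030, "08:40:01"), (1053, "10:20:00")]]

if __name__ == "__main__":
    print(classify_client_failures(DC, CLIENT))
```

A failure marked "unexplained" occurred while the current DC boot showed no blank 529, so it does not fit the pattern reported in the thread and needs a separate look.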
