Can't set Local Security policies. They fail to save

Discussion in 'Windows Small Business Server' started by Al-Amin, Oct 22, 2005.

  1. Al-Amin

    Al-Amin Guest

    Hi,
    I'm using Windows SBS 2003 with about 60 computers using XP Pro SP2 on the
    network.

    Out of the blue my administrator account no longer connects to the server
    from client computers on the network. It gives me the error "Logon Failure:
    The user has not been granted the requested logon type at this computer".

    A day later I could no longer log on to the server. It would give me the
    error message: "The local policy of this system does not permit you to logon
    interactively". However I can still log on to the server remotely from any of
    the systems on the network.

    I believe my problems have to do with user rights specifically (Access this
    computer from the Network, Allow Logon Locally & Allow Logon through terminal
    services) not granted to the administrator. These rights were previously
    defined but for some reason the local security policies have been altered.

    I'm getting this error when attempting to grant a user any rights through
    the local security policy. When I open up the Local Security Policy and
    navigate to "User Rights assignment," I can open a policy and add a setting,
    but when I click OK, I get this error:
    "An extended error has occurred. Failed to save."
    After I click through the box, the name appears in the list, but when you
    close/reopen the Local Security Policy, it's gone.

    I'm in need of help
     
    Al-Amin, Oct 22, 2005
    #1

  2. Hi,

    Thanks for posting here!

    From your description, I understand that you have some problems accessing
    the SBS server box locally or remotely. If I am off base, please don't
    hesitate to let me know.

    Before we go further, please kindly help me collect some information to
    isolate the issue in order to resolve the issue efficiently:

    1. In the current status, can you log on to the server box remotely (from
    another client computer)? Can you log on to the server box locally (at the
    server box)?

    2. Did you try to use another Administrator user account to test? What was
    the result? Did you try to create a new Administrator account using the Add
    User Wizard (Server Management console -> Users -> Add a User) to test? What
    was the result?

    3. Try to reboot the server box to refresh the configuration and then test.
    What is the result?

    4. Which computer's local security policy did you change to try to grant the
    specific Administrator permission to log on locally and remotely? Does the
    issue that the local security policy cannot be saved happen on the specific
    box randomly or all the time? Does it happen on other computers?

    5. Can you find any error events in Event Viewer? If yes, please tell me
    the detailed error information in the newsgroup or mail me the error log for
    further analysis.

    Save a text copy of Application /System log:
    A. Open Event Viewer: Start -> All Programs -> Administrative Tools ->
    Event Viewer.
    B. Right-click on Application/System log and select "Save Log File As...".
    Please send the log files to my mailbox:

    Additionally, I would like to give you some suggestions to try to
    troubleshoot the issue:

    I. As you know, the error "The local policy of this system does not permit
    you to log on interactively" may occur if the user does not have the "logon
    locally" user right.

    Please check if the user account that cannot log on to the server is a
    member of either the Remote Operators group or the Domain Power Users
    group. On SBS 2003, the "Deny log on locally" policy setting is applied to
    the Remote Operators group in the Default Domain Controllers Policy object.
    This policy setting also applies to the Domain Power Users group because
    the Domain Power Users group is a member of the Remote Operators group.
    Since a deny policy always overrides an allow policy, this policy setting
    prevents users from logging on to domain controllers in the domain, even if
    the "Allow log on locally" policy applies to the same users.

    Remove the Domain Users group or those users from the Remote Users group or
    the Domain Power Users group. Then test. What is the result?

    Please refer to the following KB article for the detailed methods:
    "The local policy of this system does not permit you to logon
    interactively" error message when you try to log on to a computer that is
    running Windows Small Business Server 2003 by using an Administrator account
    http://support.microsoft.com/?id=841188

    II. And also try to check the following settings:

    1. On the problematic workstation, run rsop.msc to check the effective
    "Allow logon locally" policy to make sure that the Domain Users group is
    listed. If not, add it to the Default Domain Policy. In addition, make
    sure that the "Deny logon locally" policy is not defined in RSoP (Resultant
    Set of Policy). In addition, check the "Access this computer from network"
    policy to make sure that Everyone is listed and that "Deny access to
    this computer from the network" is configured properly.

    2. On the server, open the Server Management console, locate the Users node,
    right click the user account and click Properties, click the Terminal Services
    profile tab and make sure that the "Deny this user permissions to logon to
    terminal server" option is unchecked.

    3. To grant guests Logon rights to the RDP-TCP connection, start the
    Terminal Services Configuration snap-in, edit the RDP-TCP so that the guest
    has at least Logon rights.

    For detailed information, please see:
    278433 Accessing Terminal Services Using New User Rights Options
    http://support.microsoft.com/?id=278433

    289289 Remote Desktop Connection "The Local Policy of This System Does Not
    http://support.microsoft.com/?id=289289

    I am currently standing by for your test result. I appreciate your time and
    efforts to perform the test and collect information. I am happy to be of
    assistance to you!

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security
    ======================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
     
    Jenny wu [MSFT], Oct 24, 2005
    #2
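
The deny-over-allow rule described in the reply above, worked through as an added example (not part of the original thread and not Microsoft tooling): it parses the `[Privilege Rights]` section of a `GptTmpl.inf` and resolves nested group membership to show which entry blocks a logon type. The template text, the membership map and the `NewAdmin` account are constructed for illustration, and treating every account as a member of Everyone is a simplifying assumption.

```python
"""Evaluate logon rights from a GptTmpl.inf [Privilege Rights] section."""

# Constructed sample. Real GptTmpl.inf files are UTF-16 and usually list
# SIDs prefixed with "*"; account names are used here for readability.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = Administrators,Backup Operators
SeDenyInteractiveLogonRight = Remote Operators
SeNetworkLogonRight = Everyone,Administrators
"""

# Constructed membership map (principal -> groups it is a direct member of).
# The nesting of Domain Power Users inside Remote Operators comes from the
# reply above; the two user accounts are hypothetical.
SAMPLE_MEMBER_OF = {
    "Administrator": ["Administrators", "Domain Power Users"],
    "NewAdmin": ["Administrators"],
    "Domain Power Users": ["Remote Operators"],
}

# Logon type -> (allow right, deny right), using the Windows privilege names.
LOGON_RIGHTS = {
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "terminal services": ("SeRemoteInteractiveLogonRight",
                          "SeDenyRemoteInteractiveLogonRight"),
}


def parse_privilege_rights(text):
    """Return {right name: set of lower-cased principals} for [Privilege Rights]."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights


def expand_groups(principal, member_of):
    """Return the principal plus every group it belongs to, directly or nested."""
    lowered = {k.lower(): [g.lower() for g in v] for k, v in member_of.items()}
    seen = {"everyone"}  # assumption: every account counts as a member of Everyone
    stack = [principal.lower()]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(lowered.get(current, ()))
    return seen


def evaluate_logon(user, rights, member_of):
    """Return {logon type: (verdict, matching principals)}; deny beats allow."""
    identities = expand_groups(user, member_of)
    result = {}
    for logon_type, (allow, deny) in LOGON_RIGHTS.items():
        denied_by = sorted(identities & rights.get(deny, set()))
        allowed_by = sorted(identities & rights.get(allow, set()))
        if denied_by:
            result[logon_type] = ("denied", denied_by)
        elif allow not in rights:
            result[logon_type] = ("not defined", [])
        elif allowed_by:
            result[logon_type] = ("allowed", allowed_by)
        else:
            result[logon_type] = ("not granted", [])
    return result


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_GPTTMPL)
    for account in ("Administrator", "NewAdmin"):
        for logon_type, (verdict, via) in evaluate_logon(
                account, parsed, SAMPLE_MEMBER_OF).items():
            print(f"{account:14} {logon_type:18} {verdict:12} {', '.join(via)}")
```
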

  3. Al-Amin

    Al-Amin Guest

    Hi Jenny. Thanks for your post. I was starting to lose hope.
    In reply to your questions.

    1. Yes I can log on to the server box remotely using the built in
    administrator account but no I can't log on to the server locally with the
    same administrator account
    2. I can't log on locally with any of the other administrator accounts.
    I created a new Administrator account using the add user wizard and it
    allowed me to log on locally to the server box. But I still can't set local
    policies
    3. I have rebooted the server and I still get the same results
    4. The policies I tried to change to allow local and remote logon are ACCESS
    THIS COMPUTER FROM THE NETWORK and ALLOW LOGON LOCALLY in Domain Security
    Policy>Local Policies>User Rights Assignment.
    The issue of policies not saving happens all the time since I first
    experienced the problems with the server box.
    On other computers
    5. I tried saving the application/security log but got the error UNABLE TO
    SAVE EVENT LOG FILE. A REQUIRED PRIVILEGE IS NOT HELD BY THE CLIENT

    With regards to your suggestion for troubleshooting.
    I. The user does not have the "logon locally" user right and like I
    mentioned I can't seem to grant the rights.
    Secondly I've checked and the user is not a member of the Remote Operators
    group but a member of Domain Power Users Group. I removed the user from the
    groups and was able to log on locally. Thanks. One problem solved.
    II. Here are the results after I ran rsop.msc
    i. The Domain Users Group is not listed in "Allow logon locally" policy. I
    couldn't add it into the default domain policy
    The "Deny logon locally" in RSOP is defined and lists SBS Remote Operators
    and SBS STS Workers
    "The Access This computer from Network" policy is defined and everyone is
    listed.
    While the "Deny Access to this computer from the network" is not defined
    ii. On Terminal services Tab "Allow Logon to terminal Server" is checked
    Hope I got it right.

    --
    AIP Admin


     
    Al-Amin, Oct 24, 2005
    #3
  4. Hi,

    Thanks for your update!

    For your current scenario, I suggest you follow the KB 816585 article to apply
    the predefined Security Template on SBS 2003 to restore security groups
    permissions.

    816585 HOW TO: Apply Predefined Security Templates in Windows Server 2003
    http://support.microsoft.com/?id=816585

    Note: please strictly follow the steps and create a backup file
    of the SYSVOL share.

    Next, run "gpupdate.exe /force" at a command prompt to force the policy
    refresh, then reboot the server to test. Additionally, have a domain user log
    off and then log on to a client computer to test whether the user can save
    system logs.

    If the issue persists, please help me collect a group policy report for
    further analysis:
    1. Please run the command "gpresult /v > c:\gpresult.txt" on the server box
    and on some problematic workstations, and mail the files to me for
    analysis. My mailbox:

    2. Collect the system/security log on the server box and the problematic
    workstation. If the user still does not have permission to save the system
    log, you can try to use a domain admin account to test, or log on to the
    local computer using the local Administrator account to test. What is the
    result?

    I appreciate your time! I am looking forward to hearing from you!

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security

    --------------------
     
    Jenny wu [MSFT], Oct 25, 2005
    #4
  5. Al-Amin

    Al-Amin Guest

    Jenny Hi there and thanks for all the help.

    I followed your instructions on applying the predefined security templates.
    I also ran the gpupdate.exe /force. The administrator account still can't
    connect to the server. The local policies are still set as before.

    The user accounts are back online but unfortunately the administrative
    account still can't connect to the server from client computers. It still gives
    the error "Logon Failure: The user has not been granted the requested logon
    type at this computer".

    I still can't set any of the local security policies on the server box. It
    still fails to save giving the error message "An extended error has occurred.
    Failed to save". I have e-mailed the group policy report and the system and
    security logs from the server box to you.

    Regards

    --
    AIP Admin


     
    Al-Amin, Oct 25, 2005
    #5
  6. Hi,

    Thanks for your group policy information! After researching your group policy,
    I found the Default Domain Controllers policy has not been applied and many
    default group policy settings have been changed.

    For your current scenario, I suggest you back up your current group policy and
    then try to reset all default Group Policy(s) for your SBS domain to test.

    The only way that you can do it is to use the GPMC.MSC console on a freshly
    installed SBS Server, export all the GPO settings and import them into the
    existing one.

    For more info about GPMC, please refer to:
    Backing up, Restoring, Migrating, and Copying GPOs
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/937d5838-f720-4c0b-a65c-e8ed2658a414.mspx

    If you do not have a freshly installed SBS Server, you can also try to export
    the group policy settings of a properly running SBS server to test. If you
    cannot get that resource, please let me know and I will mail it to you.

    I appreciate your time and efforts to perform the test. I am happy to be of
    further assistance and am looking forward to your reply!

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security

    --------------------
     
    Jenny wu [MSFT], Oct 26, 2005
    #6
  7. Al-Amin

    Al-Amin Guest

    Hi,
    I have backed up the GPOs like you suggested but unfortunately I couldn't
    reset the default group policy because I don't have a fresh installed SBS
    server. I would really appreciate it if you could e-mail it to me.

    Thanks for the assistance. It's much appreciated
    --
    AIP Admin


     
    Al-Amin, Oct 27, 2005
    #7
  8. Hi,

    Thanks for your update! I have attached the default group policy backup
    file in mail, please try to import these files to reset your domain group
    policy.

    Note: Before doing this process, please take a full backup of the SBS server
    box so that you can restore it in case something unexpected happens:

    Backing Up and Restoring Windows Small Business Server 2003
    http://download.microsoft.com/download/b/d/8/bd8e1a40-d202-429a-8eb7-26300d62bcc9/BKU_BkupRstr.doc

    You can refer to the following steps to import default group policy:
    1. Run command "gpmc.msc" (no quotation marks) to open Group Policy
    Management console.
    2. Locate Forest servername -> Group Policy Objects, right click Default
    Domain Controllers Policy and choose the "Import Settings..." item to import
    the appropriate group policy from the backup file I sent you.
    3. Repeat step 2 to import these default group policies.
    4. Afterwards, please check that these group policy objects link to the
    appropriate OU (still in the Group Policy Management console):

    a. Go to Forest servername -> Domains -> servername.local; the following
    group policies are linked to it:
    +++Default Domain Policy
    +++Small Business Server Client Computer
    +++Small Business Server Domain Password Policy
    +++Small Business Server Internet Connection Firewall
    +++Small Business Server Lockout Policy
    +++Small Business Server Remote Assistance Policy
    +++Small Business Server Windows Firewall

    b. Go to Forest servername -> Domains -> Domain Controllers; the following
    group policies are linked to it:
    +++Default Domain Controllers Policy
    +++Small Business Server Auditing Policy

    c. Go to Forest servername -> Domains -> MyBusiness -> Security Groups;
    the following group policies are linked to it:
    +++Default Domain Policy

    If not, please try to correct it, and then test to see if the issue is
    fixed.

    I appreciate your time and efforts on the issue. I am happy to be of
    assistance to you and look forward to your reply!

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security

    --------------------
     
    Jenny wu [MSFT], Oct 28, 2005
    #8
  9. Hi,

    I am sorry, but what is your valid mail address? You can mail me to tell me
    the information, my mailbox is:

    Thanks!

    Have a nice weekend!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    --------------------
     
    Jenny wu [MSFT], Oct 28, 2005
    #9
  10. Al-Amin

    Al-Amin Guest

    Hi Jenny, hope you had a nice weekend.
    I imported the default Group Policies from a fresh SBS Installation as per
    your instructions.
    Afterwards I was able to set the Local Security Policies for the Domain and
    Domain controller which it finally allowed me to do. All the problems I was
    having were resolved until I rebooted the server box and we went back to how
    it was before. The settings were saved but I can't re-define them. It gives
    me the error
    "An extended error has occurred. Failed to save
    \\AIPDC.local\sysvol\AIPDC.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\WindowsNT\SecEdit\GptTmpl.inf"

    I thought that maybe it didn't save properly so I did the import of default
    policies again. Just for the same thing to happen after re-booting.

    Also whenever I reboot the server I find this error in the application log
    Source Userenv
    Category None
    Event ID 1030
    User Admin
    Computer Server
    "Windows cannot query for the list of Group Policy objects. Check the event
    log for possible messages previously logged by the policy engine that
    describes the reason for this."

    Do you think this has anything to do with the problem?
    Thanks for everything and waiting for your reply. At least I'm half way to
    breathing a sigh of relief




    I couldn't acce
    --
    AIP Admin


     
    Al-Amin, Oct 31, 2005
    #10
  11. Hi,

    Thanks for your update!

    I am sorry for the delayed response due to weekend. Please understand that
    the newsgroups are staffed weekdays by Microsoft Support professionals to
    answer your systems and applications questions. Your understanding is
    greatly appreciated!

    For time critical issues (not business down), we encourage you to contact
    CSS directly for more immediate assistance:
    International Support (non-US/Canada):
    http://support.microsoft.com/common/international.aspx

    US and Canada:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone

    To continue working with me in the newsgroups, please see the following:

    1. Please try to create a new GPO and configure some settings to test. What
    is the result?
    2. Please try to change settings of Security Settings and Administrative
    Templates settings, does the issue happen? Also please try to change some
    settings of the Default Domain Policy. What is the result?
    3. Please try to perform a clean boot to check if there is any application
    conflict.

    A Clean Boot will allow us to isolate any device drivers or programs that
    are loading at startup that may be causing a conflict with other device
    drivers or programs that are installed in your computer.

    1) Run MSCONFIG.EXE.
    2) In the Services tab, click "Hide All Microsoft Services" and click
    "Disable All".
    3) In the Startup tab, click "Disable All". Click OK. (This will
    temporarily prevent third-party programs from running automatically during
    start-up.)
    4) Restart the computer and check whether the problem still persists.

    If the problem does not occur, it indicates that the problem is related to
    one application or service we have disabled. You can use the MSCONFIG tool
    again to re-enable the disabled item one by one to find out the culprit.

    If the issue persists, please try to use Regmon and Filemon to monitor the
    issue and try to find the exact cause:

    Filemon and Regmon are free monitoring utilities from www.sysinternals.com
    available for download. They allow you to monitor file and registry access
    on a machine. When you start either one of these utilities
    (Filemon.exe, Regmon.exe), you will notice that they start monitoring
    activity on your machine right away. Our goal in running these utilities
    is to capture file and registry activity during the sequence of events that
    causes the problem you are experiencing. Please use the following steps to
    capture data with these utilities. You will need to follow the steps below
    for both utilities.

    Download page:

    http://www.sysinternals.com/ntw2k/utilities.shtml

    1. Familiarize yourself with the Capture and Clear buttons below the menu
    bar. You can alternatively use Ctrl+E and Ctrl+X.

    2. Stop the capture and clear the current events. This will allow us to
    capture minimal activity. There will be some activity that will be
    extraneous, but that's okay. We would rather have too much data than not
    capture the correct events.

    3. Make sure your application is in a state where you are ready to
    reproduce the problem (change some settings of GPO).

    NOTE: In order to see minimal traffic from the utilities close all other
    applications that are not involved in the test.

    4. Click the capture button or use Ctrl+E to start capturing data.

    5. Reproduce the problem. (close the GPO snap in)

    6. Stop the capture by clicking the 'Capture' button or use Ctrl+E.

    7. Save each capture to a file, zip them up and send them to me for review,
    my mailbox is:

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security

    --------------------
     
    Jenny wu [MSFT], Nov 1, 2005
    #11
  12. Al-Amin

    Al-Amin Guest

    Hi Jenny.
    Sorry for the delay in replying. I had problems with my internet access.
    1. I created new GPOs and configured some settings. They work well until I
    reboot, then I'm back to the same problem.
    2. When I try to change settings for default domain policy it gives the same
    error "An extended error has occurred. Failed to save
    \\AIPDC.local\sysvol\AIPDC.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
    3. I did a clean boot and the problem still persisted.

    I have downloaded the Filemon monitoring utility and ran it as directed. I
    have e-mailed the results to you. Hope it's of help. Thanks and don't
    hesitate to let me know if there are any more tests you want me to do.
    --
    AIP Admin


     
    Al-Amin, Nov 7, 2005
    #12
  13. Hi,

    Thanks for your information. After researching the capture files, I cannot
    find the information I need, so please kindly help me collect it again. Please
    follow the steps below to capture:

    1. Please reboot the server box in clean boot mode (please refer to the
    previous post for the steps to perform a clean boot. Regarding your capture
    files, there is not any file that was captured in a clean boot situation).

    2. Please run the command "gpmc.msc" (no quotation marks) to open the Group
    Policy Management console and right click the Default Domain Policy to open
    the Group Policy Object Editor console.

    3. Locate the User Configuration -> Administrative Templates -> Start Menu and
    Taskbar node, and double click the Add Logoff to the Start Menu item to open
    its Properties page. Please check the "Enabled" checkbox and then leave
    the GPO Editor console for a moment.

    4. Please launch the File Monitor, click the "Options" button on the menu and
    choose the "Filter/Highlight.." item to open the filter settings configuration
    page, input "sysvol" (no quotation marks) in the "Include" box and
    ensure all logs are monitored by checking all checkboxes of "Log opens". Then
    click OK.

    5. Switch to the GPO Editor console and click the "Apply" button to apply the
    change. Then you will find records in the File Monitor; please save them
    and send them to me.

    And also please check the group policy permissions using ADSI Edit. You can
    refer to the following steps to check:

    1. Please ensure that the Support Tools have been installed. The ADSI Edit
    utility is located in the Support Tools folder on the Windows Server 2003
    CD-ROM.

    2. Click "Start", and then click "Run". In the "Open" box, type
    "adsiedit.msc" (without the quotation marks), and then click "OK".

    3. In the left pane, please locate the ADSI Edit -> domainname -> CN=System
    -> CN=Policies -> CN={31B2F340-016D-11D2-945F-00C04FB984F9} node, right
    click it and choose Properties to open the Properties page. Under the Security
    tab, please ensure the appropriate user groups are listed here and that they
    have proper permissions. If not, please verify it and then try to test.

    I appreciate your time and efforts to perform the test and collect information.
    I am happy to be of further assistance to you and look forward to your reply!

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security

    Jenny wu [MSFT], Nov 8, 2005
    #13
  14. Al-Amin

    Al-Amin Guest

    Hi Jenny,

    I have followed the instructions you sent me.
    Steps 1-4 went smoothly
    In step 5 when I clicked the apply button I got the following error
    The GP Snapin was unable to save your changes due to the following error
    LOGON FAILURE: THE USER HAS NOT BEEN GRANTED THE REQUESTED LOGON TYPE AT
    THIS COMPUTER

    Notwithstanding I still clicked Ok and the monitor utility captured some
    information which I have sent to you via e-mail.
    I also checked the GP permissions using ADSI EDIT. The administrator account
    which I use has full control. So that is OK.

    Let me know if there is anything else you need.
    Thanks
    --
    AIP Admin


     
    Al-Amin, Nov 8, 2005
    #14
  15. Hi,

    I appreciate your patience with the issue. After analyzing the capture
    file, I found that no write process happened, but the Read process
    completes successfully. The problem happened before the Write process
    happened, or the user account does not have permissions to edit the default
    domain controller policy.

    Since you got the error "LOGON FAILURE: THE USER HAS NOT BEEN GRANTED THE
    REQUESTED LOGON TYPE AT THIS COMPUTER", please double check if the user
    account belongs to the Remote Operators group or the Domain Power Users
    group. Also please check if Domain Admins or Power Users is in the Remote
    Operators Group. If yes, please verify it and then test to see if the issue
    is fixed.

    And also please check if the appropriate groups are listed in the "Access
    this Computer from the Network" permission of the Default Domain Controller
    policy. You can find this permission in the following folder:

    Computer Configuration\Windows Settings\Security Settings\Local
    Policies\User Rights Assignment

    The following groups have the "Access this Computer from the Network"
    permission on domain controllers by default:

    Administrators
    Authenticated Users
    Everyone

    NOTE: Include the Everyone group in the list of groups because certain
    operations involve accounts that may not have been authenticated to the
    domain yet. Examples of these operations include when a user changes an
    expired password at logon, or when a user in a trusting domain needs to
    anonymously enumerate users and groups to apply Access Control Lists (ACLs)
    in the trusting domain (for Microsoft Windows NT 4.0 or inter-forest
    trusts).

    Are the settings configured correctly?

    I need more information about your group policy settings and user
    permissions. Please kindly help me collect group policy reports by running
    the Group Policy Results wizard. I appreciate your time!

    I. To get the group policy report:
    1. Run the command "gpmc.msc" (no quotation marks) in a command prompt to
    open the Group Policy Management console.
    2. Locate Forest: -> Group Policy Results node, right click it and choose
    Group Policy Results wizard... to launch the Group Policy Results wizard.
    3. Follow the guide to produce group policy results for some user accounts.

    II. Can you find a related error event in Event Viewer (Start ->
    Administrative Tools -> Event Viewer) on the SBS server box? If yes, please
    paste the detailed error information in the newsgroup or mail it to me.

    III. Try to test if you can log on to the server box from a client computer
    and edit the group policy, and tell me the result.

    IV. Have you installed any third-party antivirus software on the server
    box? Please disable it and perform a clean boot to check for any
    application conflicts.

    A Clean Boot will allow us to isolate any device drivers or programs that
    are loading at startup that may be causing a conflict with other device
    drivers or programs that are installed in your computer.

    1) Run MSCONFIG.EXE.
    2) In the Services tab, click "Hide All Microsoft Services" and click
    "Disable All".
    3) In the Startup tab, click "Disable All". Click OK. (This will
    temporarily prevent third-party programs from running automatically during
    start-up.)
    4) Restart the computer and check whether the problem still persists.
    If the problem does not occur, it indicates that the problem is related to
    one application or service we have disabled. You can use the MSCONFIG tool
    again to re-enable the disabled item one by one to find out the culprit.

    Please add all files to zip file and mail me at

    I appreciate your time to collect information. I am happy to be of further
    assistance!

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security
    Jenny wu [MSFT], Nov 10, 2005
    #15
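
The user-rights check requested in post #15, as an added example that is not part of the original thread: it parses the `[Privilege Rights]` section of a `secedit` export and reports where the expected groups are missing from a logon right or are named in the matching deny right. The sample export is constructed, `C:\rights.inf` is a hypothetical path, and expecting Administrators on the two interactive logon rights is an assumption based on the original poster's description.

```powershell
# Constructed sample of what "secedit /export /areas USER_RIGHTS /cfg C:\rights.inf"
# writes (C:\rights.inf is a hypothetical path). To check a real export, replace
# the here-string with: $inf = Get-Content C:\rights.inf
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-549,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split '\r?\n'

# Collect "Right = *SID,*SID,..." entries from the [Privilege Rights] section only.
$rights = @{}
$inSection = $false
foreach ($line in $inf) {
    if ($line -match '^\s*\[(.+)\]\s*$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
    }
    elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
        $name = $Matches[1]
        # A leading * marks a SID; entries without it are account names.
        $rights[$name] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}

$admins = 'S-1-5-32-544'   # BUILTIN\Administrators
$expected = @{
    # Defaults for "Access this computer from the network" listed in the thread:
    # Administrators, Authenticated Users (S-1-5-11), Everyone (S-1-1-0).
    SeNetworkLogonRight           = @($admins, 'S-1-5-11', 'S-1-1-0')
    # Assumption: Administrators should hold both interactive logon rights.
    SeInteractiveLogonRight       = @($admins)
    SeRemoteInteractiveLogonRight = @($admins)
}

$findings = foreach ($right in $expected.Keys) {
    $granted = @($rights[$right])
    foreach ($sid in $expected[$right]) {
        if ($granted -notcontains $sid) { "MISSING $right : $sid" }
    }
    # A matching SeDeny* right takes precedence over the allow entry.
    $deny = $right -replace '^Se', 'SeDeny'
    foreach ($sid in @($rights[$deny])) {
        if ($expected[$right] -contains $sid) { "DENIED  $deny : $sid" }
    }
}
$findings | Sort-Object
```
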
  16. Al-Amin

    Al-Amin Guest

    Hi Jenny,
    1. The account does not belong to the Remote Operators Group nor the Domain
    Power Users Group. Neither Domain Admins nor power Users is in the Remote
    Operators group.
    2. Administrator, everyone and Authenticated users all have the permission
    "access this computer from network"
    3. I have run the GP wizard and e-mailed results to you. I have also found a
    related error in event view. Please find below.
    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1030
    Date: 11/10/2005
    Time: 4:54:51 PM
    User: AIPDC\aipdcstor
    Computer: AIPDC-SERVER
    Description:
    Windows cannot query for the list of Group Policy objects. Check the event
    log for possible messages previously logged by the policy engine that
    describes the reason for this.

    4. I logged on to the server box and tried to edit Group Policy and it gave
    me the usual error
    "An extended error has occurred. Failed to save
    \\AIPDC.local\sysvol\AIPDC.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98

    5. I disabled the trend anti-virus we use and did a clean boot but the
    problem still persisted

    I have e-mailed you all the results thanks for the help
    --
    AIP Admin


     
    Al-Amin, Nov 10, 2005
    #16
  17. Hi,

    Thanks for your update!

    Please do as follows to check settings:

    1- Verify that the OU GPO has Authenticated Users with Read and Apply Group
    Policy.

    a. Run command "gpmc.msc" (no quotation marks) to open Group Policy
    Management console.
    b. Locate Forest servername -> Group Policy Objects, click Default Domain
    Controllers Policy
    c. Please check if Authenticated Users is listed in Security Filter in the
    right panel. If not, please add it.
    d. After that, please check if this group policy object links to the
    appropriate OU (still in the Group Policy Management console):

    2- Verify that the OU itself has Authenticated Users with Read permissions.

    a. Open ADUC (Start -> Administrative Tools -> Active Directory Users and
    Computers).
    b. Locate server name -> Domain Controllers node, right click your SBS
    server in right panel to choose Properties to open Properties page.
    c. Under Security tab, please ensure Authenticated Users has Read
    permissions.
    d. Click Advanced button, under Permissions tab, please ensure Domain Admin
    has full control (Allow) permissions.

    If not, please verify it and then test to see how things go.

    And also I suggest you perform the following checks to try to troubleshoot
    the issue:

    1. Network Binding Order

    To correctly configure the network binding order, follow these steps:

    A. Right-click My Network Places, and then click Properties.
    B. On the Advanced menu, click Advanced Settings.
    C. Under Connections, use the up and down arrow buttons to put the
    connections in the following order:

    Local Area Connection for the internal adapter
    Local Area Connection for the external adapter
    Remote Access Connections

    2. DNS Configuration

    Correct DNS configuration is important for the correct functioning of
    Active Directory and programs on Small Business Server.

    To verify correct DNS configuration, follow these steps:

    A. Click Start, point to Programs, point to Administrative Tools, and then
    click DNS.
    B. Right-click the name of your server, and then click Properties.
    C. Click the Forwarders tab, and then click Enable Forwarders. If the IP
    addresses provided by your ISP are not listed here, add them by typing the
    IP address, and then clicking Add.

    3. TCP/IP settings of client computers

    A. Right-click My Network Places, and then click Properties.
    B. Right-click Local Area Connection for the internal network, and then
    click Properties.
    C. Click Internet Protocol (TCP/IP), and then click Properties. By default,
    the internal IP address of the server with a Class C subnet, 255.255.255.0.
    The Default Gateway for this connection must be blank. The IP address for
    the Primary DNS server must be the internal IP address of the server and
    the Alternate DNS server IP address must be blank.

    D. Right-click My Network Places, and then click Properties.
    E. Right-click the Local Area Connection for your external adapter, and
    then click Properties.
    F. Click Internet Protocol (TCP/IP), and then click Properties.
    G. Under DNS, click Use the following DNS server. The IP address for the
    Primary DNS server must be the IP address of the server, and the Alternate
    DNS server IP address must be blank. Do not list your ISP's DNS servers
    here or obtain DNS server IP address automatically.

    Restart the SBS server. Does the issue still occur?

    4. On the XP workstation, go to User Accounts in Control Panel.

    Advanced Tab
    Manage Passwords
    Remove All.
    Log out and back in.

    5. Make sure the Distributed File System service is started, and set the
    Startup type to Automatic. To do this, use the following steps:

    1. Click "Start", point to "Programs", point to "Administrative Tools", and
    then click "Services".
    2. In "Services", double-click "Distributed File System".
    3. On the "General" tab, click "Automatic" next to "Startup type".
    4. Under "Service Status", click "Start" if the service is not started.
    5. Click "OK", and then close the "Services" window.

    Restart the computer in clean boot to see if the issue is fixed.

    If the issue still persists, to further troubleshoot the issue we need
    more information that is hard to handle in a newsgroup. I suggest you
    contact Microsoft Customer Support Services via telephone so that a
    dedicated Support Professional can assist with your request online. Thanks
    for your understanding!

    To obtain the phone numbers for specific technology request please take a
    look at the web site listed below.

    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

    If you are outside the US please see http://support.microsoft.com for
    regional support phone numbers.

    More information:
    887303 Applying Group Policy causes Userenv errors and events to occur on
    your
    http://support.microsoft.com/?id=887303

    839499 You cannot open file shares or Group Policy snap-ins when you
    disable
    http://support.microsoft.com/?id=839499

    I appreciate your time! I am happy to be of assistance and look forward to
    your test result.

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security
    Jenny wu [MSFT], Nov 11, 2005
    #17