Security Group Policy Not Applying

  • 1.6K Views
  • Last Post 12 May 2017
skaushal2 posted this 13 September 2005

Hi all

I'm having an issue with ONE of my DC's (Win2003) not applying a group
policy object.  

in the event viewer of the DC's i'm getting this errors after every 5 min

Event id: 1202
"Security policies were propagated with warning.
0x4b8 : An extended error has occurred."

When I drill down to the clients winlogon.log file i see the following
entry
Error 0  to send the control flag 1 over to server.

Make a local copy of \domain.dom\sysvol\domain.dom\Policies{31B2F340-0160-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPOINFOFLAG_BACKGROUND )

Process GP template gpt00000.dom.
This is not the last GPO.

The log file also specifies:

Warning 2 - The system
cannnot find the file specified.
cannot find the remote
desktop users.
Configure the remote desktop
users.
   add \group
name
Error 8520 - A local group
cannot have another cross domain local group as member.

Has anyone ever seen this
error and/or know what the solution
is.

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649
 
You never win Silver, You
lose Gold

show

Order By: Standard | Newest | Votes
thahirkdy posted this 12 May 2017


Thanks Coleman, I will try the steps mentioned in the link and and will update.
Regards,
Thahir.


show

hcoleman posted this 10 May 2017

See “Known Issues” on



https://support.microsoft.com/en-us/help/3163622/ms16-072-security-update-for-group-policy-june-14,-2016

 

 

show

skaushal2 posted this 14 September 2005

Hi All,

Thanks to  everyone for guiding
me to the solution. It was because of the restricted group policy on the
DC's to control the domain group membership. I removed it and updated the
GP.and it worked.
Have a nice day... :-)

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649
 
You never win Silver, You
lose Gold

show

skaushal2 posted this 13 September 2005

Thanks for the response.. However i
have already checked this and all the related policies in win2003 are not
defined in my case.. :-(

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649
 
You never win Silver, You
lose Gold

show

deji posted this 13 September 2005

http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&pha
se=1

Look at the 0x4b8 section.

HTH

show

bdesmond posted this 13 September 2005

You setting restricted groups in a policy? DCs don™t have local groups,
they just have the domain database, so, this is to be expected depending on
what you™re trying ot nest int eh domain version of this group.

 

Thanks,
Brian Desmond

brian@xxxxxxxxxxxxxxxx

 

c -
312.731.3132

show

darren.marelia posted this 13 September 2005

Unless you are entering the group as free text (i.e. just typing it in). Couple of points here. Using restricted group policy on DCs to control domain group membership is bad news. I would simply avoid it. This particular error indicates that you are trying to add a group to a domain local group that is from another domain, and that this is not allowed--at least not on a domain local group. I would go into the Restricted Groups policies that are applying to your DCs (either linked to the Domain Controllers OU or to the Domain) and figure which policy is doing this. You can also run rsop.msc on the DC in question to see which GPO is delivering the winning restricted groups policy.

Darren

show

jpsalemi posted this 13 September 2005

It sounds like a restricted groups policy being attempted wrong.....But,
from what I've seen, it won't even let you try that.

John



Sudhir Kaushal
To
Sent by: ActiveDir@xxxxxxxxxxxxxxxxxx
ActiveDir-owner@m cc
ail.activedir.org
Subject
RE: [ActiveDir] Security Group
09/13/2005 07:39 Policy Not Applying
AM


Please respond to
ActiveDir@xxxxxxx
tivedir.org



Thanks for the response.. However i have already checked this and all the
related policies in win2003 are not defined in my case.. :-(

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

You never win Silver, You lose Gold

show

Close