Discussion:
Restricted Groups Not Working
Jody Stoll
2005-04-08 15:50:12 UTC
Hi,
I'm trying through Group Policy to add a security group which I have
created called Notts-xpadmins to the local Administrators group on my XP
workstations. I have created the group in AD and have assigned the users
to the group through the 'Members of this Group' section in the
Restricted Groups and specified 'Administrators' in the 'This group is a
member of'.

So far nothing is working, although the rest of the GP is working.
I have researched this slightly and have turned on debugging so that I
can see the winlogon.log file in the security folder. I am getting
SceCli 1202 events in the event log but cannot seem to see what the
problem is. The MS article refers to the users/group being recently
deleted in AD but this is definitely not the case.

Could it be a corrupted GP? If so then it would be 2 separate GPs which
are corrupted, as this is occurring with at least 2 GPs that I have tried.

Although previously I have had this working by adding the Domain Users
group to the local Administrators group, I do not want to add domain
users to local admins for obvious reasons.

Please find below a copy of the winlogon.log file I have taken from my
Win XP SP2 workstation.
The MS KB article I have been using to troubleshoot is Q324383.

The domain is Win2k3 running in full native mode.

Any help would be most gratefully received.

cheers
**************************

No template is defined in GPO
\\i3.co.uk\SysVol\i3.co.uk\Policies\{5C036063-D807-4613-8A8D-80DC41C72395}\Machine.

Make a local copy of
\\i3.co.uk\sysvol\i3.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of
\\i3.co.uk\SysVol\i3.co.uk\Policies\{605E3F4E-F240-4E73-9A92-9DA478C00C93}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.

This is not the last GPO.
-------------------------------------------
08 April 2005 16:25:59
Administrative privileged user logged on.
Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error creating database.
----Configuration engine was initialized with one or more errors.----
----Un-initialize configuration engine...
**************************

No template is defined in GPO
\\i3.co.uk\SysVol\i3.co.uk\Policies\{5C036063-D807-4613-8A8D-80DC41C72395}\Machine.

Make a local copy of
\\i3.co.uk\sysvol\i3.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of
\\i3.co.uk\SysVol\i3.co.uk\Policies\{605E3F4E-F240-4E73-9A92-9DA478C00C93}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.

This is not the last GPO.
-------------------------------------------
08 April 2005 16:26:05
Administrative privileged user logged on.
Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error creating database.
----Configuration engine was initialized with one or more errors.----
----Un-initialize configuration engine...
Nick Finco [MSFT]
2005-04-08 22:36:04 UTC
Can you work with the C:\WINDOWS\security\templates\policies\gpt00000.dom
template manually via secedit /validate, /import, or /configure? If the
template is the issue, you can edit it and it will contain the GUID of the
GPO from which it came so you can fix manually in the sysvol or via gpedit.
If the template is fine, %windir%\security\database\secedit.sdb might be
corrupt. You might be able to try using "esentutl /r edb" while in the
%windir%\security directory to recover it or refer to KB278316.

N
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm
Jody
2005-04-21 10:40:26 UTC
Jody,
Has the problem been resolved? If not, I may have a solution for you.
No, it has still not been resolved!
Jody
2005-04-21 11:06:00 UTC
In addition, I have been doing some further troubleshooting and have been
able to get the Restricted Groups setting working on a load of laptops.
The machines that I have the problem with are our build XP machines,
which are all created from a Ghost image. The problem seems to lie with
the machines that are all ghosted from this image.
What on the client side could be causing this?

cheers
Roger
2005-04-21 16:44:38 UTC
Jody,

These machines are built from "ghosted images" (assuming you're using
Symantec Ghost), so I'm assuming you're changing the SIDs once the image is
transferred to the target machine? I know, it's one of those "dumb
questions", but sometimes ya just gotta ask...

You said that this worked with laptops, but not desktops. Is the
"Notts-xpadmins" policy applied to the OU where the desktop machines are
located?

On a related note, are all the machines (desktops and laptops) running XP
SP2? More to the point, are there any differences with respect to hot-fixes,
updates or service packs between the laptops and desktops?

One other thing to consider: There has been quite a bit of traffic
regarding the use of both the "Members of this group" AND "This group is a
member of", especially when the "Administrator" group is involved.

The way I approached this was:
1) Created a "Global Security Group", and put all the "target" users into
that group
2) Used GPMC to create a policy that modified the membership of the "local
Administrator" group in:
Computer Configuration | Windows Settings | Security Settings |
Restricted Groups
3) When adding users to the "Administrators" group, remember that you can't
browse for that group, you have to type "Administrators".
4) In the "Members of this group", browse for the "Global Security Group"
created in Step 1.
5) close the policy
6) In the GPMC, apply the policy to the OU with the computers that are being
used by the "target" users. Note, if this is going to apply to all your
machines, you should be careful about applying this policy to the entire
domain.

Very Important: The "Administrators" group contains the global group "Domain
Admins" by default. If you modify the membership of the "Administrators"
group via group policy, the membership becomes explicit. That is, any user
or group not listed in the policy will not be included in the
"Administrators" group, so remember to add "Domain Admins" to the
"Administrators" group.

Roger
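A check that applies Roger's warning, written as an added example for this thread (not code from the posts or from Microsoft): it parses the [Group Membership] section of a GptTmpl.inf, the file the log above copies from SysVol, and reports an Administrators "Members" list that omits Domain Admins, beside the corrected template. The domain SIDs in the templates are constructed placeholders.

```python
"""Lint the [Group Membership] section of a Restricted Groups template.

Constructed example, not code from the thread or from Microsoft. It reads
the INF syntax Group Policy stores in ...\\Machine\\Microsoft\\Windows
NT\\SecEdit\\GptTmpl.inf and flags the pitfall Roger describes: a
"Members" list on local Administrators is authoritative, so leaving out
Domain Admins removes them; a "Memberof" entry is additive.
"""
import re

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of local Administrators
DOMAIN_ADMINS_RID = "512"             # relative ID of Domain Admins in any domain

# Constructed template; the S-1-5-21-... SIDs are placeholders, not real ones.
WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; Roger's approach: local Administrators is reset to exactly this list
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
; Jody's approach: Notts-xpadmins is added to Administrators, others are kept
Notts-xpadmins__Memberof = Administrators
"""

# Same template with Domain Admins (RID 512) listed, as Roger recommends.
FIXED_TEMPLATE = WEAK_TEMPLATE.replace(
    "-3333333333-1105",
    "-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105",
)


def parse_group_membership(template):
    """Return {group: {"members": list|None, "memberof": list|None}}.

    None means the key is absent (not managed); an empty list means the key
    is present with no value, which for "Members" empties the group.
    """
    groups = {}
    section = None
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+?)__(members|memberof)", key.strip(), re.IGNORECASE)
        if not m:
            continue
        entry = groups.setdefault(m.group(1), {"members": None, "memberof": None})
        entry[m.group(2).lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return groups


def _norm(principal):
    # SIDs are written with a leading '*' in the template; names are bare.
    return principal.lstrip("*").strip().upper()


def is_local_administrators(group):
    return _norm(group) in (ADMINISTRATORS_SID, "ADMINISTRATORS", "BUILTIN\\ADMINISTRATORS")


def is_domain_admins(principal):
    p = _norm(principal)
    if p.endswith("DOMAIN ADMINS"):
        return True
    return re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-" + DOMAIN_ADMINS_RID, p) is not None


def lint(template):
    """Return a list of findings; empty when the template keeps Domain Admins."""
    findings = []
    for group, rel in parse_group_membership(template).items():
        members = rel["members"]
        if members is None:
            continue                      # only Memberof set: additive, nothing removed
        if is_local_administrators(group) and not any(is_domain_admins(p) for p in members):
            findings.append(
                f"{group}: Members is authoritative and lacks Domain Admins "
                f"(RID {DOMAIN_ADMINS_RID}); applying it removes them from local Administrators")
        if rel["memberof"]:
            findings.append(
                f"{group}: both Members and Memberof set; Members resets this group, "
                "Memberof only adds it to the listed groups; confirm that is intended")
    return findings


if __name__ == "__main__":
    for name, tpl in (("weak", WEAK_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, lint(tpl) or "no findings")
```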
Jody
2005-04-21 23:54:59 UTC
Roger,
Yes, at the end of the Ghost process Sysprep is run, which changes the
SIDs. Also all machines are running SP2 with the latest hotfixes as
provided by our SUS server. Also all machines are in the correct OU and
serviced by the 'nottsxpadmins' policy.
I can get the policy to apply to a machine occasionally but this seems to
be intermittent.
Any ideas??

cheers
Roger
2005-04-22 15:43:09 UTC
Jody,

I was re-reading your original post and was struck by the log entry "this is
not the last GPO". So, my (obvious) question is: Is there another policy
that's being applied after this one that only affects the desktops, or that
could be "un-doing" the change you're trying to make?

Regarding the imaging process, if this sounds like a stupid question,
forgive me, but here goes: Does the base image (that gets ghosted) include
SP2? If not, then (from your last post) it sounds like you're relying on SUS
to apply SP2 and any other patches/hotfixes... Is that correct? If so, have
you tried a "gpupdate /replace"?

One last question. Have you tried running the GPMC's "Group Policy
Modeling" and "Group Policy Results" against one of the user accounts and
desktop machines?

Cheers,

Roger
Post by Jody
Roger,
Yes at the end of the ghost process sysprep is run which changes the sid
id's. Also all machines are running SP2 and with the latest hotfixes as
provided by our SUS server. Also all machines are in the correct OU and
serviced by the 'nottsxpadmins' policy.
I can get the policy to apply to a machine occasionly but this seems to
be intermittent.
Any idea's??
cheers
Post by Roger
Jody,
These machines are built from "ghosted images" (assuming you're using
Symantec Ghost), so I'm assuming you're changing the SID's once the image is
transferred to the target machine? I know, it's one of those "dumb
questions", but sometimes ya just gotta ask...
You said that this worked with laptops, but not desktop. Is the
"Notts-xpadmins" policy applied to the OU where the desktop machines are
located?
On a related note, are all the machines (desktops and laptops) running XP
SP2? More to the point, are there any differences with respect to hot-fixes,
updates or service packs between the laptops and desktops?
One other thing to consider: There has been quite a bit of traffic
regarding the use of both the "Members of this group" AND "This group is a
member of", especially when the "Administrator" group is involved.
1) Created a "Global Security Group", and put all the "target" users into
that group
2) Used GPMC to create a policy that modified the membership of the local
"Administrators" group under Computer Configuration | Windows Settings |
Security Settings | Restricted Groups
3) When adding users to the "Administrators" group, remember that you can't
browse for that group, you have to type "Administrators".
4) In the "Members of this group", browse for the "Global Security Group"
created in Step 1.
5) close the policy
6) In the GPMC, apply the policy to the OU with the computers that are being
used by the "target" users. Note, if this is going to apply to all your
machines, you should be careful about applying this policy to the entire
domain.
Very Important: The "Administrators" group contains the global group "Domain
Admins" by default, if you modify the membership of the "Administrators"
group via group policy, the membership becomes explicit. That is, any user
or group not listed in the policy will not be included in the
"Administrators" group, so remember to add "Domain Admins" to the
"Administrators" group.
Roger
Post by Jody
In addition, I've been doing some further troubleshooting and have been
able to get the Restricted Groups setting working on a load of laptops.
The machines that I have the problem with are our build XP machines
which are all created from a ghost image. The problem seems to lie with
the machines that are all ghosted from this image.
What on the client side could be causing this?
cheers
Post by Jody
Jody,
Has the problem been resolved? If not, I may have a solution for you.
Post by Nick Finco [MSFT]
Can you work with the
C:\WINDOWS\security\templates\policies\gpt00000.dom template manually
via secedit /validate, /import, or /configure? If the template is
the issue, you can edit it and it will contain the GUID of the GPO
from which it came so you can fix manually in the sysvol or via
gpedit. If the template is fine,
%windir%\security\database\secedit.sdb might be corrupt. You might
be able to try using "esentutl /r edb" while in the %windir%\security
directory to recover it or refer to KB278316.
N
--
This posting is provided "AS IS" with no warranties, and confers no
rights. Any opinions or policies stated within are my own and do not
necessarily constitute those of my employer. Use of included script
samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Post by Jody Stoll
Hi,
I'm trying through Group Policy to add a security group which I have
created called Notts-xpadmins to the local Administrators group on
my XP workstations. I have created the group in AD and have assigned
the users to the group through the 'Members of this Group' section
in the Restricted Groups and specified 'Administrators' in the 'This
group is a member of'.
So far nothing is working, although the rest of the GP is working.
I have researched this slightly and have turned on debugging so that
I can see the winlogon.log file in the security folder. I am getting
SceCli 1202 events in the event log but cannot seem to see what the
problem is. The MS article refers to the users/group being recently
deleted in AD but this is definitely not the case.
Could it be a corrupted GP? If so then it would be 2 separate GPs
which are corrupted, as this is occurring with at least 2 GPs that I
have tried.
Although previously I have had this working by adding the Domain
Users group to the local Administrators group, I do not want to add
Domain Users to local admins for obvious reasons.
Please find below a copy of the winlogon.log file I have taken from my
Win XP SP2 workstation.
The MS KB article I have been using to troubleshoot is Q324383.
The domain is Win2k3 running in full native mode.
Any help would be most gratefully received.
cheers
**************************
No template is defined in GPO
\\i3.co.uk\SysVol\i3.co.uk\Policies\{5C036063-D807-4613-8A8D-80DC41C72395}\Machine.
Make a local copy of
\\i3.co.uk\sysvol\i3.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
Make a local copy of
\\i3.co.uk\SysVol\i3.co.uk\Policies\{605E3F4E-F240-4E73-9A92-9DA478C00C93}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
Process GP template gpt00000.dom.
This is not the last GPO.
-------------------------------------------
08 April 2005 16:25:59
Administrative privileged user logged on.
Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error creating database.
----Configuration engine was initialized with one or more errors.----
----Un-initialize configuration engine...
**************************
No template is defined in GPO
\\i3.co.uk\SysVol\i3.co.uk\Policies\{5C036063-D807-4613-8A8D-80DC41C72395}\Machine.
Make a local copy of
\\i3.co.uk\sysvol\i3.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
Make a local copy of
\\i3.co.uk\SysVol\i3.co.uk\Policies\{605E3F4E-F240-4E73-9A92-9DA478C00C93}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
Process GP template gpt00000.dom.
This is not the last GPO.
-------------------------------------------
08 April 2005 16:26:05
Administrative privileged user logged on.
Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error creating database.
----Configuration engine was initialized with one or more errors.----
----Un-initialize configuration engine...
No,still not been able to be resolved!
Roger
2005-04-22 15:51:01 UTC
Permalink
Jody,

Todd Heron wrote an excellent checklist on page 1 of this group. Look for
the entry "Domain Users into Local Admins".

Cheers,

Roger
Jody
2005-04-26 08:19:52 UTC
Permalink
Roger,
I've read Todd's post and can verify that:
1: Name resolution is not an issue and neither is DNS, as this is all
configured correctly.
2: Please bear in mind that 90% of the policy is applying; it only seems
to be the Restricted Groups section that isn't taking effect, and 'allow
to load and unload device drivers', which also doesn't seem to be working.
3: The way the policies are set up is that at my departmental OU I have a
computer policy for all the PCs, i.e. with SUS server settings etc. and
Restricted Groups. Then for each separate 'Team' (OU) within the
department I have user policies depending on their specific needs.
Within the computer policy the user settings are disabled, and for each
'Team' user policy the computer policy is disabled.
4: SP2 is on the ghost image and not being rolled out by SUS; however,
hotfixes are rolled out by SUS.
5: The same computer policy sometimes will apply to a machine, but 9 times
out of 10 it won't. My own personal laptop that I use I can get it to
apply every time when I place the computer account in the department OU.
So it would seem to suggest that it is something local to my ghost
image. (But I'll be damned if I know what!) Norton AntiVirus Corporate
Edition is also installed but no firewall.
6: On the ghost image Novell Client 4.90 is installed along with Novell
ZENworks agents. (However, this is also true of my laptop and other
machines where I have had the policy work.)
7: I have run RSoP and all seems to be OK

HELP!
Nick Finco [MSFT]
2005-04-22 18:19:22 UTC
Permalink
There's a database corruption scenario that can occasionally happen with
secedit.sdb. XPSP2 sysprep installs exhibit it more often for some reason
(the source of the issue has subsequently been fixed). Run "esentutl /g
%windir%\security\database\secedit.sdb" to verify your system's security
database isn't corrupt. If it is, KB278316
(http://support.microsoft.com/default.aspx?scid=kb;en-us;278316) talks about
how to repair it.

N
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm
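The two checks Nick describes (secedit /validate on the cached gpt*.dom template, esentutl /g on secedit.sdb) and the Restricted Groups template that Roger's checklist ends up writing into GptTmpl.inf, put together as an added PowerShell example. This is not code from anyone in the thread. It assumes the default paths under %windir%\security that the pasted log shows and a client with PowerShell available; EXAMPLE\Notts-xpadmins and EXAMPLE\Domain Admins are placeholders for the real domain and group names. Nothing on the machine is changed unless -Apply is passed.

```powershell
# Added example, not code from anyone in this thread. Run elevated on an affected
# XP client (not a DC). Assumes the default %windir%\security paths seen in the
# log above; EXAMPLE\Notts-xpadmins and EXAMPLE\Domain Admins are placeholders.
param([switch]$Apply)   # nothing on the machine is changed unless -Apply is given

$secDir  = Join-Path $env:windir 'security'
$sdb     = Join-Path $secDir 'database\secedit.sdb'
$logFile = Join-Path $secDir 'logs\winlogon.log'

# --- 1. Which cached template failed, and with what error? -------------------
# Each run logs "Parsing template <file>." and, on failure, "Error <n>: <text>"
# followed by a reason line such as "Error creating database."
$lines    = @(Get-Content -Path $logFile -ErrorAction Stop)
$failures = @()
for ($i = 0; $i -lt $lines.Count - 1; $i++) {
    if ($lines[$i] -match '^Parsing template (?<tmpl>.+)\.\s*$') {
        $tmpl = $Matches.tmpl
        $code = $null; $msg = ''; $reason = ''
        foreach ($t in $lines[($i + 1)..([Math]::Min($i + 4, $lines.Count - 1))]) {
            if (-not $code -and $t -match '^Error (?<code>\d+): (?<msg>.*)$') {
                $code = [int]$Matches.code; $msg = $Matches.msg
            } elseif ($t -match '^Error creating database') {
                $reason = 'secedit.sdb could not be opened or created'
            }
        }
        if ($code) {
            # Nick's tip: the cached gpt*.dom carries the GUID of the GPO it came from
            $gpo = ''
            if (Test-Path -LiteralPath $tmpl) {
                $m = Select-String -LiteralPath $tmpl -Pattern '\{[0-9A-Fa-f-]{36}\}' | Select-Object -First 1
                if ($m) { $gpo = $m.Matches[0].Value }
            }
            $failures += [pscustomobject]@{ Template = $tmpl; Error = "$code $msg"; Reason = $reason; GPO = $gpo }
        }
    }
}
if ($failures) { $failures | Format-Table -AutoSize } else { 'No failed template parses in winlogon.log' }

# --- 2. Does the cached template parse on its own? ---------------------------
foreach ($f in $failures) {
    if (Test-Path -LiteralPath $f.Template) { "secedit /validate $($f.Template)"; & secedit.exe /validate $f.Template }
}

# --- 3. Is the local security database intact? -------------------------------
# "Error creating database" straight after the parse is the fingerprint Nick
# ties to a damaged secedit.sdb; esentutl /g is an offline integrity check.
& esentutl.exe /g $sdb | Out-Null
if ($LASTEXITCODE -eq 0) { 'secedit.sdb integrity: OK' }
else { "secedit.sdb integrity: FAILED (esentutl exit $LASTEXITCODE) - repair it per KB278316 before expecting Restricted Groups to apply" }

# --- 4. A Restricted Groups template in GptTmpl.inf form ---------------------
# group__Memberof adds the group to Administrators and leaves the other members
# alone; Administrators__Members makes the membership exactly what is listed,
# which is why Roger's note says Domain Admins must be listed there explicitly.
# The second form is left commented out (";") so the two are not applied together.
$inf = Join-Path $env:TEMP 'restricted-groups.inf'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
EXAMPLE\Notts-xpadmins__Memberof = Administrators
;Administrators__Memberof =
;Administrators__Members = Administrator,EXAMPLE\Domain Admins,EXAMPLE\Notts-xpadmins
'@ | Out-File -FilePath $inf -Encoding Unicode

& secedit.exe /validate $inf
if ($Apply) {
    $db  = Join-Path $env:TEMP 'restricted-groups.sdb'
    $log = Join-Path $env:TEMP 'restricted-groups.log'
    # /areas GROUP_MGMT limits the run to [Group Membership]; nothing else is touched
    & secedit.exe /configure /db $db /cfg $inf /areas GROUP_MGMT /log $log
    Get-Content -Path $log
    & net.exe localgroup Administrators   # confirm the result on the live group
}
```

Steps 1 to 3 only read: they tell you which cached template the engine choked on, which GPO it was copied from, whether the template itself is valid, and whether secedit.sdb passes an integrity check. Step 4 is the same [Group Membership] data a Restricted Groups GPO writes, so if secedit /configure applies it cleanly on the client, the GPO is not the problem and the local database or the ghost image is. Choose one of the two forms: the __Memberof entry is additive, while Administrators__Members replaces the group's membership with exactly the accounts listed, which is the behaviour behind Roger's warning about Domain Admins.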
Jody
2005-04-26 08:06:55 UTC
Permalink
Do I run this on the domain controller or the Client machine?
Roger
2005-04-26 16:08:03 UTC
Permalink
Jody,

Run this on the local (client) machine. Check out the link that Nick
references, it describes the symptoms.

Roger
Roger
2005-04-26 17:17:35 UTC
Permalink
Jody,

If you're still getting the "scecli 1202" errors, check out these links:

http://support.microsoft.com/default.aspx?scid=kb;en-us;324383

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/operations/c4f3f2e7-c213-4df1-b88d-043043a100cf.mspx

http://support.microsoft.com/default.aspx?scid=kb;en-us;834519

Are the laptops using the "detect slow link" setting and the desktops not
using that setting?

Roger