Microsoft KB Archive/290647

From BetaArchive Wiki

Article ID: 290647

Article Last Modified on 11/1/2006



APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server



This article was previously published under Q290647

SYMPTOMS

Group Policy settings are not replicated between domain controllers. Therefore, users do not receive Group Policy settings for computers. The following events appear in the Application log in Microsoft Windows Server 2003:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Description: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com. The file must be present at the location <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Error_Message). Group Policy processing aborted. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine. For more information, see Help and Support Center at http://support.microsoft.com.



Additionally, the following events may appear in the Application log every five minutes in Microsoft Windows 2000 Server:

Event Type: Error
Event ID: 1000
Source: Userenv
Category: None
User: NT AUTHORITY\SYSTEM

Description: Windows cannot access the registry information at \\domain\sysvol\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (5).

Event Type: Error
Event ID: 1001
Source: SceCli
Category: None
User: N/A

Description: Security policy cannot be propagated. Cannot access the template. Error code =3. \\domain\sysvol\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

Event Type: Error
Event ID: 1000
Source: Userenv
Category: None
User: NT AUTHORITY\SYSTEM

Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (3).

CAUSE

This issue may occur if you assign incorrect permissions to the %SystemRoot%\Winnt\Sysvol folder or if you assign incorrect groups to Bypass Traverse Checking User Rights Assignment. Additionally, this issue may occur if the sysvol share permissions are too restrictive.

RESOLUTION

To resolve this issue, use one of the following methods, depending on your operating system:

Windows Server 2003

  1. Set the folder security permissions. To do this, follow these steps:
    1. In Windows Explorer, right-click the %SystemRoot%\Windows\Sysvol folder, and then click Properties.
    2. On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK. Make sure that the security settings match the following settings, and then click OK:

      Administrators: Full Control
      Authenticated Users: Read, Read & Execute, and List Folder Contents
      Creator Owner: Nothing selected
      Server Operators: Read, Read & Execute, and List Folder Contents
      System: Full Control

    3. Right-click the %SystemRoot%\Windows\Sysvol\Sysvol folder, and then click Properties.
    4. On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
    5. Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\domain folder, and then click Properties.
    6. On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
    7. Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\domain\Policies folder, and then click Properties.
    8. On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK. Make sure that the security settings match the following settings, and then click OK:

      Administrators: Full Control
      Authenticated Users: Read, Read & Execute, and List Folder Contents
      Creator Owner: Nothing selected
      Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, and Write
      Server Operators: Read, Read & Execute, and List Folder Contents
      System: Full Control

    9. For each file or folder that is located in the %SystemRoot%\Winnt\Sysvol\Sysvol\domain\Policies folder, right-click the file or folder, and then click Properties.
    10. On the Security tab, click Advanced, click to select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
  2. Open Active Directory Users and Computers. To do this, click Start, click All Programs, and then click Administrative Tools.
  3. Expand Active Directory Users and Computers, expand the domain name, right-click Domain Controllers, and then click Properties.
  4. On the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.

    Note The Edit button is not available if the Group Policy Management Console is installed. In this scenario, click Open to start the Group Policy Management Console, expand domain name, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

    For additional information about the Group Policy Management Console, visit the following Microsoft Web site:
  5. Expand the following folders:

    Computer Configuration
    Windows Settings
    Security Settings
    Local Policies

  6. Click User Rights Assignment, and then double-click Bypass traverse checking. The following default settings should be present:

    Authenticated Users
    Everyone
    Administrators

    To add these groups if they are not present, click Add User or Group, and then click Browse.
  7. Click Start, click Run, type gpupdate, and then click OK.
  8. Verify that the sysvol share permissions are set correctly, as follows:

    Administrators = Full Control
    Authenticated Users = Full Control
    Everyone = Read

Note If this procedure does not resolve the issue, or if you have problems accessing the Global Policy, examine the binding order on the server to make sure the internal network adaptor is first in the binding order list. To examine the binding order, follow these steps:

  1. Right-click My Network Places, and then click Properties.
  2. On the Advanced menu, click Advanced Settings.
  3. In the Connections box, make sure that the internal network adaptor is listed first. If it is not, use the arrows to move it to the top of the list.

Windows 2000 Server

  1. Set the folder security permissions. To do this, follow these steps:
    1. In Windows Explorer, right-click the %SystemRoot%\Winnt\Sysvol folder, and then click Properties.
    2. On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object check box, and then make sure that the security settings match the following:

      Administrators: Full Control
      Authenticated Users: Read, Read & Execute, and List Folder Contents
      Creator Owner: Nothing selected
      Server Operators: Read, Read & Execute, and List Folder Contents
      System: Full Control

    3. Click OK.
    4. Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol folder, and then click Properties.
    5. On the Security tab, select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.
    6. Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\domain folder, and then click Properties.
    7. On the Security tab, select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.
    8. Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\domain\Policies folder, and then click Properties.
    9. On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object check box, and then make sure that the security settings match the following:

      Administrators: Full Control
      Authenticated Users: Read, Read & Execute, and List Folder Contents
      Creator Owner: Nothing selected
      Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, and Write
      Server Operators: Read, Read & Execute, and List Folder Contents
      System: Full Control

    10. Click OK.
    11. For each file or folder that is located in the %SystemRoot%\Winnt\Sysvol\Sysvol\domain\Policies folder, right-click the file or folder, and then click Properties. On the Security tab, select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.
  2. Open Active Directory Users and Computers: Click Start, click Programs, and then click Administrative Tools.
  3. Expand Active Directory Users and Computers, and then expand the domain name.
  4. Right-click Domain Controllers, and then click Properties.
  5. On the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.
  6. Expand the folders:

    Computer Configuration
    Windows Settings
    Security Settings
    Local Policies

  7. Click User Rights Assignment, and then double-click Bypass traverse checking. The following default settings should be present:

    Authenticated Users
    Everyone
    Administrators

    To add these groups if they are not present, click Add, and then click Browse.
  8. At a command prompt, type:

    secedit /refreshpolicy machine_policy /enforce


  9. Verify that the sysvol share permissions are set correctly, as follows:

    Administrators = Full Control
    Authenticated Users = Full Control
    Everyone = Read

NOTE: If this procedure does not resolve the issue, or you have problems accessing the Global Policy, check the Bindings on the server to make sure the internal network adapter is first in the binding order list. To check the binding order, follow these steps:

  1. Right-click My Network Places, and then click Properties.
  2. On the Advanced menu, click Advanced Settings.
  3. Under Connections, make sure the internal network adapter is listed first. If it is not, use the arrows to move it to the top of the list.
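The NTFS permissions, share permissions and Bypass traverse checking assignment that both procedures above describe can be verified from a script instead of clicking through each dialog. The following PowerShell audit is an added example, not part of the KB article; it assumes a current domain controller with PowerShell 3 or later and the SmbShare module (Get-SmbShareAccess), SYSVOL under %SystemRoot%\SYSVOL\sysvol\<DNS domain>, and the function names are the author's own. It reports deviations from the article's settings rather than changing anything.

```powershell
# Added example, not from the KB article: audit the SYSVOL settings the article
# lists. Run elevated on a domain controller. Assumptions: PowerShell 3+, the
# SmbShare module, and SYSVOL under %SystemRoot%\SYSVOL\sysvol\<dns domain>.
$dnsDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$policies  = Join-Path $env:SystemRoot "SYSVOL\sysvol\$dnsDomain\Policies"
$sync      = [System.Security.AccessControl.FileSystemRights]::Synchronize
# NTFS rights from the Policies folder step, keyed by account name without the domain prefix.
# Read + Read & Execute + List Folder Contents is the ReadAndExecute flag set.
$expected = @{ 'Administrators' = 'FullControl'; 'SYSTEM' = 'FullControl'
               'Authenticated Users' = 'ReadAndExecute'; 'Server Operators' = 'ReadAndExecute'
               'Group Policy Creator Owners' = 'Modify' }   # Modify covers Read, Execute, List, Write

function Test-SysvolPoliciesAcl {
    param([string]$Path = $policies)
    $acl = Get-Acl -Path $Path
    $findings = @(); $seen = @{}
    if (-not $acl.AreAccessRulesProtected) { $findings += "Inheritance still enabled on $Path; the article clears it here." }
    foreach ($ace in $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($name -eq 'CREATOR OWNER') { continue }   # article: "Nothing selected"
        $seen[$name] = $true
        if (-not $expected.ContainsKey($name)) {
            $findings += "Unexpected ACE: $($ace.IdentityReference) -> $($ace.FileSystemRights)"; continue
        }
        # Explorer adds Synchronize to every ACE; OR it into both sides before comparing.
        $want = [System.Security.AccessControl.FileSystemRights]$expected[$name] -bor $sync
        if (($ace.FileSystemRights -bor $sync) -ne $want) {
            $findings += "$name has $($ace.FileSystemRights); article expects $($expected[$name])"
        }
    }
    foreach ($name in $expected.Keys) { if (-not $seen[$name]) { $findings += "Missing ACE for $name" } }
    return $findings
}

# Bypass traverse checking is SeChangeNotifyPrivilege in a secedit export. The article's
# defaults are *S-1-5-11 Authenticated Users, *S-1-1-0 Everyone, *S-1-5-32-544 Administrators.
function Get-BypassTraverseChecking {
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeChangeNotifyPrivilege\s*=' }
    Remove-Item $cfg -Force
    if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }
}

Test-SysvolPoliciesAcl
Get-SmbShareAccess -Name SYSVOL   # article: Administrators Full, Authenticated Users Full, Everyone Read
Get-BypassTraverseChecking
```

An empty result from Test-SysvolPoliciesAcl means the Policies folder ACL matches the article; any line it prints, or a share access list or privilege holder list that differs from the article's defaults, points at the setting to correct with the steps above.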


MORE INFORMATION

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

271213 Event ID 1000 and 1001 Repeat Every 5 Minutes in the Event Log
259398 SceCli Event ID 1001 and UserEnv Event ID 1000 When Dfs Client Is Disabled
285923 Error Messages Every 5 Minutes Report Events 1000, 1001, and 13508, Citing Replication Trouble
258296 Unbinding File and Printer Sharing from Primary Network Adapter in Multihomed Domain Controller Causes Policy Problems on the Domain Controller



Additional query words: GPO 1000 1001 1058 1030 permissions sysvol

Keywords: kberrmsg kbprb KB290647