Microsoft KB Archive/290647
Latest revision as of 13:54, 21 July 2020
Article ID: 290647
Article Last Modified on 11/1/2006
APPLIES TO
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q290647
SYMPTOMS
Group Policy settings are not replicated between domain controllers. Therefore, users do not receive Group Policy settings for computers. The following events appear in the Application log in Microsoft Windows Server 2003:
Additionally, the following events may appear in the Application log every five minutes in Microsoft Windows 2000 Server:
CAUSE
This issue may occur if you assign incorrect permissions to the %SystemRoot%\Winnt\Sysvol folder or if you assign incorrect groups to Bypass Traverse Checking User Rights Assignment. Additionally, this issue may occur if the sysvol share permissions are too restrictive.
RESOLUTION
To resolve this issue, use one of the following methods, depending on your operating system:
Windows Server 2003
- Set the folder security permissions. To do this, follow these steps:
  - In Windows Explorer, right-click the %SystemRoot%\Windows\Sysvol folder, and then click Properties.
  - On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK. Make sure that the security settings match the following settings, and then click OK:
    Administrators: Full Control
    Authenticated Users: Read, Read & Execute, and List Folder Contents
    Creator Owner: Nothing selected
    Server Operators: Read, Read & Execute, and List Folder Contents
    System: Full Control
  - Right-click the %SystemRoot%\Windows\Sysvol\Sysvol folder, and then click Properties.
  - On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
  - Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\domain folder, and then click Properties.
  - On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
  - Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\domain\Policies folder, and then click Properties.
  - On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK. Make sure that the security settings match the following settings, and then click OK:
    Administrators: Full Control
    Authenticated Users: Read, Read & Execute, and List Folder Contents
    Creator Owner: Nothing selected
    Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, and Write
    Server Operators: Read, Read & Execute, and List Folder Contents
    System: Full Control
  - For each file or folder that is located in the %SystemRoot%\Winnt\Sysvol\Sysvol\domain\Policies folder, right-click the file or folder, and then click Properties.
  - On the Security tab, click Advanced, click to select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
- Open Active Directory Users and Computers. To do this, click Start, click All Programs, and then click Administrative Tools.
- Expand Active Directory Users and Computers, expand the domain name, right-click Domain Controllers, and then click Properties.
- On the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.
  Note The Edit button is not available if the Group Policy Management Console is installed. In this scenario, click Open to start the Group Policy Management Console, expand domain name, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
  For additional information about the Group Policy Management Console, visit the following Microsoft Web site:
- Expand the following folders:
    Computer Configuration
    Windows Settings
    Security Settings
    Local Policies
- Click User Rights Assignment, and then double-click Bypass traverse checking. The following default settings should be present:
    Authenticated Users
    Everyone
    Administrators
- Click Start, click Run, type gpupdate, and then click OK.
- Verify that the sysvol share permissions are set correctly, as follows:
    Administrators = Full Control
    Authenticated Users = Full Control
    Everyone = Read
Note If this procedure does not resolve the issue, or if you have problems accessing the Global Policy, examine the binding order on the server to make sure the internal network adaptor is first in the binding order list. To examine the binding order, follow these steps:
- Right-click My Network Places, and then click Properties.
- On the Advanced menu, click Advanced Settings.
- In the Connections box, make sure that the internal network adaptor is listed first. If it is not, use the arrows to move it to the top of the list.
Windows 2000 Server
- Set the folder security permissions. To do this, follow these steps:
  - In Windows Explorer, right-click the %SystemRoot%\Winnt\Sysvol folder, and then click Properties.
  - On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object check box, and then make sure that the security settings match the following:
    Administrators: Full Control
    Authenticated Users: Read, Read & Execute, and List Folder Contents
    Creator Owner: Nothing selected
    Server Operators: Read, Read & Execute, and List Folder Contents
    System: Full Control
  - Click OK.
  - Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol folder, and then click Properties.
  - On the Security tab, select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.
  - Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\domain folder, and then click Properties.
  - On the Security tab, select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.
  - Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\domain\Policies folder, and then click Properties.
  - On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object check box, and then make sure that the security settings match the following:
    Administrators: Full Control
    Authenticated Users: Read, Read & Execute, and List Folder Contents
    Creator Owner: Nothing selected
    Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, and Write
    Server Operators: Read, Read & Execute, and List Folder Contents
    System: Full Control
  - Click OK.
  - For each file or folder that is located in the %SystemRoot%\Winnt\Sysvol\Sysvol\domain\Policies folder, right-click the file or folder, and then click Properties. On the Security tab, select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.
- Open Active Directory Users and Computers: Click Start, click Programs, and then click Administrative Tools.
- Expand Active Directory Users and Computers, and then expand the domain name.
- Right-click Domain Controllers, and then click Properties.
- On the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.
- Expand the folders:
    Computer Configuration
    Windows Settings
    Security Settings
    Local Policies
- Click User Rights Assignment, and then double-click Bypass traverse checking. The following default settings should be present:
    Authenticated Users
    Everyone
    Administrators
- At a command prompt, type:
    secedit /refreshpolicy machine_policy /enforce
- Verify that the sysvol share permissions are set correctly, as follows:
    Administrators = FC
    Authenticated Users = FC
    Everyone = Read
NOTE: If this procedure does not resolve the issue, or you have problems accessing the Global Policy, check the Bindings on the server to make sure the internal network adapter is first in the binding order list. To check the binding order, follow these steps:
- Right-click My Network Places, and then click Properties.
- Click the Advanced Menu, and then click Advanced Settings.
- Under Connections, make sure the internal network adapter is listed first. If it is not, use the arrows to move it to the top of the list.
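The folder permission checks in both procedures above can be audited from a script instead of the Security tab. The following PowerShell is an added example, not part of the KB article; it assumes PowerShell is available on the domain controller and that account names are in English, and `$SysvolRoot` and the domain name `example.local` are placeholders to adjust.

```powershell
# Added example, not from the KB article. Read-only: it reports drift and changes nothing.
param(
    [string]$SysvolRoot = (Join-Path $env:SystemRoot 'Sysvol'),  # assumption: SYSVOL location
    [string]$Domain     = 'example.local'                        # placeholder domain name
)
$R    = [System.Security.AccessControl.FileSystemRights]
$mask = -bnot [int]$R::Synchronize   # Get-Acl adds Synchronize to most rights; ignore it

# Baseline from the article. "Read, Read & Execute, List Folder Contents" is ReadAndExecute;
# adding "Modify, and Write" gives Modify. CREATOR OWNER "Nothing selected" is read here
# as: no rights that apply to the folder itself (assumption).
$common = @{
    'Administrators'      = [int]$R::FullControl
    'Authenticated Users' = [int]$R::ReadAndExecute
    'CREATOR OWNER'       = 0
    'Server Operators'    = [int]$R::ReadAndExecute
    'SYSTEM'              = [int]$R::FullControl
}
$policies = $common.Clone()
$policies['Group Policy Creator Owners'] = [int]$R::Modify

function Test-SysvolAcl {
    param([string]$Path, [hashtable]$Expected)
    $acl = Get-Acl -LiteralPath $Path
    # Both folders have "Allow inheritable permissions ..." cleared in the article.
    if (-not $acl.AreAccessRulesProtected) { "${Path}: inheritance from parent is enabled" }

    # OR together the Allow rights that apply to the folder itself, keyed by account name.
    $granted = @{}
    foreach ($ace in $acl.Access) {
        $inheritOnly = [int]$ace.PropagationFlags -band 2   # PropagationFlags.InheritOnly
        if ($ace.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        $granted[$name] = [int]$granted[$name] -bor [int]$ace.FileSystemRights
    }
    # Report accounts whose rights differ from the baseline, and accounts not in it.
    foreach ($name in @($Expected.Keys) + @($granted.Keys) | Sort-Object -Unique) {
        $have = [int]$granted[$name] -band $mask
        $want = [int]$Expected[$name] -band $mask
        if ($have -ne $want) {
            "{0}: {1} has [{2}], baseline is [{3}]" -f $Path, $name, ($have -as $R), ($want -as $R)
        }
    }
}

Test-SysvolAcl -Path $SysvolRoot -Expected $common
Test-SysvolAcl -Path (Join-Path $SysvolRoot "Sysvol\$Domain\Policies") -Expected $policies
```

No output means both folders match the baseline and have inheritance blocked; each output line names one account or setting to correct using the steps above.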
MORE INFORMATION
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
271213 Event ID 1000 and 1001 Repeat Every 5 Minutes in the Event Log
259398 SceCli Event ID 1001 and UserEnv Event ID 1000 When Dfs Client Is Disabled
285923 Error Messages Every 5 Minutes Report Events 1000, 1001, and 13508, Citing Replication Trouble
258296 Unbinding File and Printer Sharing from Primary Network Adapter in Multihomed Domain Controller Causes Policy Problems on the Domain Controller
Additional query words: GPO 1000 1001 1058 1030 permissions sysvol
Keywords: kberrmsg kbprb KB290647