Tuesday, September 23, 2008

Event ID:1202 Security policies were propagated with warning. 0x4b8

We have 50-60 client machines, all XP SP2.
All the client machines, including 2 member servers, log the SceCli warning Event ID 1202 along with Event ID 1085 and Event ID 1030:
*************************************************
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1085
Date: 9/22/2008
Time: 12:39:44 PM
User: NT AUTHORITY\SYSTEM
Computer:
Description:
The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 9/22/2008
Time: 12:39:44 PM
User: N/A
Computer:
Description:
Security policies were propagated with warning. 0x4b8 : An extended error has occurred.
For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 9/22/2008
Time: 11:40:31 AM
User: Administrator
Computer:
Description:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
******************************************
Troubleshooting Steps
*********************

On the XP client machine we enabled winlogon logging:
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
On the Edit menu, click Add Value, and then add the following registry value:
Value name: ExtensionDebugLevel
Data type: DWORD
Value data: 2

We ran gpupdate /force.
Check winlogon.log in C:\windows\security\logs.
In winlogon.log we found the following:

----Configure Registry Keys...
Configure machine\software.
Configure machine\software\3Com.
Configure machine\software\Acro Software Inc.
Configure machine\software\Adobe.
Configure machine\software\Ahead.
Configure machine\software\Apple Computer, Inc..
Configure machine\software\ATI Technologies.
Configure machine\software\ATI Technologies Inc..
Configure machine\software\Autodesk.
Configure machine\software\Avance.
Warning 1336: The access control list (ACL) structure is invalid.
Error setting security on machine\software\Avance.

Configuration of Registry Keys was completed with one or more errors.


1. Hence the security (permissions) application on registry keys is failing on the key HKLM\MACHINE\SOFTWARE\Avance.
2. We took an MPS report, analyzed the Appliedsectempl.txt and found that these registry settings come from the Default Domain Policy.
3. We went to the domain controller and found that the Default Domain Policy > Computer Configuration > Windows Settings > Security > Registry has a lot of manually configured registry keys in the policy.
They were assigned certain security permissions.
4. However, on the client machines they cannot be applied to certain registry keys.
5. Now we need to find out why it fails on certain registry keys.

1. We went to the XP client's registry.
2. By default all keys should have the following security permissions:

System – Full control
Creator owner – special permissions
Computer\users – read
Computer\administrators – full control

3. But the key which was failing in winlogon.log doesn't have these permissions.
4. The security permission for the key machine\software\Avance is just "EVERYONE" with Read permissions.
5. We added SYSTEM and gave it FULL CONTROL.
6. As soon as we hit Apply, all the other default permissions were populated automatically!!!

We did gpupdate /force on the XP machine and analyzed winlogon.log.
Now it passes for machine\software\Avance.
However, it fails for a different registry key:


----Configure Registry Keys...
Configure machine\software.
Configure machine\software\3Com.
Configure machine\software\Acro Software Inc.
Configure machine\software\Adobe.
Configure machine\software\Ahead.
Configure machine\software\Apple Computer, Inc..
Configure machine\software\ATI Technologies.
Configure machine\software\ATI Technologies Inc..
Configure machine\software\Autodesk.
Configure machine\software\Avance. ------------------------------------ it passed here now
Configure machine\software\C07ft5Y.
Configure machine\software\Clients.
Configure machine\software\ColumbiaSoft.
Configure machine\software\Compaq.
Configure machine\software\Corel.
Configure machine\software\Crystal Decisions.
Configure machine\software\ej-technologies.
Configure machine\software\EPSON.
Configure machine\software\FLEXlm License Manager.
Configure machine\software\Forte.
Configure machine\software\Gemplus.
Configure machine\software\GNU.
Configure machine\software\Google.
Configure machine\software\Hewlett-Packard.
Configure machine\software\HP.
Configure machine\software\IGC.
Configure machine\software\InstallShield.
Configure machine\software\Intel.
Configure machine\software\Intel Corporation.
Configure machine\software\Intuit.
Configure machine\software\JavaSoft.
Configure machine\software\Lake.
Configure machine\software\Licenses.
Warning 1336: The access control list (ACL) structure is invalid.
Error setting security on machine\software\Licenses. .---------------------------------------- however this time it failed for this key.

Configuration of Registry Keys was completed with one or more errors


1. We added SYSTEM with FC on the registry key machine\software\Licenses.
2. And did a gpupdate /force.
3. In winlogon.log it now fails for some other key.

This may keep failing for many keys, one after another, as we fix the permissions on each key.
It gave SceCli 1704 after fixing 6 such registry key permissions.

But when we check a different machine, winlogon.log may complain about a completely different registry key.
It's a pain to check the winlogon.log on every machine and then correct the registry.
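The per-key hunt above (read winlogon.log, fix one key, gpupdate /force, repeat, on every machine) can be scripted. The PowerShell below is an added example, not from the original post: it pulls the "Error setting security on" keys out of winlogon.log and checks each HKLM\SOFTWARE subkey for the four default ACEs listed above. It assumes PowerShell 3 or later, an elevated prompt, and the log path the post names; the function names are my own.

```powershell
# Added example (not from the original post). Run as administrator on a client.
# Parse winlogon.log for the keys SceCli could not secure, returned as HKLM:\ paths.
function Get-WinlogonSecurityFailures {
    param([string]$LogPath = 'C:\Windows\security\logs\winlogon.log')
    Select-String -Path $LogPath -Pattern '^Error setting security on (.+?)\.?\s*$' |
        ForEach-Object {
            # the log writes "machine\software\Avance"; the registry provider wants HKLM:\software\Avance
            $_.Matches[0].Groups[1].Value -replace '^machine\\', 'HKLM:\'
        }
}

# True if an Allow ACE for $Identity grants at least $Right on the key.
function Test-Ace {
    param($Rules, [string]$Identity, [System.Security.AccessControl.RegistryRights]$Right)
    [bool]($Rules | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $Right) -eq $Right) })
}

# Compare one key's ACL with the four default ACEs listed in the post.
function Test-DefaultRegistryAcl {
    param([string]$KeyPath)
    $rules = (Get-Acl -Path $KeyPath -ErrorAction Stop).Access
    [pscustomobject]@{
        Key               = $KeyPath
        SystemFullControl = Test-Ace $rules 'NT AUTHORITY\SYSTEM'    FullControl
        AdminsFullControl = Test-Ace $rules 'BUILTIN\Administrators' FullControl
        UsersRead         = Test-Ace $rules 'BUILTIN\Users'          ReadKey
        CreatorOwner      = [bool]($rules | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' })
        # the broken state the post found: nothing but an Everyone ACE on the key
        OnlyEveryone      = ($rules.Count -gt 0) -and
                            -not ($rules | Where-Object { $_.IdentityReference.Value -ne 'Everyone' })
    }
}

# Audit every direct subkey of HKLM\SOFTWARE at once instead of chasing winlogon.log one key at a time.
function Find-KeysMissingSystemFullControl {
    param([string]$Root = 'HKLM:\SOFTWARE')
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $key = "Registry::$($_.Name)"
        try { Test-DefaultRegistryAcl -KeyPath $key } catch { Write-Warning "Cannot read ACL on $key" }
    } | Where-Object { -not $_.SystemFullControl }
}

# Usage: first the keys the log names, then the whole hive.
Get-WinlogonSecurityFailures | ForEach-Object { Test-DefaultRegistryAcl -KeyPath $_ } | Format-Table -AutoSize
Find-KeysMissingSystemFullControl | Format-Table Key, AdminsFullControl, UsersRead, OnlyEveryone -AutoSize
```

Keys that show SystemFullControl as False are the ones SceCli will fail on at the next gpupdate /force; running the audit once per machine replaces the fix-one-key-and-retry loop.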

We have a good workaround
**********************************
1. Go to the registry editor on a client machine.
2. Locate HKLM\Software > right click > Permissions.
3. Check whether we have the following default permissions:

System – Full control
Creator owner – special permissions
Computer\users – read
Computer\administrators – full control

4. If yes, locate HKLM\Software > right click > Permissions > Advanced and check the box which reads

"Replace all permissions on child objects"

It may fail to set the permission on some subkeys.
Just press OK; you can ignore that.

Then do a gpupdate /force.

YOU GET A SECLI 1704 !!!!


Thanks
Jerry
