Difference between revisions of "Active Directory/Documentation/Planning"

From WolfTech
Revision as of 12:14, 27 November 2006

Tasks

Group Policies

Block Incompatible GPOs

Use WMI filters to block incompatible GPOs.

  • Default Domain Policy - Still deciding how to handle GP differences between WinXP and Vista.
  • Domain-Laptop Policy - Still deciding how to handle GP differences between WinXP and Vista.
  • FW-NCSU-Microsoft-Defender-1.1.1593.0-20061114 - Vista already has Defender.
  • FW-NCSU-Microsoft-UPHClean-1.6d-20060616
  • FW-NCSU-Microsoft-Windows XP Support Tools-SP2-20050207
  • FW-NCSU-WolfTech-Defrag C-1.0-20050408 - Not necessary, Vista has builtin defrag scheduling.
  • SW-ECE-NCSU-Wolfcall (Lab)-1.2.1-20050512 - Not Vista compatible.
  • SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.0-20040601 - Not Vista compatible.
  • SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.1-20050510 - Not Vista compatible.
  • SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.1-20060829 - Not Vista compatible.
  • SW-NCSU-NCSU-Wolfcall (without autologin)-1.2.1-20050615 - Not Vista compatible.
  • SW-NCSU-Symantec-AntiVirus (UNI03NT)-10.0.2.2021-20060530 - Not Vista compatible.
  • SW-ECE-Symantec-AntiVirus (SERPENT)-10.0.2.2021-20060530 - Not Vista compatible.
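Added example for the "Block Incompatible GPOs" task above; it is not from the WolfTech page, and the filter names and the $GpoFilters table are illustrative. A Group Policy WMI filter is a WQL query the client evaluates at policy-processing time: the GPO applies only if the query returns at least one object. Windows 2000 reports NT version 5.0, XP 5.1, Server 2003 5.2 and Vista 6.0, so a filter on Win32_OperatingSystem.Version separates the two generations. The script also evaluates each query locally the way the client would, which is the check to run on an actual Vista machine before trusting the filter.

```powershell
# Added example (not the WolfTech page's own code). Filter names are illustrative.
$GpoFilters = @{
    # Link to the GPOs listed above that must not reach Vista (Defender, Defrag C,
    # Wolfcall, Symantec AntiVirus 10): applies on Windows 2000/XP/2003 only.
    'Pre-Vista only' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.%"'
    # Link to a Vista-only domain policy if that option is chosen. ProductType = 1
    # restricts it to workstations so Windows Server 2008 (also NT 6.0) is excluded.
    'Vista only'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = 1'
}

function Test-GpoWmiFilter {
    <#
    .SYNOPSIS
    Evaluates a WMI filter query the way the Group Policy client does and
    returns $true when a GPO carrying that filter would apply on this machine.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMV2'   # the namespace GPMC asks for when creating a filter
    )
    $hits = Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop
    # A filter "passes" when the query returns at least one instance.
    return (($hits | Measure-Object).Count -gt 0)
}

# Report, for the local OS, which of the filters above would let a GPO apply.
$os = Get-WmiObject -Class Win32_OperatingSystem
"Local OS: $($os.Caption) (version $($os.Version), ProductType $($os.ProductType))"
foreach ($name in $GpoFilters.Keys) {
    $applies = Test-GpoWmiFilter -Query $GpoFilters[$name]
    '{0,-16} -> {1}' -f $name, $(if ($applies) { 'GPO applies' } else { 'GPO blocked' })
}
```

In GPMC the query goes under the domain's "WMI Filters" node and is then attached on the GPO's Scope tab. Two caveats: Windows 2000 clients do not evaluate WMI filters at all and apply the GPO regardless, so the "Pre-Vista only" filter only excludes Vista, it cannot be relied on to exclude anything older; and the filter is evaluated in the context of the target computer, so the local evaluation above is only meaningful when run on a representative client of each OS.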

Domain Policy

Options:

  • Create separate domain policies for Vista and Windows 2000/XP/2003.
    • Creates more complexity by having completely separate group policy environments for different OS's.
    • OS's may have different security levels/inconsistent security policies.
      • Reduces predictability.
      • Complicates determining security compliance.
      • Compatibility issues could vary on different OS's.
  • Use common domain policy for all OS's and create a separate domain policy for Vista only policies.
    • This would prevent any unintended consequences on XP/2003 computers.
    • Reduces complexity by having common security policies for all OS's.
    • Would be a good idea to reconsider settings using both updated Windows XP Security Guide and new Windows Vista Security Guide.
  • Use common domain policy for all OS's including Vista only policies.
    • Will require testing to make sure Vista only policies don't cause problems on XP/2003 computers.
    • Reduces complexity by having common security policies for all OS's.
    • Would be a good idea to reconsider settings using both updated Windows XP Security Guide and new Windows Vista Security Guide.

Observations:

  • Security settings in Vista and Windows XP are very similar. The only obvious difference is that Vista has new policies to control new features such as privilege elevation.

Test Software

Compatible

Incompatible

Untested

Migration Wizard

Deployment

WDS Server

  • Brought up ECE00WDS.
  • Created WDS GPO template.
  • Created image.
  • Installed Vista from WDS.

Todo:

  • Apply Member Server template.
  • Set up DFS Replication between WDS Servers.

Create Unattended Image

  • Created Image

Todo:

  • Make image actually install unattended.

Resolve Errors

Unable to Update Group Policy

Details

When I run gpupdate /force, I get the following error message and the following event is logged:

User policy could not be updated successfully. The following errors were
encountered:
The processing of Group Policy failed because of lack of network connectivity to
a domain controller. This may be a transient condition. A success message would be
generated once the machine gets connected to the domain controller and Group Policy has succesfully processed.
If you do not see a success message for several hours, then contact your administrator.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed because of lack of network connectivity to a domain
controller. This may be a transient condition. A success message would be generated once the
machine gets connected to the domain controller and Group Policy has succesfully processed.
If you do not see a success message for several hours, then contact your administrator.
To diagnose the failure, review the event log or invoke gpmc.msc to access information about
Group Policy results.
Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          11/22/2006 10:41:49 AM
Event ID:      1055
Task Category: None
Level:         Error
Keywords:      
User:          WOLFTECH\pgmurphy.admin
Computer:      VPCVista.ece.ncsu.edu
Description:
The processing of Group Policy failed. Windows could not resolve the computer name. This 
could be  caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has
not  replicated to the current domain controller).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
   <EventID>1055</EventID>
   <Version>0</Version>
   <Level>2</Level>
   <Task>0</Task>
   <Opcode>1</Opcode>
   <Keywords>0x8000000000000000</Keywords>
   <TimeCreated SystemTime="2006-11-22T15:41:49.553Z" />
   <EventRecordID>1285</EventRecordID>
   <Correlation ActivityID="{1AEBF62E-E81B-4BD5-9F36-F1B4AC1812AE}" />
   <Execution ProcessID="1044" ThreadID="2868" />
   <Channel>System</Channel>
   <Computer>VPCVista.ece.ncsu.edu</Computer>
   <Security UserID="S-1-5-21-2670277017-1606584948-3883025002-1338" />
 </System>
 <EventData>
   1
   1753
   0
   125
   1317
   The specified account does not exist. 
 </EventData>
</Event>
Group Policy Infrastructure failed due to the error listed below.
The specified account does not exist. 
Note: Due to the GP Core failure, none of the other Group Policy components processed
their policy. Consequently, status information for the other components is not available.

Cause

Solution

Unable to Update Group Policy

Details

Log Name:      Application
Source:        SceCli
Date:          11/27/2006 11:50:35 AM
Event ID:      1202
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      epona.ece.ncsu.edu
Description:
Security policies were propagated with warning. 0x534 : No mapping between account
names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query
for "troubleshooting 1202 events". 

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs)
could not be resolved to a SID.  This error is possibly caused by a mistyped or
deleted user account referenced in either the User Rights or Restricted Groups
branch of a GPO.  To resolve this event, contact an administrator in the domain to
perform the following actions: 

1.	Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find" 
%SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account 
names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most
likely occurs because the account was deleted, renamed, or is spelled differently
(e.g. "JohnDoe"). 

2.	Use RSoP to identify the specific User Rights, Restricted Groups, and Source
GPOs that contain the problem accounts:

a.	Start -> Run -> RSoP.msc
b.	Review the results for Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows
Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged
with a red X.
c.	For any User Right or Restricted Group marked with a red X, the corresponding 
GPO that contains the problem policy setting is listed under the column entitled 
"Source GPO". Note the specific User Rights, Restricted Groups and containing Source 
GPOs that are generating errors. 

3.	Remove unresolved accounts from Group Policy

a.	Start -> Run -> MMC.EXE
b.	From the File menu select "Add/Remove Snap-in..."
c.	From the "Add/Remove Snap-in" dialog box select "Add..."
d.	In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.	In the "Select Group Policy Object" dialog box click the "Browse" button.
f.	On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.	For each source GPO identified in step 2, correct the specific User Rights or 
Restricted Groups that were flagged with a red X in step 2. These User Rights or 
Restricted Groups can be corrected by removing or correcting any references to the  
problem accounts that were identified in step 1.
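Added example covering steps 1 to 3 above; it is not part of the Microsoft event text or the WolfTech page, and the sample log lines are constructed. It automates step 1 (harvesting the "Cannot find <name>" entries from winlogon.log) and adds the check the security policy engine itself performs, name-to-SID translation, so each problem account is reported together with the reason it failed before anyone edits the Source GPO found in step 2.

```powershell
# Added example (not the Microsoft event text or the WolfTech page's own code).
param(
    [string]$LogPath = (Join-Path $env:SystemRoot 'Security\Logs\winlogon.log')
)

# Constructed sample, used only when no winlogon.log exists on this machine.
$SampleLog = @(
    '----Configure User Rights...',
    'Cannot find JohnDough.',
    'Configure S-1-5-32-544.',
    'Cannot find HelpAssistant.',
    'Cannot find JohnDough.'
)

function Get-UnresolvedAccountNames {
    param([string[]]$Lines)
    # SceCli writes one "Cannot find <account>." line per failed lookup;
    # capture the name without its trailing period and de-duplicate.
    $names = foreach ($line in $Lines) {
        if ($line -match '^\s*Cannot find\s+(?<name>.+?)\.?\s*$') { $Matches['name'] }
    }
    return @($names | Sort-Object -Unique)
}

function Test-AccountResolves {
    param([Parameter(Mandatory = $true)][string]$Name)
    # LSA name-to-SID lookup, the translation the policy engine attempts for
    # every account referenced under User Rights or Restricted Groups.
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        New-Object PSObject -Property @{ Name = $Name; Resolved = $true;  Sid = $sid.Value; Detail = '' }
    } catch {
        New-Object PSObject -Property @{ Name = $Name; Resolved = $false; Sid = $null; Detail = $_.Exception.Message }
    }
}

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLog }
Get-UnresolvedAccountNames -Lines $lines |
    ForEach-Object { Test-AccountResolves -Name $_ } |
    Format-Table Name, Resolved, Sid, Detail -AutoSize
```

Run on a Vista client, the sample's HelpAssistant entry comes out unresolved, which matches the cause recorded for this event below. To pull the matching warnings from the Application log on Vista, pair this with `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='SceCli'; Id=1202}`. The numeric codes on this page decode with the .NET Win32Exception type: `(New-Object ComponentModel.Win32Exception 0x534).Message` returns "No mapping between account names and security IDs was done" (ERROR_NONE_MAPPED, decimal 1332), and code 1317 from the 1055 event above is ERROR_NO_SUCH_USER, "The specified account does not exist".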

Cause

The account HelpAssistant is referenced in the ECE-Enable Remote Assistance GPO but does not appear to exist in Vista, so the name cannot be resolved to a SID and the 1202 event above is logged.

Solution