Hello experts - I know I'm not posting this in a Group Policy group,
but there were only 6 or 7 members of those groups, so I'm guessing I
might have better luck here (plus, it might not just be a group policy
problem).

On a Windows Server (2003 R1 Standard) I have setup automatic logon
for a domain admin account (in a locked/secured room) that
automatically launches a piece of software after logged in. The
problem is, the screensaver starts after 900 seconds, and a password
is required to get back into the machine afterwords. However, users
who access the program launched on this computer should not be given
the admin's password.

Therefore, I added a new OU, put this domain admin's user account in
the OU, and created a group policy to disable the screensaver requires
password option.

Nothing happened. I ran gpupdate /force. Nothing. I ran gpresult,
and sure enough, the policy I just added did not show up. I rebooted
the server, rebooted the domain server, same result.

I then ran rsop.msc. When this box appears, red x's appear on
Computer Configuration and User Configuration (as well as the top
level where it says username on computername - RSoP). Clicking on any
of the twisties/plus signs freezes the rsop.msc program. I right
clicked User and Computer Configuration, clicked the Error Information
tab, and it says:
_________________________________________________
Group Policy Infrastructure failed due to the error listed below.
The system cannot find the path specified.

Note: Due to the GP Core failure, none of the other Group Policy
components processed their policy. Consequently, status information
for the other components is not available.
Additional Information:
Windows cannot query for the list of Group Policy objects. Check the
event log for possible messages previously logged by the policy engine
that describes the reason for this.



Windows cannot access the file gpt.ini for GPO cn=
{1DDFFB81-0EE1-4103-8F53-
A2C2F1ED2D21},cn=policies,cn=system,DC=domainname,DC=local. The file
must be present at the location <\\domainname.local\sysvol
\domainname.local\Policies\{1DDFFB81-0EE1-4103-8F53-
A2C2F1ED2D21}\gpt.ini>. (The system cannot find the path specified. ).
Group Policy processing aborted.

What in the world am I supposed to do? Does it have anything to do
with the auto logon feature? Where else can I look? All of your
answers are GREATLY appreciated, and essential!

Thank!

"Robert Jacobs" <robertjacobsit@newsgroup> wrote in message
news:d977a4db-0fa2-4f7c-a2b1-10e143e4c053@newsgroup

> Hello experts - I know I'm not posting this in a Group Policy group,
> but there were only 6 or 7 members of those groups, so I'm guessing I
> might have better luck here (plus, it might not just be a group policy
> problem).
>
> On a Windows Server (2003 R1 Standard) I have setup automatic logon
> for a domain admin account (in a locked/secured room) that
> automatically launches a piece of software after logged in. The
> problem is, the screensaver starts after 900 seconds, and a password
> is required to get back into the machine afterwords. However, users
> who access the program launched on this computer should not be given
> the admin's password.
>
> Therefore, I added a new OU, put this domain admin's user account in
> the OU, and created a group policy to disable the screensaver requires
> password option.
>
> Nothing happened. I ran gpupdate /force. Nothing. I ran gpresult,
> and sure enough, the policy I just added did not show up. I rebooted
> the server, rebooted the domain server, same result.
>
> I then ran rsop.msc. When this box appears, red x's appear on
> Computer Configuration and User Configuration (as well as the top
> level where it says username on computername - RSoP). Clicking on any
> of the twisties/plus signs freezes the rsop.msc program. I right
> clicked User and Computer Configuration, clicked the Error Information
> tab, and it says:
> _________________________________________________
> Group Policy Infrastructure failed due to the error listed below.
> The system cannot find the path specified.
>
> Note: Due to the GP Core failure, none of the other Group Policy
> components processed their policy. Consequently, status information
> for the other components is not available.
> Additional Information:
> Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine
> that describes the reason for this.
>
> Windows cannot access the file gpt.ini for GPO cn=
> {1DDFFB81-0EE1-4103-8F53-
> A2C2F1ED2D21},cn=policies,cn=system,DC=domainname,DC=local. The file
> must be present at the location <\\domainname.local\sysvol
> \domainname.local\Policies\{1DDFFB81-0EE1-4103-8F53-
> A2C2F1ED2D21}\gpt.ini>. (The system cannot find the path specified. ).
> Group Policy processing aborted.
>
> What in the world am I supposed to do? Does it have anything to do
> with the auto logon feature? Where else can I look? All of your
> answers are GREATLY appreciated, and essential!
>
> Thank!

Hi Robert,

First, you could have posted this to the AD group and GPO groups, which are
more specific to the question. But not a prob that you posted it here. I
actually cross-posted my response to both groups. When you reply, make sure
you have both groups in the "To:" field.


What I would suggest is to not host such an application on a DC. When
creating a GPO for users to apply for something such as this, you may need
to use Loopback. However, I highly suggest and recommend to not do this
because it is a domain controller. A DC has a specific Default Domain
Controller Policy that affects it by default, and the loopback can possibly
cause problems with it.

As for the errors you are seeing, they may be stemming from an underlying
issue that may be something more serious. To better diagnose this, we'll
need additional information. Please post the following:

Unedited ipconfig /all from the DC
Sample workstation unedited ipconfig /all
Event log errors on the DC (EventID# and Source name).
Event log errors on the workstation (EventID# and Source name).
Indicate how many DCs and domains you have.

Thank you,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.

as a suggestion:

check if you have enforsed policy above this new OU. try to apply this
policy to both computers and users.

serggry

"Robert Jacobs" <robertjacobsit@newsgroup> ???????/???????? ? ????????
?????????:
news:d977a4db-0fa2-4f7c-a2b1-10e143e4c053@newsgroup

> Hello experts - I know I'm not posting this in a Group Policy group,
> but there were only 6 or 7 members of those groups, so I'm guessing I
> might have better luck here (plus, it might not just be a group policy
> problem).
>
> On a Windows Server (2003 R1 Standard) I have setup automatic logon
> for a domain admin account (in a locked/secured room) that
> automatically launches a piece of software after logged in. The
> problem is, the screensaver starts after 900 seconds, and a password
> is required to get back into the machine afterwords. However, users
> who access the program launched on this computer should not be given
> the admin's password.
>
> Therefore, I added a new OU, put this domain admin's user account in
> the OU, and created a group policy to disable the screensaver requires
> password option.
>
> Nothing happened. I ran gpupdate /force. Nothing. I ran gpresult,
> and sure enough, the policy I just added did not show up. I rebooted
> the server, rebooted the domain server, same result.
>
> I then ran rsop.msc. When this box appears, red x's appear on
> Computer Configuration and User Configuration (as well as the top
> level where it says username on computername - RSoP). Clicking on any
> of the twisties/plus signs freezes the rsop.msc program. I right
> clicked User and Computer Configuration, clicked the Error Information
> tab, and it says:
> _________________________________________________
> Group Policy Infrastructure failed due to the error listed below.
> The system cannot find the path specified.
>
> Note: Due to the GP Core failure, none of the other Group Policy
> components processed their policy. Consequently, status information
> for the other components is not available.
> Additional Information:
> Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine
> that describes the reason for this.
>
> Windows cannot access the file gpt.ini for GPO cn=
> {1DDFFB81-0EE1-4103-8F53-
> A2C2F1ED2D21},cn=policies,cn=system,DC=domainname,DC=local. The file
> must be present at the location <\\domainname.local\sysvol
> \domainname.local\Policies\{1DDFFB81-0EE1-4103-8F53-
> A2C2F1ED2D21}\gpt.ini>. (The system cannot find the path specified. ).
> Group Policy processing aborted.
>
> What in the world am I supposed to do? Does it have anything to do
> with the auto logon feature? Where else can I look? All of your
> answers are GREATLY appreciated, and essential!
>
> Thank!
>

I'm sorry if this comes across rude it is not intended to.

You are handing over the keys to your enterprise by providing this sort of
access. I don't believe you need to have this program run as a domain
admin. All some user has to do is run a command (At this terminal) to have
them be joined to the domain admins (DA) group and they are then full DA
right's and can go about doing what they please anywhere in the enterprise.
Putting this in a secure location means nothing. If I were your supervisor
I would remove your admin rights and contemplate terminating you. I am
serious!

Forget about the screensaver not working and due the work to get this
application running w/o the elevated rights.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Ace Fekay [MVP-DS, MCT]" <aceman@newsgroup> wrote in message
news:eWFO6OfmKHA.3840@newsgroup

> "Robert Jacobs" <robertjacobsit@newsgroup> wrote in message
> news:d977a4db-0fa2-4f7c-a2b1-10e143e4c053@newsgroup

>> Hello experts - I know I'm not posting this in a Group Policy group,
>> but there were only 6 or 7 members of those groups, so I'm guessing I
>> might have better luck here (plus, it might not just be a group policy
>> problem).
>>
>> On a Windows Server (2003 R1 Standard) I have setup automatic logon
>> for a domain admin account (in a locked/secured room) that
>> automatically launches a piece of software after logged in. The
>> problem is, the screensaver starts after 900 seconds, and a password
>> is required to get back into the machine afterwords. However, users
>> who access the program launched on this computer should not be given
>> the admin's password.
>>
>> Therefore, I added a new OU, put this domain admin's user account in
>> the OU, and created a group policy to disable the screensaver requires
>> password option.
>>
>> Nothing happened. I ran gpupdate /force. Nothing. I ran gpresult,
>> and sure enough, the policy I just added did not show up. I rebooted
>> the server, rebooted the domain server, same result.
>>
>> I then ran rsop.msc. When this box appears, red x's appear on
>> Computer Configuration and User Configuration (as well as the top
>> level where it says username on computername - RSoP). Clicking on any
>> of the twisties/plus signs freezes the rsop.msc program. I right
>> clicked User and Computer Configuration, clicked the Error Information
>> tab, and it says:
>> _________________________________________________
>> Group Policy Infrastructure failed due to the error listed below.
>> The system cannot find the path specified.
>>
>> Note: Due to the GP Core failure, none of the other Group Policy
>> components processed their policy. Consequently, status information
>> for the other components is not available.
>> Additional Information:
>> Windows cannot query for the list of Group Policy objects. Check the
>> event log for possible messages previously logged by the policy engine
>> that describes the reason for this.
>>
>> Windows cannot access the file gpt.ini for GPO cn=
>> {1DDFFB81-0EE1-4103-8F53-
>> A2C2F1ED2D21},cn=policies,cn=system,DC=domainname,DC=local. The file
>> must be present at the location <\\domainname.local\sysvol
>> \domainname.local\Policies\{1DDFFB81-0EE1-4103-8F53-
>> A2C2F1ED2D21}\gpt.ini>. (The system cannot find the path specified. ).
>> Group Policy processing aborted.
>>
>> What in the world am I supposed to do? Does it have anything to do
>> with the auto logon feature? Where else can I look? All of your
>> answers are GREATLY appreciated, and essential!
>>
>> Thank!

>
>
>
> Hi Robert,
>
> First, you could have posted this to the AD group and GPO groups, which
> are more specific to the question. But not a prob that you posted it here.
> I actually cross-posted my response to both groups. When you reply, make
> sure you have both groups in the "To:" field.
>
>
> What I would suggest is to not host such an application on a DC. When
> creating a GPO for users to apply for something such as this, you may need
> to use Loopback. However, I highly suggest and recommend to not do this
> because it is a domain controller. A DC has a specific Default Domain
> Controller Policy that affects it by default, and the loopback can
> possibly cause problems with it.
>
> As for the errors you are seeing, they may be stemming from an underlying
> issue that may be something more serious. To better diagnose this, we'll
> need additional information. Please post the following:
>
> Unedited ipconfig /all from the DC
> Sample workstation unedited ipconfig /all
> Event log errors on the DC (EventID# and Source name).
> Event log errors on the workstation (EventID# and Source name).
> Indicate how many DCs and domains you have.
>
> Thank you,
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
> MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance,
> please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>

On Jan 21, 7:31*am, "Paul Bergson [MVP-DS]" <pbbergs@newsgroup_spammsn.com>
wrote:

> I'm sorry if this comes across rude it is not intended to.
>
> You are handing over the keys to your enterprise by providing this sort of
> access. *I don't believe you need to have this program run as a domain
> admin. *All some user has to do is run a command (At this terminal) to have
> them be joined to the domain admins (DA) group and they are then full DA
> right's and can go about doing what they please anywhere in the enterprise.
> Putting this in a secure location means nothing. *If I were your supervisor
> I would remove your admin rights and contemplate terminating you. *I am
> serious!
>
> Forget about the screensaver not working and due the work to get this
> application running w/o the elevated rights.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Ace Fekay [MVP-DS, MCT]" <ace...@newsgroup> wrote in messagenews:eWFO6OfmKHA.3840@newsgroup
>
>
>

> > "Robert Jacobs" <robertjacob...@newsgroup> wrote in message
> >news:d977a4db-0fa2-4f7c-a2b1-10e143e4c053@newsgroup

> >> Hello experts - I know I'm not posting this in a Group Policy group,
> >> but there were only 6 or 7 members of those groups, so I'm guessing I
> >> might have better luck here (plus, it might not just be a group policy
> >> problem).

>

> >> On a Windows Server (2003 R1 Standard) I have setup automatic logon
> >> for a domain admin account (in a locked/secured room) that
> >> automatically launches a piece of software after logged in. *The
> >> problem is, the screensaver starts after 900 seconds, and a password
> >> is required to get back into the machine afterwords. *However, users
> >> who access the program launched on this computer should not be given
> >> the admin's password.

>

> >> Therefore, I added a new OU, put this domain admin's user account in
> >> the OU, and created a group policy to disable the screensaver requires
> >> password option.

>

> >> Nothing happened. *I ran gpupdate /force. *Nothing. *I ran gpresult,
> >> and sure enough, the policy I just added did not show up. *I rebooted
> >> the server, rebooted the domain server, same result.

>

> >> I then ran rsop.msc. *When this box appears, red x's appear on
> >> Computer Configuration and User Configuration (as well as the top
> >> level where it says username on computername - RSoP). *Clicking on any
> >> of the twisties/plus signs freezes the rsop.msc program. *I right
> >> clicked User and Computer Configuration, clicked the Error Information
> >> tab, and it says:
> >> _________________________________________________
> >> Group Policy Infrastructure failed due to the error listed below.
> >> The system cannot find the path specified.

>

> >> Note: *Due to the GP Core failure, none of the other Group Policy
> >> components processed their policy. *Consequently, status information
> >> for the other components is not available.
> >> Additional Information:
> >> Windows cannot query for the list of Group Policy objects. Check the
> >> event log for possible messages previously logged by the policy engine
> >> that describes the reason for this.

>

> >> Windows cannot access the file gpt.ini for GPO cn=
> >> {1DDFFB81-0EE1-4103-8F53-
> >> A2C2F1ED2D21},cn=policies,cn=system,DC=domainname,DC=local. The file
> >> must be present at the location <\\domainname.local\sysvol
> >> \domainname.local\Policies\{1DDFFB81-0EE1-4103-8F53-
> >> A2C2F1ED2D21}\gpt.ini>. (The system cannot find the path specified. ).
> >> Group Policy processing aborted.

>

> >> What in the world am I supposed to do? *Does it have anything to do
> >> with the auto logon feature? *Where else can I look? *All of your
> >> answers are GREATLY appreciated, and essential!

>

> >> Thank!

>

> > Hi Robert,

>

> > First, you could have posted this to the AD group and GPO groups, which
> > are more specific to the question. But not a prob that you posted it here.
> > I actually cross-posted my response to both groups. When you reply, make
> > sure you have both groups in the "To:" field.

>

> > What I would suggest is to not host such an application on a DC. When
> > creating a GPO for users to apply for something such as this, you may need
> > to use Loopback. However, I highly suggest and recommend to not do this
> > because it is a domain controller. A DC has a specific Default Domain
> > Controller Policy that affects it by default, and the loopback can
> > possibly cause problems with it.

>

> > As for the errors you are seeing, they may be stemming from an underlying
> > issue that may be something more serious. To better diagnose this, we'll
> > need additional information. Please post the following:

>

> > Unedited ipconfig /all from the DC
> > Sample workstation unedited ipconfig /all
> > Event log errors on the DC (EventID# and Source name).
> > Event log errors on the workstation (EventID# and Source name).
> > Indicate how many DCs and domains you have.

>

> > Thank you,

>

> > --
> > Ace

>

> > This posting is provided "AS-IS" with no warranties or guarantees and
> > confers no rights.

>

> > Please reply back to the newsgroup or forum for collaboration benefit
> > among responding engineers, and to help others benefit from your
> > resolution.

>

> > Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
> > MCSA 2003/2000, MCSA Messaging 2003
> > Microsoft Certified Trainer
> > Microsoft MVP - Directory Services

>

> > If you feel this is an urgent issue and require immediate assistance,
> > please contact Microsoft PSS directly. Please check
> >http://support.microsoft.comfor regional support phone numbers.- Hide quoted text -

>
> - Show quoted text -

The server is not a DC, it's simply a standard windows server with SQL
running as well as a test program - And thanks Paul for your advice on
my being fired. I would love to tell you that this is being performed
on a utility server domain (only utility servers and utility 'domain
admin' accounts are used (testing domain)), and that none of our
enterprise data is at any risk from any user at any time - and I'd
love to tell you what I'm trying to accomplish is for testing purposes
only - and would be applied on our actual domain in the future with
accounts that only have permissions to specific directories required
for that specific application to run - I'm just trying to get any bugs
worked out on our TESTING domain before attempting to go live with
COMPLETELY DIFFERENT accounts, but accounts that need to auto logon,
none-the-less. And, finally, I would like to thank you for all of
your help in resolving the issues I'm running into - you're a huge
help. Thank goodness you put all of your fancy certifications (Mr.
Early Achiever) to good use, by not asking any follow up questions, or
asking the nature of this project before telling me you are serious
about my lack of intelligence, my threat to my company, and the fact
that I should (seriously) be fired. Again - great help, MVP.

You are risking your company and its assets, I don't feel you are doing this
properly and it needs to be resolved. The answer I might provide might not
be popular but it is the correct one.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Robert Jacobs" <robertjacobsit@newsgroup> wrote in message
news:e48cb556-2e2e-43f2-a075-b50912e5b455@newsgroup
On Jan 21, 7:31 am, "Paul Bergson [MVP-DS]" <pbbergs@newsgroup_spammsn.com>
wrote:

> I'm sorry if this comes across rude it is not intended to.
>
> You are handing over the keys to your enterprise by providing this sort of
> access. I don't believe you need to have this program run as a domain
> admin. All some user has to do is run a command (At this terminal) to have
> them be joined to the domain admins (DA) group and they are then full DA
> right's and can go about doing what they please anywhere in the
> enterprise.
> Putting this in a secure location means nothing. If I were your supervisor
> I would remove your admin rights and contemplate terminating you. I am
> serious!
>
> Forget about the screensaver not working and due the work to get this
> application running w/o the elevated rights.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Ace Fekay [MVP-DS, MCT]" <ace...@newsgroup> wrote in
> messagenews:eWFO6OfmKHA.3840@newsgroup
>
>
>

> > "Robert Jacobs" <robertjacob...@newsgroup> wrote in message
> >news:d977a4db-0fa2-4f7c-a2b1-10e143e4c053@newsgroup

> >> Hello experts - I know I'm not posting this in a Group Policy group,
> >> but there were only 6 or 7 members of those groups, so I'm guessing I
> >> might have better luck here (plus, it might not just be a group policy
> >> problem).

>

> >> On a Windows Server (2003 R1 Standard) I have setup automatic logon
> >> for a domain admin account (in a locked/secured room) that
> >> automatically launches a piece of software after logged in. The
> >> problem is, the screensaver starts after 900 seconds, and a password
> >> is required to get back into the machine afterwords. However, users
> >> who access the program launched on this computer should not be given
> >> the admin's password.

>

> >> Therefore, I added a new OU, put this domain admin's user account in
> >> the OU, and created a group policy to disable the screensaver requires
> >> password option.

>

> >> Nothing happened. I ran gpupdate /force. Nothing. I ran gpresult,
> >> and sure enough, the policy I just added did not show up. I rebooted
> >> the server, rebooted the domain server, same result.

>

> >> I then ran rsop.msc. When this box appears, red x's appear on
> >> Computer Configuration and User Configuration (as well as the top
> >> level where it says username on computername - RSoP). Clicking on any
> >> of the twisties/plus signs freezes the rsop.msc program. I right
> >> clicked User and Computer Configuration, clicked the Error Information
> >> tab, and it says:
> >> _________________________________________________
> >> Group Policy Infrastructure failed due to the error listed below.
> >> The system cannot find the path specified.

>

> >> Note: Due to the GP Core failure, none of the other Group Policy
> >> components processed their policy. Consequently, status information
> >> for the other components is not available.
> >> Additional Information:
> >> Windows cannot query for the list of Group Policy objects. Check the
> >> event log for possible messages previously logged by the policy engine
> >> that describes the reason for this.

>

> >> Windows cannot access the file gpt.ini for GPO cn=
> >> {1DDFFB81-0EE1-4103-8F53-
> >> A2C2F1ED2D21},cn=policies,cn=system,DC=domainname,DC=local. The file
> >> must be present at the location <\\domainname.local\sysvol
> >> \domainname.local\Policies\{1DDFFB81-0EE1-4103-8F53-
> >> A2C2F1ED2D21}\gpt.ini>. (The system cannot find the path specified. ).
> >> Group Policy processing aborted.

>

> >> What in the world am I supposed to do? Does it have anything to do
> >> with the auto logon feature? Where else can I look? All of your
> >> answers are GREATLY appreciated, and essential!

>

> >> Thank!

>

> > Hi Robert,

>

> > First, you could have posted this to the AD group and GPO groups, which
> > are more specific to the question. But not a prob that you posted it
> > here.
> > I actually cross-posted my response to both groups. When you reply, make
> > sure you have both groups in the "To:" field.

>

> > What I would suggest is to not host such an application on a DC. When
> > creating a GPO for users to apply for something such as this, you may
> > need
> > to use Loopback. However, I highly suggest and recommend to not do this
> > because it is a domain controller. A DC has a specific Default Domain
> > Controller Policy that affects it by default, and the loopback can
> > possibly cause problems with it.

>

> > As for the errors you are seeing, they may be stemming from an
> > underlying
> > issue that may be something more serious. To better diagnose this, we'll
> > need additional information. Please post the following:

>

> > Unedited ipconfig /all from the DC
> > Sample workstation unedited ipconfig /all
> > Event log errors on the DC (EventID# and Source name).
> > Event log errors on the workstation (EventID# and Source name).
> > Indicate how many DCs and domains you have.

>

> > Thank you,

>

> > --
> > Ace

>

> > This posting is provided "AS-IS" with no warranties or guarantees and
> > confers no rights.

>

> > Please reply back to the newsgroup or forum for collaboration benefit
> > among responding engineers, and to help others benefit from your
> > resolution.

>

> > Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
> > MCSA 2003/2000, MCSA Messaging 2003
> > Microsoft Certified Trainer
> > Microsoft MVP - Directory Services

>

> > If you feel this is an urgent issue and require immediate assistance,
> > please contact Microsoft PSS directly. Please check
> >http://support.microsoft.comfor regional support phone numbers.- Hide
> >quoted text -

>
> - Show quoted text -

The server is not a DC, it's simply a standard windows server with SQL
running as well as a test program - And thanks Paul for your advice on
my being fired. I would love to tell you that this is being performed
on a utility server domain (only utility servers and utility 'domain
admin' accounts are used (testing domain)), and that none of our
enterprise data is at any risk from any user at any time - and I'd
love to tell you what I'm trying to accomplish is for testing purposes
only - and would be applied on our actual domain in the future with
accounts that only have permissions to specific directories required
for that specific application to run - I'm just trying to get any bugs
worked out on our TESTING domain before attempting to go live with
COMPLETELY DIFFERENT accounts, but accounts that need to auto logon,
none-the-less. And, finally, I would like to thank you for all of
your help in resolving the issues I'm running into - you're a huge
help. Thank goodness you put all of your fancy certifications (Mr.
Early Achiever) to good use, by not asking any follow up questions, or
asking the nature of this project before telling me you are serious
about my lack of intelligence, my threat to my company, and the fact
that I should (seriously) be fired. Again - great help, MVP.

"Robert Jacobs" <robertjacobsit@newsgroup> wrote in message
news:e48cb556-2e2e-43f2-a075-b50912e5b455@newsgroup

> help. Thank goodness you put all of your fancy certifications (Mr.
> Early Achiever) to good use, by not asking any follow up questions, or
> asking the nature of this project before telling me ....

We make just as many people mad by asking those "follow up questions"
because people have no patients and want an instant answer without giving
everyone the details they need to make such an answer possible.

So from our position it is a "no win situation". Someone is going to get
ticked off no matter how we approach it.


--
Phillip Windell [not an MVP, MCSE or anything else,...the CCNA is expired]

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

On Jan 21, 12:31*pm, "Phillip Windell" <philwind...@newsgroup>
wrote:

> "Robert Jacobs" <robertjacob...@newsgroup> wrote in message
>
> news:e48cb556-2e2e-43f2-a075-b50912e5b455@newsgroup
>

> > help. *Thank goodness you put all of your fancy certifications (Mr.
> > Early Achiever) to good use, by not asking any follow up questions, or
> > asking the nature of this project before telling me ....

>
> We make just as many people mad by asking those "follow up questions"
> because people have no patients and want an instant answer without giving
> everyone the details they need to make such an answer possible.
>
> So from our position it is a "no win situation". *Someone is going to get
> ticked off no matter how we approach it.
>
> --
> Phillip Windell [not an MVP, MCSE or anything else,...the CCNA is expired]
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------

However Paul decided to not ask any questions, as well as not answer
any questions - only to tell me I'm doing everything wrong. On top of
that, AFTER I informed him that the problem I'm running into is on a
test domain, and will (when implemented into our enterprise domain)
have completely different user accounts with practically no
permissions to company data or other company computers, he still
decided to tell me I'm risking my company's assets - and I still have
yet to hear one piece of advice on how to resolve my group policy
issue.

It has nothing to do with a popular or correct answer. The simple
fact is that the specialized software that is running on this computer
REQUIRES a user to be logged in at all times, REQUIRES access to only
specific folders (which WILL BE USED, NOT A DOMAIN ADMIN LIKE IN THE
TEEESSSSTTT DOMAIN), and requires other users to use the software
directly from the machine without needing the username/password of the
specialized NON ADMIN account (therefore screen shouldn't lock).
However, the Group Policy changes are not being implemented on the
computer... I'm trying to resolve this on my TEST DOMAIN before
implementing it with different accounts and permissions on my
enterprise domain - but all I hear is I should be fired. Thanks again.

Robert,

If I might chime in here....

I am a former MVP (a few years ago when I had a lot more time to partake in
the news groups). I spent a lot of time in here and helped a lot of people
and learned a lot from everyone...MVPs and non-MVPs alike. There are lots
of ways to skin a cat, as it were.

Anyway, right off the bat I would like to make very clear that the MVPs are
doing this in their free time. There is no compensation at all from
Microsoft (other than access to some really cool things and trips to the
Redmond campus....never made it there because my wife was pregnant both
years). These MS forums are public and are right up at the top of the list
as far as I am concerned. I used to spend a lot of time in the AD and GPO
and Exchange Admin news groups. Top notch places. There should be no
expectation (and I use that word very specifically) of immediate help or of
useful help. Do not assume that what you receive in the way of advise is
accurate for your specific environment | issue. If you have a really
serious issue then please contact MS - PSS. If you do that then having
those expectations (not saying that YOU have those expectations....just
saying) is completely within reason.

Paul is one of the good guys. He helps a lot of people, does a lot of great
work - in and out of the new groups - and is always willing to share his
knowledge and ideas and insight. If Paul states that you could get fired
for doing what you are doing then I might respectfully suggest that you take
a step back and evaluate what it is that Paul is saying and look at why he
is saying it.

For you to attack Paul the way you did is really uncalled for and not cool
at all. Paul would not ever say this - so I will: you really need to
rethink your personal attack on him and make that right. But, that is
between you and Paul.

It is not easy knowing what is happening in an environment. It is not easy
knowing what the thought process is of the person making a post. I can tell
you that there is a lot of crappola out there. I see it every day. The
clients that we take over from other IT Consultants and in-house IT staff
are seriously messed up. There is - I can assure you - a lot of that out
there. I just shake my head (actually, most of the time) when we take over
a new client. Absolutely incredible what people do. There are also
different levels of 'competency'. So, what I am saying is that no one in
this forum knows your skill set level and how you do things (I know - and I
speak for myself - that I do things a very specific way...which is very very
very different from all of my colleagues...if I have done something at one
of our clients EVERYONE at my company knows who did it!). It is prudent to
ask questions (which - as Phillip stated - often pi$$es off people).
Remember, it is sometimes rather difficult to help with an issue where we
have never seen the environment, can not touch the environment and can
simply go on "what I know".

Ace also initiated contact with you and suggested that you reconsider what
you are doing. Ace is also one of the good guys. Now, from what I can
see - there was no mention of a test domain (which, btw, is *EXACTLY* the
correct way to do things....so, megekudos there). I do not want to speak
for either Paul or Ace, but I can only ass/u/me that the thought process was
that this was in a production environment. It is my opinion that anyone who
intentionally learns / tests / plays in a production environment ought to be
fired. Granted, no one knows everything so that is sometimes necessary
(well.......).

Anyway, if you would like or need help I will gladly assist you.

Cary

"Robert Jacobs" <robertjacobsit@newsgroup> wrote in message
news:e7d34b91-3b6e-40ee-939c-1c2bd18a5da1@newsgroup
On Jan 21, 12:31 pm, "Phillip Windell" <philwind...@newsgroup>
wrote:

> "Robert Jacobs" <robertjacob...@newsgroup> wrote in message
>
> news:e48cb556-2e2e-43f2-a075-b50912e5b455@newsgroup
>

> > help. Thank goodness you put all of your fancy certifications (Mr.
> > Early Achiever) to good use, by not asking any follow up questions, or
> > asking the nature of this project before telling me ....

>
> We make just as many people mad by asking those "follow up questions"
> because people have no patients and want an instant answer without giving
> everyone the details they need to make such an answer possible.
>
> So from our position it is a "no win situation". Someone is going to get
> ticked off no matter how we approach it.
>
> --
> Phillip Windell [not an MVP, MCSE or anything else,...the CCNA is expired]
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------

However Paul decided to not ask any questions, as well as not answer
any questions - only to tell me I'm doing everything wrong. On top of
that, AFTER I informed him that the problem I'm running into is on a
test domain, and will (when implemented into our enterprise domain)
have completely different user accounts with practically no
permissions to company data or other company computers, he still
decided to tell me I'm risking my company's assets - and I still have
yet to hear one piece of advice on how to resolve my group policy
issue.

It has nothing to do with a popular or correct answer. The simple
fact is that the specialized software that is running on this computer
REQUIRES a user to be logged in at all times, REQUIRES access to only
specific folders (which WILL BE USED, NOT A DOMAIN ADMIN LIKE IN THE
TEEESSSSTTT DOMAIN), and requires other users to use the software
directly from the machine without needing the username/password of the
specialized NON ADMIN account (therefore screen shouldn't lock).
However, the Group Policy changes are not being implemented on the
computer... I'm trying to resolve this on my TEST DOMAIN before
implementing it with different accounts and permissions on my
enterprise domain - but all I hear is I should be fired. Thanks again.

"Cary Shultz" <cshultz@newsgroup> wrote in message
news:enVWUexmKHA.5520@newsgroup

> Robert,
>
> If I might chime in here....
>
> I am a former MVP (a few years ago when I had a lot more time to partake
> in the news groups). I spent a lot of time in here and helped a lot of
> people and learned a lot from everyone...MVPs and non-MVPs alike. There
> are lots of ways to skin a cat, as it were.
>
> Anyway, right off the bat I would like to make very clear that the MVPs
> are doing this in their free time. There is no compensation at all from
> Microsoft (other than access to some really cool things and trips to the
> Redmond campus....never made it there because my wife was pregnant both
> years). These MS forums are public and are right up at the top of the
> list as far as I am concerned. I used to spend a lot of time in the AD
> and GPO and Exchange Admin news groups. Top notch places. There should
> be no expectation (and I use that word very specifically) of immediate
> help or of useful help. Do not assume that what you receive in the way of
> advise is accurate for your specific environment | issue. If you have a
> really serious issue then please contact MS - PSS. If you do that then
> having those expectations (not saying that YOU have those
> expectations....just saying) is completely within reason.
>
> Paul is one of the good guys. He helps a lot of people, does a lot of
> great work - in and out of the new groups - and is always willing to share
> his knowledge and ideas and insight. If Paul states that you could get
> fired for doing what you are doing then I might respectfully suggest that
> you take a step back and evaluate what it is that Paul is saying and look
> at why he is saying it.
>
> For you to attack Paul the way you did is really uncalled for and not cool
> at all. Paul would not ever say this - so I will: you really need to
> rethink your personal attack on him and make that right. But, that is
> between you and Paul.
>
> It is not easy knowing what is happening in an environment. It is not
> easy knowing what the thought process is of the person making a post. I
> can tell you that there is a lot of crappola out there. I see it every
> day. The clients that we take over from other IT Consultants and in-house
> IT staff are seriously messed up. There is - I can assure you - a lot of
> that out there. I just shake my head (actually, most of the time) when we
> take over a new client. Absolutely incredible what people do. There are
> also different levels of 'competency'. So, what I am saying is that no
> one in this forum knows your skill set level and how you do things (I
> know - and I speak for myself - that I do things a very specific
> way...which is very very very different from all of my colleagues...if I
> have done something at one of our clients EVERYONE at my company knows who
> did it!). It is prudent to ask questions (which - as Phillip stated -
> often pi$$es off people). Remember, it is sometimes rather difficult to
> help with an issue where we have never seen the environment, can not touch
> the environment and can simply go on "what I know".
>
> Ace also initiated contact with you and suggested that you reconsider what
> you are doing. Ace is also one of the good guys. Now, from what I can
> see - there was no mention of a test domain (which, btw, is *EXACTLY* the
> correct way to do things....so, megekudos there). I do not want to speak
> for either Paul or Ace, but I can only ass/u/me that the thought process
> was that this was in a production environment. It is my opinion that
> anyone who intentionally learns / tests / plays in a production
> environment ought to be fired. Granted, no one knows everything so that
> is sometimes necessary (well.......).
>
> Anyway, if you would like or need help I will gladly assist you.
>
> Cary
>
> "Robert Jacobs" <robertjacobsit@newsgroup> wrote in message
> news:e7d34b91-3b6e-40ee-939c-1c2bd18a5da1@newsgroup
> On Jan 21, 12:31 pm, "Phillip Windell" <philwind...@newsgroup>
> wrote:

>> "Robert Jacobs" <robertjacob...@newsgroup> wrote in message
>>
>> news:e48cb556-2e2e-43f2-a075-b50912e5b455@newsgroup
>>

>> > help. Thank goodness you put all of your fancy certifications (Mr.
>> > Early Achiever) to good use, by not asking any follow up questions, or
>> > asking the nature of this project before telling me ....

>>
>> We make just as many people mad by asking those "follow up questions"
>> because people have no patients and want an instant answer without giving
>> everyone the details they need to make such an answer possible.
>>
>> So from our position it is a "no win situation". Someone is going to get
>> ticked off no matter how we approach it.
>>
>> --
>> Phillip Windell [not an MVP, MCSE or anything else,...the CCNA is
>> expired]
>>
>> The views expressed, are my own and not those of my employer, or
>> Microsoft,
>> or anyone else associated with me, including my cats.
>> -----------------------------------------------------

>
> However Paul decided to not ask any questions, as well as not answer
> any questions - only to tell me I'm doing everything wrong. On top of
> that, AFTER I informed him that the problem I'm running into is on a
> test domain, and will (when implemented into our enterprise domain)
> have completely different user accounts with practically no
> permissions to company data or other company computers, he still
> decided to tell me I'm risking my company's assets - and I still have
> yet to hear one piece of advice on how to resolve my group policy
> issue.
>
> It has nothing to do with a popular or correct answer. The simple
> fact is that the specialized software that is running on this computer
> REQUIRES a user to be logged in at all times, REQUIRES access to only
> specific folders (which WILL BE USED, NOT A DOMAIN ADMIN LIKE IN THE
> TEEESSSSTTT DOMAIN), and requires other users to use the software
> directly from the machine without needing the username/password of the
> specialized NON ADMIN account (therefore screen shouldn't lock).
> However, the Group Policy changes are not being implemented on the
> computer... I'm trying to resolve this on my TEST DOMAIN before
> implementing it with different accounts and permissions on my
> enterprise domain - but all I hear is I should be fired. Thanks again.

Cary,

Very well put.

From Robert's original post, he stated symptoms without configuration
information and *hinted* that it's on a DC, hence all of our reactions. I
did request configuration information, however that seemed to be overlooked
among the barrage of personal attacks against Paul and I ass/u/me Phillip
and I.

As you stated, we do try to help, and we never know what skill level a
poster owns, and sometimes we do lend personal comments regarding a
scenario. When there isn't enough provided in an intial post, we always ask
for additional information in order to diagnose the issue, which I had
asked, otherwise it leads to assumptions. I must admit I also fell under
that category in my response, but that stemmed from the original post's
context believing this was a DC and using a domain admin account to allow
users to logon with. It was never stated this was a test environment and the
eventual production rollout would be on a non-DC using plain-Jane user
accounts.

My bet is because it's a domain admin account, it may be due to the
AdminSDHolder, but we will never know, and I will no longer ass/u/me
anything at this point in this thread.

And quite unfortunate it got this far. <sigh>

Ace