Thread: The policy Engine did not attempt to configure the setting

  1. #1
    PreviousPoster is offline 100+ Helpful Posts! 50+ Helpful Posts
    Join Date
    Dec 1969
    Posts
    1,254

    Default

    Hi all,

    On our default Domain policy we had an entry which was to allow our helpdesk people to add computers to the domain. The entry is

    computer configuration\windows settings\security settings\local policies\user rights assignment\add workstations to domain

    This has been working fine until earlier this week, when it stopped working. The entry is still there. Members of the group, Helpdesk_staff, can still manually create a computer account in the computers container, they can still delete computers, and they can still access network resources using the helpdesk_staff group to authenticate, so we've ruled out a permissions problem (I hope; if I've missed anything, please say).

    When I run RSOP on a test user that is a member of the Helpdesk_staff group, run it on the computers container, and look at the entry, it's there and defined, but it has a red circle with a white cross in it (a bad sign, I'm assuming). When I check the properties of the entry, then the Precedence tab, I see the message 'The policy engine did not attempt to configure the setting. For more information, see %windir%\security\logs\winlogon.log on the target machine.'

    I've had a look at the log file on one of the DCs and it wasn't very helpful (to me anyway).

    Here's a copy of the last section of the log file.

    This is not the last GPO.
    -------------------------------------------
    Thursday, 2 August 2007 1:23:11 p.m.
    Copy undo values to the merged policy.


    ----Un-initialize configuration engine...

    Process GP template gpt00001.dom.

    This is not the last GPO.
    -------------------------------------------
    Thursday, 2 August 2007 1:23:13 p.m.


    ----Un-initialize configuration engine...

    Process GP template gpt00002.inf.

    This is the last GPO : domain policy is ignored on DC.
    -------------------------------------------
    Thursday, 2 August 2007 1:23:13 p.m.


    ----Un-initialize configuration engine...
    -------------------------------------------
    Thursday, 2 August 2007 1:23:14 p.m.
    ----Configuration engine was initialized successfully.----

    ----Reading Configuration Template info...


    ----Configure User Rights...
    SeSystemtimePrivilege must be assigned to administrators. This setting is adjusted.
    Configure S-1-5-21-3216351012-234443501-1401547774-1115.
    Configure S-1-5-20.
    Configure S-1-5-19.
    Configure S-1-5-21-3216351012-234443501-1401547774-14605.
    Configure S-1-5-32-549.
    Configure S-1-5-32-551.
    Configure S-1-5-32-544.
    Configure S-1-5-21-3216351012-234443501-1401547774-15104.
    Configure S-1-5-21-3216351012-234443501-1401547774-14604.
    Configure S-1-5-21-3216351012-234443501-1401547774-1114.
    Configure S-1-5-21-3216351012-234443501-1401547774-1001.
    Configure S-1-5-21-3216351012-234443501-1401547774-1116.
    Configure S-1-5-21-3216351012-234443501-1401547774-500.
    Configure S-1-5-21-3216351012-234443501-1401547774-15106.
    Configure S-1-5-32-554.
    Configure S-1-5-11.
    Configure S-1-1-0.
    Configure S-1-5-32-548.
    Configure S-1-5-32-550.
    Configure S-1-5-21-3216351012-234443501-1401547774-13363.
    Configure S-1-5-21-3216351012-234443501-1401547774-512.
    Configure S-1-5-9.
    Configure S-1-5-21-3216351012-234443501-1401547774-1112.
    Configure S-1-5-21-3216351012-234443501-1401547774-10889.

    User Rights configuration was completed successfully.


    ----Configure Security Policy...
    Configure password information.
    Configure account force logoff information.

    System Access configuration was completed successfully.

    Audit/Log configuration was completed successfully.

    Kerberos Policy configuration was completed successfully.
    Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
    Configure machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.

    Configuration of Registry Values was completed successfully.


    ----Configure available attachment engines...

    Configuration of attachment engines was completed successfully.


    ----Un-initialize configuration engine...

    To further check that it wasn't specific to the security group (helpdesk_staff), I removed the entry from the default domain policy, created a separate GPO just for adding computers to the domain (just in case the default domain GPO was messed up), and created a new security group (helpdesk_staff_2), and we still get the same problem. The RSOP does update to show that the entry is coming from the new GPO, but it still has the same problem (red circle and white cross).

    Anyone have any ideas, please? I've been pulling my hair out over this.

    Thanks

    Stu

  2. #2

    Check the log file on a client computer, not on the DC, and post the result here.

  3. #3

    Make a local copy of \\*****\SysVol\*****\Policies\{4D354724-BCA8-4A54-86A2-8441B2F464FA}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\******\sysvol\*******\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Process GP template gpt00000.dom.

    This is not the last GPO.
    -------------------------------------------
    Monday, 6 August 2007 9:06:30 a.m.
    Administrative privileged user logged on.
    Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
    Copy undo values to the merged policy.


    ----Un-initialize configuration engine...

    Process GP template gpt00001.dom.
    -------------------------------------------
    Monday, 6 August 2007 9:06:32 a.m.
    Administrative privileged user logged on.
    Parsing template C:\WINDOWS\security\templates\policies\gpt00001.dom.
    ----Configuration engine was initialized successfully.----

    ----Reading Configuration Template info...


    ----Configure User Rights...
    Undo value for group policy setting <SeMachineAccountPrivilege> was saved.
    Undo value for group policy setting <SeInteractiveLogonRight> was saved.
    Configure S-1-5-21-436374069-1085031214-725345543-501.
    remove SeInteractiveLogonRight.
    Configure S-1-5-32-545.
    remove SeInteractiveLogonRight.
    Configure S-1-5-32-547.
    remove SeInteractiveLogonRight.
    Configure S-1-5-32-551.
    remove SeInteractiveLogonRight.
    Configure S-1-5-21-3216351012-234443501-1401547774-513.
    add SeInteractiveLogonRight.
    Configure S-1-5-21-3216351012-234443501-1401547774-512.
    add SeInteractiveLogonRight.
    Configure S-1-5-32-544.
    Configure S-1-5-21-3216351012-234443501-1401547774-14984.
    add SeMachineAccountPrivilege.

    User Rights configuration was completed successfully.


    ----Configure Security Policy...
    Start processing undo values for 7 settings.
    0
    Undo value for group policy setting <MinimumPasswordLength> was saved.
    0
    Undo value for group policy setting <PasswordHistorySize> was saved.
    42
    Undo value for group policy setting <MaximumPasswordAge> was saved.
    0
    Undo value for group policy setting <MinimumPasswordAge> was saved.
    0
    Undo value for group policy setting <PasswordComplexity> was saved.
    0
    Undo value for group policy setting <RequireLogonToChangePassword> was saved.
    0
    Undo value for group policy setting <ClearTextPassword> was saved.
    Configure password information.
    Start processing undo values for 3 settings.
    0
    Undo value for group policy setting <LockoutBadCount> was saved.
    5
    Undo value for group policy setting <ResetLockoutCount> was saved.
    5
    Undo value for group policy setting <LockoutDuration> was saved.
    Configure account lockout information.
    0
    Undo value for group policy setting <ForceLogoffWhenHourExpire> was saved.
    Configure account force logoff information.

    System Access configuration was completed successfully.

    Audit/Log configuration was completed successfully.

    Configuration of Registry Values was completed successfully.


    ----Configure available attachment engines...

    Configuration of attachment engines was completed successfully.


    ----Un-initialize configuration engine...

    this is the last GPO.

  4. #4

    Hi,

    Anyone able to help please? I'm really stuck here.

    Thanks

  5. #5

    I'm not really sure, but you might need to change this setting back to what it was and change it on the "Default Domain Controllers GPO" in the "Domain Controllers" OU instead, since it's a policy that affects them only.

    Check if the "Default Domain Controllers GPO" has no override on it!

    Edit: Sorry for the late answer, but I had a week away from my computer.
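
Added example (not written by any poster in this thread): a small Python parser for the "Configure User Rights" section of winlogon.log, in the format shown in posts #1 and #3. It reports which SIDs a processing pass actually granted a right to, so the DC log and the client log can be compared for SeMachineAccountPrivilege. The function names are illustrative, and the sample strings are shortened excerpts of the logs posted above.

```python
import re

# Constructed samples: shortened excerpts of the logs in post #3 (client) and post #1 (DC).
CLIENT_LOG = """\
----Configure User Rights...
Undo value for group policy setting <SeMachineAccountPrivilege> was saved.
Configure S-1-5-32-545.
remove SeInteractiveLogonRight.
Configure S-1-5-32-544.
Configure S-1-5-21-3216351012-234443501-1401547774-14984.
add SeMachineAccountPrivilege.
User Rights configuration was completed successfully.
----Configure Security Policy...
"""
DC_LOG = """\
This is the last GPO : domain policy is ignored on DC.
----Configure User Rights...
SeSystemtimePrivilege must be assigned to administrators. This setting is adjusted.
Configure S-1-5-32-544.
Configure S-1-5-21-3216351012-234443501-1401547774-15104.
User Rights configuration was completed successfully.
"""

SID_RE = re.compile(r"^Configure (S-1-[\d-]+)\.$")
CHANGE_RE = re.compile(r"^(add|remove) (Se\w+)\.$")

def parse_user_rights(log_text):
    """Return {sid: [(action, right), ...]} from every 'Configure User Rights' section."""
    changes, in_section, sid = {}, False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("----"):          # any '----' banner starts a new section
            in_section = line.startswith("----Configure User Rights")
            sid = None
            continue
        if not in_section:
            continue
        m = SID_RE.match(line)
        if m:                                 # a SID with no add/remove lines was left unchanged
            sid = m.group(1)
            changes.setdefault(sid, [])
        elif sid and (m := CHANGE_RE.match(line)):
            changes[sid].append((m.group(1), m.group(2)))
    return changes

def sids_granted(log_text, right):
    """SIDs that received `right` via an 'add' line in this log."""
    return sorted(s for s, ops in parse_user_rights(log_text).items() if ("add", right) in ops)
```

Run against the two excerpts, the client log shows one SID receiving SeMachineAccountPrivilege while the DC log shows none.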
