I'm having a problem getting a new group policy to apply. Here are the particulars.
I've created an OU called ARMS and another OU under it called USERS. I then applied a new group policy to the USERS OU. In the USERS OU I have 3 users. One of those users was created as a control logon for a mandatory profile. That user (PSFINPROD) is in the same groups as the other 2 users but is also in the domain admins group so that I can make changes. Both of the other two logons are using the mandatory profile created by PSFINPROD. The mandatory profile is working fine and the group policy is working fine for the PSFINPROD logon. However, the group policy is not applying to the other 2 logons. When I run the utility "gpresult.exe" on the logons that are not working with the group policy I get the message "Failed to open key with 2" listed in the display under the heading "The user is a member of the following security groups". If I add the other 2 logons to the domain admin group then the group policy is applied to them correctly.
Does anyone have any ideas? I've been working on this for a few days now and don't really know what to do for my next step in debugging this problem.
Can you send a screenshot for us to see?
I'm curious about this one..
What does your event log say RIGHT after you log on?
Any events?
Hi
I am curious as well....
A few questions;
1) it seems you have set up the mandatory profile with a "template" domain account that is a member of the Domain Admins group, correct?
2) so when you did create the single Roaming Profile (assuming you wrote the locally created Profile to \\server\profiledir) did you set the permissions straight for the everyone group before making it mandatory?
Just to be sure that the Administrator rights did not get caught up in the mandatory profile that the other two users are using:
Try to test by removing the profile path from the domain user account that has the error occurring and log on as the user without a roaming profile. This will again create a local profile with default user contents. Then run GPResult again to see what happens and whether the error returns.
3) What is the SOM of the GPO? Is it applied to Authenticated Users or did you set up a security group for it?
I will try to look into it, but I never encountered this, so it is difficult.
There is nothing new in the event log after logging in. There is not really a screenshot to send. There are just things that I set up in the group policy that are not working. Here is the text of what I get when I run the gpresult utility.
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Tuesday, May 31, 2005 at 7:56:31 AM
Operating System Information:
Operating System Type: Server
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Application Server
###############################################################
User Group Policy results for:
CN=Aizel Cabungcal,OU=Users,OU=ARMS & Ereports,DC=itprod,DC=ohio-state,DC=edu
Domain Name: ITPROD
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming profile: \\ITPROD-FS1\Profiles\PSFINPROD.MAN
Local profile: M:\Documents and Settings\cabungcal.4
The user is a member of the following security groups:
###############################################################
Failed to open key with 2
###############################################################
Computer Group Policy results for:
CN=ERP02,OU=Servers,OU=ARMS & Ereports,DC=itprod,DC=ohio-state,DC=edu
Domain Name: ITPROD
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
ITPROD\ERP02$
ITPROD\Domain Computers
###############################################################
Last time Group Policy was applied: Tuesday, May 31, 2005 at 7:33:31 AM
Group Policy was applied from: DC2.itprod.ohio-state.edu
===============================================================
The computer received "Registry" settings from these GPOs:
Local Group Policy
Default Domain Policy
Delete Cached Profiles
===============================================================
The computer received "Security" settings from these GPOs:
Local Group Policy
Default Domain Policy
===============================================================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Default Domain Policy
1) Correct
2) Yes. I did as you suggested and removed the mandatory profile from 2 of the users and just let them create their own local profiles and the group policy now works. So it has something to do with the mandatory profile. Do I need to apply all group policies and then create the mandatory profile? I set up the profile first and then created and applied the group policy.
3) I tried it both ways with the same result.
At least I now know that it appears to have something to do with the mandatory profile. I'm going to try deleting the mandatory profile and doing it over from scratch.
Hi similler
I do not think applying the GPOs before you make the profile mandatory is effective, because just the same, later on (after you made a Mandatory Roaming Profile) if you wish to change GPO settings then the GPOs wouldn't process those changes because the profile is mandatory, so I don't think that's the problem. But to be honest, I posted the same question under the "Profile Woes" topic and didn't yet receive an answer to that question, and yes, I also have problems with GPO changes processing and propagating to mandatory user profiles.
I have tried to recreate your situation but it didn't work out your way (with the specified error), and I see that you are setting up Super Mandatory profiles (\\server\share\xx.man)?
I only rename the NTUser.dat file.
I hope that by setting up a new Roaming Profile things got better for you. I guess it was the Security or SID of the original profile creator account that gave the normal Domain\users the big problem with using the template account. Please let me know if it works out!!
Just to cheer you up in your task:
http://www.windowsitpro.com/Windows/Articles/ArticleID/41654/pg/1/1.html
The GPresult is freaky.
Have you tried other machines?
Does it do the same thing on all your XP machines?
In looking back over my previous post I just realized that I left out a key piece of information (sorry about that). All of these users are logging onto a Citrix server running MetaFrame Presentation Server 3.0 which is running on top of Windows 2000 server.