Lesson 7: Troubleshooting a Security Configuration | MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000

This lesson describes problems you may encounter that relate to security configuration and presents solutions to those problems.

After this lesson, you will be able to

Troubleshoot a security configuration

Estimated lesson time: 5 minutes

Troubleshooting a Security Configuration

Table 21.15 describes scenarios in which there are problems using a security configuration and presents solutions to those problems.

Table 21.15 Security Configuration Troubleshooting Scenarios

Symptom: Received error message: Event message: Event ID 1202, Event source: scecli, Warning (0x%x) occurs to apply security policies
Cause	Solution
Group policy was not refreshed after changes were made.	Trigger another application of group policy settings or local policy refresh by using the Secedit command-line tool to refresh security settings.
Symptom: Received error message: Failed to open the Group Policy Object
Cause	Solution
The most likely causes for this error are network-related.	Check the DNS configuration for the following: Make sure that there are no stale entries in the DNS database. Resolve local DNS servers and Internet service provider (ISP) DNS server entries. For example, the DNS settings for a local LAN network adapter points to two DNS servers: the local DNS server (possibly the same com- puter) and the DNS server of an ISP. If you try to ping your domain, a message may indicate that this is an unknown host. Even with correct local DNS entries, the ISP DNS server cannot identify your domain, so there is a difference in their databases. To resolve this error, remove the second and add the ISP DNS server IPAddress to the forwarders in the local DNS server.
Symptom: Modified security settings are not taking effect
Cause	Solution
Any policies configured locally may be overridden by like policies specified in the domain. If your setting shows up in local policy but not in effective policy, it implies that there is a policy from the domain that is overriding your setting. Also, as group policy changes are applied periodically, it is likely that the policy changes made in the directory have not yet been refreshed in your computer	Manually do a policy refresh by typing secedit / refreshpolicy machine_policy at the command line.
Symptom: Policies do not migrate from Windows NT 4.0 to Windows 2000
Cause	Solution
Windows NT 4.0 policies cannot be migrated to Windows 2000. In Windows NT 4.0, system policies were stored in one .pol file with group information embedded; no method is available to translate that information to the Windows 2000 Active Directory structure. Groups are handled very differently in Windows 2000.	Windows NT 4.0 clients accessing a Windows 2000 Server computer and Windows 2000 Professional clients accessing a Windows NT 4.0 Server computer will use the Netlogon share (the Windows NT 4.0 model). With Windows 2000 Server, when a Windows NT 4.0 client is upgraded to Windows 2000, it gets only Active Directory-based group policy settings and not Windows NT 4.0-style policies. Although Windows NT 4.0-style policies may be enabled (using a group policy setting) if the administrator chooses to do so, this practice is strongly discouraged. Windows NT 4.0-style policies are applied only during the logon process. This means that both com- puter and user settings are processed. This is not optimal behavior for the following reasons. The Windows NT 4.0-style computer settings override the group policy settings that have already been applied to the computer during startup. During the group policy settings re- fresh cycle, the group policy settings change any conflicting settings back. This creates an indeterminate state. Windows NT 4.0-style policies result in persistent settings in the registry (tattooing). Note also that Terminal Server cannot allow computer settings to be set based on a user logon.

Lesson Summary

In this lesson you examined some security problems that you may encounter and possible solutions.