Group Policies destroys networking in Vista

Sure, in the eventlogs are the entries: Access is denied.
The problem seems to be in the group policies.
There exist Keys like Registry and Filesystem keys in there but I have no
idea where they come from.... I have two other domains where these keys not
exist!


"Richard G. Harper" wrote:

> I haven't seen anything like this and I have several Vista computers running
> on our domain just fine. Check the event logs for possible errors and
> solutions.
>
> --
> Richard G. Harper [MVP Shell/User] rgharper@gmail.com
> * NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
> * PLEASE post all messages and replies in the newsgroups
> * The Website - http://rgharper.mvps.org/
> * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
>
>
> "DBuedenbender" <DBuedenbender@discussions.microsoft.com> wrote in message
> news:39CE4C41-4C9B-4E0D-A58D-C697F6C1F32B@microsoft.com...

> > Hi,
> > I have added my new Vista RTM machine to our existing W2K3 domain.
> > Now if the policies get active several services stop working: BFE (and
> > everything that depends), the W32-Time, DHCP and some more.
> > After joining the domain some rights in the registy seem to have changed:
> > "Local Service" and "Network Service" are no longer allowed to access
> > several
> > keys.
> >
> > After changing the rights in the registry all services exept BFE work
> > until
> > the next reboot.
> >
> > I could not find any entries in the policies that could change the rights.
> > Does anybody has an idea? All our XP machines run fine with the group
> > policies!
> >
> > Regards,
> > Dirk

>
>
>

I have the same problem. Did you ever import security templates? I believe,
that thes settings came from there.
I removed those entries from group policy, but still my diagnostic and
dhcp-cleitn services refuse to start...
Which registry keys' security are you changing?

"Dirk Buedenbender" wrote:

> Sure, in the eventlogs are the entries: Access is denied.
> The problem seems to be in the group policies.
> There exist Keys like Registry and Filesystem keys in there but I have no
> idea where they come from.... I have two other domains where these keys not
> exist!
>
>
> "Richard G. Harper" wrote:
>

> > I haven't seen anything like this and I have several Vista computers running
> > on our domain just fine. Check the event logs for possible errors and
> > solutions.
> >
> > --
> > Richard G. Harper [MVP Shell/User] rgharper@gmail.com
> > * NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
> > * PLEASE post all messages and replies in the newsgroups
> > * The Website - http://rgharper.mvps.org/
> > * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
> >
> >
> > "DBuedenbender" <DBuedenbender@discussions.microsoft.com> wrote in message
> > news:39CE4C41-4C9B-4E0D-A58D-C697F6C1F32B@microsoft.com...

> > > Hi,
> > > I have added my new Vista RTM machine to our existing W2K3 domain.
> > > Now if the policies get active several services stop working: BFE (and
> > > everything that depends), the W32-Time, DHCP and some more.
> > > After joining the domain some rights in the registy seem to have changed:
> > > "Local Service" and "Network Service" are no longer allowed to access
> > > several
> > > keys.
> > >
> > > After changing the rights in the registry all services exept BFE work
> > > until
> > > the next reboot.
> > >
> > > I could not find any entries in the policies that could change the rights.
> > > Does anybody has an idea? All our XP machines run fine with the group
> > > policies!
> > >
> > > Regards,
> > > Dirk

> >
> >
> >

Hi Wolfgang,
yes, I suppose someone did import the security templates before I started
with the company....
As the XP clients are fine with the policies I have copied them all to a new
OU for all vista clients and removed the security guideslines there.

To get track of the missing rights, the best method is to try the process
monitor and filter for all results "Access is denied". I got most of the
services working again but at least the basic filtering engine never started
so I have reinstalled the system as this was much faster than digging deeper
in the system.

Rgs,
Dirk

"Wolfgang Bures" wrote:

> I have the same problem. Did you ever import security templates? I believe,
> that thes settings came from there.
> I removed those entries from group policy, but still my diagnostic and
> dhcp-cleitn services refuse to start...
> Which registry keys' security are you changing?
>
> "Dirk Buedenbender" wrote:
>

> > Sure, in the eventlogs are the entries: Access is denied.
> > The problem seems to be in the group policies.
> > There exist Keys like Registry and Filesystem keys in there but I have no
> > idea where they come from.... I have two other domains where these keys not
> > exist!
> >
> >
> > "Richard G. Harper" wrote:
> >

> > > I haven't seen anything like this and I have several Vista computers running
> > > on our domain just fine. Check the event logs for possible errors and
> > > solutions.
> > >
> > > --
> > > Richard G. Harper [MVP Shell/User] rgharper@gmail.com
> > > * NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
> > > * PLEASE post all messages and replies in the newsgroups
> > > * The Website - http://rgharper.mvps.org/
> > > * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
> > >
> > >
> > > "DBuedenbender" <DBuedenbender@discussions.microsoft.com> wrote in message
> > > news:39CE4C41-4C9B-4E0D-A58D-C697F6C1F32B@microsoft.com...
> > > > Hi,
> > > > I have added my new Vista RTM machine to our existing W2K3 domain.
> > > > Now if the policies get active several services stop working: BFE (and
> > > > everything that depends), the W32-Time, DHCP and some more.
> > > > After joining the domain some rights in the registy seem to have changed:
> > > > "Local Service" and "Network Service" are no longer allowed to access
> > > > several
> > > > keys.
> > > >
> > > > After changing the rights in the registry all services exept BFE work
> > > > until
> > > > the next reboot.
> > > >
> > > > I could not find any entries in the policies that could change the rights.
> > > > Does anybody has an idea? All our XP machines run fine with the group
> > > > policies!
> > > >
> > > > Regards,
> > > > Dirk
> > >
> > >
> > >

You "reinstalled the system", meaning you re-installed the vista machien and
it worked, or you set-up the domain anew?
I have had this issue again and again after clean installing a vista
machine. Maybe this link
(http://blogs.technet.com/asiasupp/ar...00-domain.aspx)
helps, I have to try it out. My domain was upgraded from W2K.....

"Dirk Buedenbender" wrote:

> Hi Wolfgang,
> yes, I suppose someone did import the security templates before I started
> with the company....
> As the XP clients are fine with the policies I have copied them all to a new
> OU for all vista clients and removed the security guideslines there.
>
> To get track of the missing rights, the best method is to try the process
> monitor and filter for all results "Access is denied". I got most of the
> services working again but at least the basic filtering engine never started
> so I have reinstalled the system as this was much faster than digging deeper
> in the system.
>
> Rgs,
> Dirk
>
> "Wolfgang Bures" wrote:
>

> > I have the same problem. Did you ever import security templates? I believe,
> > that thes settings came from there.
> > I removed those entries from group policy, but still my diagnostic and
> > dhcp-cleitn services refuse to start...
> > Which registry keys' security are you changing?
> >
> > "Dirk Buedenbender" wrote:
> >

> > > Sure, in the eventlogs are the entries: Access is denied.
> > > The problem seems to be in the group policies.
> > > There exist Keys like Registry and Filesystem keys in there but I have no
> > > idea where they come from.... I have two other domains where these keys not
> > > exist!
> > >
> > >
> > > "Richard G. Harper" wrote:
> > >
> > > > I haven't seen anything like this and I have several Vista computers running
> > > > on our domain just fine. Check the event logs for possible errors and
> > > > solutions.
> > > >
> > > > --
> > > > Richard G. Harper [MVP Shell/User] rgharper@gmail.com
> > > > * NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
> > > > * PLEASE post all messages and replies in the newsgroups
> > > > * The Website - http://rgharper.mvps.org/
> > > > * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
> > > >
> > > >
> > > > "DBuedenbender" <DBuedenbender@discussions.microsoft.com> wrote in message
> > > > news:39CE4C41-4C9B-4E0D-A58D-C697F6C1F32B@microsoft.com...
> > > > > Hi,
> > > > > I have added my new Vista RTM machine to our existing W2K3 domain.
> > > > > Now if the policies get active several services stop working: BFE (and
> > > > > everything that depends), the W32-Time, DHCP and some more.
> > > > > After joining the domain some rights in the registy seem to have changed:
> > > > > "Local Service" and "Network Service" are no longer allowed to access
> > > > > several
> > > > > keys.
> > > > >
> > > > > After changing the rights in the registry all services exept BFE work
> > > > > until
> > > > > the next reboot.
> > > > >
> > > > > I could not find any entries in the policies that could change the rights.
> > > > > Does anybody has an idea? All our XP machines run fine with the group
> > > > > policies!
> > > > >
> > > > > Regards,
> > > > > Dirk
> > > >
> > > >
> > > >

I tried your approach with procMon, but I didnt get any Denials. Some buffer
overflows and some reparses but nothing to wierd... No ideas from here.

"Dirk Buedenbender" wrote:

> Hi Wolfgang,
> yes, I suppose someone did import the security templates before I started
> with the company....
> As the XP clients are fine with the policies I have copied them all to a new
> OU for all vista clients and removed the security guideslines there.
>
> To get track of the missing rights, the best method is to try the process
> monitor and filter for all results "Access is denied". I got most of the
> services working again but at least the basic filtering engine never started
> so I have reinstalled the system as this was much faster than digging deeper
> in the system.
>
> Rgs,
> Dirk
>
> "Wolfgang Bures" wrote:
>

> > I have the same problem. Did you ever import security templates? I believe,
> > that thes settings came from there.
> > I removed those entries from group policy, but still my diagnostic and
> > dhcp-cleitn services refuse to start...
> > Which registry keys' security are you changing?
> >
> > "Dirk Buedenbender" wrote:
> >

> > > Sure, in the eventlogs are the entries: Access is denied.
> > > The problem seems to be in the group policies.
> > > There exist Keys like Registry and Filesystem keys in there but I have no
> > > idea where they come from.... I have two other domains where these keys not
> > > exist!
> > >
> > >
> > > "Richard G. Harper" wrote:
> > >
> > > > I haven't seen anything like this and I have several Vista computers running
> > > > on our domain just fine. Check the event logs for possible errors and
> > > > solutions.
> > > >
> > > > --
> > > > Richard G. Harper [MVP Shell/User] rgharper@gmail.com
> > > > * NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
> > > > * PLEASE post all messages and replies in the newsgroups
> > > > * The Website - http://rgharper.mvps.org/
> > > > * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
> > > >
> > > >
> > > > "DBuedenbender" <DBuedenbender@discussions.microsoft.com> wrote in message
> > > > news:39CE4C41-4C9B-4E0D-A58D-C697F6C1F32B@microsoft.com...
> > > > > Hi,
> > > > > I have added my new Vista RTM machine to our existing W2K3 domain.
> > > > > Now if the policies get active several services stop working: BFE (and
> > > > > everything that depends), the W32-Time, DHCP and some more.
> > > > > After joining the domain some rights in the registy seem to have changed:
> > > > > "Local Service" and "Network Service" are no longer allowed to access
> > > > > several
> > > > > keys.
> > > > >
> > > > > After changing the rights in the registry all services exept BFE work
> > > > > until
> > > > > the next reboot.
> > > > >
> > > > > I could not find any entries in the policies that could change the rights.
> > > > > Does anybody has an idea? All our XP machines run fine with the group
> > > > > policies!
> > > > >
> > > > > Regards,
> > > > > Dirk
> > > >
> > > >
> > > >