|
 |
 |
 |
|
Microsoft Knowledge Base Article
This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms
of Use |
Trademarks
Article ID: 839499 - Last Review: April 30, 2012 - Revision: 10.0 You cannot open file shares or Group Policy snap-ins on a domain controllerIf you are a Small Business customer, find additional troubleshooting and learning resources at the Support for Small Business
(http://smallbusiness.support.microsoft.com)
site.
You cannot open file shares or the Group Policy snap-ins on a Windows Server 2003 domain controller or on a Windows 2000 Server domain controller. When you log on to the domain controller locally and then try to open shares on the domain controller, you receive repeated password prompts, and you cannot open the shares. You can resolve this problem by changing the registry. Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Scenario 1 – Server Message Block (SMB) signing is disabled for the Workstation service on a domain controller, but SMB signing is required for the Server service on the same domain controller
Windows Server 2003
When you try to open Group Policy snap-ins on the domain controller, you receive an error message that resembles the following: You do not have permission to perform this operation.
Access is denied.
The domain controller logs the following events in the application event log every five minutes:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Domain_Name,DC=com. The file must be present at the location <\\Domain_Name.com\sysvol\Domain_Name.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied.) Group Policy processing aborted. Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
When you log on to the domain controller locally and then try to open shares on the domain controller, you receive repeated password prompts, and you cannot open the shares.
Windows 2000 Server
When you try to open Group Policy snap-ins on the domain controller, you receive an error message that resembles the following: You do not have permission to perform this operation.
Access is denied. The domain controller logs the following event in the application event log: Event Type: Error
Event Source: Userenv
Event Category: None
Br/>User: NT AUTHORITY\SYSTEM
Description:
Windows cannot access the registry information at \\Domain_Name.com\sysvol\Domain_Name.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (5).
When you log on to the domain controller locally and then try to open shares on the domain controller, you receive repeated password prompts, and you cannot open the shares.
Scenario 2 - SMB signing is disabled for the Server service on a domain controller, but SMB signing is required for the Workstation service on the same domain controller
Windows Server 2003
Failed to open the Group Policy Object. You may not have the appropriate rights.
The account is not authorized to log in from this station.
In a network trace, if SMB signing is enabled and required at the client and is disabled at the server, the connection to the TCP session is gracefully closed after the Dialect Negotiation, and the client receives the following error:
1240 (ERROR_LOGIN_WKSTA_RESTRICTION)
The domain controller logs the following events in the application event log every five minutes:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Domain_Name,DC=com. The file must be present at the location <\\Domain_Name.com\sysvol\Domain_Name.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied.) Group Policy processing aborted.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
When you log on to the domain controller locally and then try to open file shares on the domain controller, you receive an error message that resmbles the following:
\\Server_Name\Share_Name is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
The account is not authorized to log in from this station.
In a network trace, if SMB signing is enabled, and if SMB signing is required at the client and is disabled at the server, the connection to the TCP session is gracefully closed after the dialect negotiation. Also, the client receives the following error message:
1240 (ERROR_LOGIN_WKSTA_RESTRICTION)
Windows 2000 Server
When you try to open Group Policy snap-ins on the domain controller, you receive an error message that is similar to the following:
Failed to open the Group Policy Object. You may not have the appropriate rights.
The account is not authorized to log in from this station.
The domain controller logs the following event in the application event log:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Br/>User: NT AUTHORITY\SYSTEM
Description:
Windows cannot access the registry information at \\Domain_Name.com\sysvol\Domain_Name.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (1240).
When you log on to the domain controller locally and then try to open file shares on the domain controller, you receive an error message that is similar to the following:
\\Server_Name\Share_Name is not accessible.
The account is not authorized to log in from this station.
Note In a network trace, if SMB signing is enabled, and if SMB signing is required at the client and is disabled at the server, the connection to the TCP session is gracefully closed after the dialect negotiation. Also, the client receives the following error message:
1240 (ERROR_LOGIN_WKSTA_RESTRICTION)
To resolve this behavior, follow these steps:
Collapse this imageExpand this image This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows XP
(http://kbalertz.com/Feedback.aspx?kbNumber=322756)
.
Step 1 - Change the registry
Change the value of the enablesecuritysignature registry entry. To do this, follow these steps:
- On the domain controller, click Start, and then click Run.
- Copy and then paste (or type)Â the following command in the Open box, and then press Enter.
regedit
Collapse this imageExpand this image
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters - In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK.
- Double-click requiresecuritysignature, type 1 in the Value data box, and then click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters - In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK.
- Double-click requiresecuritysignature, type 0 in the Value data box, and then click OK.
Step 2 - Restart the Server service and the Workstation service
After you change the registry values, restart the Server service and the Workstation service. Collapse this imageExpand this image Do not restart the domain controller, because this action may cause Group Policy to change the registry values back to the earlier values.
To restart the Server service and the Workstation service, follow these steps: - Click Start, point to Administrative Tools, and then click Services.
- Right-click Server, and then click Restart.
Collapse this imageExpand this image - Right-click Workstation, and then click Restart.
Note If you are prompted to restart other services, click Yes.
Step 3 - Update the Sysvol share
Update the domain controller's Sysvol share. To do this, follow these steps:
- Open the domain controller’s Sysvol share. To do this, click Start, click Run, type \\Server_Name\Sysvol in the Open box, and then press Enter.
- If the Sysvol share does not open, repeat Step 1 - Change the registry and Step 2 - Restart the Server and Workstation services.
- Repeat Step 1 - Change the registry and Step 2 - Restart the Server and Workstation services on each affected domain controller to make sure that each domain controller can access its own Sysvol share.
Step 4 - Set up the SMB policy settings
After you connect to the Sysvol share on each domain controller, open the Domain Controller Security Policy snap-in, and then set up the SMB signing policy settings. To do this, follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.
- In the left pane, expand Local Policies, and then click Security Options.
- In the right pane, double-click Microsoft network server: Digitally sign communications (always).
Note In Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (always).
Collapse this imageExpand this image
Collapse this imageExpand this image - Click to select the Define this policy setting check box, click Enabled, and then click OK.
Collapse this imageExpand this image - Double-click Microsoft network server: Digitally sign communications (if client agrees).
Note For Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (when possible). - Click to select the Define this policy setting check box, and then click Enabled.
- Click OK.
- Double-click Microsoft network client: Digitally sign communications (always).
- Click to clear the Define this policy setting check box, and then click OK.
Collapse this imageExpand this image - Double-click Microsoft network client: Digitally sign communications (if server agrees).
- Click to clear the Define this policy setting check box, and then click OK.
Step 5 - Run the Group Policy Update utility
Run the Group Policy Update utility (Gpupdate.exe) with the force switch. To do this, follow these steps:
- Click Start, and then click Run.
- Copy and paste (or type)Â the following command in the Open box, and then press Enter.
cmd
Collapse this imageExpand this image - At the command prompt, type gpupdate /force, and then press Enter.
For more information about the Group Policy Update utility, see A description of the Group Policy Update Utility.
(http://kbalertz.com/Feedback.aspx?kbNumber=298444)
Note The Group Policy Update utility does not exist in Windows 2000 Server. In Windows 2000 Server, the equivalent command is secedit /refreshpolicy machine_policy /enforce.
For more information about using the Secedit command in Windows 2000 Server, see Using SECEDIT to force a Group Policy refresh immediately
(http://kbalertz.com/Feedback.aspx?kbNumber=227302)
.
Step 6 - Check the application event log
After you run the Group Policy Update utility, check the application event log to make sure that the Group Policy settings were updated successfully. After a successful Group Policy update, the domain controller logs Event ID 1704. To open the Application log in Event Viewer, follow these steps:
- Click Start, point to Administrative Tools, and then click Event Viewer.
- In the left pane, click Application.
Collapse this imageExpand this image - Double-click event ID 1704 and confirm that the Group Policy setting was applied successfully.
Note The source of the event is SceCli.
Collapse this imageExpand this image
Step 7 - Check the registry values
Check the registry values that you changed in Step 1 - Change the registry to make sure that the registry values have not changed.
Note This step makes sure that a conflicting policy setting is not applied at another group or organizational unit (OU) level. For example, if the Microsoft network client: Digitally sign communications (if server agrees) policy is configured as "Not Defined" in Domain Controller Security Policy, but this same policy is configured as disabled in Domain Security Policy, SMB signing will be disabled for the Workstation service.
Step 8 - Check the SMB signing policy settings by using the Resultant Set of Policy (RSoP) snap-in
If the registry values have changed after you run the Group Policy Update utility, check the SMB signing policy settings by using the RSoP snap-in in Windows Server 2003. To do this, follow these steps:
- Click Start, click Run, type rsop.msc in the Open box, and then click OK.
Collapse this imageExpand this image - In the RSoP snap-in, the SMB signing settings are located in the following path:
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options Note If you are running Windows 2000 Server, install the Group Policy Update utility from the Windows 2000 Server Resource Kit, and then type the following at the command prompt:gpresult /scope computer /v - After you run this command, the Applied Group Policy Objects list appears. This list shows all Group Policy Objects that are applied to the computer account. Check the SMB signing policy settings for all these Group Policy Objects.
This behavior occurs if the SMB signing settings for the Workstation service and for the Server service contradict each other. When you configure the domain controller in this way, the Workstation service on the domain controller cannot connect to the domain controller's Sysvol share. Therefore, you cannot start Group Policy snap-ins. Also, if SMB signing policies are set by the default domain controller security policy, the problem affects all the domain controllers on the network. Therefore, Group Policy replication in the Active Directory directory service will fail, and you will not be able to edit Group Policy to undo these settings.
Scenario 1 - If you run the domain controller diagnostic tool (DcDiag.exe), you receive errors that are similar to the following for Windows 2000 Sever and for Windows Server 2003:
Starting test: MachineAccount
Could not open pipe with [SERVERNAME]:failed with 5: Access is denied.
Could not get NetBIOSDomainName
Failed cannot test for HOST SPN
Failed cannot test for HOST SPN
* Missing SPN :(null)
* Missing SPN :(null)
......................... SERVERNAME failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [SERVERNAME]:failed with 5: Access is denied.
......................... SERVERNAME failed test Services
Starting test: ObjectsReplicated
......................... SERVERNAME passed test ObjectsReplicated
Starting test: frssysvol
[SERVERNAME] An net use or LsaPolicy operation failed with error 5, Access is denied..
......................... SERVERNAME failed test frssysvol
Starting test: frsevent
......................... SERVERNAME failed test frsevent
Starting test: kccevent
Failed to enumerate event log records, error Access is denied.
......................... SERVERNAME failed test kccevent
Starting test: systemlog
Failed to enumerate event log records, error Access is denied.
......................... SERVERNAME failed test systemlog
Scenario 2 - If you run the domain controller diagnostic tool, you receive errors that are similar to the following for Windows 2000 Server and for Windows Server 2003:
Testing server: Default-First-Site-Name\SERVERNAME
Starting test: Replications
......................... SERVERNAME passed test Replications
Starting test: NCSecDesc
......................... SERVERNAME passed test NCSecDesc
Starting test: NetLogons
[SERVERNAME] An net use or LsaPolicy operation failed with error 1240, The account is not authorized to log in from this station..
......................... SERVERNAME failed test NetLogons
Starting test: Advertising
......................... SERVERNAME passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SERVERNAME passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SERVERNAME passed test RidManager
Starting test: MachineAccount
Could not open pipe with [SERVERNAME]:failed with 1240: The account is not authorized to log in from this station.
Could not get NetBIOSDomainName
Failed cannot test for HOST SPN
Failed cannot test for HOST SPN
* Missing SPN :(null)
* Missing SPN :(null)
......................... SERVERNAME failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [SERVERNAME]:failed with 1240: The account is not authorized to log in from this station.
......................... SERVERNAME failed test Services
Starting test: ObjectsReplicated
......................... SERVERNAME passed test ObjectsReplicated
Starting test: frssysvol
[SERVERNAME] An net use or LsaPolicy operation failed with error 1240, The account is not authorized to log in from this station..
......................... SERVERNAME failed test frssysvol
Starting test: frsevent
......................... SERVERNAME failed test frsevent
Starting test: kccevent
Failed to enumerate event log records, error The account is not authorized to log in from this station. ......................... SERVERNAME failed test kccevent
Starting test: systemlog
Failed to enumerate event log records, error The account is not authorized to log in from this station. ......................... SERVERNAME failed test systemlog
| kbmgmtservices kbfileprintservices kbgrppolicyprob kbregistry kbtshoot kbprb kbsmbportal KB839499 |
Community Feedback System
Very often, it takes hours to solve a problem. Very often, you've looked high
and low, and have tried a lot of solutions. When you finally found it, chances
are, it was because someone else helped you. Here's your chance to give back.
Use our community feedback tool to let others know what worked for you and what
didn't.
Please also understand that the community feedback system is not warranted to be
correct, it's simply a system that we've built to let people try and help each
other. If something in a feedback response doesn't make sense to you, or you're
not comfortable making changes that the feedback talks about (like registry
edits), please consult a professional.
Thank you for using kbAlertz.com Feedback System.
-- Scott Cate
|
|
 |
|
 |
|
|
|
| |