Turn off SceCli

penauroth

Programmer
Oct 30, 2001
325
US
I need to turn off logging for event id 1202 error 0x534. How can I turn off SceCli from logging to Application log?

Paul

Work on Windows, play on Linux.
 
Some days I really hate Microsoft. Let me further explain my issue.

I have COTS products that create their own local user accounts. I have added these local accounts to our GPO because the local policy gets overwritten by the GPO. Servers that do not have these accounts defined are generating Event ID 1202 error 0x534.

How can I prevent these particular errors from flooding my event log? Removing the local accounts is not an option. Thanks.

Paul

Work on Windows, play on Linux.
 
you need to utilize OU structures here....this is exactly what they are for...

there is no way to disable scecli, and that is good...there would be no point in group policy or AD domains if you could disable it...technically, there are certain places you can take it out of, but I'm not going to get into those whatsoever

1. create a new OU for the machines with the local user accounts in question
2. move all machines with that account into the OU
3. open the default domain policy and take note of the current settings for the user rights and GET RID OF THESE LOCAL USER ACCOUNTS & GROUPS (you will need to match these settings in the lower policies to ensure no problems...notably, the service accounts that should be there....aka, SYSTEM)..
4. on the new OU, with the servers containing the local user account create a new policy -OR- unlink the policy from where it is currently linked and link it to the new OU (be sure to adjust to add settings needed from domain level policy as well) -AND- get rid of the local users and groups at upper level policies
5. run secedit /refreshpolicy machine_policy /enforce on the DCs and ensure they get a 1704 from scecli (this is the GP security client side extension telling us that security policy for the domain was applied successfully)..then reboot
6. repeat step 5 for the servers you moved....

bye bye 1202's on boxes that don't have the accounts


the other way to go about it is to:

1. create a group in AD for the servers containing the account
2. add all servers with the local acct to the group
3. create a new policy at whatever level you want
4. adjust the ACL on the new policy so that ONLY the group you created has the read and apply group policy permissions...domain admins should not have apply rights, but keep them in the ACL so you can ensure you can edit the policy if needed.
5. if you altered a default policy, get rid of the local accounts out of there....
6. run secedit /refreshpolicy machine_policy /enforce on the servers you added to the group and reboot



those are two ways that will resolve your problem...

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
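
The second approach in the answer above (security-group filtering), sketched in PowerShell as an added example that is not part of the original thread. It assumes the ActiveDirectory and GroupPolicy RSAT modules are available; the group name, GPO name, OU path and server names are hypothetical placeholders.

```powershell
# Added example: scope a user-rights GPO to only the servers that actually
# have the COTS local accounts, so other servers stop logging SceCli 1202 / 0x534.
# All names below are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'GPO-Apply-CotsLocalAccounts'       # hypothetical security group
$GpoName   = 'Servers - COTS local user rights'  # hypothetical GPO
$LinkOu    = 'OU=Servers,DC=example,DC=com'      # hypothetical link target
$Servers   = 'APP01', 'APP02'                    # servers that have the local accounts

# Steps 1-2: create the group and add the computer accounts to it.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $LinkOu
$members = $Servers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $members

# Step 3: create and link the policy. The user-rights entries for the local
# accounts still have to be set in the GPO editor; there is no cmdlet for them.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $LinkOu | Out-Null

# Step 4: only the new group gets Read + Apply. -Replace is needed because
# Set-GPPermission will not lower an existing, higher permission without it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Review the resulting ACL: Domain Admins should still be able to edit,
# and only $GroupName should show GpoApply.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission

# Step 6 check, after policy refresh and reboot: the latest SceCli event on
# each server should be 1704 (applied successfully), not 1202.
foreach ($server in $Servers) {
    Get-WinEvent -ComputerName $server -MaxEvents 5 -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'SceCli'; Id = 1202, 1704
    } -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, Id
}
```

Computer accounts only pick up a new group membership at their next startup, which is why the reboot in step 6 matters before checking for 1704.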
 