Security Templates for GPOs

Last post 10-29-2004 1:21 AM by mkostersitz. 4 replies.


  • Security Templates for GPOs

    10-22-2004, 6:02 PM
    • Contributor
      4,150 point Contributor
    • DmitriG
    • Member since 08-26-2004, 5:41 PM
    • Toronto
    • Posts 1,084
    Greetings,

    According to “Solutions for Windows-based Hosting with Hosted Exchange 2003” (Volume 6, Book 2), we create a couple of GPOs and import settings based on Security Templates (DomainControllerV1.inf, mpsserver01.inf, etc.). Then we link those GPOs to OUs using GPMC. After moving computers to the corresponding OUs and applying the GPOs, we receive Warning events in the application log:

    Source: SceCli
    Event ID: 1202
    Type: Warning
    Description: Security policies were propagated with warning. 0xd : The data is invalid.

    This event exists on ALL computers in the reference infrastructure, so I will talk only about the domain controller as an example, because I think the root cause of this warning is the same for ALL Security Templates.

    In the winlogon.log file I found these messages:

    ----Configure Security Policy...
    Configure password information.
    Configure account force logoff information.
    Guest account is disabled.

    System Access configuration was completed successfully.
    LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS).
    Configure LSA anonymous lookup setting.
    Configure log settings.

    Audit/Log configuration was completed successfully.

    Kerberos Policy configuration was completed successfully.
    Configure hkey_local_machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
    Warning 3: The system cannot find the path specified.
    Error configuring hkey_local_machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
    Configure hkey_local_machine\system\currentcontrolset\control\lsa\nolmhash.
    Warning 3: The system cannot find the path specified.
    Error configuring hkey_local_machine\system\currentcontrolset\control\lsa\nolmhash.
    Configure hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
    Warning 3: The system cannot find the path specified.
    Error configuring hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
    Configure hkey_local_machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
    Warning 3: The system cannot find the path specified.
    Error configuring hkey_local_machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
    Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
    Configure machine\system\currentcontrolset\control\lsa\nolmhash.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
    Configure machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.

    Configuration of Registry Values was completed with one or more errors.

    To solve this problem I deleted the WH-Domain controller GPO, updated the DomainControllerV1.inf security template by replacing the string “HKEY_LOCAL_MACHINE” with “MACHINE”, and recreated the WH-Domain controller GPO using the updated template. This solved the problem with the warning in the event log on the domain controller (and I think it will solve the problem on the other computers), but I found another problem on the domain controller.

    Almost all settings for Computer Configuration\Windows Settings\Local Policies\Security Options in the WH-Domain controller GPO are ineffective because the Default Domain Controllers Policy GPO has higher priority than the WH-Domain controller GPO (because of the procedure for creating and linking the policy to the OU). For example, Domain Controller: LDAP server signing requirements:

    Default Domain Controllers Policy: None
    WH-Domain controller: Require signing
    Effective setting: None

    Here are a couple of questions:
    1. Should I worry about those GPOs, or should I leave them as they are?
    2. How do those policies affect the hosting environment?
    3. If this issue is critical, how do I fix it?

    Regards,

    Dmitri Gaikovoi
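The two problems in the post above (the hive-name prefix that SceCli rejects, and the link order that lets the Default Domain Controllers Policy win) can be handled from PowerShell. The following is an added example, not code from the post or from the Hosted Exchange solution guide; the template path, the GPO name and the OU distinguished name are assumptions.

```powershell
# Added example (not code from the original post or the Hosted Exchange
# solution guide): repair a security template whose [Registry Values] and
# [Registry Keys] entries use the full hive name. secedit/SceCli expects
# "MACHINE\..." there; "HKEY_LOCAL_MACHINE\..." is reported as
# "The system cannot find the path specified", as in the winlogon.log above.
# File paths, the GPO name and the OU distinguished name are assumptions.

function Repair-SecurityTemplateHive {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutPath = $Path            # overwrite in place by default
    )
    $section = ''
    $fixed   = 0
    $out = foreach ($line in (Get-Content -LiteralPath $Path)) {
        if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
            $section = $Matches.name        # track which .inf section we are in
            $line
            continue
        }
        # [Registry Values] lines: MACHINE\key\value=type,data
        # [Registry Keys]   lines: "MACHINE\key",inherit,"SDDL"
        if (($section -in @('Registry Values', 'Registry Keys')) -and
            $line -match '^(?<lead>\s*"?)HKEY_LOCAL_MACHINE\\(?<rest>.+)$') {
            $fixed++
            "$($Matches.lead)MACHINE\$($Matches.rest)"
            continue
        }
        $line
    }
    # Security templates are UTF-16 LE text ([Unicode] Unicode=yes); keep that.
    Set-Content -LiteralPath $OutPath -Value $out -Encoding Unicode
    return $fixed
}

function Get-SecurityTemplateRegistryValue {
    # Turn each [Registry Values] entry into an object. The type number is the
    # registry type: 1 REG_SZ, 3 REG_BINARY, 4 REG_DWORD, 7 REG_MULTI_SZ.
    param([Parameter(Mandatory)][string]$Path)
    $section = ''
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') { $section = $Matches.name; continue }
        if ($section -ne 'Registry Values') { continue }
        if ($line -match '^\s*(?<key>[^=]+?)\\(?<value>[^\\=]+)=(?<type>\d+),(?<data>.*)$') {
            [pscustomobject]@{
                Key   = $Matches.key
                Value = $Matches.value
                Type  = [int]$Matches.type
                Data  = $Matches.data
            }
        }
    }
}

# 1. Fix the template, then inspect what it will set (path assumed).
$template = 'C:\Templates\DomainControllerV1.inf'
"{0} entries rewritten" -f (Repair-SecurityTemplateHive -Path $template)
Get-SecurityTemplateRegistryValue -Path $template | Format-Table -AutoSize

# 2. Re-import the template into the GPO with GPMC as the post describes, then
#    fix precedence: the Default Domain Controllers Policy wins because it is
#    linked ahead of the template GPO on the Domain Controllers OU. Moving the
#    template GPO's link to order 1 makes its Security Options (for example
#    LDAP server signing requirements = Require signing) the effective ones.
Import-Module GroupPolicy
$dcOu = 'OU=Domain Controllers,DC=example,DC=com'
(Get-GPInheritance -Target $dcOu).GpoLinks | Select-Object Order, DisplayName, Enabled
Set-GPLink -Name 'WH-Domain controller' -Target $dcOu -Order 1
```

Run it on a copy of the template first; the function overwrites in place unless `-OutPath` is given. Link order only settles precedence between GPOs linked to the same OU, so check `Get-GPInheritance` again afterwards to confirm the template GPO now sits at order 1 above the Default Domain Controllers Policy.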
  • Re: Security Templates for GPOs

    10-26-2004, 3:33 PM
    • Contributor
      2,535 point Contributor
    • jjstreic
    • Member since 04-28-2004, 2:09 AM
    • Madison Wisconsin
    • Posts 507
    I don't believe the templates are required for running Hosted Exchange. That being said, they do have some appropriate security settings that you should evaluate deploying with your infrastructure.

    I'm checking on the template reg key issue. It has been a long time since I have worked directly with templates so I am setting up a lab. I'll get back to you on that.

    I have sent the product team your comments on the Domain Controller policy issue. I checked the documentation and I don't see any mention of prioritizing the policies either. I have sent this question back to the product team for comment.

    Thanks!
    Technical Account Manager
    Microsoft Communication Sector North America
    This posting is provided "AS IS" with no warranties, and confers no rights. Script samples are subject to the terms at http://www.microsoft.com/info/cpyright.htm
  • Re: Security Templates for GPOs

    10-27-2004, 3:12 AM
    • Participant
      1,134 point Participant
    • mkostersitz
    • Member since 04-13-2004, 9:18 AM
    • somewhere in Europe (mostly in Austria)
    • Posts 248
    • Moderator
    Thanks for pointing this out.

    The templates are not required to run Hosted Exchange; they are samples and, mea culpa, faulty ones.

    I will fix the templates sometime soon and we will release an update.

    HTH
    Mike Kostersitz
    Microsoft Customer Support Services
  • Re: Security Templates for GPOs

    10-27-2004, 9:47 AM
    • Contributor
      4,150 point Contributor
    • DmitriG
    • Member since 08-26-2004, 5:41 PM
    • Toronto
    • Posts 1,084
    Thank you, guys.

    Does it mean that I can safely delete all these GPOs?

    Regards,

    Dmitri Gaikovoi
  • Re: Security Templates for GPOs

    10-29-2004, 1:21 AM
    • Participant
      1,134 point Participant
    • mkostersitz
    • Member since 04-13-2004, 9:18 AM
    • somewhere in Europe (mostly in Austria)
    • Posts 248
    • Moderator
    No, you should disable them first so that the servers pick up the reversion of the settings; if you just delete them, the 'old' settings are left behind.

    Mike
    Mike Kostersitz
    Microsoft Customer Support Services
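A way to check the advice above in practice is to snapshot the registry-backed Security Options before disabling the GPO and again after the policy refresh, so that any value left behind is visible rather than assumed. This is an added example, not code from the thread; the six values are the ones named in the winlogon.log excerpt earlier in the thread, and the GPO name is an assumption.

```powershell
# Added example (not code from the original thread): verify whether disabling
# the template-based GPO reverts the registry-backed Security Options on the
# server, and which values are left behind. The six values are the ones named
# in the winlogon.log excerpt; the GPO name is an assumption.

$settings = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'LmCompatibilityLevel' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'NoLMHash' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'EnableSecuritySignature' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';     Name = 'RequireSignOrSeal' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';         Name = 'LDAPServerIntegrity' }
)

function Get-EffectiveSecurityValue {
    # Read the live registry value for each setting; '<not set>' when absent.
    foreach ($s in $settings) {
        $item  = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($s.Name) } else { '<not set>' }
        [pscustomobject]@{ Setting = "$($s.Key)\$($s.Name)"; Value = $value }
    }
}

# 1. Snapshot while the GPO is still linked and enabled.
$before = Get-EffectiveSecurityValue

# 2. Disable the GPO instead of deleting it, then refresh policy so the
#    security client-side extension processes the change. (GPO name assumed.)
Import-Module GroupPolicy
(Get-GPO -Name 'WH-Domain controller').GpoStatus = 'AllSettingsDisabled'
gpupdate /target:computer /force | Out-Null

# 3. Snapshot again and show what changed. Values that did not change are the
#    candidates for the leftover settings described above; only once the list
#    looks right should the GPO itself be deleted.
$after = Get-EffectiveSecurityValue
$diff = for ($i = 0; $i -lt $settings.Count; $i++) {
    [pscustomobject]@{
        Setting = $before[$i].Setting
        Before  = $before[$i].Value
        After   = $after[$i].Value
        Changed = $before[$i].Value -ne $after[$i].Value
    }
}
$diff | Format-Table -AutoSize
```

Run it on the domain controller itself (the values are local) with an account that can modify the GPO. If a value shows `Changed = False` after the refresh, it is still at the template's setting and will stay that way after the GPO is deleted unless another policy sets it.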