Thursday, June 28, 2012

Deploying File/Folder security using group policy on 64 bit OSes?

Take a gander at this KB Article

Group Policy Error Events Logged When Unknown Environment Variable Is Used

If you are running an Active Directory forest and using a file system security policy you may see the following events logged:
Log Name: Microsoft-Windows-GroupPolicy/OperationalSource: Microsoft-Windows-GroupPolicyEvent ID: 7016Task Category: NoneLevel: ErrorKeywords: User: SYSTEMDescription:Completed Security Extension Processing in 20984 milliseconds.Event Xml:
20984 1252 Security {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Windows XP and Windows Server 2003 will log this event in the Application log:
Event ID: 1091Category: NoneSource: UserenvType: ErrorMessage: The Group Policy client-side extension Security failed to log RSOP (Resultant Set of Policy) data. Please look for any errors reported earlier by that extension.
All Windows version will log this event in the Application log:
Event ID: 1202Category: NoneSource: SceCliType: WarningMessage: Security policies were propagated with warning. 0xd: The data is invalid.
Depending on the actual policy configuration, the settings in the security policies may or may not be present. The More Information section explains the conditions for policy failure or success (despite the errors).


The events are logged because the file system security settings of one policy contain an environment variable that is unknown on the client computer. To find out more about the problem, enable logging of the security configuration client-side extension:
324383 Troubleshooting SCECLI 1202 Events
In the %windir%\security\logs\winlogon.log file, you will see an entry such as:
Process GP template gpt0000x.inf.-------------------------------------------Error 13: The data is invalid. Error converting %PROGRAMFILES(X86)%\MyApplication.
%PROGRAMFILES(X86)% is only an example. It is used when the policy is edited on a 64-bit version of Windows and security settings are made for the folder C:\PROGRAM FILES (X86) or one of its subfolders.
The gpt0000x.inf file, a text file containing the policy settings, can be found in the %windir%\security\templates\policies folder. It also contains the location of the policy in Active Directory in the line starting with GPOPath, allowing you to identify which policy has the unknown environment variable.


To avoid the problem, create a new policy at the same level that receives the settings referencing the missing environment variable. Then use a WMI filter to allow the policy to only apply to machines that have the environment variable defined.
For example, the WMI filter for %PROGRAMFILES(X86)% would be:
Select * from Win32_Envrionment where Name = 'PROGRAMFILES(X86)'

No comments:

Post a Comment