Greetings,

According to ?Solutions for Windows-based Hosting with Hosted Exchange 2003? (Volume 6, Book 2) we create couple GPO and import based on Security Templates (DomainControllerV1.inf, mpsserver01.inf, etc.). Then we link those GPO?s to OU?s using GPMC. After moving computers to corresponding OU and applying GPO we receive Warning events in application log:

Source: SceCli
Event ID: 1202
Type: Warning
Description: Security policies were propagated with warning. 0xd : The data is invalid.

This event exists on ALL computers in reference infrastructure, so I will talk only about domain controller as an example because I think the root reason for this warning is the same for ALL Security Templates.

In winlogon.log file I found this messages:

----Configure Security Policy...
Configure password information.
Configure account force logoff information.
Guest account is disabled.

System Access configuration was completed successfully.
LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS).
Configure LSA anonymous lookup setting.
Configure log settings.

Audit/Log configuration was completed successfully.

Kerberos Policy configuration was completed successfully.
Configure hkey_local_machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Warning 3: The system cannot find the path specified.
Error configuring hkey_local_machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Configure hkey_local_machine\system\currentcontrolset\control\lsa\nolmhash.
Warning 3: The system cannot find the path specified.
Error configuring hkey_local_machine\system\currentcontrolset\control\lsa\nolmhash.
Configure hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Warning 3: The system cannot find the path specified.
Error configuring hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Configure hkey_local_machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
Warning 3: The system cannot find the path specified.
Error configuring hkey_local_machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Configure machine\system\currentcontrolset\control\lsa\nolmhash.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
Configure machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.

Configuration of Registry Values was completed with one or more errors.

To solve this problem I deleted WH-Domain controller GPO, updated DomainControllerV1.inf security template by replacing string ?HKEY_LOCAL_MACHINE? with ?MACHINE?, and recreate WH-Domain controller GPO using updated template. So, it solved the problem with Warning in event log on domain controller (and I think it will solve problem on other computers), but I figured out another problem on domain controller.

Almost all settings for Computer configuration\Windows settings\Local policies\ Security options in WH-Domain controller GPO are ineffective because Default Domain Controllers Policy GPO has higher priority than WH-Domain controller GPO (because of the procedure how to create and link policy to OU). For example Domain Controller: LDAP server signing requirements:

Default Domain Controllers Policy: None
WH-Domain controller: Require signing
Effective setting: None

Here are a couple of questions:
1. Should I worry about those GPO?s or I should live it as is?
2. How those policies affects hosting environment?
3. If this issue is critical then how to fix it?

Regards,

Dmitri Gaikovoi

---

Regards,

Dmitri Gaikovoi

P.S. Checks, mark post as answered, or simple "Thank you" will be really appreciated.


http://services.mail2web.com
http://myhosting.com

I don't believe the templates are required for running Hosted Exchange. That being said they do have some appropriate security settings that you should evaluate deploying with your infrastructure.

I'm checking on the template reg key issue. It has been a long time since I have worked directly with templates so I am setting up a lab. I'll get back to you on that.

I have sent the product team your comments on the Domain Controller policy issue. I checked the documentation and I don't see any mention of prioritizing the policies either. I have sent this question back to the product team for comment.

Thanks!

---

Technical Account Manager
Microsoft Communication Sector North America
This posting is provided "AS IS" with no warranties, and confers no rights. Script samples are subject to the terms at http://www.microsoft.com/info/cpyright.htm"

THanks for point this out.

The Templates are not required to run Hosted Exchange they are samples and mea culpa faulty ones.

I will fix the templates sometime soon and we will release an update.

HTH

---

Mike Kostersitz
Senior Program Manager, Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights. Script samples are subject to the terms at http://www.microsoft.com/info/cpyright.htm"

Thank you, guys.

Does it mean that I can safely delete all this GPOs?

---

Regards,

Dmitri Gaikovoi

P.S. Checks, mark post as answered, or simple "Thank you" will be really appreciated.


http://services.mail2web.com
http://myhosting.com

No you should disable them first so that the Servers pick up the reversion of the settings if you just delete them the 'old' settings are left behind.

Mike

---

Mike Kostersitz
Senior Program Manager, Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights. Script samples are subject to the terms at http://www.microsoft.com/info/cpyright.htm"