Problem with Impersonate client after authentication in GP


    Scream at me if this is in the wrong forum. Thanks in advance.

    Setup: Mix of Win2K/SP4 server and Server 2003/some with SP1
    No Problem with the Win2K/SP4 servers.
    The problem seems to occur ‘Intermittently’ and always is after Windows 2003 server SP1 is installed.

    The ‘big’ symptom is that on this intermittent basis, Windows 2003/SP1 servers will disappear from the network. They are up, can be pinged, no remote desktop however, no application/share, etc.
    Removing SP1 appears to resolve this problem.

    Admins are telling me this is related to a Group Policy:
    We have had a Group Policy, Applied at the OU level (not domain level) for the local security setting: Impersonate client after login
    This facilitates a central logging server.
    The member of the Impersonate client after login is the account which logs into the servers and collects event logs.

    From another forum thread I was reading, and several passes through Microsoft documentation, it seems that there may be differences in the way the Impersonate control is applied to W2k and 2003. In Win 2K, other accounts – Administrators and Service, are members of the policy. In Win 2003 server, the policy is Disabled on install and there are no other members.

    So, Questions:
    1) If the GP is enabling and assigning the ‘‘ to the Impersonate client after authentication for the Win 2003 server, do the accounts ‘Administrator’ and ‘Service’ need to be added as well?
    Is this the problem? Or might it be something else?
    (If you need more info. to understand me, I’ll gladly comply)

    2) Any clues as to why this would be spurious/intermittent?

    3) Any particular tools available to pin this down? I’m setting up a Win2003 test server, it will be in a test OU in the same domain.
    I will be using GPInventory, ‘whoami /all’ and whatever else I can come up with to try to figure this out.

    Any help is very sincerely appreciated. Thanks for your time.
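
For question 3 in the post, one way to compare servers offline, as an added example that is not part of the original post: it parses the output of `secedit /export /areas USER_RIGHTS` and reports which expected principals lack `SeImpersonatePrivilege`. The sample exports and the collector SID are constructed, and the expected list (Administrators and SERVICE, the accounts the post asks about) is an assumption to adjust.

```python
# Added example: audit secedit user-rights exports for SeImpersonatePrivilege.
# Create the input on each server with:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The export file is UTF-16; read it with open(path, encoding="utf-16").

RIGHT = "SeImpersonatePrivilege"
# Assumption: the principals the post asks about, as well-known SIDs.
EXPECTED = ["S-1-5-32-544",  # BUILTIN\Administrators
            "S-1-5-6"]       # NT AUTHORITY\SERVICE
COLLECTOR = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID

# Constructed sample exports (not taken from the post).
EXPORT_LOCAL = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
[Version]
signature="$CHICAGO$"
"""
EXPORT_GPO = EXPORT_LOCAL.replace("*S-1-5-32-544,*S-1-5-6", "*" + COLLECTOR)

def parse_user_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported as *S-1-...; strip the marker for comparison.
            rights[name.strip()] = {m.strip().lstrip("*").upper()
                                    for m in value.split(",") if m.strip()}
    return rights

def missing_principals(inf_text, right=RIGHT, expected=EXPECTED):
    """Expected principals that do not hold `right` in this export."""
    held = parse_user_rights(inf_text).get(right, set())
    return [p for p in expected if p.upper() not in held]

if __name__ == "__main__":
    for server, text in [("local-defaults", EXPORT_LOCAL), ("gpo-applied", EXPORT_GPO)]:
        print(server, "missing:", missing_principals(text) or "none")
```

The second sample models a policy that lists only the collection account, since a user right defined in a GPO replaces the local assignment rather than adding to it.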
