
How to update the Intelligent Message Filter version 2 in Exchange Server 2003 SP2

“Important Update” to Exchange after adding SP2 and IMF configuration.  Be sure to keep your .dat and .dll files up to date.

How to update the Intelligent Message Filter version 2 in Exchange Server 2003 SP2

http://support.microsoft.com/default.aspx?scid=kb;EN-US;907747

Thanks,

Roderick White

Posted by sdoakes | (Comments Off)

Getting the Certificate on to your Mobile Device

I don’t want it to be a big dramatization in getting your certificate onto your mobile device. Small Business Server creates a self-signed certificate for the Default Web Site when you run the Configure Exchange and Internet Connection Wizard (CEICW).  This certificate is used for sites that require SSL, such as OWA.  

 

You can also configure your mobile device to synchronize with the Exchange server using SSL so that your data is not sent over the Internet in clear text.  Below I describe the simplest way of getting that certificate to the device without using any tools.

 

  1. Export the certificate

 

For SBS servers, go to the C:\ClientApps\SBSCert folder.  If you have ISA installed, you will get the file named ISAcert.cer. If you do not have ISA installed, the file name is Sbscert.cer.

 

This is the public certificate that you will send to your mobile device.  It is already exported to a .cer file for you.

 

Note: If you do not have ISA on the server, you can export the certificate directly from the Default Web Site in the IIS Manager snap-in.

 

If you have IIS installed, you will need to export the certificate using the Certificates MMC snap-in.

 

To export the certificate using the MMC the steps would be:

 

    • Click Start, click Run, type mmc, and then click OK. 
    • On the File menu, click Add/Remove Snap-in, and then click Add. 
    • In the Add Standalone Snap-ins dialog box, click Certificates, click Add, click Computer account, click Next, and then click Finish. 
    • In the Add Standalone Snap-ins dialog box, click Certificates, click Add, click My Computer account, and then click Finish. 
    • Click Close, and then click OK. 
    • To export the client certificate from the local Computer store, follow these steps: expand Certificates – Local Computer, expand Personal, and then click Certificates. 
    • Right-click the computer certificate, click All Tasks, click Export, and then click Next. 
    • If the Yes, export the private key option is not available, the ASP.NET Web application cannot use the client certificate. You must obtain another client certificate. To do this, follow the instructions in Step 1 and Step 2. Otherwise, click Yes, export the private key, and then click Next two times. 
    • In the Password box and in the Confirm Password box, type a password, and then click Next. 
    • In the File name box, type a file name. Click Next, and then click Finish. 
    • In the Certificate Export Wizard dialog box, click OK. 

  

  2. Configure the mobile device to sync with the Exchange server, but not using SSL just yet.
  3. Send the certificate, from Step 1, to the mobile device.  (For this to work, Exchange must not be configured to delete attachments with the .cer extension.)
  4. Synchronize with the Exchange server to receive the certificate. You may need to sync twice to get the attachment.
  5. Click on the attachment and choose Yes to install the certificate.
  6. In Microsoft ActiveSync, check the checkbox to use SSL now.
  7. You are now synching securely between your mobile device and the Exchange server.

Great day to you!

 

Stephanie Doakes & Roderick White
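The device only needs the server's public certificate in order to trust it, so the file that gets e-mailed should be a certificate-only .cer export and never a .pfx or key file. The check below is an added example, not part of the original post; the function names and the sample byte strings (constructed ASN.1 skeletons, not real certificates) are assumptions of this sketch.

```python
import base64
import re

# Matches one PEM block and captures (label, base64 body).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def read_tlv(buf, off):
    """Parse one DER tag-length-value at buf[off]; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                          # short-form length
        length = first
    else:                                     # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, off, off + length


def children(body):
    """Return [(tag, value_bytes), ...] for the elements directly inside a SEQUENCE."""
    items, off = [], 0
    while off < len(body):
        tag, start, end = read_tlv(body, off)
        items.append((tag, body[start:end]))
        off = end
    return items


def classify_export(data):
    """Classify an exported file as 'certificate', 'pfx', 'private-key' or 'unknown'.

    This is a shape check on the outer ASN.1 structure, not certificate validation:
      X.509 Certificate = SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }
      PKCS#12 PFX       = SEQUENCE { INTEGER 3, ... }
      PKCS#8 / RSA key  = SEQUENCE { INTEGER 0 or 1, ... }
    """
    blocks = PEM_BLOCK.findall(data)
    if blocks:                                # Base64 (PEM) export
        labels = [label for label, _ in blocks]
        if any(b"PRIVATE KEY" in label for label in labels):
            return "private-key"
        if labels != [b"CERTIFICATE"]:
            return "unknown"
        try:
            data = base64.b64decode(blocks[0][1])
        except ValueError:
            return "unknown"
    try:
        tag, start, end = read_tlv(data, 0)
        if tag != 0x30:                       # outer element must be a SEQUENCE
            return "unknown"
        items = children(data[start:end])
    except ValueError:
        return "unknown"
    if [t for t, _ in items] == [0x30, 0x30, 0x03]:
        return "certificate"
    if items and items[0][0] == 0x02:         # leading INTEGER is a version field
        return "pfx" if items[0][1] == b"\x03" else "private-key"
    return "unknown"


def safe_to_send(data):
    """True only when the file looks like a certificate-only export."""
    return classify_export(data) == "certificate"


def pem(label, der):
    """Wrap DER bytes in a PEM block (used to build the constructed samples)."""
    return (b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der)
            + b"-----END " + label + b"-----\n")


# Constructed samples: minimal skeletons with the right outer shape only.
CERT_SHAPE = bytes.fromhex("300b3003020101300003020000")
PFX_SHAPE = bytes.fromhex("300702010330003000")
KEY_SHAPE = bytes.fromhex("300702010030000400")
PEM_CERT = pem(b"CERTIFICATE", CERT_SHAPE)
PEM_KEY = pem(b"PRIVATE KEY", KEY_SHAPE)

if __name__ == "__main__":
    for name, blob in [("DER .cer", CERT_SHAPE), ("Base64 .cer", PEM_CERT),
                       (".pfx", PFX_SHAPE), ("cert + key bundle", PEM_CERT + PEM_KEY)]:
        print(f"{name:18} {classify_export(blob):12} safe_to_send={safe_to_send(blob)}")
```

Anything that is not classified as "certificate", including files the parser cannot read, is treated as not safe to send.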

 

 

Posted by sdoakes | (Comments Off)

Resetting NTFS Permissions on Windows Server 2003

I have seen where permissions had gotten changed in the system folders where the Windows 2003 SP1 was applied and the server was rebooted.  After the reboot, nearly all of our automatic services failed to start.  This was because the Remote Procedure Call service failed to start.  Windows Server 2003 changes the logon for the RPC service to Network Service and because the permissions had been changed, that service was getting “Access Denied” when attempting to start the service. 

 

Running Chkdsk on a server can also change security descriptors if you have not applied the required hotfixes to the server.  See the following articles:

 

831375 The CHKDSK utility incorrectly identifies and deletes in-use security descriptors in Windows 2000

http://support.microsoft.com/default.aspx?scid=kb;EN-US;831375

 

831374 The CHKDSK utility incorrectly identifies and deletes in-use security descriptors

http://support.microsoft.com/default.aspx?scid=kb;EN-US;831374

 

 

In order to get the permissions reset, we can use the secedit command to reset the NTFS permissions on the server.

 

Open a command prompt.

 

Run the following command where windows is the %systemroot% variable.

 

If the server has been upgraded, you would substitute winnt for windows.

 

On a domain controller, run

secedit /configure /db c:\windows\temp\seceditsv.sdb /cfg "c:\windows\security\templates\DC security.inf" /log c:\windows\temp\seceditsv.log

 

On a non-domain controller, run

secedit /configure /db c:\windows\temp\seceditsv.sdb /cfg "c:\windows\security\templates\setup security.inf" /log c:\windows\temp\seceditsv.log

 

Note:  I have run the setup security.inf on a domain controller without experiencing any problems.

 

This sets NTFS permissions back to default.

 

You will then be able to start services using the Network Service.

 

 

Refer to the following article on what each security template contains.

 

816585 How to apply predefined security templates in Windows Server 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;816585

 

Have a good week.

 

Stephanie B. Doakes

Posted by sdoakes | (Comments Off)

Fax Troubleshooting Guidance

The first thing to do if you are having a fax issue is to ensure that your fax device is on a phone line all by itself.  If you are still having problems, here are some things that can be done to assist in finding the root cause.

When troubleshooting fax issues for Windows 2000/SBS2003 there are 3 sets of log files to work with for incoming and outgoing faxes.

 

1)        Activity Logging – can be found within the Fax Service Manager.  Right-click on Fax (Local) and select Properties.  Select the Activity Logging TAB.  From there you’ll see the “Activity Log Folder Location” path.  Highlight the path and copy it into the Start\Run\<path>.   Within the ActivityLog folder you’ll find Inboxlog.txt and Outboxlog.txt

 

2)       PSS Logging – can be found within the C:\Windows\System32\Logfile\Fax folder. You’ll find two folders within this directory: Incoming and Outgoing.  If the folders are empty or you can’t find the folder with the appropriate date, then the modem isn’t picking up as a fax call.  (Most of the time this denotes a problem with modem drivers or a bad modem. I’ve seen many cases where people are able to send faxes but can’t receive faxes.  This is still a problem with the modem if nothing is written to this folder.)

 

3)       T.30 logging  - T.30 logging is not enabled by default in Windows Server 2003 and SBS 2003 and must be enabled manually via the registry.  To enable T.30 debug logging of fax transmissions on your PC, please do the following:

 

  1. Using regedit, browse to the following key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Device Providers\{2172FD8F-11F6-11D3-90BF-006094EB630B}. Create the following DWORDS and set their registry values as follows:

 

            DebugLevelEx to 0xffffffff (8 f’s)

            DebugContextEx to 0xffffffff (8 f’s)

            DebugFormatEx to 0xbbffffff (2 b’s and 6 f’s)

 

2. Stop and restart the Fax Service so these settings will take effect.

 

Debug log – this file is named T30DebugLogFile.txt and can be found at %windir%\temp or at %SystemDrive%\Documents and Settings\NetworkService\Local Settings\Temp

Note: The NetworkService folder is hidden by default therefore you will have to unhide this folder to get to the file.

 

After you are done, please delete (or set to zero) all the values set/created above to stop debug logging. Restart the Fax Service.

 

Thanks,

 

Roderick White

 

Posted by sdoakes | 1 Comments

Windows 2003 R2 Active Directory Features & SBS R2 Features

Windows 2003 R2 Active Directory Related Features

 

I. Extends value of Active Directory deployments to facilitate secure access across organizational and platform boundaries, to allow organizations to manage a single identity across partner, Web, and UNIX applications.

 

Windows Server 2003 R2 Identity and Access Management Features

Windows Server 2003 R2 offers functionality that extends connectivity and control of identity management for internal and external collaboration. The following Windows Server 2003 R2 features deliver distinct advantages for identity and access management:

 

1.       Active Directory Federation Services (ADFS): ADFS provides Web-based extranet authentication/authorization, single sign-on (SSO), and federated identity services for Windows Server environments, which increases the value of existing Active Directory deployments to B2C extranet, intra-company (multi-forest) federation, and B2B internet federation scenarios.

2.       Extranet authentication and SSO services extend the strong authentication and distributed session capabilities Windows has for internal networks to internet-facing perimeter networks. Identity federation makes it possible for two organizations to share a user's Active Directory identity information securely over federation trusts, facilitating collaboration with partners and delegating user management.

 

3.       Active Directory Application Mode (ADAM): ADAM, an independent mode of Active Directory without infrastructure features, provides directory services for applications. Operating as a stand-alone data store or interacting with an Active Directory domain controller, ADAM's flexibility enables administrators to tailor their directory services infrastructure to varying degrees of local control/autonomy or shared services. ADAM provides a data store and services for accessing that data store, uses standard application programming interfaces (APIs) for accessing application data, and works with ADFS to provide a user store for extranet application authentication

 

4.       UNIX Identity Management: Windows Server 2003 R2 provides Windows and UNIX integration, which helps to establish uninterrupted user access and efficient management of network resources across operating systems, through the following updated identity management solutions:

 

·         Server for NIS helps integrate Windows and UNIX-based Network Information Service (NIS) servers by enabling an Active Directory domain controller to act as a master NIS server for one or more NIS domains. Identity Management for UNIX includes an easy-to-use wizard that a Windows domain administrator can use to export NIS domain maps to Active Directory entries.

 

·         Password Synchronization helps integrate Windows and UNIX servers by simplifying the process of maintaining secure passwords. With Password Synchronization, users do not need to maintain separate passwords for their Windows and UNIX accounts or remember to change the password in multiple locations. Password Synchronization automatically changes a user password on both UNIX and Windows networks whenever the user changes his or her password.

II. Extends connectivity and reliability to and from the branch office while controlling the total cost of ownership of branch IT infrastructure.

Windows Server 2003 R2, the first instance in a series of upcoming branch office technologies from Microsoft and industry partners, offers functionality that streamlines operations for remote file and print servers. The following Windows Server 2003 R2 features deliver distinct advantages for branch office integration:

 

1.       Robust File Replication: Windows Server 2003 R2 includes a completely rewritten replication engine for the Distributed File System (DFS). DFS Replication provides a robust multimaster file replication service, which is significantly more scalable and efficient in synchronizing file servers than its predecessor, File Replication Services (FRS). DFS Replication schedules and throttles replication schemes, supports multiple replication topologies, and utilizes Remote Differential Compression (RDC) to increase WAN efficiency. If WAN connections fail, data can be stored and forwarded when WAN connections become available.

 

2.       Advanced Compression Technologies: Remote Differential Compression (RDC) is a WAN-friendly compression technology that replicates only the changes needed to ensure global file consistency.

 

3.       Enhanced Management Tools:

 

·         The Print Management Console (PMC) provides a richer view of a network's printer topology, with which an IT administrator can monitor and react quickly to printer situations, allowing seamless productivity for branch office print users.

 

·         Microsoft Management Console (MMC) 2.1 has been expanded to include an enterprise-wide administration framework for managing file and print services. Businesses can mitigate the need for on-site administrators or third-party consultants for resolving local issues.

 

·         The enhanced DFS Namespaces technology user interface allows for easier management of file system roots within a network infrastructure.

 

R2 Home: http://www.microsoft.com/windowsserver2003/default.mspx

 

Small Business Server R2 Features

 

Automated, network-wide patch and update management for all Microsoft Update supported products lowering the costs of managing a Microsoft-based network and helping to maintain a more secure infrastructure

Increased mailbox limits from 16 GB to 75 GB, enabling improved productivity for employees

Inclusion of SQL Server 2005 Workgroup Edition technology in SBS 2003 R2 Premium Edition

Expanded client access license (CAL) rights, including access to additional Exchange Server 2003 and SQL Server 2005 Workgroup Edition servers in the SBS 2003 R2 network, allowing customers more flexibility in growth

Once available (RTM slated for Q2 2006), SBS 2003 R2 may be obtained through the following channels:

SBS customers with Software Assurance* will be able to obtain SBS 2003 R2 without purchasing a new server license** for a nominal shipping and handling fee.

SBS customers without Software Assurance will be able to purchase a new version upgrade SKU via retail, which will enable them to cost-effectively upgrade from any version of SBS (4.0, 4.5, 2000, 2003) to SBS 2003 R2.

SBS FAQ: http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx

 

Good day,

 

Stephanie B. Doakes

 

Posted by sdoakes | 1 Comments

More on Group Policies

Administrators can use Group Policy to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory directory service environment. The majority of available policy settings is provided through Administrative Template files (.adm files) and is designed to modify specific keys in the registry. This is known as registry-based policy. For many applications, the use of registry-based policy delivered by .adm files is the simplest and best way to support centralized management of policy settings.

True Policies vs. Preferences

Group Policy settings that administrators can fully manage are known as “true policies.” In contrast, settings that users configure or that reflect the default state of the operating system at installation time are known as “preferences.” Both true policies and preferences contain information that modifies the registry on users’ computers. True policy settings take precedence over preference settings.

Registry values for true policies are stored under the approved registry locations listed below.  Users cannot change or disable these settings.

 

Preferences are set by the user or by the operating system at installation time. The registry values that store preferences are located outside the approved Group Policy keys listed below. They are located in other areas of the registry. Users can typically change their preferences at any time. For example, users can decide to change the location of their local dictionary to a different location, or set their wallpaper to a different bitmap. Most users are familiar with setting preferences that are available to them through the operating system or application user interface.

 

For Computer Policy Settings:

 

HKLM\Software\Policies (The preferred location) and also

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies

 

For User Policy Settings:

 

HKCU\Software\Policies (The preferred location) and also

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

  

Changing the link order

Within each domain, site, and organizational unit, the link order controls when links are applied. To change the precedence of a link, you can change the link order, moving each link up or down in the list to the appropriate location. The link with the higher order (with 1 being the highest order) has the higher precedence for a given site, domain, or organizational unit. For example, if you add six GPO links and later decide that you want the last one that you added to have highest precedence, you can move the GPO link to the top of the list.

  

Blocking Group Policy inheritance

You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default), and then block inheritance only on the organizational unit to which the policies should not be applied.

  

Enforcing a GPO link

You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "enforced" was known as "No override."

 

Backup, Restore, Import, Copy and Migration Tables

With Group Policy Management Console (GPMC) you can back up, restore, import, or copy Group Policy objects (GPOs). When you copy or import a Group Policy object (GPO) from one domain to another, you can use a migration table to tell Group Policy Management Console (GPMC) how domain-specific data should be treated.

Policy State and Associated Behavior

Enabled – Turns on the behavior indicated by the policy name

Disabled – Turns off the behavior indicated by the policy name

Not Configured – Has no effect – default behavior

 

“String Too Long...” Hotfix for Earlier Operating Systems and Service Packs

If you or other administrators in your organization are going to manage policy settings on computers running earlier operating systems or service packs (for example, Windows Server 2003 or Windows XP with SP1), you need to install a hotfix in order for policy settings to appear correctly in the Group Policy Object Editor.

These hotfixes are available for the following:

·        Windows Server 2003

·        Windows XP with SP1

·        Windows 2000

To obtain these hotfixes, see article 842933, "'The following entry in the [strings] section is too long and has been truncated' error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000," in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=4441.

If you are going to manage policy settings from workstation computers running Windows XP with SP2 only, you will be able to manage policy settings without applying any hotfixes. For example, you will be able to run the Group Policy Object Editor and view all the new policy settings delivered with Windows XP SP2.

Important: Opening a GPO on a computer running Windows XP with SP2 causes all other administrative workstations to use the new .adm files (note that no changes need be made to the GPO for this to occur). This will generate error messages when earlier versions of gpedit are loaded. For more information about this issue, see article 842933, "'The following entry in the [strings] section is too long and has been truncated' error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000," in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=4441.

By installing the hotfix for Windows Server 2003, Windows XP with Service Pack 1, and Windows 2000, you ensure that the Windows XP SP2 .adm files load correctly on these platforms.

Enough on group policies for the day!

 

Stephanie B. Doakes

Posted by sdoakes | (Comments Off)

Volume Shadow Copy Service and DLLs

Backing up the system state using NTBackup or Veritas Backup Exec may fail if you are having issues with the dll registrations for the Volume Shadow Copy service. 

 

Running the vssadmin utility with the “list writers” parameter returns nothing. The syntax is "vssadmin list writers".

 

Usually this issue can be resolved by registering the dlls that are needed by the VSS service.

 

1.   From command prompt:

 

Cd windows\system32

Net stop vss

Net stop swprv

regsvr32 ole32.dll

regsvr32 vss_ps.dll

Vssvc /Register

regsvr32 /i swprv.dll

regsvr32 /i eventcls.dll

regsvr32 es.dll

regsvr32 stdprov.dll

regsvr32 vssui.dll

regsvr32 msxml.dll

regsvr32 msxml3.dll

regsvr32 msxml4.dll

 

2.         After completing the registration of the DLLs, open a command prompt and type: vssadmin list writers

3.         You should see the writers listed.

4.         Open Ntbackup and attempt to back up files or the system state.

 

 

Have a nice weekend.

 

Roderick White

Posted by sdoakes | 5 Comments

Group Policy Processing and Precedence

The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.

 

Order of processing settings

Group Policy settings are processed in the following order:

1. Local Group Policy object—Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.

2. Site—Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3. Domain—processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4. Organizational units—GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

 

Exceptions to the default order of processing settings

The default order for processing settings is subject to the following exceptions:

·         A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.

 ·         A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.

 ·         An organizational unit or a domain may have Block Inheritance set. By default, Block Inheritance is not set.

 ·         A computer that is a member of a workgroup processes only the local Group Policy object.

 ·         Loopback may be enabled.

 Have a nice weekend!

Stephanie B. Doakes
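The processing order above, together with the link order, Block Inheritance and Enforced rules from the earlier "More on Group Policies" post, can be worked through in code. This is an added example, not part of the original posts and not Microsoft's implementation; the class names, GPO names and setting names are constructed for illustration, and GPO-level user/computer disabling and loopback are left out.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str
    enforced: bool = False
    disabled: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # index 0 is link order 1
    block_inheritance: bool = False


def processing_order(chain, local_gpo="Local GPO"):
    """Return GPO names in the order they are processed (the last one wins).

    chain lists the containers from the site, through the domain, down to the
    OU that directly holds the user or computer. The local GPO is not linked
    to a container, so this sketch always processes it first.
    """
    # The deepest container with Block Inheritance cuts off every
    # non-enforced link that comes from a container above it.
    blockers = [i for i, c in enumerate(chain) if c.block_inheritance]
    barrier = max(blockers) if blockers else 0

    normal, enforced_groups = [], []
    for level, container in enumerate(chain):
        enforced_here = []
        # Link order 1 must be processed last, so walk the list backwards.
        for link in reversed(container.links):
            if link.disabled:
                continue
            if link.enforced:
                enforced_here.append(link.gpo)    # cannot be blocked
            elif level >= barrier:
                normal.append(link.gpo)
        enforced_groups.append(enforced_here)

    order = [local_gpo] + normal
    # Enforced links are applied after everything else, child containers
    # first, so that the parent's enforced link always has precedence.
    for group in reversed(enforced_groups):
        order.extend(group)
    return order


def resolve(order, settings_by_gpo):
    """Apply GPOs in order; return {setting: (value, winning_gpo)}."""
    effective = {}
    for gpo in order:
        for key, value in settings_by_gpo.get(gpo, {}).items():
            effective[key] = (value, gpo)
    return effective


# Constructed sample environment.
CHAIN = [
    Container("Site: HQ", [Link("Site Proxy")]),
    Container("Domain: corp.example",
              [Link("Domain Baseline", enforced=True), Link("Domain Desktop")]),
    Container("OU: Branch",
              [Link("Branch Lockdown"), Link("Old Pilot", disabled=True)],
              block_inheritance=True),
    Container("OU: Kiosks", [Link("Kiosk Shell"), Link("Kiosk Wallpaper")]),
]

SETTINGS = {
    "Local GPO":       {"Wallpaper": "local.bmp"},
    "Site Proxy":      {"ProxyServer": "proxy.hq.example:8080"},
    "Domain Baseline": {"ScreenSaverTimeout": 600},
    "Domain Desktop":  {"Wallpaper": "corp.bmp", "HideRunMenu": 1},
    "Branch Lockdown": {"ScreenSaverTimeout": 300, "Wallpaper": "branch.bmp"},
    "Old Pilot":       {"Wallpaper": "pilot.bmp"},
    "Kiosk Wallpaper": {"Wallpaper": "kiosk.bmp"},
    "Kiosk Shell":     {"Wallpaper": "shell.bmp", "Shell": "kiosk.exe"},
}

if __name__ == "__main__":
    order = processing_order(CHAIN)
    print("Processing order:", " -> ".join(order))
    for setting, (value, gpo) in sorted(resolve(order, SETTINGS).items()):
        print(f"{setting:20} = {value!r:14} (from {gpo})")
```

In the sample, Block Inheritance on the Branch OU drops the site and non-enforced domain links, the enforced Domain Baseline still overrides Branch Lockdown's conflicting timeout, and Kiosk Shell (link order 1) beats Kiosk Wallpaper (link order 2).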

 

 

 

 

 

Posted by sdoakes | (Comments Off)

Small Business Server's Internet Connection Wizard

So you say you don't like wizards?  Well do you know just how much we do for you when you run the Configure E-mail and Internet Connection Wizard? 

The features of the CEICW include:

1. Configuring the networking such as ensuring the binding order is correct on the server.

2.  Setting the DNS forwarders on the server.

3. Automatic certificate creation.

4. SSL enabling of web sites.

5. Configuring ISA access rules and web publishing if ISA is installed or via RRAS if no ISA.

6. PPPoE dial-up options.

7. Automatic scripting options

8. UPnP device provisioning.

9. Automatic removal of selected e-mail attachments.

10. Configuring Exchange recipient policy.

11. Configuring Exchange POP3 configuration.

Without having to know how to configure Exchange to send and receive e-mail, how to publish websites in ISA 2004, or how to create access rules in ISA 2000/2004, the wizard has you up and running, connected to the Internet and securely sending and receiving e-mail.  Who says you get what you pay for?  You get well above what you pay for here!

Check out Small Business Server and some of the features that are included out of the box such as Remote Web Workplace which is the main portal to your SBS network.

You can find out more at www.microsoft.com/sbs.

Enjoy

 

Posted by sdoakes | 4 Comments

File Replication Service

The file replication service maintains identical sets of files and directories on different servers and workstations running Windows NT. When files are updated on one server, the file replication service replaces the corresponding files on other servers and workstations with the updated files. The replication process simplifies the task of updating and coordinating files, and maintains the integrity of the replicated data.

FRS relies on containers, objects, and attributes that are stored in Active Directory and that are replicated among domain controllers in a given domain to function. Critical objects include FRS member and subscriber objects. Required and optional attributes include the schedule, the file filters, the folder filters, and the database location. Schema definitions define the containers or the location where FRS objects are located. 

FRS supports two replica sets, DFS and SYSVOL. When you use Dcpromo.exe to promote domain controllers, containers, objects, and attributes for SYSVOL, replica sets are created (they are created indirectly). You can use the DFS snap-in (Dfsgui.msc) to create objects when you configure replication between two or more targets in a DFS root or link, or when you add new members to an existing FRS set.

NTFRSUTL.EXE is the diagnostic utility for the File Replication Service. It is included with the Support Tools.

Before you attempt to add a replica domain controller to your domain, ensure that your source DC is healthy and can replicate its SYSVOL share to the partner.

Install the Support Tools and run the NTFRSUTL command with two switches:

ntfrsutl ds > c:\ntfrsutlds.txt

ntfrsutl sets > c:\ntfrsutlsets.txt

The ntfrsutl ds output will show your subscription information for replica sets in your domain.  If you have not set up any DFS then you should only see the domain system volume.

The main thing to look for in the ntfrsutl ds output is the "Server Ref" value.  Ensure that the value is not set to "null".  If it is then you have a problem. It can be fixed.

The ntfrsutl sets output shows active replica sets and deleted replica sets along with pertinent information about those replica sets.

A successful initialization of the domain system volume by the file replication service will return an Event ID 13516 in the File Replication Service log.  If you have not received this event in a while, do not add any additional domain controllers until your source domain controller is healthy.

Articles that you can reference for more information include the following:

296183 Overview of Active Directory Objects That Are Used by FRS
http://support.microsoft.com/default.aspx?scid=kb;EN-US;296183

312862 Recovering missing FRS objects and FRS attributes in Active Directory
http://support.microsoft.com/default.aspx?scid=kb;EN-US;312862

 

 

 

Posted by sdoakes | (Comments Off)

Antivirus Test File Public Website

Symantec had a customer go here to confirm that their antivirus software is working as expected.

Go to the following website: www.eicar.org.

If the antivirus software is working as expected, you will not be able to download the eicar.com antivirus testfile.

On the main page in the left pane go to "The AntiVirus testfile eicar.com".

Scroll to the bottom of the page, then just choose to download the eicar.com file.

Choose to save the file on your desktop.

If your antivirus software is working as expected, you will be blocked from downloading the file and your antivirus software should pop up a warning.

This is a great way to confirm that your antivirus software is working without actually testing with a true virus.

Thanks Symantec support!

Stephanie

 

Posted by sdoakes | (Comments Off)

Let's get Sharepoint backed up - and schedule it!

I know we do a lot for our SBS customers, but one thing that we do not do is back up your Sharepoint website, http://companyweb, for you.  Start the new year out by taking proactive measures to back up your Sharepoint website(s). 

Should you get in that undesirable situation of needing to restore, you will have a good backup from which to restore.  You can also restore to a different server with the stsadm backup.

Here is the syntax: 

a. Click "Start", and then click "Run".

b. In the "Open:" box, type "cmd", and then click OK.

c. At the command prompt, type the following, and then press ENTER:

   cd "%programfiles%\Common Files\Microsoft Shared\web server extensions\60\BIN"

d. At the command prompt, type the following, where Backup_Path is the path of the backup file, and then press ENTER:

   stsadm -o backup -url http://companyweb -filename <Backup_Path>

You can find this valuable information in the following article:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;829112

Hope everyone had a great New Year!

Stephanie

Posted by sdoakes | (Comments Off)

SBS with Replica Domain Controllers

There is a myth about SBS stating that SBS does not support additional domain controllers. That is completely untrue.  An SBS domain can have multiple domain controllers.  The only requirement is that the SBS server holds the FSMO roles. 

So for the record "You can have multiple domain controllers in your SBS domain".

Tools that you can use to check/transfer the FSMO roles include: netdom, ntdsutil, replmon, AD snap-ins to name a few.

P.S.  We even have a way for you to add SBS to an existing domain if necessary.

Happy New Year!

Posted by sdoakes | (Comments Off)

Replmon Utility to View Group Policy Objects List

Replmon is a GUI tool that enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication. It is included with the Windows Server 2003 Support Tools.

Support Tools are included on the Windows Server 2003 media.  Go to the Support\Tools folder and click on the setup.exe or the msi file to start the installation.

Replmon is a great utility for troubleshooting replication, but did you know that you can enumerate your group policy object status and find out what GUID goes to which group policy object?  When you see those events that are pointing to the GPO for CN={31B2F340-016D-11D2-945F-00C04FB984F9} and you have no clue to which GPO it is referring, you can load up replmon and enumerate your GPOs and find out.

After installing the Support Tools, from the run line type "replmon" to start the utility.

Right-click on Monitored Servers and select "Add Monitored Server".  Add your server either by name or by searching the directory.

Once your server is added, right-click on your servername and select "Show Group Policy Object Status".

The Group Policy Object Status window shows you all of your group policy objects that are present in your environment along with their corresponding GUIDs.  It also gives you Version and Sysvol Version information for replication purposes.

You can save this file out to a text file for safe keeping.  Should you get a Userenv event that is pointing to a GPO GUID, you can open this file and see which group policy is giving you a problem or to which GPO the event is referring.

If the event is referring to a problem with the GPO, unlink the GPO and do a gpupdate on the server.  Confirm that you get your ID 1704 in the application log.  That event means that your group policies have been applied successfully.  If group policies do not get applied successfully, you will get a Userenv error instead of the ID 1704. If unlinking the GPO resolves the problem, you have just isolated and confirmed that this GPO is your only problem.  Either fix the GPO or delete it and recreate it if you don't want to try to figure out what is wrong with it.  (If the GPO is either the Default Domain or the Default Domain Controllers GPO you can use the dcgpofix command to get those recreated.)

Hopes are that you used the RSOP to test your custom GPOs prior to introducing them into your production environment.  You can get yourself in a situation that neither you nor PSS may be able to get you out of if you don't take the time to pilot and test your GPOs first.  Please take that extra time.

Enjoy and Merry Christmas to you all.

Stephanie

 

Posted by sdoakes | (Comments Off)