Another reason not to have a single label domain name....

I worked on a case recently where the WMI filters for a GPO were not being processed properly in a single label domain. Read here for more gotchas about single label domains - http://support.microsoft.com/kb/300684

 

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1104
Date: 2/22/2007
Time: 10:25:46 AM
User: NT AUTHORITY\SYSTEM
Computer: 2003DOM-XP
Description:
Windows cannot perform filter check for Group Policy object cn={7BCA8B71-ECA8-4C13-B3E8-F201D10F3B49},cn=policies,cn=system,DC=single. The associated filter cannot be found. This Group Policy Object will be skipped.

 

Currently there is a bug pending for this and I will update this post with a KB article if a fix is delivered. Otherwise - why in the world do folks use single labels?

 

There was another issue recently worked on where the users could not retrieve proper effective permissions for certain users. The advanced NTFS permissions would fail.

 

 

Windows cannot calculate the effective permissions for <username>

 

 

Ths happens if the user had SidHistory..This is fixed in q934161 - article soon to be published.

I wish I could make these 2  fixes more interesting , but since most of the work was debugging the internals of how we do these items ... well u understand.

So these are more FYI's than fascinating posts.

 

spatdsg