Symptoms
After you install Microsoft Windows 2000 Service Pack 4 (SP4) on a client computer, logon scripts do not run when you log on to the domain. If you remove Windows 2000 SP4, logon scripts run successfully when you log on. Also, you may see the following entry in the Userenv.log file if the
Allow Cross-Forest User Policy and Roaming User Profiles policy is disabled or is not configured:
USERENV(1418.15b8) time CheckXForestLogon: checking x-forest logon, user handle = 124
USERENV(1418.15b8) time CheckXForestLogon: policy set to disable XForest check
On a computer that is running Microsoft Windows Server 2003, the following error message is displayed:
Crossed Forest Roaming Profiles are disabled. Windows did not load your Roaming Profile and is logging you on with the local Profile. Changes to the Profile will not be copied to the Server when you log off. Contact your Administrator.
Cause
This issue occurs if both the following conditions are true:
-
The logon script is contained in a user policy from a trusted Windows 2000 forest (a cross-forest policy).
-
The Allow Cross-Forest User Policy and Roaming User Profiles policy has not been enabled on the Windows 2000 SP4-based computer.
Windows 2000 SP4 includes a new functionality that prevents cross-forest user policies from being run on the local computer. This functionality helps increase security between Windows 2000 forests. By default, the policy that permits cross-forest user policies to run on the local computer is not enabled.
Resolution
To resolve this issue, permit cross-forest user policies to run on the Windows 2000 SP4-based computer. To do so:
-
Log on to the computer as a user with administrator rights.
-
Click Start, click Run, type gpedit.msc, and then click
OK. -
Double-click Computer Configuration, double-click Administrative Templates, double-click
System, and then click Group Policy. -
In the right pane, double-click Allow Cross-Forest User Policy and Roaming User Profiles.
-
Click Enabled, click
Apply, and then click OK. -
Quit the Group Policy tool.
-
Allow sufficient time for the computer policy to be automatically updated, or update it yourself. To update the computer policy yourself, follow these steps:
-
Click Start, click
Run, type cmd, and then click
OK. -
Type the following command, and then press ENTER:
secedit /refreshpolicy machine_policy
For additional information about how to use the Secedit.exe command to update user and computer policies, click the following article numbers to view the articles in the Microsoft Knowledge Base:
227448 Using Secedit.exe to force Group Policy to be applied again
227302 Using SECEDIT to force a Group Policy refresh immediately
-
-
Log off from the computer.
Note On a domain controller that is running Windows 2000 SP4, you can also configure the Allow Cross-Forest User Policy and Roaming User Profiles policy by using a domain or organizational unit-based Group Policy object (GPO).
More Information
The following scenario describes this new behavior that is introduced in Windows 2000 SP4:
-
You have two Windows 2000 forests (forest A and forest B) with a two-way trust configured between them.
-
A user from forest A logs on to a computer in forest B.
In this case, user policies from forest A are not applied when the user logs on. You must explicitly permit these user policies to be applied from a trusted forest.
For additional information about how to use Group Policy in a Windows 2000 domain, visit the following Microsoft Web site:
http://download.microsoft.com/download/5/2/f/52f3dbd6-2864-4d97-8792-276544ad6426/grouppolwp.doc For additional information about how to enable user environment debug logging in retail builds of Windows, click the following article number to view the article in the Microsoft Knowledge Base:
221833 How to enable user environment debug logging in retail builds of Windows
