User policies are not applied when you log on to a computer that is running Windows 2000 SP4 (823862)
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2000 Server SP4
- Microsoft Windows 2000 Professional SP4
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
SYMPTOMS
After you install Microsoft Windows 2000 Service Pack 4
(SP4) on a client computer, logon scripts do not run when you log on to the
domain. If you remove Windows 2000 SP4, logon scripts run successfully when you
log on. Also, you may see the following entry in the Userenv.log file if the
Allow Cross-Forest User Policy and Roaming User Profiles
policy is disabled or is not configured:
USERENV(1418.15b8) time CheckXForestLogon: checking x-forest logon, user handle = 124
USERENV(1418.15b8) time CheckXForestLogon: policy set to disable XForest check
On a computer that is running Microsoft Windows Server 2003, the following
error message is displayed:
Crossed Forest Roaming Profiles are disabled.
Windows did not load your Roaming Profile and is logging you on with the local
Profile. Changes to the Profile will not be copied to the Server when you log
off. Contact your Administrator.
CAUSE
This issue occurs if both the following conditions are true:
- The logon script is contained in a user policy from a
trusted Windows 2000 forest (a cross-forest policy).
- The Allow Cross-Forest User Policy and Roaming User
Profiles policy has not been enabled on the Windows 2000 SP4-based
computer.
Windows 2000 SP4 includes new functionality that prevents
cross-forest user policies from being run on the local computer. This
functionality helps increase security between Windows 2000 forests. By default,
the policy that permits cross-forest user policies to run on the local computer
is not enabled.
RESOLUTION
To resolve this issue, permit cross-forest user policies to
run on the Windows 2000 SP4-based computer. To do so:
- Log on to the computer as a user with administrator
rights.
- Click Start, click Run,
type gpedit.msc, and then click
OK.
- Double-click Computer Configuration,
double-click Administrative Templates, double-click
System, and then click Group
Policy.
- In the right pane, double-click Allow Cross-Forest
User Policy and Roaming User Profiles.
- Click Enabled, click
Apply, and then click OK.
- Quit the Group Policy tool.
- Allow sufficient time for the computer policy to be
automatically updated, or update it yourself. To update the computer policy
yourself, follow these steps:
  - Click Start, click Run, type cmd, and then click OK.
  - Type the following command, and then press ENTER:
    secedit /refreshpolicy machine_policy
  For additional information about how to use the Secedit.exe command to update
  user and computer policies, click the following article numbers to view the
  articles in the Microsoft Knowledge Base:
  227448 Using Secedit.exe to force Group Policy to be applied again
  227302 Using SECEDIT to force a Group Policy refresh immediately
- Log off from the computer.
Note On a domain controller that is running Windows 2000 SP4, you can
also configure the Allow Cross-Forest User Policy and Roaming User
Profiles policy by using a domain or organizational unit-based Group
Policy object (GPO).
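To check a collected Userenv.log for the two CheckXForestLogon entries quoted under SYMPTOMS, the entries can be paired by their process.thread identifier. The following Python script is an added example, not code from this article or from Microsoft; the timestamp format, the sample log lines and the function name find_xforest_entries are assumptions.

```python
import re
from collections import namedtuple

# One Userenv.log entry: USERENV(<pid>.<tid>) <time> <function>: <message>
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<time>\S+)\s+(?P<func>\w+):\s*(?P<msg>.*)$"
)
CHECK_MSG = "checking x-forest logon"               # first entry in the article
RESULT_MSG = "policy set to disable XForest check"  # second entry in the article

Finding = namedtuple("Finding", "pid tid time user_handle")

def find_xforest_entries(lines):
    """Return a Finding for each CheckXForestLogon check that is followed,
    on the same process.thread, by the result message quoted in the article."""
    pending = {}    # (pid, tid) -> user handle taken from the 'checking' entry
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m.group("func") != "CheckXForestLogon":
            continue
        key = (m.group("pid").lower(), m.group("tid").lower())
        msg = m.group("msg")
        if msg.startswith(CHECK_MSG):
            handle = re.search(r"user handle\s*=\s*(\w+)", msg)
            pending[key] = handle.group(1) if handle else None
        elif msg.startswith(RESULT_MSG) and key in pending:
            findings.append(
                Finding(key[0], key[1], m.group("time"), pending.pop(key)))
    return findings

# Constructed sample: the timestamp format and the unrelated entry are
# assumptions; the last line has no preceding check and is not reported.
SAMPLE_LOG = """\
USERENV(1418.15b8) 09:14:02:375 CheckXForestLogon: checking x-forest logon, user handle = 124
USERENV(1418.0a3c) 09:14:02:380 ExampleFunction: unrelated entry
USERENV(1418.15b8) 09:14:02:391 CheckXForestLogon: policy set to disable XForest check
USERENV(0220.0b10) 09:20:11:002 CheckXForestLogon: policy set to disable XForest check
""".splitlines()

if __name__ == "__main__":
    for f in find_xforest_entries(SAMPLE_LOG):
        print(f"{f.time} process {f.pid} thread {f.tid}: cross-forest check "
              f"entries found (user handle {f.user_handle})")
```
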
Modification Type: Major | Last Reviewed: 2/9/2006
Keywords: kbprb KB823862 kbAudITPRO