Computers lose functionality after you upgrade the domain controllers to Windows Server 2003 with Service Pack 1

After you upgrade a domain's domain controllers to Windows Server 2003 with Service Pack 1, computers that are running Microsoft Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1 may encounter one or more of the following symptoms. The following symptoms may appear after the computers restart or after the computers rejoin the domain:

• Network adapter icons do not appear in Network Connections.
• The following services indefinitely maintain the Starting status:
  • COM+
  • Shell Hardware Detection
  • Volume Shadow Copy
• The RPC service does not start.
• You cannot search.
• You cannot use Windows Update.
• You cannot install or remove programs.
• You have trouble opening Microsoft Office documents.
• You cannot access the Computers item in Component Services. A red arrow appears next to the item.
• When you click the Dependencies tab in the properties dialog box of a service that does not start, you receive a "Win32: Access is denied" error message.
• When you try to start Disk Management, you receive an "Access denied" error message.
• On a computer that is running Windows XP with Service Pack 2, Windows Firewall reports that the network setting is corrupted.

These problems occur when a Group Policy setting that defines the Impersonate a client after authentication user right is linked to the domain.

Note This user right should be linked only to a site or to an organizational unit (OU).

To resolve this problem, use one of the following methods.

Method 1: Modify Group Policy settings

On any domain controller in the domain, follow these steps to modify the Group Policy settings:

1. Click Start, click Run, type gpedit.msc, and then click OK.
   
   Note If you receive the following error message, use Method 2 instead of this method:
   There are no more endpoints available from the endpoint mapper.
2. In the console tree, expand Windows Settings under Computer Configuration.
3. Expand Security Settings, expand Local Policies, expand User Rights Assignment, and then examine the groups that are defined in the Impersonate a client after authentication setting.
   
   Note On a domain controller that is running Windows Server 2003 with Service Pack 1, you expect the following groups to be defined in this setting:
   • ADMINISTRATORS
   • SERVICE
   • IIS_WPG
4. Run the Directory Services version of Microsoft Product Support Reporting Tool, and then examine the Computer_Name_GPRESULT.txt file.
5. Search the Computer_Name_GPRESULT.txt file for the word "Impersonate." Then, examine the Group Policy objects (GPOs) that are indicated by the search results.
6. Remove the Impersonate a client after authentication setting from the Default Domain Policy GPO or from the Default Domain Controllers Security Policy GPO if the setting is present. Also, remove the Impersonate a client after authentication setting from any GPO that is linked at the domain level. Make sure that the policy settings that have this setting are only linked at the site level or at the OU level.
7. Restart the computer.

Method 2: Modify the registry

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

On any domain controller in the domain, follow these steps to modify the registry:

1. Click Start, click Run, type services.msc, and then click OK.
2. Right-click Remote Procedure Call (RPC), and then click Properties.
3. Click the Log On tab, and then click Local System account in the Log on as area.
4. Restart the computer.
5. Click Start, click Run, type gpedit.msc, and then click OK.
6. In the console tree, expand Windows Settings under Computer Configuration.
7. Expand Security Settings, expand Local Policies, expand User Rights Assignment, and then examine the groups that are defined in the Impersonate a client after authentication setting.
   
   Note On a domain controller that is running Windows Server 2003 with Service Pack 1, you expect the following groups to be defined in this setting:
   • ADMINISTRATORS
   • SERVICE
   • IIS_WPG
8. Run the Directory Services version of Microsoft Product Support Reporting Tool, and then examine the Computer_Name_GPRESULT.txt file.
9. Search the Computer_Name_GPRESULT.txt file for the word "Impersonate." Then, examine the Group Policy objects (GPOs) that are indicated by the search results.
10. Remove the Impersonate a client after authentication setting from the Default Domain Policy GPO or from the Default Domain Controllers Security Policy GPO if the setting is present. Also, remove the Impersonate a client after authentication setting from any GPO that is linked at the domain level. Make sure that the policy settings that have this setting are only linked at the site level or at the OU level.
11. Restart the computer.
12. Click Start, click Run, type cmd, and then click OK.
13. At the command prompt, type gpupdate \force, and then press ENTER.
14. Close the Command Prompt window.
15. Click Start, click Run, type regedit, and then click OK.
16. In Registry Editor, locate the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
    Note As a precaution, export a copy of this registry key before you continue.
17. Right-click ObjectName, and then click Modify.
18. Type NT Authority\NetworkService in the Value data box, and then click OK.
19. Restart the computer.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.