[gptalk] Re: Long logon times when switching between metaframe servers.

  • From: <bart.schillebeeks@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 30 Jul 2007 13:20:07 +0200

Hello Hans :-)
 
All the servers are in the same OU receiving the same gpo's.
 
they logon to the first and recieve all settings
they logon to the second and recieve all settings
they logon to the first again and again recieve all settings!!
 
if they
 
they logon to the first recieve all settings
they logon to the first again  it skippes the settings
 
 
So it happens when switching servers in the same silo and metaframe farm, as we 
have silo's with for example 60 servers in them, this practically means the 
settings are applied all the time.
 
it probably has something to do with the GPO history contained in the 
NTuser.pol file from the roaming profile, but can't figure out how this could 
be fixed.
 
Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Bart.schillebeeks@xxxxxxxxxx
AD Internet Consulting BVBA 
"When once you have tasted flight, you will always walk with your eyes turned 
skyward, for there you have been and there you always will be."
Leonardo da Vinci, 1452-1519 
Disclaimer:
Any views expressed in this message are those of the individual sender, except 
where the message states otherwise and the sender is authorised to state them 
to be the views of any such entity.This Message is in no way legally binding 
and has to be viewed as a personal opinion of the sender. This message reflects 
in no way the views of FORTIS BANK and its associates and AD internet 
Consulting BVBA and its associates. Unless otherwise stated, any pricing 
information given in this message is indicative only, is subject to change and 
does not constitute an offer to deal at any price quoted. Any reference to the 
terms of executed transactions should be treated as preliminary only and 
subject to our formal written confirmation.

AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal ON:0470419019 
www.adinternet.com mailto:Sales@xxxxxxxxxxxxxx


 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of hans straat
Sent: Monday, July 30, 2007 1:01 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Long logon times when switching between metaframe servers.


As you state they logon to two different servers, does it also happen if they 
logon to two servers in the same OU? Or only if they logon to another farm or 
silo server(s).
 
regards,
hans straat
www.datacrash.net 





________________________________

        Subject: [gptalk] Long logon times when switching between metaframe 
servers. 
        Date: Mon, 30 Jul 2007 11:40:27 +0200
        From: bart.schillebeeks@xxxxxxxxxx
        To: gptalk@xxxxxxxxxxxxx
        
        
        Hello, 
        I'm a litlle plagued by this annoying problem. Our metaframe people are 
complaining about long logon times for GPO's for certain servers. 
        I've studied their userenv logs and found it relates to following 
behaviour. 
        I've got loopback processing enabled with merge, and it merges several 
more restrictive settings when logging on to a metaframe server. 
        When a user logs on the first time al his gpo settings are applied 
which takes about 30 seconds, when they logon a second time to the same server 
their settings are marked "same" and the application is skipped. 
        This is how it should work obviously.
         Now when they logon to another server in the metaframe farm i see 
NTuser.pol from their profile first erasing all settings in the registry 
extension part, and then reapplying them again from the GPO on the domain. 
        Only the registry extension has this behaviour , all the other ones 
don't do this. 
        Why does this happen? and why is the gpo history not transferred via 
the roaming profile to another server ? 
        Can this be reversed somehow ? 
        Even if in userenv it says: "the lists are the same" it still deletes 
and reapplies. 
        see example 
        USERENV 14:34:43:370    ProcessGPOs     Processing extension Registry   
4.906 
        USERENV 14:34:43:370    ReadStatus      Read Extension's Previous 
status successfully.  4.906 
        USERENV 14:34:43:370    CompareGPOLists The lists are the same. 4.906 
        USERENV 14:34:43:370    ProcessGPOList  Entering for extension Registry 
4.906 
        USERENV 14:34:43:370    UserPolicyCallback      Setting status UI to 
Applying Registry policy...        4.906 
        USERENV 14:34:43:401    LogExtSessionStatus     Successfully logged 
Extension Session data      4.937 
        USERENV 14:34:43:401    EnterCriticalPolicySectionEx    Entering with 
timeout 60000 and flags 0x2       4.937 
        USERENV 14:34:43:401    EnterCriticalPolicySectionEx    User critical 
section has been claimed.  Handle = 0x464 4.937 
        USERENV 14:34:43:401    EnterCriticalPolicySectionEx    Leaving 
successfully.   4.937 
        USERENV 14:34:43:401    ResetPolicies   Entering.       4.937 
        USERENV 14:34:43:401    SetRegPermissionsOnPoliciesKey  Resetting 
permission on the policy key  4.937 
        USERENV 14:34:43:401    SetRegPermissionsOnPoliciesKey  Resetting 
permission on the policy key  4.937 
        USERENV 14:34:43:401    ParseRegistryFile       Entering with 
<C:\Profiles\g60057\ntuser.pol>.  4.937 
        USERENV 14:34:43:401    DeleteRegistryValue     Deleted 
Software\Policies\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\3\1001       4.937
        USERENV 14:34:43:401    DeleteRegistryValue     Deleted 
Software\Policies\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\3\1004       4.937
        USERENV 14:34:43:401    DeleteRegistryValue     Deleted 
Software\Policies\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\3\1C00       4.937
        USERENV 14:34:43:401    DeleteRegistryValue     Deleted 
Software\Policies\Microsoft\Internet Explorer\Control Panel\Autoconfig  4.937
        USERENV 14:34:43:401    DeleteRegistryValue     Deleted 
Software\Policies\Microsoft\Internet Explorer\Control Panel\Connection Settings 
4.937 
        and then the reapplication 
        SERENV  14:34:45:886    ParseRegistryFile       Entering with 
<\\int.sys.shared.fortis\sysvol\int.sys.shared.fortis\Policies\{4120ED14-6346-4964-ABCD-F578457BC151}\User\registry.pol>.
 7.422
        USERENV 14:34:45:932    SetRegistryValue        NoComponents => 1  [OK] 
7.468 
        USERENV 14:34:45:995    SetRegistryValue        
DisablePersonalDirChange => 1  [OK]     7.531 
        USERENV 14:34:46:057    SetRegistryValue        
ForceClassicControlPanel => 1  [OK]     7.593 
        USERENV 14:34:46:104    SetRegistryValue        NoDesktopCleanupWizard 
=> 1  [OK]       7.640 
        USERENV 14:34:46:167    SetRegistryValue        NoHardwareTab => 1  
[OK]        7.703 
        USERENV 14:34:46:214    SetRegistryValue        NoManageMyComputerVerb 
=> 1  [OK]       7.750 
        USERENV 14:34:46:276    SetRegistryValue        NoSMConfigurePrograms 
=> 1  [OK]        7.812 
        USERENV 14:34:46:323    SetRegistryValue        NoSMMyPictures => 1  
[OK]       7.859 
        normally it should be like this (same user again on same server) 
        USERENV 14:12:54:275    ProcessGPOs     Processing extension Registry   
1.359 
        USERENV 14:12:54:275    ReadStatus      Read Extension's Previous 
status successfully.  1.359 
        USERENV 14:12:54:275    CompareGPOLists The lists are the same. 1.359 
        USERENV 14:12:54:275    CheckGPOs       No GPO changes and no security 
group membership change and extension Registry has NoGPOChanges set.     1.359
        USERENV 14:12:54:275    ProcessGPOs     ----------------------- 1.359 
        As we have multiple metaframe's in multiple farms and silo's this 
actually mean that mostly all of these settings are constantly being reapplied 
costing the user 30 seconds every time.
        If anyone can shed some light on this it would be greatly appreciated. 
        Thanks 
        
        
        Vriendelijke groeten,
        Cordialement,
        Kind Regards, 
        Schillebeeks Bart
        Active Directory Security Consultant
        Bart.schillebeeks@xxxxxxxxxx
        AD Internet Consulting BVBA 
        "When once you have tasted flight, you will always walk with your eyes 
turned skyward, for there you have been and there you always will be."
        Leonardo da Vinci, 1452-1519 
        Disclaimer:
        Any views expressed in this message are those of the individual sender, 
except where the message states otherwise and the sender is authorised to state 
them to be the views of any such entity.This Message is in no way legally 
binding and has to be viewed as a personal opinion of the sender. This message 
reflects in no way the views of FORTIS BANK and its associates and AD internet 
Consulting BVBA and its associates. Unless otherwise stated, any pricing 
information given in this message is indicative only, is subject to change and 
does not constitute an offer to deal at any price quoted. Any reference to the 
terms of executed transactions should be treated as preliminary only and 
subject to our formal written confirmation.
        AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal 
ON:0470419019 www.adinternet.com mailto:Sales@xxxxxxxxxxxxxx 
<mailto:Sales@xxxxxxxxxxxxxx> 
        
        
        

= = = = = = = = = = = = = = = = = = = = = = = = =
Fortis disclaimer :
http://www.fortis.be/legal/disclaimer.htm

Privacy policy related to banking activities of Fortis:
http://www.fortis.be/legal/privacy_policy.htm
= = = = = = = = = = = = = = = = = = = = = = = = =

Other related posts: