[gptalk] Re: Not all Group Policy settings being applied

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 8 Mar 2007 22:58:17 +1100

Hi Pierre,

 

I have seen the problem before but cannot recall exactly what it was. There
is a Microsoft article that refers to the message, but I don't think it is
your error:- http://support.microsoft.com/kb/257580

 

It is related to the GPO processing not being able to find out the username
(obviously)  and I am not sure if there is something wrong with the username
(disabled, or expired) or perhaps the machine needs to be removed and
readded to the domain, or perhaps it can no longer get to the domain
controller for some reason. Is there any event log record written?

 

Alan Cuthbertson

  

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: Thursday, 8 March 2007 10:02 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Not all Group Policy settings being applied

 


Hi Alan 

Many thanks for your very interesting e-mail. This is indeed a very strange
problem I'm encountering on some of our workstations. 
I've enabled user environment debug logging via the registry and on one of
these problem workstations I have noted the following entries in the log
file: 

USERENV(378.7b0) 10:54:17:200 MyGetUserName:  GetUserNameEx failed with
1355. 
USERENV(378.7b0) 10:54:47:699 MyGetUserName:  GetUserNameEx failed with
1355. 
USERENV(378.7b0) 10:55:18:196 MyGetUserName:  GetUserNameEx failed with
1355. 
USERENV(378.7b0) 10:55:48:693 MyGetUserName:  GetUserNameEx failed with
1355. 
USERENV(378.7b0) 10:55:48:693 ProcessGPOs: MyGetUserName failed with 1355. 
. 
. 
. 
USERENV(3ac.c60) 09:54:52:042 MyRegUnLoadKey:  Failed to unmount hive
00000005 
USERENV(3ac.c60) 09:54:52:042 UnLoadClassHive: failed to unload classes key
with 5 
USERENV(3ac.c60) 09:54:52:042 DumpOpenRegistryHandle: 2 user registry
Handles leaked from
\Registry\User\S-1-5-21-2676610465-2331551837-1842337626-500_Classes 
USERENV(3ac.c60) 09:54:52:042 ReportError: Impersonating user. 
USERENV(3ac.c60) 09:54:52:042 CUserProfile::WatchHiveRefCount: Failed to
restore the privilege. error = c0000022 
USERENV(3ac.694) 19:47:30:723 CEvents::Report: ReportEvent failed.  Error =
1717 
USERENV(3ac.3b0) 09:13:48:640 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:13:48:656 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:13:48:656 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is
not 0 
USERENV(3ac.f54) 11:17:14:962 PolicyChangedThread: UpdateUser failed with 6.


So there seems to be something wrong. But the problem is what could be
causing such a problem and how can I resolve it? 

Thanks 
Pierre 





"Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx 

07/03/2007 22:34 


Please respond to
gptalk@xxxxxxxxxxxxx


To

<gptalk@xxxxxxxxxxxxx> 


cc

 


Subject

[gptalk] Re: Not all Group Policy settings being applied

 


 

 




Hi Pierre, 
  
One thing that might be catching you is if you have not enabled "process
even if the group Policy Objects have not changed" under
"Machine\Administrative templates\system\group Policy\registry policy
processing". The default is to only process it if the group policy changes.
This means that if the setting is wrong, it will remain wrong until the
policy changes. You can run "GPUPDATE /Force" which will reapply all
policies unconditionally to see if this fixes the problem. If this is the
case, we can work out why the machine thought the policy was already
applied. 
  
If this is not the problem, go for the UserEnv Log! 
  
You can enable logging and check out the log to find out:- 
1.        Is the Policy being detected in the OU structure? 
2.        Is it passing security filtering? 
3.        Is it attempting to apply the ADM component of the policy? 
4.        Is it trying to apply the registry key that was expected? 
  
You can then check if the registry key is actually in place 
  
Failure at any one of these levels could cause the problem. 
  
You can checkout  <http://support.microsoft.com/kb/221833/en-us>
http://support.microsoft.com/kb/221833/en-us to see how to enable logging..
Or you can download and install my Policy Log Reporter (see below). By
default it checks the machine it is installed on, but you can also point it
at a remote machine. It provides a button to enable logging and it will
parse the log and show it in a more structured way. 
  
If you still can't understand what is going on, post the log and we can
check it out for you. 
  
Alan Cuthbertson 
  
  
 Policy Management Software:- 
 <http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml 
  
ADM Template Editor:- 
 <http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml 
  
Policy Log Reporter(Free) 
 <http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml 
  
  
  
  

 

  _____  


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: Thursday, 8 March 2007 2:42 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Not all Group Policy settings being applied 
  

Hi Everyone! 

I am encountering a problem on certain Windows XP Pro (SP2) workstations
where not all settings of the W2K3 group policy are being applied. The
setting which is not being applied is the Windows Automatic Updates. It is
company policy to disable automatic download of MS updates. The majority of
our workstations are having this policy setting applied correctly but some
are not having this setting applied. They are having other settings applied
e.g. disabling the Run command, etc., but not this one. All the workstations
belong to the same AD domain and all have a common group policy. 
Has anyone encountered this problem before? Any comments/help would be very
much appreciated. 

Thanks in advance 
Pierre 

Other related posts: