[gptalk] Re: Not all Group Policy settings being applied

  • From: Sjövold, Thorbjörn <thorbjorn.sjovold@xxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 8 Mar 2007 13:54:57 +0100

Pierre,

 

May I suggest a test here, If you add another registry GP setting now in the 
same GPO, does it apply, or is it only the Windows Update settings that does 
not apply?

 

There are some interesting things in your log file, but they are not all 
necessary from GP processing, since the Userenv log also contains profile 
loading/unloading etc. For example 1355  means ”The specified domain either 
does not exist or could not be contacted.” and that could be caused by 
logging on when not connected to the network for example, although I am not 
saying that it is not related to this problem.

 

Every time someone loads the profile the profile ref count is increased, and 
the opposite when unloading and the “Ref Count is not 0 “ means that there 
is something, probably a service, that have loaded the user profile and when 
the user logs of it cannot be unloaded since the service either is still using 
the profile or failed to return the handle and thus the error. The c0000022  
error means Status_Access_Denied (in kernel mode) and is most likely to user 
loading/unloading too. But this should not be related to the problem if it is 
the Windows Update settings since they are AFAIK all HKLM,  and a leaking 
handles to profiles should only affect someone (winlogon in this case) trying 
to write to the user hive.

 

Have you enabled verbose logging as Alan suggested, it feels like this is the 
normal error logging only? If you do that and then run a Gpudate /force you 
should entries similar to this for all Registry keys that are applied:

 

USERENV(24c.4f0) 13:42:43:742 SetRegistryValue: AutoInstallMinorUpdates => 1  
[OK]

USERENV(24c.4f0) 13:42:43:742 SetRegistryValue: NoAutoUpdate => 0  [OK]

USERENV(24c.4f0) 13:42:43:757 SetRegistryValue: AUOptions => 4  [OK]

USERENV(24c.4f0) 13:42:43:773 SetRegistryValue: ScheduledInstallDay => 0  [OK]

USERENV(24c.4f0) 13:42:43:773 SetRegistryValue: ScheduledInstallTime => 5  [OK]

USERENV(24c.4f0) 13:42:43:788 SetRegistryValue: UseWUServer => 1  [OK]

 

That would give use more information regarding this.

 

Thorbjörn Sjövold

Special Operations Software

www.specopssoft.com <http://www.specopssoft.com/> 

thorbjorn.sjovold a t specopssoft.com

 

Download our free tool for remote Gpupdate with graphical reporting,

http://www.specopssoft.com/products/specopsgpupdate/

 

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: den 8 mars 2007 13:03
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Not all Group Policy settings being applied

 


Hi Alan 

What I see in the event log is this: 

Event Type:        Information 
Event Source:        SceCli 
Event Category:        None 
Event ID:        1704 
Date:                08/03/2007 
Time:                12:52:01 
User:                N/A 
Computer:        PRDWW01 
Description: 
Security policy in the Group policy objects has been applied successfully. 

Which means that the Group Policy is being applied which is not true as only 
part of it is being applied. But checking the log again I see the following 
again: 

USERENV(298.bf0) 12:51:58:514 PolicyChangedThread: UpdateUser failed with 6. 

Very weird :-( 

Pierre 




"Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx 

08/03/2007 12:58 

Please respond to
gptalk@xxxxxxxxxxxxx

To

<gptalk@xxxxxxxxxxxxx> 

cc

        
Subject

[gptalk] Re: Not all Group Policy settings being applied

 

                




Hi Pierre, 
  
I have seen the problem before but cannot recall exactly what it was. There is 
a Microsoft article that refers to the message, but I don’t think it is your 
error:- http://support.microsoft.com/kb/257580 
  
It is related to the GPO processing not being able to find out the username 
(obviously)  and I am not sure if there is something wrong with the username 
(disabled, or expired) or perhaps the machine needs to be removed and readded 
to the domain, or perhaps it can no longer get to the domain controller for 
some reason. Is there any event log record written? 
  
Alan Cuthbertson 
  

 

________________________________


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: Thursday, 8 March 2007 10:02 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Not all Group Policy settings being applied 
  

Hi Alan 

Many thanks for your very interesting e-mail. This is indeed a very strange 
problem I'm encountering on some of our workstations. 
I've enabled user environment debug logging via the registry and on one of 
these problem workstations I have noted the following entries in the log file: 

USERENV(378.7b0) 10:54:17:200 MyGetUserName:  GetUserNameEx failed with 1355. 
USERENV(378.7b0) 10:54:47:699 MyGetUserName:  GetUserNameEx failed with 1355. 
USERENV(378.7b0) 10:55:18:196 MyGetUserName:  GetUserNameEx failed with 1355. 
USERENV(378.7b0) 10:55:48:693 MyGetUserName:  GetUserNameEx failed with 1355. 
USERENV(378.7b0) 10:55:48:693 ProcessGPOs: MyGetUserName failed with 1355. 
. 
. 
. 
USERENV(3ac.c60) 09:54:52:042 MyRegUnLoadKey:  Failed to unmount hive 00000005 
USERENV(3ac.c60) 09:54:52:042 UnLoadClassHive: failed to unload classes key 
with 5 
USERENV(3ac.c60) 09:54:52:042 DumpOpenRegistryHandle: 2 user registry Handles 
leaked from 
\Registry\User\S-1-5-21-2676610465-2331551837-1842337626-500_Classes 
USERENV(3ac.c60) 09:54:52:042 ReportError: Impersonating user. 
USERENV(3ac.c60) 09:54:52:042 CUserProfile::WatchHiveRefCount: Failed to 
restore the privilege. error = c0000022 
USERENV(3ac.694) 19:47:30:723 CEvents::Report: ReportEvent failed.  Error = 
1717 
USERENV(3ac.3b0) 09:13:48:640 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:13:48:656 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:13:48:656 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is 
not 0 
USERENV(3ac.f54) 11:17:14:962 PolicyChangedThread: UpdateUser failed with 6. 

So there seems to be something wrong. But the problem is what could be causing 
such a problem and how can I resolve it? 

Thanks 
Pierre 

"Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx 

07/03/2007 22:34 

 

Please respond to
gptalk@xxxxxxxxxxxxx

 

To

<gptalk@xxxxxxxxxxxxx> 

cc

  

Subject

[gptalk] Re: Not all Group Policy settings being applied


  

 

  

 





Hi Pierre, 
 
One thing that might be catching you is if you have not enabled “process even 
if the group Policy Objects have not changed” under “Machine\Administrative 
templates\system\group Policy\registry policy processing”. The default is to 
only process it if the group policy changes. This means that if the setting is 
wrong, it will remain wrong until the policy changes. You can run “GPUPDATE 
/Force” which will reapply all policies unconditionally to see if this fixes 
the problem. If this is the case, we can work out why the machine thought the 
policy was already applied. 
 
If this is not the problem, go for the UserEnv Log! 
 
You can enable logging and check out the log to find out:- 
1.        Is the Policy being detected in the OU structure? 
2.        Is it passing security filtering? 
3.        Is it attempting to apply the ADM component of the policy? 
4.        Is it trying to apply the registry key that was expected? 
 
You can then check if the registry key is actually in place 
 
Failure at any one of these levels could cause the problem. 
 
You can checkout http://support.microsoft.com/kb/221833/en-us 
<http://support.microsoft.com/kb/221833/en-us>  to see how to enable 
logging…. Or you can download and install my Policy Log Reporter (see below). 
By default it checks the machine it is installed on, but you can also point it 
at a remote machine. It provides a button to enable logging and it will parse 
the log and show it in a more structured way. 
 
If you still can’t understand what is going on, post the log and we can check 
it out for you. 
 
Alan Cuthbertson 
 
 
Policy Management Software:- 
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml 
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>  
 
ADM Template Editor:- 
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml 
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>  
 
Policy Log Reporter(Free) 
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml 
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>  
 
 
 
  


  

________________________________



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: Thursday, 8 March 2007 2:42 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Not all Group Policy settings being applied 
 

Hi Everyone! 

I am encountering a problem on certain Windows XP Pro (SP2) workstations where 
not all settings of the W2K3 group policy are being applied. The setting which 
is not being applied is the Windows Automatic Updates. It is company policy to 
disable automatic download of MS updates. The majority of our workstations are 
having this policy setting applied correctly but some are not having this 
setting applied. They are having other settings applied e.g. disabling the Run 
command, etc., but not this one. All the workstations belong to the same AD 
domain and all have a common group policy. 
Has anyone encountered this problem before? Any comments/help would be very 
much appreciated. 

Thanks in advance 
Pierre 

Other related posts: