[gptalk] Re: Not all Group Policy settings being applied

  • From: Thorbjörn Sjövold <thorbjorn.sjovold@xxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 8 Mar 2007 23:29:19 +0100

Pierre,

It looks OK and should do the trick. Verify manually that the value 
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate really 
is updated and set to 1, and if it is, I would say that GP is working and you 
should try a WSUS list/newsgroup for this specific problem.

 

Best,

Thorbjörn Sjövold
Special Operations Software
www.specopssoft.com <http://www.specopssoft.com/>
thorbjorn.sjovold a t specopssoft.com

Download our free tool for remote Gpupdate with graphical reporting,
http://www.specopssoft.com/products/specopsgpupdate/

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: den 8 mars 2007 14:48
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Not all Group Policy settings being applied

 


Hi Alan 

I've enabled Verbose logging and when checking the UserEnv log I see the 
following entries: 

USERENV(3ac.2dc) 13:03:16:078 ParseRegistryFile: Entering with <\\fosterclark.local\SysVol\fosterclark.local\Policies\{BEA671BC-1917-48C1-8566-0480F2B1819B}\User\registry.pol>.
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoWindowsUpdate => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoNetworkConnections => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoStartMenuNetworkPlaces => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoSMConfigurePrograms => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoDesktopCleanupWizard => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoAutoUpdate => 1  [OK]

However, when checking to see whether Turn off Automatic Updates is enabled, it 
is not, but I find Automatic enabled instead. According to the above entries in 
the log it was supposed to have been switched off. 

Thanks 
Pierre 

P.S. If you want a copy of the log I can e-mail it to you if you wish. 
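
An added example, not part of the original thread: a small parser for the verbose UserEnv log that records which half of the GPO (User or Machine registry.pol) produced each SetRegistryValue entry and counts the "failed with" errors. The sample lines are taken from the excerpts quoted in this thread, with mail wrapping removed; the function names analyze and scopes_for are hypothetical.

```python
import re
from collections import Counter

# Sample lines copied from the log excerpts quoted in this thread, rejoined so
# that each entry sits on one line (the parser assumes unwrapped input).
SAMPLE_LOG = r"""
USERENV(378.7b0) 10:55:48:693 MyGetUserName:  GetUserNameEx failed with 1355.
USERENV(378.7b0) 10:55:48:693 ProcessGPOs: MyGetUserName failed with 1355.
USERENV(3ac.2dc) 13:03:16:078 ParseRegistryFile: Entering with <\\fosterclark.local\SysVol\fosterclark.local\Policies\{BEA671BC-1917-48C1-8566-0480F2B1819B}\User\registry.pol>.
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoWindowsUpdate => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoAutoUpdate => 1  [OK]
USERENV(298.bf0) 12:51:58:514 PolicyChangedThread: UpdateUser failed with 6.
"""

ENTRY = re.compile(r"^USERENV\((\w+)\.(\w+)\)\s+(\d\d:\d\d:\d\d:\d\d\d)\s+([\w:]+):\s+(.*)$")
POL_FILE = re.compile(r"\\(User|Machine)\\registry\.pol>", re.IGNORECASE)
SET_VALUE = re.compile(r"^(\S+) => (.*?)\s+\[(\w+)\]$")
FAILED = re.compile(r"(\w+) failed with (\w+)")


def analyze(log_text):
    """Return (writes, failures): registry writes tagged with the GPO half
    whose registry.pol was being parsed, and a count of each failing call."""
    writes, failures = [], Counter()
    scope = {}  # thread id -> "User"/"Machine" of the registry.pol in progress
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank or wrapped continuation line
        _pid, tid, _stamp, func, msg = m.groups()
        if func == "ParseRegistryFile" and (p := POL_FILE.search(msg)):
            scope[tid] = p.group(1).capitalize()
        elif func == "SetRegistryValue" and (s := SET_VALUE.match(msg)):
            writes.append((scope.get(tid, "unknown"), s.group(1), s.group(2), s.group(3)))
        elif (f := FAILED.search(msg)):
            failures[(f.group(1), f.group(2))] += 1
    return writes, failures


def scopes_for(writes, name):
    """Which GPO halves wrote the named value (User -> per-user hive)."""
    return {scope for scope, value_name, _v, _s in writes if value_name == name}
```

On the sample, scopes_for reports that NoAutoUpdate was written while the User half of the GPO was being processed, so that write went to the per-user hive rather than to an HKLM key.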




"Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx
08/03/2007 13:53
Please respond to: gptalk@xxxxxxxxxxxxx
To: <gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: Not all Group Policy settings being applied




Pierre, 
  
I think the event log record refers to the Machine based processing, whereas 
the entry in the UserEnv log refers to the User based processing. 
  
Are you sure you have verbose logging enabled? You should be getting a lot more 
messages. Refer to http://support.microsoft.com/kb/221833/en-us

Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 10002 (Hexadecimal) 65538 (decimal)
  
Alan Cuthbertson 
  

 

________________________________


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: Thursday, 8 March 2007 11:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Not all Group Policy settings being applied 
  

Hi Alan 

What I see in the event log is this: 

Event Type:     Information
Event Source:   SceCli
Event Category: None
Event ID:       1704
Date:           08/03/2007
Time:           12:52:01
User:           N/A
Computer:       PRDWW01
Description:
Security policy in the Group policy objects has been applied successfully.

Which means that the Group Policy is being applied which is not true as only 
part of it is being applied. But checking the log again I see the following 
again: 

USERENV(298.bf0) 12:51:58:514 PolicyChangedThread: UpdateUser failed with 6. 

Very weird :-( 

Pierre 

"Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx
08/03/2007 12:58
Please respond to: gptalk@xxxxxxxxxxxxx
To: <gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: Not all Group Policy settings being applied





Hi Pierre, 
 
I have seen the problem before but cannot recall exactly what it was. There is 
a Microsoft article that refers to the message, but I don’t think it is your 
error:- http://support.microsoft.com/kb/257580 
 
It is related to the GPO processing not being able to find out the username 
(obviously), and I am not sure if there is something wrong with the username 
(disabled, or expired) or perhaps the machine needs to be removed and re-added 
to the domain, or perhaps it can no longer get to the domain controller for 
some reason. Is there any event log record written? 
 
Alan Cuthbertson 
  


  

________________________________



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: Thursday, 8 March 2007 10:02 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Not all Group Policy settings being applied 
 

Hi Alan 

Many thanks for your very interesting e-mail. This is indeed a very strange 
problem I'm encountering on some of our workstations. 
I've enabled user environment debug logging via the registry and on one of 
these problem workstations I have noted the following entries in the log file: 

USERENV(378.7b0) 10:54:17:200 MyGetUserName:  GetUserNameEx failed with 1355. 
USERENV(378.7b0) 10:54:47:699 MyGetUserName:  GetUserNameEx failed with 1355. 
USERENV(378.7b0) 10:55:18:196 MyGetUserName:  GetUserNameEx failed with 1355. 
USERENV(378.7b0) 10:55:48:693 MyGetUserName:  GetUserNameEx failed with 1355. 
USERENV(378.7b0) 10:55:48:693 ProcessGPOs: MyGetUserName failed with 1355. 
. 
. 
. 
USERENV(3ac.c60) 09:54:52:042 MyRegUnLoadKey:  Failed to unmount hive 00000005
USERENV(3ac.c60) 09:54:52:042 UnLoadClassHive: failed to unload classes key with 5
USERENV(3ac.c60) 09:54:52:042 DumpOpenRegistryHandle: 2 user registry Handles leaked from \Registry\User\S-1-5-21-2676610465-2331551837-1842337626-500_Classes
USERENV(3ac.c60) 09:54:52:042 ReportError: Impersonating user.
USERENV(3ac.c60) 09:54:52:042 CUserProfile::WatchHiveRefCount: Failed to restore the privilege. error = c0000022
USERENV(3ac.694) 19:47:30:723 CEvents::Report: ReportEvent failed.  Error = 1717
USERENV(3ac.3b0) 09:13:48:640 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:13:48:656 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:13:48:656 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.f54) 11:17:14:962 PolicyChangedThread: UpdateUser failed with 6. 

So there seems to be something wrong. But the problem is what could be causing 
such a problem and how can I resolve it? 

Thanks 
Pierre 

"Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx
07/03/2007 22:34
Please respond to: gptalk@xxxxxxxxxxxxx
To: <gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: Not all Group Policy settings being applied





Hi Pierre, 

One thing that might be catching you is if you have not enabled “process even 
if the group Policy Objects have not changed” under “Machine\Administrative 
templates\system\group Policy\registry policy processing”. The default is to 
only process it if the group policy changes. This means that if the setting is 
wrong, it will remain wrong until the policy changes. You can run “GPUPDATE 
/Force” which will reapply all policies unconditionally to see if this fixes 
the problem. If this is the case, we can work out why the machine thought the 
policy was already applied. 

If this is not the problem, go for the UserEnv Log! 

You can enable logging and check out the log to find out:- 
1. Is the Policy being detected in the OU structure? 
2. Is it passing security filtering? 
3. Is it attempting to apply the ADM component of the policy? 
4. Is it trying to apply the registry key that was expected? 

You can then check if the registry key is actually in place. 

Failure at any one of these levels could cause the problem. 

You can check out http://support.microsoft.com/kb/221833/en-us to see how to 
enable logging... Or you can download and install my Policy Log Reporter (see 
below). By default it checks the machine it is installed on, but you can also 
point it at a remote machine. It provides a button to enable logging and it 
will parse the log and show it in a more structured way. 

If you still can’t understand what is going on, post the log and we can check 
it out for you. 

Alan Cuthbertson 


Policy Management Software:- 
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml 

ADM Template Editor:- 
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml 

Policy Log Reporter (Free):- 
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml 



  



  

________________________________




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: Thursday, 8 March 2007 2:42 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Not all Group Policy settings being applied 


Hi Everyone! 

I am encountering a problem on certain Windows XP Pro (SP2) workstations where 
not all settings of the W2K3 group policy are being applied. The setting which 
is not being applied is the Windows Automatic Updates. It is company policy to 
disable automatic download of MS updates. The majority of our workstations are 
having this policy setting applied correctly but some are not having this 
setting applied. They are having other settings applied e.g. disabling the Run 
command, etc., but not this one. All the workstations belong to the same AD 
domain and all have a common group policy. 
Has anyone encountered this problem before? Any comments/help would be very 
much appreciated. 

Thanks in advance 
Pierre 
