[gptalk] Re: Puzzler - GP for one OU not being applied

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Sat, 6 Sep 2008 08:47:21 +1000

Hi,

 

Just realised that running GPUpdate /force would be a useful test since this
will also force registry processing to occur.

 

Alan Cuthbertson

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: Saturday, 6 September 2008 8:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Puzzler - GP for one OU not being applied

 

Hi,

 

I would agree with Darren that the Ntuser.pol file should be in place. Since
it is created by Registry Processing to store the list of Non tattooed
policies to be removed at the next processing cycle,  the only reasons that
it may not be created would be if you did not do registry processing, or if
the registry processing does not contain Non-Tattooed policies (I?m not
saying it won?t be there if there is no non-tattooed policies, just saying
it may not be..)

 

It is possible that the problem is that you do not have ?Process even if
Group Policy has not changed? set for Template processing changed. This
would mean that Policy processing will only run once. If something else is
resetting the entry it will not get fixed on the second run. 

 

I would suggest you turn this on. If nothing else, your userenv log will
then show an entry where it is referencing NtUser.pol and removing the non
tattooed settings from the previous cycle. 

 

Rereading your original post, I am wondering whether you have set up this
account to always get a default profile each session. If so, the ntuser.pol
file may be missing from that default profile which could explain some of
your observed behavior??

 

 

Alan Cuthbertson

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Saturday, 6 September 2008 5:40 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Puzzler - GP for one OU not being applied

 

Nope. Its definitely there?see the screenshot below of my Vista machine:

 



 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Al Bracco
Sent: Friday, September 05, 2008 12:30 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Puzzler - GP for one OU not being applied

 

Darren,

I was at another client today that use group policy. I looked on one of
their PCs, and again, no trace of an ntuser.pol file. Could that possibly be
something created by pre-2003 versions of  group policy in Windows servers? 

Al



At 12:04 AM 9/5/2008, you wrote:

That really doesn?t tell us much. Basically GP processing is not happening
because nothing has changed since the last cycle. There has to be a
ntuser.pol for both computer and user if you are deploying Admin. Template
policy. Not sure why you can?t find it. You might want to try dropping out
to the cmd shell and doing a dir with the hidden and system attributes
shown.
 
Darren
 
From: gptalk-bounce@xxxxxxxxxxxxx [ <mailto:gptalk-bounce@xxxxxxxxxxxxx>
mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Al Bracco
Sent: Thursday, September 04, 2008 6:52 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Puzzler - GP for one OU not being applied
 
I used a different tool which looks at the userenv log and here's what it
found:

( I changed the actual domain and server names, the copmuter name is AA41,
the username is OPR427 and the policyname is WH)

Program Hex      Time     Sub Routine     Message Text    Elapased Time
USERENV 2d0.710  21:26:54:548     IsSyncForegroundPolicyRefresh
Asynchronous, Reason: NoNeedForSync      
USERENV 2d0.710  21:26:54:564    ApplyGroupPolicy         Entering. Flags =
e     0.000
USERENV 2d0.710  21:26:54:564    ProcessGPOs               0.000
USERENV 2d0.710  21:26:54:564    ProcessGPOs               0.000
USERENV 2d0.710  21:26:54:564    ProcessGPOs      Starting user Group Policy
(Async forground) processing...      0.000
USERENV 2d0.710  21:26:54:564    ProcessGPOs               0.000
USERENV 2d0.710  21:26:54:564    ProcessGPOs               0.000
USERENV 2d0.710  21:26:54:564     EnterCriticalPolicySectionEx     Entering
with timeout 600000 and flags 0x0      0.000
USERENV 2d0.710  21:26:54:564     EnterCriticalPolicySectionEx    User
critical section has been claimed.  Handle = 0x7bc 0.000
USERENV 2d0.710  21:26:54:642     EnterCriticalPolicySectionEx     Leaving
successfully.   0.078
USERENV 2d0.710  21:26:54:642    ProcessGPOs      Machine role is 2.
0.078
USERENV 2d0.710  21:26:54:658    PingComputer     Adapter speed 100000000
bps     0.094
USERENV 2d0.710  21:26:54:658    PingComputer     First time:  0  0.094
USERENV 2d0.710  21:26:54:658    PingComputer     Fast link.  Exiting.
0.094
USERENV 2d0.710  21:26:54:673    ProcessGPOs      User name is:
CN=OPR427,OU=WH,DC=domainname,DC=LOCAL, Domain name is:  domainname
0.109
USERENV 2d0.710  21:26:54:673    ProcessGPOs      Domain controller is:
\\servname.domainname.LOCAL  Domain DN is domainname.LOCAL        0.109
USERENV 2d0.710  21:26:54:673    ReadGPExtensions         Rsop entry point
not found for gptext.dll.      0.109
USERENV 2d0.710  21:26:54:673    ReadGPExtensions         Rsop entry point
not found for dskquota.dll.    0.109
USERENV 2d0.710  21:26:54:673    ReadGPExtensions         Rsop entry point
not found for gptext.dll.      0.109
USERENV 2d0.710  21:26:54:673    ReadGPExtensions         Rsop entry point
not found for iedkcs32.dll.    0.109
USERENV 2d0.710  21:26:54:673    ReadGPExtensions         Rsop entry point
not found for scecli.dll.      0.109
USERENV 2d0.710  21:26:54:673    ReadGPExtensions         Rsop entry point
not found for C:\WINDOWS\System32\cscui.dll.   0.109
USERENV 2d0.710  21:26:54:673    ReadGPExtensions         Rsop entry point
not found for gptext.dll.      0.109
USERENV 2d0.710  21:26:54:673    ReadExtStatus    Reading Previous Status
for extension {35378EAC-683F-11D2-A89A-00C04FBBCFA2}     0.109
USERENV 2d0.710  21:26:54:673    ReadStatus       Read Extension's Previous
status successfully.  0.109
USERENV 2d0.710  21:26:54:673    ReadExtStatus    Reading Previous Status
for extension {0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}     0.109
USERENV 2d0.710  21:26:54:689    ReadExtStatus    Reading Previous Status
for extension {25537BA6-77A8-11D2-9B6C-0000F8080861}     0.125
USERENV 2d0.710  21:26:54:704    ReadExtStatus    Reading Previous Status
for extension {3610eda5-77ef-11d2-8dc5-00c04fa31a66}     0.140
USERENV 2d0.710  21:26:54:704    ReadExtStatus    Reading Previous Status
for extension {426031c0-0b47-4852-b0ca-ac3d37bfcb39}     0.140
USERENV 2d0.710  21:26:54:704    ReadExtStatus    Reading Previous Status
for extension {42B5FAAE-6536-11d2-AE5A-0000F87571E3}     0.140
USERENV 2d0.710  21:26:54:704    ReadExtStatus    Reading Previous Status
for extension {4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}     0.140
USERENV 2d0.710  21:26:54:704    ReadExtStatus    Reading Previous Status
for extension {827D319E-6EAC-11D2-A4EA-00C04F79F83A}     0.140
USERENV 2d0.710  21:26:54:720    ReadExtStatus    Reading Previous Status
for extension {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}     0.156
USERENV 2d0.710  21:26:54:720    ReadStatus       Read Extension's Previous
status successfully.  0.156
USERENV 2d0.710  21:26:54:720    ReadExtStatus    Reading Previous Status
for extension {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}     0.156
USERENV 2d0.710  21:26:54:720    ReadExtStatus    Reading Previous Status
for extension {C631DF4C-088F-4156-B058-4375F0853CD8}     0.156
USERENV 2d0.710  21:26:54:720    ReadExtStatus    Reading Previous Status
for extension {c6dc5466-785a-11d2-84d0-00c04fb169f7}     0.156
USERENV 2d0.710  21:26:54:720    ReadExtStatus    Reading Previous Status
for extension {e437bc1c-aa7d-11d2-a382-00c04f991e27}     0.156
USERENV 2d0.710  21:26:54:720    ProcessGPOs      Calling GetGPOInfo for
normal policy mode       0.156
USERENV 2d0.710  21:26:54:720    GetGPOInfo
********************************         0.156
USERENV 2d0.710  21:26:54:736    GetGPOInfo       Entering...      0.172
USERENV 2d0.710  21:26:54:736    GetGPOInfo       Server connection
established.  0.172
USERENV 2d0.710  21:26:54:736    GetGPOInfo       Bound successfully.
0.172
USERENV 2d0.710  21:26:54:736    SearchDSObject   Searching
<OU=WH,DC=domainname,DC=LOCAL>         0.172
USERENV 2d0.710  21:26:54:736    SearchDSObject   Found GPO(s):
<[LDAP://cn={A0F46AC4-BAFE-49B2-85B1-009C9902D073},cn=policies,cn=system,DC=
domainname,DC=LOCAL;2]>       0.172
USERENV 2d0.710  21:26:54:736    ProcessGPO
==============================  0.172
USERENV 2d0.710  21:26:54:736    ProcessGPO       Deferring search for
<LDAP://cn={A0F46AC4-BAFE-49B2-85B1-009C9902D073},cn=policies,cn=system,DC=d
omainname,DC=LOCAL>     0.172
USERENV 2d0.710  21:26:54:751    SearchDSObject   Searching
<DC=domainname,DC=LOCAL>       0.187
USERENV 2d0.710  21:26:54:751    SearchDSObject   Found GPO(s):
<[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=
domainname,DC=LOCAL;1]>       0.187
USERENV 2d0.710  21:26:54:751    SearchDSObject   The link to GPO
LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=do
mainname,DC=LOCAL is disabled.  It will be skipped for processing.  0.187
USERENV 2d0.710  21:26:54:751    SearchDSObject   Searching
<CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=LOCAL
>  0.187
USERENV 2d0.710  21:26:54:751    SearchDSObject   No GPO(s) for this object.
0.187
USERENV 2d0.710  21:26:54:751     EvaluateDeferredGPOs    Searching for GPOs
in cn=policies,cn=system,DC=domainname,DC=LOCAL       0.187
USERENV 2d0.710  21:26:54:783    ProcessGPO       Found common name of:
<{A0F46AC4-BAFE-49B2-85B1-009C9902D073}>  0.219
USERENV 2d0.710  21:26:54:783    ProcessGPO       Found display name of:
<WH User Policy>         0.219
USERENV 2d0.710  21:26:54:783    ProcessGPO       Found user version of:
GPC is 14, GPT is 14    0.219
USERENV 2d0.710  21:26:54:798    ProcessGPO       Found flags of:  0
0.234
USERENV 2d0.710  21:26:54:798    ProcessGPO       Found extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3
}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE
3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79
F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]      0.234
USERENV 2d0.710  21:26:54:798    ProcessGPO
==============================  0.234
USERENV 2d0.710  21:26:54:798    GetGPOInfo       Local GPO's gpt.ini is not
accessible, assuming default state.  0.234
USERENV 2d0.710  21:26:54:798    GetGPOInfo       Leaving with 1  0.234
USERENV 2d0.710  21:26:54:798    GetGPOInfo
********************************         0.234
USERENV 2d0.710  21:26:54:798    ProcessGPOs      Logging Data for Target
<OPR427>.        0.234
USERENV 2d0.710  21:26:54:798    ProcessGPOs      OpenThreadToken failed
with error 1008, assuming thread is not impersonating    0.234
USERENV 2d0.710  21:26:54:798    ProcessGPOs      -----------------------
0.234
USERENV 2d0.710  21:26:54:798    ProcessGPOs      Processing extension
Registry   0.234
USERENV 2d0.710  21:26:54:798    ReadStatus       Read Extension's Previous
status successfully.  0.234
USERENV 2d0.710  21:26:54:798    CompareGPOLists  The lists are the same.
0.234
USERENV 2d0.710  21:26:54:814    CheckGPOs        No GPO changes and no
security group membership change and extension Registry has NoGPOChanges
set.     0.250
USERENV 2d0.710  21:26:54:814    ProcessGPOs      -----------------------
0.250
USERENV 2d0.710  21:26:54:814    ProcessGPOs      -----------------------
0.250
USERENV 2d0.710  21:26:54:814    ProcessGPOs      Processing extension
Wireless   0.250
USERENV 2d0.710  21:26:54:814    CompareGPOLists  The lists are the same.
0.250
USERENV 2d0.710  21:26:54:814    CheckGPOs        No GPO changes but
couldn't read extension Wireless's status or policy time.    0.250
USERENV 2d0.710  21:26:54:814    ProcessGPOs      Extension Wireless skipped
with flags 0x1000e.  0.250
USERENV 2d0.710  21:26:54:814    ProcessGPOs      -----------------------
0.250
USERENV 2d0.710  21:26:54:814    ProcessGPOs      Processing extension
Folder Redirection 0.250
USERENV 2d0.710  21:26:54:814    CompareGPOLists  The lists are the same.
0.250
USERENV 2d0.710  21:26:54:814    CompareGPOLists  The lists are the same.
0.250
USERENV 2d0.710  21:26:54:814    CheckGPOs        No GPO changes but
couldn't read extension Folder Redirection's status or policy time.  0.250
USERENV 2d0.710  21:26:54:814    ProcessGPOs      Extension Folder
Redirection skipped because both deleted and changed GPO lists are empty.
0.250
USERENV 2d0.710  21:26:54:814    ProcessGPOs      -----------------------
0.250
USERENV 2d0.710  21:26:54:829    ProcessGPOs      Processing extension
Microsoft Disk Quota       0.265
USERENV 2d0.710  21:26:54:829    CompareGPOLists  The lists are the same.
0.265
USERENV 2d0.710  21:26:54:829    CheckGPOs        No GPO changes but
couldn't read extension Microsoft Disk Quota's status or policy time.
0.265
USERENV 2d0.710  21:26:54:829    ProcessGPOs      Extension Microsoft Disk
Quota skipped with flags 0x1000e.      0.265
USERENV 2d0.710  21:26:54:829    ProcessGPOs      -----------------------
0.265
USERENV 2d0.710  21:26:54:829    ProcessGPOs      Processing extension QoS
Packet Scheduler        0.265
USERENV 2d0.710  21:26:54:829    CompareGPOLists  The lists are the same.
0.265
USERENV 2d0.710  21:26:54:829    CheckGPOs        No GPO changes but
couldn't read extension QoS Packet Scheduler's status or policy time.
0.265
USERENV 2d0.710  21:26:54:829    ProcessGPOs      Extension QoS Packet
Scheduler skipped with flags 0x1000e.      0.265
USERENV 2d0.710  21:26:54:829    ProcessGPOs      -----------------------
0.265
USERENV 2d0.710  21:26:54:829    ProcessGPOs      Processing extension
Scripts    0.265
USERENV 2d0.710  21:26:54:829    CompareGPOLists  The lists are the same.
0.265
USERENV 2d0.710  21:26:54:845    CheckGPOs        No GPO changes but
couldn't read extension Scripts's status or policy time.     0.281
USERENV 2d0.710  21:26:54:845    ProcessGPOs      Extension Scripts skipped
because both deleted and changed GPO lists are empty. 0.281
USERENV 2d0.710  21:26:54:845    ProcessGPOs      -----------------------
0.281
USERENV 2d0.710  21:26:54:845    ProcessGPOs      Processing extension
Internet Explorer Zonemapping      0.281
USERENV 2d0.710  21:26:54:845    CompareGPOLists  The lists are the same.
0.281
USERENV 2d0.710  21:26:54:845    CheckGPOs        No GPO changes but
couldn't read extension Internet Explorer Zonemapping's status or policy
time.       0.281
USERENV 2d0.710  21:26:54:845    ProcessGPOs      Extension Internet
Explorer Zonemapping skipped because both deleted and changed GPO lists are
empty.   0.281
USERENV 2d0.710  21:26:54:845    ProcessGPOs      -----------------------
0.281
USERENV 2d0.710  21:26:54:845    ProcessGPOs      Processing extension
Security   0.281
USERENV 2d0.710  21:26:54:845    CompareGPOLists  The lists are the same.
0.281
USERENV 2d0.710  21:26:54:845    CheckGPOs        No GPO changes but
couldn't read extension Security's status or policy time.    0.281
USERENV 2d0.710  21:26:54:845    ProcessGPOs      Extension Security skipped
with flags 0x1000e.  0.281
USERENV 2d0.710  21:26:54:845    ProcessGPOs      -----------------------
0.281
USERENV 2d0.710  21:26:54:861    ProcessGPOs      Processing extension
Internet Explorer Branding 0.297
USERENV 2d0.710  21:26:54:861    ReadStatus       Read Extension's Previous
status successfully.  0.297
USERENV 2d0.710  21:26:54:861    CompareGPOLists  The lists are the same.
0.297
USERENV 2d0.710  21:26:54:861    CheckGPOs        No GPO changes and no
security group membership change and extension Internet Explorer Branding
has NoGPOChanges set.   0.297
USERENV 2d0.710  21:26:54:861    ProcessGPOs      -----------------------
0.297
USERENV 2d0.710  21:26:54:861    ProcessGPOs      -----------------------
0.297
USERENV 2d0.710  21:26:54:861    ProcessGPOs      Processing extension EFS
recovery       0.297
USERENV 2d0.710  21:26:54:861    CompareGPOLists  One list is empty
0.297
USERENV 2d0.710  21:26:54:861    ProcessGPOs      Extension EFS recovery
skipped with flags 0x1000e.      0.297
USERENV 2d0.710  21:26:54:861    ProcessGPOs      -----------------------
0.297
USERENV 2d0.710  21:26:54:861    ProcessGPOs      Processing extension
Microsoft Offline Files    0.297
USERENV 2d0.710  21:26:54:861    CompareGPOLists  The lists are the same.
0.297
USERENV 2d0.710  21:26:54:876    CheckGPOs        No GPO changes but
couldn't read extension Microsoft Offline Files's status or policy time.
0.312
USERENV 2d0.710  21:26:54:876    ProcessGPOs      Extension Microsoft
Offline Files skipped with flags 0x1000e.   0.312
USERENV 2d0.710  21:26:54:876    ProcessGPOs      -----------------------
0.312
USERENV 2d0.710  21:26:54:876    ProcessGPOs      Processing extension
Software Installation      0.312
USERENV 2d0.710  21:26:54:876    CompareGPOLists  The lists are the same.
0.312
USERENV 2d0.710  21:26:54:876    CompareGPOLists  The lists are the same.
0.312
USERENV 2d0.710  21:26:54:876    CheckGPOs        No GPO changes but
couldn't read extension Software Installation's status or policy time.
0.312
USERENV 2d0.710  21:26:54:876    ProcessGPOs      Extension Software
Installation skipped because both deleted and changed GPO lists are empty.
0.312
USERENV 2d0.710  21:26:54:892    ProcessGPOs      -----------------------
0.328
USERENV 2d0.710  21:26:54:892    ProcessGPOs      Processing extension IP
Security         0.328
USERENV 2d0.710  21:26:54:892    CompareGPOLists  The lists are the same.
0.328
USERENV 2d0.710  21:26:54:892    CheckGPOs        No GPO changes but
couldn't read extension IP Security's status or policy time. 0.328
USERENV 2d0.710  21:26:54:892    ProcessGPOs      Extension IP Security
skipped with flags 0x1000e.       0.328
USERENV 2d0.710  21:26:54:892    SetFgRefreshInfo         Previous User Fg
policy Asynchronous, Reason: NoNeedForSync.    0.328
USERENV 2d0.710  21:26:54:892    ProcessGPOs      No WMI logging done in
this policy cycle.       0.328
USERENV 2d0.710  21:26:54:892     LeaveCriticalPolicySection       Critical
section 0x7bc has been released.        0.328
USERENV 2d0.710  21:26:54:892    ProcessGPOs      User Group Policy has been
applied.     0.328
USERENV 2d0.36c  21:29:26:311     IsSyncForegroundPolicyRefresh
Asynchronous, Reason: NoNeedForSync     0.000
USERENV 2d0.36c  21:29:26:311    ApplyGroupPolicy         Entering. Flags =
e     0.000
USERENV 2d0.36c  21:29:26:311    ProcessGPOs               0.000
USERENV 2d0.36c  21:29:26:311    ProcessGPOs               0.000
USERENV 2d0.36c  21:29:26:311    ProcessGPOs      Starting user Group Policy
(Async forground) processing...      0.000
USERENV 2d0.36c  21:29:26:311    ProcessGPOs               0.000
USERENV 2d0.36c  21:29:26:311    ProcessGPOs               0.000
USERENV 2d0.36c  21:29:26:327     EnterCriticalPolicySectionEx     Entering
with timeout 600000 and flags 0x0      0.016
USERENV 2d0.36c  21:29:26:327     EnterCriticalPolicySectionEx    User
critical section has been claimed.  Handle = 0x988 0.016
USERENV 2d0.36c  21:29:26:327     EnterCriticalPolicySectionEx     Leaving
successfully.   0.016
USERENV 2d0.36c  21:29:26:327    ProcessGPOs      Machine role is 2.
0.016
USERENV 2d0.36c  21:29:26:389    PingComputer     Adapter speed 100000000
bps     0.078
USERENV 2d0.36c  21:29:26:405    PingComputer     First time:  0  0.094
USERENV 2d0.36c  21:29:26:405    PingComputer     Fast link.  Exiting.
0.094
USERENV 2d0.36c  21:29:26:420    ProcessGPOs      User name is:
CN=Administrator,CN=Users,DC=domainname,DC=LOCAL, Domain name is:
domainname    0.109
USERENV 2d0.36c  21:29:26:420    ProcessGPOs      Domain controller is:
\\servname.domainname.LOCAL  Domain DN is domainname.LOCAL        0.109
USERENV 2d0.36c  21:29:26:436    ReadGPExtensions         Rsop entry point
not found for gptext.dll.      0.125
USERENV 2d0.36c  21:29:26:436    ReadGPExtensions         Rsop entry point
not found for dskquota.dll.    0.125
USERENV 2d0.36c  21:29:26:436    ReadGPExtensions         Rsop entry point
not found for gptext.dll.      0.125
USERENV 2d0.36c  21:29:26:436    ReadGPExtensions         Rsop entry point
not found for iedkcs32.dll.    0.125
USERENV 2d0.36c  21:29:26:436    ReadGPExtensions         Rsop entry point
not found for scecli.dll.      0.125
USERENV 2d0.36c  21:29:26:436    ReadGPExtensions         Rsop entry point
not found for C:\WINDOWS\System32\cscui.dll.   0.125
USERENV 2d0.36c  21:29:26:436    ReadGPExtensions         Rsop entry point
not found for gptext.dll.      0.125
USERENV 2d0.36c  21:29:26:436    ReadExtStatus    Reading Previous Status
for extension {35378EAC-683F-11D2-A89A-00C04FBBCFA2}     0.125
USERENV 2d0.36c  21:29:26:436    ReadExtStatus    Reading Previous Status
for extension {0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}     0.125
USERENV 2d0.36c  21:29:26:436    ReadExtStatus    Reading Previous Status
for extension {25537BA6-77A8-11D2-9B6C-0000F8080861}     0.125
USERENV 2d0.36c  21:29:26:436    ReadExtStatus    Reading Previous Status
for extension {3610eda5-77ef-11d2-8dc5-00c04fa31a66}     0.125
USERENV 2d0.36c  21:29:26:452    ReadExtStatus    Reading Previous Status
for extension {426031c0-0b47-4852-b0ca-ac3d37bfcb39}     0.141
USERENV 2d0.36c  21:29:26:452    ReadExtStatus    Reading Previous Status
for extension {42B5FAAE-6536-11d2-AE5A-0000F87571E3}     0.141
USERENV 2d0.36c  21:29:26:452    ReadExtStatus    Reading Previous Status
for extension {4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}     0.141
USERENV 2d0.36c  21:29:26:452    ReadExtStatus    Reading Previous Status
for extension {827D319E-6EAC-11D2-A4EA-00C04F79F83A}     0.141
USERENV 2d0.36c  21:29:26:452    ReadExtStatus    Reading Previous Status
for extension {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}     0.141
USERENV 2d0.36c  21:29:26:452    ReadExtStatus    Reading Previous Status
for extension {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}     0.141
USERENV 2d0.36c  21:29:26:452    ReadExtStatus    Reading Previous Status
for extension {C631DF4C-088F-4156-B058-4375F0853CD8}     0.141
USERENV 2d0.36c  21:29:26:452    ReadExtStatus    Reading Previous Status
for extension {c6dc5466-785a-11d2-84d0-00c04fb169f7}     0.141
USERENV 2d0.36c  21:29:26:452    ReadExtStatus    Reading Previous Status
for extension {e437bc1c-aa7d-11d2-a382-00c04f991e27}     0.141
USERENV 2d0.36c  21:29:26:561    ProcessGPOs      Calling GetGPOInfo for
normal policy mode       0.250
USERENV 2d0.36c  21:29:26:561    GetGPOInfo
********************************         0.250
USERENV 2d0.36c  21:29:26:561    GetGPOInfo       Entering...      0.250
USERENV 2d0.36c  21:29:26:561    GetGPOInfo       Server connection
established.  0.250
USERENV 2d0.36c  21:29:26:577    GetGPOInfo       Bound successfully.
0.266
USERENV 2d0.36c  21:29:26:577    SearchDSObject   Searching
<DC=domainname,DC=LOCAL>       0.266
USERENV 2d0.36c  21:29:26:577    SearchDSObject   Found GPO(s):
<[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=
domainname,DC=LOCAL;1]>       0.266
USERENV 2d0.36c  21:29:26:577    SearchDSObject   The link to GPO
LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=do
mainname,DC=LOCAL is disabled.  It will be skipped for processing.  0.266
USERENV 2d0.36c  21:29:26:577    SearchDSObject   Searching
<CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=LOCAL
>  0.266
USERENV 2d0.36c  21:29:26:577    SearchDSObject   No GPO(s) for this object.
0.266
USERENV 2d0.36c  21:29:26:577    GetGPOInfo       Local GPO's gpt.ini is not
accessible, assuming default state.  0.266
USERENV 2d0.36c  21:29:26:592    GetGPOInfo       Leaving with 1  0.281
USERENV 2d0.36c  21:29:26:592    GetGPOInfo
********************************         0.281
USERENV 2d0.36c  21:29:26:592    ProcessGPOs      Logging Data for Target
<administrator>.         0.281
USERENV 2d0.36c  21:29:26:592    ProcessGPOs      OpenThreadToken failed
with error 1008, assuming thread is not impersonating    0.281
USERENV 2d0.36c  21:29:26:592    ProcessGPOs      -----------------------
0.281
USERENV 2d0.36c  21:29:26:592    ProcessGPOs      Processing extension
Registry   0.281
USERENV 2d0.36c  21:29:26:592    CompareGPOLists  The lists are the same.
0.281
USERENV 2d0.36c  21:29:26:592    CheckGPOs        No GPO changes but
couldn't read extension Registry's status or policy time.    0.281
USERENV 2d0.36c  21:29:26:592    ProcessGPOs      Extension Registry skipped
because both deleted and changed GPO lists are empty.         0.281
USERENV 2d0.36c  21:29:26:608    ProcessGPOs      -----------------------
0.297
USERENV 2d0.36c  21:29:26:608    ProcessGPOs      Processing extension
Wireless   0.297
USERENV 2d0.36c  21:29:26:608    CompareGPOLists  The lists are the same.
0.297
USERENV 2d0.36c  21:29:26:608    CheckGPOs        No GPO changes but
couldn't read extension Wireless's status or policy time.    0.297
USERENV 2d0.36c  21:29:26:608    ProcessGPOs      Extension Wireless skipped
with flags 0x1000e.  0.297
USERENV 2d0.36c  21:29:26:608    ProcessGPOs      -----------------------
0.297
USERENV 2d0.36c  21:29:26:608    ProcessGPOs      Processing extension
Folder Redirection 0.297
USERENV 2d0.36c  21:29:26:608    CompareGPOLists  The lists are the same.
0.297
USERENV 2d0.36c  21:29:26:608    CompareGPOLists  The lists are the same.
0.297
USERENV 2d0.36c  21:29:26:608    CheckGPOs        No GPO changes but
couldn't read extension Folder Redirection's status or policy time.  0.297
USERENV 2d0.36c  21:29:26:608    ProcessGPOs      Extension Folder
Redirection skipped because both deleted and changed GPO lists are empty.
0.297
USERENV 2d0.36c  21:29:26:608    ProcessGPOs      -----------------------
0.297
USERENV 2d0.36c  21:29:26:608    ProcessGPOs      Processing extension
Microsoft Disk Quota       0.297
USERENV 2d0.36c  21:29:26:624    CompareGPOLists  The lists are the same.
0.313
USERENV 2d0.36c  21:29:26:624    CheckGPOs        No GPO changes but
couldn't read extension Microsoft Disk Quota's status or policy time.
0.313
USERENV 2d0.36c  21:29:26:624    ProcessGPOs      Extension Microsoft Disk
Quota skipped with flags 0x1000e.      0.313
USERENV 2d0.36c  21:29:26:624    ProcessGPOs      -----------------------
0.313
USERENV 2d0.36c  21:29:26:624    ProcessGPOs      Processing extension QoS
Packet Scheduler        0.313
USERENV 2d0.36c  21:29:26:624    CompareGPOLists  The lists are the same.
0.313
USERENV 2d0.36c  21:29:26:624    CheckGPOs        No GPO changes but
couldn't read extension QoS Packet Scheduler's status or policy time.
0.313
USERENV 2d0.36c  21:29:26:624    ProcessGPOs      Extension QoS Packet
Scheduler skipped with flags 0x1000e.      0.313
USERENV 2d0.36c  21:29:26:624    ProcessGPOs      -----------------------
0.313
USERENV 2d0.36c  21:29:26:624    ProcessGPOs      Processing extension
Scripts    0.313
USERENV 2d0.36c  21:29:26:639    CompareGPOLists  The lists are the same.
0.328
USERENV 2d0.36c  21:29:26:639    CheckGPOs        No GPO changes but
couldn't read extension Scripts's status or policy time.     0.328
USERENV 2d0.36c  21:29:26:639    ProcessGPOs      Extension Scripts skipped
because both deleted and changed GPO lists are empty. 0.328
USERENV 2d0.36c  21:29:26:639    ProcessGPOs      -----------------------
0.328
USERENV 2d0.36c  21:29:26:639    ProcessGPOs      Processing extension
Internet Explorer Zonemapping      0.328
USERENV 2d0.36c  21:29:26:639    CompareGPOLists  The lists are the same.
0.328
USERENV 2d0.36c  21:29:26:639    CheckGPOs        No GPO changes but
couldn't read extension Internet Explorer Zonemapping's status or policy
time.       0.328
USERENV 2d0.36c  21:29:26:639    ProcessGPOs      Extension Internet
Explorer Zonemapping skipped because both deleted and changed GPO lists are
empty.   0.328
USERENV 2d0.36c  21:29:26:639    ProcessGPOs      -----------------------
0.328
USERENV 2d0.36c  21:29:26:639    ProcessGPOs      Processing extension
Security   0.328
USERENV 2d0.36c  21:29:26:655    CompareGPOLists  The lists are the same.
0.344
USERENV 2d0.36c  21:29:26:655    CheckGPOs        No GPO changes but
couldn't read extension Security's status or policy time.    0.344
USERENV 2d0.36c  21:29:26:655    ProcessGPOs      Extension Security skipped
with flags 0x1000e.  0.344
USERENV 2d0.36c  21:29:26:655    ProcessGPOs      -----------------------
0.344
USERENV 2d0.36c  21:29:26:655    ProcessGPOs      Processing extension
Internet Explorer Branding 0.344
USERENV 2d0.36c  21:29:26:655    CompareGPOLists  The lists are the same.
0.344
USERENV 2d0.36c  21:29:26:655    CheckGPOs        No GPO changes but
couldn't read extension Internet Explorer Branding's status or policy time.
0.344
USERENV 2d0.36c  21:29:26:655    ProcessGPOs      Extension Internet
Explorer Branding skipped because both deleted and changed GPO lists are
empty.      0.344
USERENV 2d0.36c  21:29:26:655    ProcessGPOs      -----------------------
0.344
USERENV 2d0.36c  21:29:26:655    ProcessGPOs      Processing extension EFS
recovery       0.344
USERENV 2d0.36c  21:29:26:655    CompareGPOLists  The lists are the same.
0.344
USERENV 2d0.36c  21:29:26:655    CheckGPOs        No GPO changes but
couldn't read extension EFS recovery's status or policy time.         0.344
USERENV 2d0.36c  21:29:26:670    ProcessGPOs      Extension EFS recovery
skipped with flags 0x1000e.      0.359
USERENV 2d0.36c  21:29:26:670    ProcessGPOs      -----------------------
0.359
USERENV 2d0.36c  21:29:26:670    ProcessGPOs      Processing extension
Microsoft Offline Files    0.359
USERENV 2d0.36c  21:29:26:670    CompareGPOLists  The lists are the same.
0.359
USERENV 2d0.36c  21:29:26:670    CheckGPOs        No GPO changes but
couldn't read extension Microsoft Offline Files's status or policy time.
0.359
USERENV 2d0.36c  21:29:26:670    ProcessGPOs      Extension Microsoft
Offline Files skipped with flags 0x1000e.   0.359
USERENV 2d0.36c  21:29:26:670    ProcessGPOs      -----------------------
0.359
USERENV 2d0.36c  21:29:26:670    ProcessGPOs      Processing extension
Software Installation      0.359
USERENV 2d0.36c  21:29:26:670    CompareGPOLists  The lists are the same.
0.359
USERENV 2d0.36c  21:29:26:670    CompareGPOLists  The lists are the same.
0.359
USERENV 2d0.36c  21:29:26:670    CheckGPOs        No GPO changes but
couldn't read extension Software Installation's status or policy time.
0.359
USERENV 2d0.36c  21:29:26:670    ProcessGPOs      Extension Software
Installation skipped because both deleted and changed GPO lists are empty.
0.359
USERENV 2d0.36c  21:29:26:670    ProcessGPOs      -----------------------
0.359
USERENV 2d0.36c  21:29:26:686    ProcessGPOs      Processing extension IP
Security         0.375
USERENV 2d0.36c  21:29:26:686    CompareGPOLists  The lists are the same.
0.375
USERENV 2d0.36c  21:29:26:686    CheckGPOs        No GPO changes but
couldn't read extension IP Security's status or policy time. 0.375
USERENV 2d0.36c  21:29:26:686    ProcessGPOs      Extension IP Security
skipped with flags 0x1000e.       0.375
USERENV 2d0.36c  21:29:26:686    SetFgRefreshInfo         Previous User Fg
policy Asynchronous, Reason: NoNeedForSync.    0.375
USERENV 2d0.36c  21:29:26:686    ProcessGPOs      No WMI logging done in
this policy cycle.       0.375
USERENV 2d0.36c  21:29:26:686     LeaveCriticalPolicySection       Critical
section 0x988 has been released.        0.375
USERENV 2d0.36c  21:29:26:686    ProcessGPOs      User Group Policy has been
applied.     0.375





At 02:01 PM 9/4/2008, you wrote:

Al-
Absolutely the file exists when the user is not logged in. You will see it
under c:\documents and settings\username if you are logged in as
Administrator, which should work.

Darren
 
From: gptalk-bounce@xxxxxxxxxxxxx [  <mailto:gptalk-bounce@xxxxxxxxxxxxx>
mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Al Bracco
Sent: Thursday, September 04, 2008 10:13 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Puzzler - GP for one OU not being applied
 
Darren,

I suppose I have a bit of a catch-22. The "store" policy set that seems to
be getting enforced incorrectly will not allow the user to do what you
suggest. That means I would have to change the policy and that would affect
everyone else. Since this is behaving badly, I'm hesitant to do that. Is the
file you reference (ntuser.pol) only in existence when the user is logged
in, or does it hang around after logoff and I could I find it somehow if
logged in as administrator?

Al

At 04:28 PM 9/1/2008, you wrote:

Just out of curiosity, can you do the following:
 
Get either the command-line Regview.exe from the 2003 resource kit tools or
my GUI PolViewer.exe utility (  <http://www.gpoguy.com/polviewer.htm>
www.gpoguy.com/polviewer.htm).
While logged in as the user who is getting the errant policies, open the
file within %userprofile% called ntuser.pol (it might be hidden), from one
of the tools above. That file contains an archive of all of the GP registry
settings that are applying to the user. See if the errant policy is in that
list. If so, you might want to try renaming that file to something else and
then doing a gpupdate /force and see if that helps.
 
Darren
 
 
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com
<http://www.gpoguy.com/> -- the best source for GPO FAQs, video training,
tools and whitepapers. Also check out the Windows
<http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bb
s_1/104-1133146-9411929?v=glance&n=283155>  Group Policy Guide, the
definitive resource for Group Policy information. 
 
Group Policy Management, Troubleshooting & Reporting Solutions at:
http://www.sdmsoftware.com/products
 
 
 
From: gptalk-bounce@xxxxxxxxxxxxx [  <mailto:gptalk-bounce@xxxxxxxxxxxxx>
mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Al Bracco
Sent: Monday, September 01, 2008 1:13 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Puzzler - GP for one OU not being applied
 
I have previously posted this on Tek-tips = here is the transcript so far.
 
QUESTION:
Windows 2003 SP2 server (single DC). Had previously setup an OU and GP for 8
PCs located in stores that needed to be very locked down. Now one of those
PCs needs some additional functionality enable. I created a new OU and moved
that user account into it. I am using GPM. I created a new policy for that
OU with my user configuration changes. It has been linked and enforced. I
saw it work once for about 5 minutes after doing a gpupdate. After rebooting
the PC, it stopped working. Instead of the new policy being applied, the old
policy seems to be enforced. However, the new policy is the only one listed
for this OU in GPM. I am not enforcing a domain default policy, either.
 
If I run the Group Policy Results wizard for this computer/user, it shows my
new GP0 as being the only one applied. I know the settings in the policy
itself are correct.
 
Any ideas on where to look next?
 
Al
 
-------------------------------------------------------------------
 
HANDLE: gmail2
POSTED ON: Aug 21, 2008
 
REPLY: 
that sounds very strange indeed !!! You say that RSoP shows the policy being
applied so this should mean that the policies you have on place are being
applied .. why so you think thwy're not ??  Can you give us some examples of
what you configured that isn't working as expected ?
 
 
 
HANDLE: albracco
POSTED ON: Aug 22, 2008
 
REPLY: 
The store PCS are extremely locked down, so they can't change anything in
Windows - just run the retail sql application they need. One example is
printers. From the store PCs, they do not have the ability to get to Control
Panel at all, never mind do anything with printers. The one PC in question
is actually in the warehouse. That PC has 4 printers attached, and he needs
the ability to select a printer from various applications. So, we need to
unblock most restrictions to do with printers. When it worked for that brief
time, the user could see control panel, and the only thing in it was
Printers. And, from the various Windows applications, he could select the
printer he needed. When the policy is not applied, he is completely locked
out of those functions. We have had to keep him logged in as administrator
so he can do what he needs. Obviously, we don't want to continue that.
 
It seems like the old policy is still being applied, rather than the new
one. Maybe it had something to do with when I moved the user account to the
new OU? Perhaps I should try deleting the user account and creating a new
one? 
 
Al
-------------------------------------------------------------------
 
HANDLE: gmail2
POSTED ON: Aug 30, 2008
 
REPLY: 
sorry for the late reply on this.  I wouldn't go deleting the account, but
you could create a new one in the same environment, same group membership
etc, and see if the policies have been applied ok
 
Also, I presume you've already checked, but are there any warnings/errors in
eventviewer or RSoP that indicate group policy processing failed?
 
I still can't quiet understand how RSoP could show the settings you want yet
they're not being applied.  If you want you can use GPMC to save a HTML
report of group policy results (RSoP) and list it here, and I'll have a
look.  Change any company/user names etc on the report as you see fit.
 
Sorry I haven't been able to provide you with a concrete solution, but we
don't have to admit defeat just yet !!!
 
 
 
HANDLE: Lemon13
POSTED ON: Aug 31, 2008
 
REPLY: 
that i understand, the computers are in one ou and the restrictions apply,
the u created another ou where u put in a user that weakens the restrictions
for him on one of the pc´s in the other ou afik that wont work the
restrictions are cumulativ with the most restrictive in place
-------------------------------------------------------------------
 
HANDLE: gmail2
POSTED ON: Aug 31, 2008
 
REPLY: 
I don't think that's the case here because logging as admin means the
restrictions are not in place.  If the restrictions were per machine, it
would apply to all accounts, even local ones
 
 
[link 
-------------------------------------------------------------------
 
HANDLE: albracco
POSTED ON: Sep 1, 2008
 
REPLY: 
yes, the policies are per user, not computer. I don't have a default policy
that applies to everyone, just individual policies per OU and no policy for
admin. If I log into that computer with a username from the "stores" OU, it
applies the correct policies. if I login with the more restricted username,
I still get the store policy characteristics, even though that policy is
only linked to the stores OU.
 
A real puzzler...
-------------------------------------------------------------------
 
 

Al Bracco
GIAC Certified Computer Security Analyst
Microsoft, Linux and SCO Certified Professional

Open Systems Computing Corp
1341 Hamburg Turnpike
Suite 2, Floor 2
Wayne, NJ 07470
973-709-9400
973-709-9410 (fax)
www.opensystemscomputing.com <http://www.go2unix.com/> 
www.go2unix.com <http://www.go2unix.com/>  

Al Bracco
GIAC Certified Computer Security Analyst
Microsoft, Linux and SCO Certified Professional

Open Systems Computing Corp
1341 Hamburg Turnpike
Suite 2, Floor 2
Wayne, NJ 07470
973-709-9400
973-709-9410 (fax)
www.opensystemscomputing.com <http://www.go2unix.com/> 
www.go2unix.com 

Al Bracco
GIAC Certified Computer Security Analyst
Microsoft, Linux and SCO Certified Professional

Open Systems Computing Corp
1341 Hamburg Turnpike
Suite 2, Floor 2
Wayne, NJ 07470
973-709-9400
973-709-9410 (fax)
www.opensystemscomputing.com <http://www.opensystemscomputing.com/> 
www.go2unix.com <http://www.go2unix.com/> 


JPEG image

Other related posts: