[gptalk] Re: Not all Group Policy settings being applied

  • From: pierre.camilleri@xxxxxxxxxxxxxxx
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Thu, 8 Mar 2007 14:48:01 +0100

Hi Alan

I've enabled Verbose logging and when checking the UserEnv log I see the 
following entries:

USERENV(3ac.2dc) 13:03:16:078 ParseRegistryFile: Entering with <\\fosterclark.local\SysVol\fosterclark.local\Policies\{BEA671BC-1917-48C1-8566-0480F2B1819B}\User\registry.pol>.
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoWindowsUpdate => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoNetworkConnections => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoStartMenuNetworkPlaces => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoSMConfigurePrograms => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoDesktopCleanupWizard => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoAutoUpdate => 1  [OK]

However, when checking to see whether Turn off Automatic Updates is enabled,
it is not; I find Automatic enabled instead. According to the above
entries in the log, it was supposed to have been switched off.

Thanks
Pierre

P.S. If you want a copy of the log I can e-mail it to you if you wish.





"Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx
08/03/2007 13:53
Please respond to: gptalk@xxxxxxxxxxxxx
To: <gptalk@xxxxxxxxxxxxx>
cc:
Subject: [gptalk] Re: Not all Group Policy settings being applied

Pierre,
 
I think the event log record refers to the Machine based processing, 
whereas the entry in the UserEnv log refers to the User based processing.
 
Are you sure you have verbose logging enabled? You should be getting a lot 
more messages. Refer to http://support.microsoft.com/kb/221833/en-us
 
Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 10002 (hexadecimal), 65538 (decimal)
 
Alan Cuthbertson
 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: Thursday, 8 March 2007 11:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Not all Group Policy settings being applied
 

Hi Alan 

What I see in the event log is this: 

Event Type:        Information 
Event Source:        SceCli 
Event Category:        None 
Event ID:        1704 
Date:                08/03/2007 
Time:                12:52:01 
User:                N/A 
Computer:        PRDWW01 
Description: 
Security policy in the Group policy objects has been applied successfully. 


Which means that the Group Policy is being applied which is not true as 
only part of it is being applied. But checking the log again I see the 
following again: 

USERENV(298.bf0) 12:51:58:514 PolicyChangedThread: UpdateUser failed with 6.

Very weird :-( 

Pierre 



"Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx
08/03/2007 12:58
Please respond to: gptalk@xxxxxxxxxxxxx
To: <gptalk@xxxxxxxxxxxxx>
cc:
Subject: [gptalk] Re: Not all Group Policy settings being applied

Hi Pierre, 
  
I have seen the problem before but cannot recall exactly what it was. 
There is a Microsoft article that refers to the message, but I don’t think 
it is your error:- http://support.microsoft.com/kb/257580 
  
It is related to the GPO processing not being able to find out the
username (obviously), and I am not sure if there is something wrong with
the username (disabled, or expired) or perhaps the machine needs to be
removed and re-added to the domain, or perhaps it can no longer get to the
domain controller for some reason. Is there any event log record written?
  
Alan Cuthbertson 
 
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: Thursday, 8 March 2007 10:02 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Not all Group Policy settings being applied 
  

Hi Alan 

Many thanks for your very interesting e-mail. This is indeed a very 
strange problem I'm encountering on some of our workstations. 
I've enabled user environment debug logging via the registry and on one of 
these problem workstations I have noted the following entries in the log 
file: 

USERENV(378.7b0) 10:54:17:200 MyGetUserName:  GetUserNameEx failed with 1355.
USERENV(378.7b0) 10:54:47:699 MyGetUserName:  GetUserNameEx failed with 1355.
USERENV(378.7b0) 10:55:18:196 MyGetUserName:  GetUserNameEx failed with 1355.
USERENV(378.7b0) 10:55:48:693 MyGetUserName:  GetUserNameEx failed with 1355.
USERENV(378.7b0) 10:55:48:693 ProcessGPOs: MyGetUserName failed with 1355.

. 
. 
. 
USERENV(3ac.c60) 09:54:52:042 MyRegUnLoadKey:  Failed to unmount hive 00000005
USERENV(3ac.c60) 09:54:52:042 UnLoadClassHive: failed to unload classes key with 5
USERENV(3ac.c60) 09:54:52:042 DumpOpenRegistryHandle: 2 user registry Handles leaked from \Registry\User\S-1-5-21-2676610465-2331551837-1842337626-500_Classes
USERENV(3ac.c60) 09:54:52:042 ReportError: Impersonating user.
USERENV(3ac.c60) 09:54:52:042 CUserProfile::WatchHiveRefCount: Failed to restore the privilege. error = c0000022
USERENV(3ac.694) 19:47:30:723 CEvents::Report: ReportEvent failed.  Error = 1717
USERENV(3ac.3b0) 09:13:48:640 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:13:48:656 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:13:48:656 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3ac.f54) 11:17:14:962 PolicyChangedThread: UpdateUser failed with 6.

So there seems to be something wrong. But the problem is what could be 
causing such a problem and how can I resolve it? 

Thanks 
Pierre 

"Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx
07/03/2007 22:34
Please respond to: gptalk@xxxxxxxxxxxxx
To: <gptalk@xxxxxxxxxxxxx>
cc:
Subject: [gptalk] Re: Not all Group Policy settings being applied

Hi Pierre, 
 
One thing that might be catching you is if you have not enabled “process 
even if the group Policy Objects have not changed” under 
“Machine\Administrative templates\system\group Policy\registry policy 
processing”. The default is to only process it if the group policy 
changes. This means that if the setting is wrong, it will remain wrong 
until the policy changes. You can run “GPUPDATE /Force” which will reapply 
all policies unconditionally to see if this fixes the problem. If this is 
the case, we can work out why the machine thought the policy was already 
applied. 
 
If this is not the problem, go for the UserEnv Log! 
 
You can enable logging and check out the log to find out:-
1. Is the Policy being detected in the OU structure?
2. Is it passing security filtering?
3. Is it attempting to apply the ADM component of the policy?
4. Is it trying to apply the registry key that was expected?

You can then check if the registry key is actually in place.
 
Failure at any one of these levels could cause the problem. 
 
You can check out http://support.microsoft.com/kb/221833/en-us to see how
to enable logging... or you can download and install my Policy Log Reporter
(see below). By default it checks the machine it is installed on, but you
can also point it at a remote machine. It provides a button to enable
logging and it will parse the log and show it in a more structured way.
 
If you still can’t understand what is going on, post the log and we can 
check it out for you. 
 
Alan Cuthbertson 
 
 
Policy Management Software:- 
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml 
 
ADM Template Editor:- 
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml 
 
Policy Log Reporter(Free) 
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml 
 
 
 
 

 



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx
Sent: Thursday, 8 March 2007 2:42 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Not all Group Policy settings being applied 
 

Hi Everyone! 

I am encountering a problem on certain Windows XP Pro (SP2) workstations 
where not all settings of the W2K3 group policy are being applied. The 
setting which is not being applied is the Windows Automatic Updates. It is 
company policy to disable automatic download of MS updates. The majority 
of our workstations are having this policy setting applied correctly but 
some are not having this setting applied. They are having other settings 
applied e.g. disabling the Run command, etc., but not this one. All the 
workstations belong to the same AD domain and all have a common group 
policy. 
Has anyone encountered this problem before? Any comments/help would be 
very much appreciated. 

Thanks in advance 
Pierre 
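
Added example, not part of the original thread or any poster's code: a small Python triage of a UserEnv debug log in the format quoted above. It rejoins mail-wrapped entries, records whether each SetRegistryValue came from the User or Machine registry.pol, and decodes the failure codes seen in the thread. The sample log is constructed; its domain and GUID are placeholders.

```python
import re

# Standard Win32/NTSTATUS names for the codes that appear in the thread's log
CODES = {"5": "ERROR_ACCESS_DENIED", "6": "ERROR_INVALID_HANDLE",
         "1355": "ERROR_NO_SUCH_DOMAIN", "1717": "RPC_S_UNKNOWN_IF",
         "c0000022": "STATUS_ACCESS_DENIED"}
ENTRY = re.compile(r"^USERENV\(\w+\.\w+\) (\d\d:\d\d:\d\d:\d\d\d) ([\w:]+):\s*(.*)$")

# Constructed sample in the thread's format; domain and GUID are placeholders
SAMPLE = r"""
USERENV(3ac.2dc) 13:03:16:078 ParseRegistryFile: Entering with
<\\example.local\SysVol\example.local\Policies\{GUID-PLACEHOLDER}\User\registry.pol>.
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoWindowsUpdate => 1  [OK]
USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoAutoUpdate =>
1  [OK]
USERENV(378.7b0) 10:55:48:693 ProcessGPOs: MyGetUserName failed with 1355.
USERENV(3ac.f54) 11:17:14:962 PolicyChangedThread: UpdateUser failed with
6.
"""

def unwrap(text):
    # Rejoin entries that a mail client wrapped onto continuation lines
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("USERENV("):
            entries.append(line)
        elif line and line != "." and entries:
            entries[-1] += " " + line
    return entries

def analyse(text):
    applied, failures, side = [], [], None
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        ts, func, msg = m.groups()
        if func == "ParseRegistryFile":
            pol = re.search(r"\\(User|Machine)\\registry\.pol", msg, re.I)
            side = pol.group(1).capitalize() if pol else None
        elif func == "SetRegistryValue":
            v = re.match(r"(\S+) => (\S+)\s+\[(\w+)\]", msg)
            if v:  # (policy side, value name, data, result)
                applied.append((side, v.group(1), v.group(2), v.group(3)))
        else:
            f = re.search(r"(?:failed with|[Ee]rror =)\s*([0-9a-fA-F]+)\b", msg)
            if f:
                code = f.group(1).lower()
                failures.append((ts, func, code, CODES.get(code, "unknown")))
    return applied, failures
```
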
