Pierre, it looks ok and should do the trick, verify manually that the value HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate really is updated and set to 1, and if it is I would say that GP is working and you should try a WSUS list/newsgroup for this specific problem. Best, Thorbjörn Sjövold Special Operations Software www.specopssoft.com <http://www.specopssoft.com/> thorbjorn.sjovold a t specopssoft.com Download our free tool for remote Gpupdate with graphical reporting, http://www.specopssoft.com/products/specopsgpupdate/ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx Sent: den 8 mars 2007 14:48 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Not all Group Policy settings being applied Hi Alan I've enabled Verbose logging and when checking the UserEnv log I see the following entries: USERENV(3ac.2dc) 13:03:16:078 ParseRegistryFile: Entering with <\\fosterclark.local\SysVol\fosterclark.local\Policies\{BEA671BC-1917-48C1-8566-0480F2B1819B}\User\registry.pol>. USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoWindowsUpdate => 1 [OK] USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoNetworkConnections => 1 [OK] USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoStartMenuNetworkPlaces => 1 [OK] USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoSMConfigurePrograms => 1 [OK] USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoDesktopCleanupWizard => 1 [OK] USERENV(3ac.2dc) 13:03:16:078 SetRegistryValue: NoAutoUpdate => 1 [OK] However when checking to see whether Turn off Automatic Updates is enable it is not but find Automatic enabled instead. According to the above entries in the log it was supposed to have been switched off. Thanks Pierre P.S. If you want a copy of the log I can e-mail it to you if you wish. "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> Sent by: gptalk-bounce@xxxxxxxxxxxxx 08/03/2007 13:53 Please respond to gptalk@xxxxxxxxxxxxx To <gptalk@xxxxxxxxxxxxx> cc Subject [gptalk] Re: Not all Group Policy settings being applied Pierre, I think the event log record refers to the Machine based processing, whereas the entry in the UserEnv log refers to the User based processing. Are you sure you have verbose logging enabled? You should be getting a lot more messages. Refer to http://support.microsoft.com/kb/221833/en-us <http://support.microsoft.com/kb/221833/en-us> Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Entry: UserEnvDebugLevel Type: REG_DWORD Value data: 10002 (Hexadecimal) 65538(decimal) Alan Cuthbertson ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx Sent: Thursday, 8 March 2007 11:03 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Not all Group Policy settings being applied Hi Alan What I see in the event log is this: Event Type: Information Event Source: SceCli Event Category: None Event ID: 1704 Date: 08/03/2007 Time: 12:52:01 User: N/A Computer: PRDWW01 Description: Security policy in the Group policy objects has been applied successfully. Which means that the Group Policy is being applied which is not true as only part of it is being applied. But checking the log again I see the following again: USERENV(298.bf0) 12:51:58:514 PolicyChangedThread: UpdateUser failed with 6. Very weird :-( Pierre "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> Sent by: gptalk-bounce@xxxxxxxxxxxxx 08/03/2007 12:58 Please respond to gptalk@xxxxxxxxxxxxx To <gptalk@xxxxxxxxxxxxx> cc Subject [gptalk] Re: Not all Group Policy settings being applied Hi Pierre, I have seen the problem before but cannot recall exactly what it was. There is a Microsoft article that refers to the message, but I don’t think it is your error:- http://support.microsoft.com/kb/257580 It is related to the GPO processing not being able to find out the username (obviously) and I am not sure if there is something wrong with the username (disabled, or expired) or perhaps the machine needs to be removed and readded to the domain, or perhaps it can no longer get to the domain controller for some reason. Is there any event log record written? Alan Cuthbertson ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx Sent: Thursday, 8 March 2007 10:02 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Not all Group Policy settings being applied Hi Alan Many thanks for your very interesting e-mail. This is indeed a very strange problem I'm encountering on some of our workstations. I've enabled user environment debug logging via the registry and on one of these problem workstations I have noted the following entries in the log file: USERENV(378.7b0) 10:54:17:200 MyGetUserName: GetUserNameEx failed with 1355. USERENV(378.7b0) 10:54:47:699 MyGetUserName: GetUserNameEx failed with 1355. USERENV(378.7b0) 10:55:18:196 MyGetUserName: GetUserNameEx failed with 1355. USERENV(378.7b0) 10:55:48:693 MyGetUserName: GetUserNameEx failed with 1355. USERENV(378.7b0) 10:55:48:693 ProcessGPOs: MyGetUserName failed with 1355. . . . USERENV(3ac.c60) 09:54:52:042 MyRegUnLoadKey: Failed to unmount hive 00000005 USERENV(3ac.c60) 09:54:52:042 UnLoadClassHive: failed to unload classes key with 5 USERENV(3ac.c60) 09:54:52:042 DumpOpenRegistryHandle: 2 user registry Handles leaked from \Registry\User\S-1-5-21-2676610465-2331551837-1842337626-500_Classes USERENV(3ac.c60) 09:54:52:042 ReportError: Impersonating user. USERENV(3ac.c60) 09:54:52:042 CUserProfile::WatchHiveRefCount: Failed to restore the privilege. error = c0000022 USERENV(3ac.694) 19:47:30:723 CEvents::Report: ReportEvent failed. Error = 1717 USERENV(3ac.3b0) 09:13:48:640 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:13:48:656 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:13:48:656 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:58:42:531 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:42:19:375 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:30:38:859 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 08:29:26:343 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.3b0) 09:27:06:406 CUserProfile::CleanupUserProfile: Ref Count is not 0 USERENV(3ac.f54) 11:17:14:962 PolicyChangedThread: UpdateUser failed with 6. So there seems to be something wrong. But the problem is what could be causing such a problem and how can I resolve it? Thanks Pierre "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> Sent by: gptalk-bounce@xxxxxxxxxxxxx 07/03/2007 22:34 Please respond to gptalk@xxxxxxxxxxxxx To <gptalk@xxxxxxxxxxxxx> cc Subject [gptalk] Re: Not all Group Policy settings being applied Hi Pierre, One thing that might be catching you is if you have not enabled “process even if the group Policy Objects have not changed” under “Machine\Administrative templates\system\group Policy\registry policy processing”. The default is to only process it if the group policy changes. This means that if the setting is wrong, it will remain wrong until the policy changes. You can run “GPUPDATE /Force” which will reapply all policies unconditionally to see if this fixes the problem. If this is the case, we can work out why the machine thought the policy was already applied. If this is not the problem, go for the UserEnv Log! You can enable logging and check out the log to find out:- 1. Is the Policy being detected in the OU structure? 2. Is it passing security filtering? 3. Is it attempting to apply the ADM component of the policy? 4. Is it trying to apply the registry key that was expected? You can then check if the registry key is actually in place Failure at any one of these levels could cause the problem. You can checkout http://support.microsoft.com/kb/221833/en-us <http://support.microsoft.com/kb/221833/en-us> to see how to enable logging…. Or you can download and install my Policy Log Reporter (see below). By default it checks the machine it is installed on, but you can also point it at a remote machine. It provides a button to enable logging and it will parse the log and show it in a more structured way. If you still can’t understand what is going on, post the log and we can check it out for you. Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml <http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml> ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml <http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml> Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml <http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml> ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of pierre.camilleri@xxxxxxxxxxxxxxx Sent: Thursday, 8 March 2007 2:42 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Not all Group Policy settings being applied Hi Everyone! I am encountering a problem on certain Windows XP Pro (SP2) workstations where not all settings of the W2K3 group policy are being applied. The setting which is not being applied is the Windows Automatic Updates. It is company policy to disable automatic download of MS updates. The majority of our workstations are having this policy setting applied correctly but some are not having this setting applied. They are having other settings applied e.g. disabling the Run command, etc., but not this one. All the workstations belong to the same AD domain and all have a common group policy. Has anyone encountered this problem before? Any comments/help would be very much appreciated. Thanks in advance Pierre