[THIN] Re: Group Policies not applying

  • From: "Anthony Green" <agreen@xxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 15 Jul 2004 21:58:42 +0100

I narrowed down the problem to the all users profile.
Here's the output from the userenv log.  Well, the bit I was interested in
anyway...
 
USERENV(154.67c) 10:43:58:179 ProcessGPOs: Processing extension Registry
USERENV(154.67c) 10:43:58:179 CompareGPOLists:  One list is empty
USERENV(154.67c) 10:43:58:179 ProcessGPOList: Entering for extension Registry
USERENV(154.67c) 10:43:58:179 ResetPolicies: Entering.
USERENV(154.67c) 10:43:58:179 ParseRegistryFile: Entering with <C:\Documents and Settings\All Users\ntuser.pol>.
USERENV(154.67c) 10:43:58:179 ParseRegistryFile: Leaving.
USERENV(154.67c) 10:43:58:179 ResetPolicies: Leaving.
USERENV(154.67c) 10:43:58:179 ProcessGPORegistryPolicy: Failed to create archive file with 5
USERENV(154.67c) 10:43:58:179 ProcessGPOList: ProcessGPORegistryPolicy failed.
USERENV(154.67c) 10:43:58:179 ProcessGPOs: Extension Registry ProcessGroupPolicy failed, status 0x80004005.
 
Resetting permissions for "%systemdrive%\documents and settings" fixed the
problem.
 
It's one to watch for as I have seen this on 2000 and 2003 before, especially
if you are restricting all users profile in any way.
 
Thanks,
Anthony.
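
A triage script for a userenv log like the one quoted in the message above, added here as an example and not part of the original thread. It rejoins entries that were hard-wrapped in transit, decodes the Win32 error and HRESULT values, and reports the last policy file the log named before each failure as context only; the function names `unwrap` and `triage` are hypothetical.

```python
import re

# Standard Windows codes; 5 and 0x80004005 are the two that appear in the excerpt.
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}
HRESULT = {0x80004005: "E_FAIL", 0x80070005: "E_ACCESSDENIED"}
# (pattern, numeric base, lookup table) for the two failure phrasings in the excerpt.
CODES = [(r"[Ff]ailed .* with (\d+)\.?$", 10, WIN32),
         (r"failed, status (0x[0-9a-fA-F]+)", 16, HRESULT)]
ENTRY = re.compile(r"^USERENV\([0-9a-f.]+\) ([\d:]+) (\w+):\s*(.*)$")

# Lines taken from the post, with the hard wraps a mail client introduces.
SAMPLE = r"""
USERENV(154.67c) 10:43:58:179 ParseRegistryFile: Entering with <C:\Documents
and Settings\All Users\ntuser.pol>.
USERENV(154.67c) 10:43:58:179 ProcessGPORegistryPolicy: Failed to create
archive file with 5
USERENV(154.67c) 10:43:58:179 ProcessGPOs: Extension Registry
ProcessGroupPolicy failed, status 0x80004005.
"""

def unwrap(text):
    """Rejoin wrapped entries: a line not starting with 'USERENV(' continues the previous one."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("USERENV(") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def triage(text):
    """Return one dict per failure entry, with its code decoded and the last file seen."""
    findings, last_file = [], None
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        when, func, msg = m.groups()
        path = re.search(r"Entering with <(.+?)>", msg)
        if path:
            last_file = path.group(1)  # context only, not proof of which file failed
        for pattern, base, table in CODES:
            hit = re.search(pattern, msg)
            if hit:
                code = int(hit.group(1), base)
                findings.append({"time": when, "func": func, "code": code,
                                 "name": table.get(code, "unknown"), "file": last_file})
    return findings
```

Calling `triage(SAMPLE)` returns two findings; an access-denied code next to a path under the All Users profile points at the directory ACL rather than at Active Directory.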


  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Anthony Green
Sent: 15 July 2004 07:18
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Group Policies not applying


Drive permissions are everyone full control.  I can reboot the server as
many times as I like but unless I reset the permissions the server does not
get the policy.
 
I will go over the usual gp troubleshooting stuff just to make 100% sure I'm
not missing anything obvious.  I can check the loopback reg entry you
mentioned as well and post the results.
 
Thanks for your help,
Anthony.

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Durbin
Sent: 15 July 2004 00:35
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Group Policies not applying


Are you sure the file permissions are actually relevant? Maybe it's the
reboot that you do after resetting the file permissions. So, your file
permissions at the root of the system drive are Everyone = Full Control? And
you propagate that change through the whole drive, then reboot, and then you
get the policy? Try the reboot without setting the file permissions.
  When you're NOT getting the policy, have you tried going through the
standard GP troubleshooting? See:
 
http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp
 
  There are also some MS KB's that talk about troubleshooting group policy
application. 
  Another thing you might do when the policy isn't working is look at the
registry value that loopback processing sets just to make sure it's there.
If it's not, then you know the machine isn't getting the machine policy at
boot and will explain why you're not getting the user settings. The value is
at:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\UserPolicyMode.
 
  It should be set to 1 or 2 depending on whether you're doing replace or
merge.


  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Anthony Green
Sent: Thursday, 15 July 2004 10:51 a.m.
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Group Policies not applying


I know, weird, isn't it.
 
Go to properties of root drive->security->advanced->and tick replace
permissions on child objects...
Believe it or not this fixes the problem.
 
FYI - The GPO is linked to a Citrix Servers OU with loopback enabled.
Authenticated Users have "read" and "apply policy".  The policy is enabled,
and no override is set.
 
 
 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Durbin
Sent: 14 July 2004 23:30
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Group Policies not applying


File permissions shouldn't have anything to do with receiving policy from AD
(unless you're changing file permissions on the SYSVOL share, which could).
Could you be more specific about the file permissions you're applying? Also,
what container is the GPO linked to and what's the security on the GPO
itself?


  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Anthony Green
Sent: Thursday, 15 July 2004 10:22 a.m.
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Group Policies not applying


Have had this a couple of times now and haven't found out why the problem is
occurring.
 
Server has local 2000 policy that applies every time.
The policy that is set up in AD is not applying.
 
To fix this I have to reset permissions and allow inheritable on the system
drive and the AD policy will then start applying after I do a reboot.
Anyone know why this is happening and give me a better fix for this?
 
Thanks,
Anthony.
