Computer Management and Group Policy

[Tom Penharston]

If all of my client computers are accessible through Active Directory
computer management, why wouldn't they also respond to GPs? Some
computers respond to GPs and others are having problem. The domain
membership seems correct on the problem computers, but there must be
something I'm missing.

 

[Paul Williams [MVP]]

There could be any number of reasons why the GPOs aren't being processed,
some might not even be problems, e.g. not within scope of a GPO. To
troubleshoot this, check the computer in questions application event log for
warnings and errors from the sources Userenv and Scecli. A good place to
get info. on these errors is www.eventid.net. You should also check
%systemroot%\debug\usermode\userenv.log

Post back events and relevant sections of the userenv.log here for more
help.

 

[Tom Penharston]

I was afraid it would come down to logs


Event ID 101
"The assignment of application Jack's Beard from policy OBJECT TEST
failed. The error was : The group policy framework should call the
extension in the synchronous foreground policy refresh."

Event ID 103
"The removal of the assignment of application Jack's Beard from policy
OBJECT TEST failed. The error was : The group policy framework should
call the extension in the synchronous foreground policy refresh."

Event ID 108
"Failed to apply changes to software installation settings. Software
installation policy application has been delayed until the next logon
because an administrator has enabled logon optimization for group
policy. The error was : The group policy framework should call the
extension in the synchronous foreground policy refresh"

Initial Processing of Group Policy

For computers, Group Policy is applied at computer startup. For users,
Group Policy is applied just after log on. This initial processing of
policy can also be referred to as a foreground policy application.

Windows 2000: On Windows 2000, the foreground application of Group
Policy is synchronous. This means that computer policy is applied
before the log on dialog box is presented, and user policy is applied
before the shell is available to the user.

http://msdn.microsoft.com/library/d...policy/initial_processing_of_group_policy.asp

"Windows XP: On Windows XP, the foreground application of Group Policy
can be synchronous or asynchronous. In synchronous mode, the computer
does not complete the system boot until computer policy is applied
successfully, and the user logon process does not complete until user
policy is applied successfully. In asynchronous mode, if there are no
policy changes that require synchronous processing, the computer can
complete the system boot before the application of computer policy is
complete, and the shell can be available to the user before the
application of user policy is complete.

There is a limit of 60 minutes during which all policy processing must
complete on the client. There is no method to modify this time-out
period."


- - - -
So what do I do about it?
-Tom Penharston

 

[Paul Williams [MVP]]

So what do I do about it?

First, check the suggestions over on www.eventid.net

If that's no good, paste about 30 lines from
%systemroot%\debug\usermode\userenv.log here and we'll take a look.

 

[Guest]

Hi
I've had similar problems in the past. The majority of the time it was
because plug and play had picked the wrong NIC driver (something like Intel
Pro100 instead of Intel Pro1000vm). The NIC was working but not correctly.
Updating to the correct drivers solved the problems.
hope that helps
cheers
Stuart

 

[Tom Penharston]

I've looked at several things:

Microsoft support article "Description of the Windows XP Fast Logon
Optimization" 305293 describes how to enable "Always wait for the
network at computer startup and logon" on XP clients. Based on the
event IDs above, 101, 103, 108 the problem was asyncronous logon,
therefore I tried this local policy. The policy had little or no
effect. I was unable to deploy my msi.

Now I'm looking at a pattern of
event 7 kerberos, event 29 w32time, warning 18 w32time, evernt 29
w32time, warning 18 w32time, event 5719 kerberos

Maybe Kerberos is failing because the time isn't synching with the DC.
Possible?

 

[Paul Williams [MVP]]

Let me see some of the userenv.log file once you've enabled verbosity. That
will give me an idea of non-GPO related errors too.

 

[Tom Penharston]

I should back-up a little bit. My computers belong to an OU and I'm
applying the MSI to the computer OU. This computer-based installation
worked on my test system (a very simple test system) but not in the
actual systems.

Regarding users, my departmet never intended for domain users to login
to these systems. This is a computer lab environment where we provide
a generic local user account on each machine. For reasons involving
legacy, network traffic, and simplicity we've never had to support
domain authentication or roaming profiles on these systems. Your
suggestion that we are troubleshooting the userenv.log isn't resonating
with me yet; if I'm mistaken please let me know. It's my understanding
that the system and application logs are still my best resource, rather
than userenv.log.

Fortunately, I've used verbose userenv logging in the past in regards
to other issues, and I can easily go that route if it still applies.

 

[Paul Williams [MVP]]

Ah, don't be mistaken by the name. Although it does log profile loads and
unloads, it also logs standard policy application - both user and computer.
So we should look at this log. When there are errors in the event log, this
can provide additional info.

 

[Lewis Howell]

Cheers Stuart - I have seen this happen in about 1 out of every 4 clients in
a domain. Update/Replace NIC driver - adjust speed and voila GP's are
processing.

I have also seen a hub cause the same types of problems...

2c

 

[Tom Penharston]

The lab is too busy. I reimaged a test machine and I managed to
duplicate

event 101
event 103
event 108

Then after another reboot the GPO finally worked and the MSI installed.
Then I enabled verbose logging.
Then I selected immediate removal of the app and the GPO from the
server:

event 101,

- - - - - - - - - -

USERENV(110.21c) 15:53:26:968 ProcessAutoexec: Cannot process
autoexec.bat.
USERENV(110.21c) 15:53:32:250 ProcessAutoexec: Cannot process
autoexec.bat.
USERENV(110.114) 15:53:36:125 ProcessAutoexec: Cannot process
autoexec.bat.
USERENV(29c.2a0) 15:54:13:031 ProcessAutoexec: Cannot process
autoexec.bat.
USERENV(fc.20c) 16:08:49:405 ProcessAutoexec: Cannot process
autoexec.bat.
USERENV(d4.290) 16:09:12:593 LoadUserProfileI: LoadUserProfileP failed
with 21
USERENV(fc.788) 16:09:12:593 LoadUserProfile: Calling LoadUserProfileI
failed. err = 21
USERENV(d4.a8) 16:09:12:655 LoadUserProfileI: LoadUserProfileP failed
with 21
USERENV(fc.788) 16:09:12:655 LoadUserProfile: Calling LoadUserProfileI
failed. err = 21
USERENV(d4.a8) 16:12:11:421 LoadUserProfileI: LoadUserProfileP failed
with 21
USERENV(fc.170) 16:12:11:421 LoadUserProfile: Calling LoadUserProfileI
failed. err = 21
USERENV(d4.4c8) 16:15:59:108 LoadUserProfileI: LoadUserProfileP failed
with 21
USERENV(fc.788) 16:15:59:108 LoadUserProfile: Calling LoadUserProfileI
failed. err = 21
USERENV(2b4.2a4) 16:16:09:280 ProcessAutoexec: Cannot process
autoexec.bat.
USERENV(2b4.2a4) 16:16:09:343 ProcessAutoexec: Cannot process
autoexec.bat.
USERENV(2b4.2a4) 16:16:09:765 ProcessAutoexec: Cannot process
autoexec.bat.
USERENV(110.5c0) 16:16:42:312 CompileMof: Failed to get delete the rsop
namespace. Error 0x80041002. Continuing..
USERENV(238.23c) 16:23:02:062 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(238.254) 16:23:06:734 GetUserGuid: Failed to get user guid with
1355.
USERENV(238.254) 16:23:06:750 GetUserGuid: Failed to get user guid with
1355.
USERENV(238.254) 16:23:06:750 GetUserGuid: Failed to get user guid with
1355.
USERENV(238.254) 16:23:08:546 GetUserGuid: Failed to get user guid with
1355.
USERENV(238.254) 16:23:08:546 GetUserGuid: Failed to get user guid with
1355.
USERENV(238.19c) 16:46:35:296 GetUserGuid: Failed to get user guid with
1355.
USERENV(238.19c) 16:46:35:296 GetUserGuid: Failed to get user guid with
1355.
USERENV(238.19c) 16:46:35:296 GetUserGuid: Failed to get user guid with
1355.
USERENV(238.19c) 16:46:35:906 GetUserGuid: Failed to get user guid with
1355.
USERENV(238.19c) 16:46:35:906 GetUserGuid: Failed to get user guid with
1355.
USERENV(238.3e0) 16:48:58:750 GetGPOInfo: Local GPO's gpt.ini is not
accessible, assuming default state.
USERENV(238.598) 16:49:07:281 GetGPOInfo: Local GPO's gpt.ini is not
accessible, assuming default state.
USERENV(234.238) 16:55:42:625 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 16:55:42:625 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 16:55:42:625 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 17:22:41:578 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 17:22:41:578 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 17:22:41:578 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 19:39:34:609 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 19:39:34:609 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 19:39:34:609 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(240.244) 19:54:19:765 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(240.244) 19:54:19:765 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(240.244) 19:54:19:765 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(244.248) 12:37:45:296 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(244.248) 12:37:45:296 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(244.248) 12:37:45:296 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(238.23c) 13:02:26:796 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(238.23c) 13:02:26:796 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(238.23c) 13:02:26:796 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(238.23c) 13:09:54:406 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(238.23c) 13:09:54:406 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(238.23c) 13:09:54:406 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 15:39:52:375 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 15:39:52:390 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(234.238) 15:39:52:390 CUserProfile::CleanupUserProfile: Ref
Count is not 0

- - - - - - - - - -

Anything good here?

 

[Tom Penharston]

So, the userenv events above are from a failed removal. (On the next
restart the removal worked and nothing new was written to the
userenv.log.) I don't mind one failed GPO attempt if the second is
gauranteed to work, but it's not clean administration, and in the big
picture my GPO deploys thus far have only worked on the same subnet as
the server. I haven't crossed the subnet yet. That might be a
concern.