aneky
asked on
Implement Group Policy to hide Control Panel Items
I have been having a hell of a problem hiding or disabling Control Panel items, especially Administrator Tools, as I want to prevent users from accessing Computer Management and the other templates in Admin Tools. I have tried a few solutions on EE with no success. I hope someone can help me out.
ASKER
Well, I have a problem: the change I created in the Software Restriction Group Policy Object GPO is not pushed to the client. I did a gpresult, which indicates otherwise. Is there any way to check why the changes I made are not pushed down to the user on that computer, which is joined to the domain?
C:\Documents and Settings\aneky>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 3/21/2006 at 7:11:56 PM
RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
-------------------------- ---------- ---------- ---------- --
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\aneky
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 3/21/2006 at 7:02:56 PM
Group Policy was applied from: BC2L.HQ.BC2L.COM
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------- ---
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
-------------------------- ---------- ---------- ----------
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
SAPL-JAMESKOH$
Domain Computers
USER SETTINGS
--------------
Last time Group Policy was applied: 3/21/2006 at 7:08:23 PM
Group Policy was applied from: BC2L.HQ.BC2L.COM
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------- ---
Default Domain Policy
Software Restriction Group Policy Object
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
-------------------------- ---------- ---------- ------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
The following are the configuration I set in the Software Restriction Policy.
User Configuration
---------------------
Windows Settings
---------------------
Scripts
---------------------
Logon
Name Parameters
mapdrive.bat (net use P: \\bc2l\test)
Security Settings
-------------------
Public Key Policies/Autoenrollment Settings
-------------------------- ---------- ---------- ---
Policy Setting
----------------
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled
Software Restriction Policies/Additional Rules
-------------------------- ---------- ---------- -----
C:\Program Files\Messenger\msmsgs.exe
Security Level Disallowed
C:\Program Files\Yahoo!\Messenger\YPager.exe
Security Level Disallowed
C:\Windows\System32\format.exe
Security Level Disallowed
Administrative Templates
-------------------------- ---
Start Menu and Taskbar
-------------------------- ---
Remove Run menu from Start Menu Enabled
System/Group Policy
-----------------------
Group Policy refresh interval for users Enabled
This setting allows you to customize how often Group Policy is applied
to users. The range is 0 to 64800 minutes (45 days).
Minutes: 90
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes: 30
System/Scripts
------------------
Run logon scripts visible Enabled
Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins
----------------------------------------------------------------------------------------------------
Local Users and Groups Disabled
Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins/Group Policy
--------------------------------------------------------------------------------------------------------------------
Group Policy Management Disabled
Windows Components/Windows Installer
-------------------------- ---------- ---------- -
Prevent removable media source for any install Enabled
JayJay, I did try the method u advised but it just doesn't work. I dunno why the policy is not applied at all. I need all the help I can get.
Reboot the PC a few times. Sometimes that's all it takes.
gpupdate /force
also if you set computer policies then you will need to reboot as netman said and sometimes it seems to take a few times - very intermittent issue but a known issue with windows
ASKER
What I did was unjoin the computer from the domain and rejoin it. Then the GPO was applied; however, it was not completely applied, as the simple logon script mapdrive.bat (net use P: \\bc2l\public) did not run.
Before, when I checked in AD under Computers, I could not locate the computer name of the computer I joined to the domain. After I disjoined and rejoined the domain, I still cannot locate the computer name under Computers in AD. Could this be part of the reason why the GPO is not applied?
Indeed it could. Maybe try changing the computer name and run the Network ID wizard.
ASKER
Netman66
I did try out your suggestion; it worked and my logon script managed to run, but it takes minutes before the logon screen is displayed. It did apply all the policies I created in the GPO. However, the users over here will not find it acceptable to wait for minutes before they can log in to their computers.
How can I make sure every setting I set in the GPO is implemented on the client computer without sacrificing the time taken for the logon screen to come up?
JayJay
Well, it's my fault: I moved the computer to another OU where I wanted to test out another policy, which is why I couldn't find it under Computers in AD.
how about DNS settings on the client? is it pointing towards your DC?
ASKER
We are using dhcp for the client computer. The first line of the DNS IP setting is the DC IP address.
Good, good, as that can often slow down logon times if it's not pointing in the right direction. Which settings aren't holding now?
ASKER
The problem is that the GPO only applies to the client PC if I apply Netman66's solution, that is:
You can disable this default behavior here:
Computer Configuration>Administrative Templates>System>Logon :: Always wait for the network at computer startup and logon = ENABLED.
But if I apply this setting, it takes 4 mins before I can see the logon screen after I boot up the PC. If I don't apply this setting, my GPO cannot apply to the computer.
Jay & Net, please advise me what I should do so that I can have a faster logon screen with the GPO applied properly when the user logs in.
You haven't edited any of the security features on the policy itself, have you? Is the policy sitting at the domain root?
ASKER
This is not the domain root GPO. This GPO I set is applied only on the OU level. I set disable enforce on the domain root GPO and set the OU GPO to enforce.
ASKER
Nope I didn't edit the security features on the policy.
If it's taking that long, then either you have far too many GPOs to process on startup, your script is hanging, or you have ISP DNS settings on the clients.
You should NOT have any ISP DNS settings anywhere inside your LAN - only on the Forwarder tab of your DNS server.
Also, make sure all of your servers are correctly registered with your DNS server - especially, the DCs underneath _msdcs.
ASKER
I only have 2 GPOs enabled under the OU, which are
Default Domain Policy
Software Restriction Group Policy Object
No, there is no client that has ISP DNS settings.
I did a test yesterday. In the first round, if I log in as a domain user the GPO will not apply. Then I went to the command prompt to run gpupdate /force. In the second round, I logged out after gpupdate completed and logged in again as the domain user. The GPO was then applied. This is the only way I can get the GPO to apply.
If I shut down the laptop, restart it and log in, the GPO will not apply. What could be the cause of this?
Your Group Policy must think that you're on a slow link.
If you run GPRESULT from one of these machines, right near the beginning of the output it tells you what it "thinks" the link is.
Can you post a gpresult here?
ASKER
Netman66
This is the gpresult I get after logging in on a machine that was started up from cold.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\aneky>gpresult
ERROR: Access Denied.
C:\Documents and Settings\aneky>
If I run gpresult again after this, I am able to get the result shown below.
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 3/21/2006 at 7:11:56 PM
RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
-------------------------- ---------- ---------- ---------- --
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\aneky
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 3/21/2006 at 7:02:56 PM
Group Policy was applied from: BC2L.HQ.BC2L.COM
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------- ---
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
-------------------------- ---------- ---------- ----------
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
SAPL-JAMESKOH$
Domain Computers
USER SETTINGS
--------------
Last time Group Policy was applied: 3/21/2006 at 7:08:23 PM
Group Policy was applied from: BC2L.HQ.BC2L.COM
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------- ---
Default Domain Policy
Software Restriction Group Policy Object
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
-------------------------- ---------- ---------- ------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
The following are the configuration I set in the Software Restriction Policy.
User Configuration
---------------------
Windows Settings
---------------------
Scripts
---------------------
Logon
Name Parameters
mapdrive.bat (net use P: \\bc2l\test)
Security Settings
-------------------
Public Key Policies/Autoenrollment Settings
-------------------------- ---------- ---------- ---
Policy Setting
----------------
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled
Software Restriction Policies/Additional Rules
-------------------------- ---------- ---------- -----
C:\Program Files\Messenger\msmsgs.exe
Security Level Disallowed
C:\Program Files\Yahoo!\Messenger\YPager.exe
Security Level Disallowed
C:\Windows\System32\format.exe
Security Level Disallowed
Administrative Templates
-------------------------- ---
Start Menu and Taskbar
-------------------------- ---
Remove Run menu from Start Menu Enabled
System/Group Policy
-----------------------
Group Policy refresh interval for users Enabled
This setting allows you to customize how often Group Policy is applied
to users. The range is 0 to 64800 minutes (45 days).
Minutes: 90
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes: 30
System/Scripts
------------------
Run logon scripts visible Enabled
Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins
----------------------------------------------------------------------------------------------------
Local Users and Groups Disabled
Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins/Group Policy
--------------------------------------------------------------------------------------------------------------------
Group Policy Management Disabled
Windows Components/Windows Installer
-------------------------- ---------- ---------- -
Prevent removable media source for any install Enabled
The problem is weird, so I don't know what's wrong. Based on the subsequent gpresult, it doesn't indicate the machine is on a slow link. I hope you can help me diagnose the problem, Netman.
>>>>>>
C:\Documents and Settings\aneky>gpresult
ERROR: Access Denied.
is this profile specific? if you log on with a different user do you get the same set of issues??
ASKER
Well, I only created 1 domain user account under this GPO. I did not create any other domain user implementing this GPO.
You just copied the GPRESULT you first posted.
Please do a current one.
Also, where is this policy linked?
ASKER
Netman.
OK. Sorry, I was kinda lazy. This is a current one, with the gpresult runs all executed consecutively. The "Software Restriction Group Policy Object" GPO is enforced while the "Default Domain Policy" is set to link.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\aneky>gpresult
ERROR: Access Denied.
C:\Documents and Settings\aneky>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 3/27/2006 at 10:48:27 AM
RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
-------------------------- ---------- ---------- ---------- --
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\aneky
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=SAPL-JAMESKOH,OU=Test Domain Policy,DC=HQ,DC=BC2L,DC=COM
Last time Group Policy was applied: 3/27/2006 at 10:46:50 AM
Group Policy was applied from: BC2L.HQ.BC2L.COM
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------- ---
Software Restriction Group Policy Object
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
-------------------------- ---------- ---------- ----------
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
SAPL-JAMESKOH$
Domain Computers
USER SETTINGS
--------------
CN=Test Account,OU=Test Domain Policy,DC=HQ,DC=BC2L,DC=COM
Last time Group Policy was applied: 3/27/2006 at 10:48:27 AM
Group Policy was applied from: BC2L.HQ.BC2L.COM
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------- ---
Software Restriction Group Policy Object
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
-------------------------- ---------- ---------- ------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
How many machines are affected by this problem?
I'm also a little wary of the ERROR: Access Denied thing you see the first run.
ASKER
Well, it is prevalent on all the machines, as they are all running WinXP Pro SP2. The issue seems to show up the same way: the GPO doesn't apply in the first instance, while it will apply after I have been logged in for a while.
The urgency of gpresult is of least importance, as my main problem is the GPO doesn't apply Computer Configuration>Administrative Templates>System>Logon :: Always wait for the network at computer startup and logon = ENABLED. But if I enable this, it will take ages for the machine to log in. Based on the GPRESULT, the client I log in to the domain with is not connected on a slow link. If I set it to asynchronous update, the GPO will not apply.
Hmmm...
Can you try this on ONE test PC?
http://support.microsoft.com/kb/244474/en-us
Let me know if the problem goes away.
I suspect there are switching problems and this may confirm it.
I should stress, do not yet use the ADM template that is provided. Manually change one PC to see if this is actually the cause.
Set this again:
Configuration>Administrative Templates>System>Logon :: Always wait for the network at computer startup and logon = ENABLED
ASKER
Netman
I have made the changes to the registry, added the GPO setting you indicated, and run gpupdate /force. Then I shut down the computer and started it up again. I came to the login screen rather quickly, which makes me suspect the GPO did not apply. I checked it again with gpresult. On the first run I got Access Denied. It goes through all the processing until "Creating the RSOP session for HQ\aneky", then it stops and prompts with Access Denied.
I ran it a second time. The processing seems slower compared to the time before I tweaked the registry setting on the machine. However, the gpresult is processed fully. Here is the result I copied out:
C:\Documents and Settings\aneky>gpresult
ERROR: Access Denied.
C:\Documents and Settings\aneky>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 3/29/2006 at 9:17:32 AM
RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
-------------------------- ---------- ---------- ---------- --
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\aneky
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 3/29/2006 at 9:16:58 AM
Group Policy was applied from: BC2L.HQ.BC2L.COM
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------- ---
Software Restriction Group Policy Object
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
-------------------------- ---------- ---------- ----------
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
SAPL-JAMESKOH$
Domain Computers
USER SETTINGS
--------------
Last time Group Policy was applied: 3/29/2006 at 9:16:51 AM
Group Policy was applied from: BC2L.HQ.BC2L.COM
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------- ---
Software Restriction Group Policy Object
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
-------------------------- ---------- ---------- ------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
ASKER
Updates:
I shut down the machine a second time and restarted. The GPO kicked in and it took about 3 mins for the machine to display the login message. Once in, I tried running gpresult and it displayed in a jiffy, as shown below.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\aneky>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 3/29/2006 at 9:54:06 AM
RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
-------------------------- ---------- ---------- ---------- --
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\aneky
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=SAPL-JAMESKOH,OU=Test Domain Policy,DC=HQ,DC=BC2L,DC=COM
Last time Group Policy was applied: 3/29/2006 at 9:53:57 AM
Group Policy was applied from: BC2L.HQ.BC2L.COM
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------- ---
Software Restriction Group Policy Object
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
-------------------------- ---------- ---------- ----------
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
SAPL-JAMESKOH$
Domain Computers
USER SETTINGS
--------------
CN=Test Account,OU=Test Domain Policy,DC=HQ,DC=BC2L,DC=COM
Last time Group Policy was applied: 3/29/2006 at 9:51:37 AM
Group Policy was applied from: BC2L.HQ.BC2L.COM
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------- ---
Software Restriction Group Policy Object
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
-------------------------- ---------- ---------- ------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
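Comparing gpresult runs by eye, as in the posts above, can be scripted. This added example (not part of the original thread) parses gpresult text in the Windows XP layout quoted here and lists expected GPOs missing from the computer or user scope; the sample text is constructed and the function names are hypothetical.

```python
# Constructed sample in the gpresult layout quoted in this thread (not a real capture).
SAMPLE = r"""COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 3/29/2006 at 9:16:58 AM
    Applied Group Policy Objects
    -----------------------------
        Software Restriction Group Policy Object
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
    The computer is a part of the following security groups:
    ---------------------------------------------------------
        BUILTIN\Administrators
USER SETTINGS
--------------
    Last time Group Policy was applied: 3/29/2006 at 9:16:51 AM
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
"""

def parse_gpresult(text):
    """Return {scope: {"last_applied", "applied", "filtered"}} for computer and user."""
    report, scope, bucket, last = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("- "):
            continue  # blank line or dashed underline (also when split by spaces)
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, bucket, last = line.split()[0].lower(), None, None
            report[scope] = {"last_applied": None, "applied": [], "filtered": {}}
        elif line.startswith("Last time Group Policy was applied:"):
            report[scope]["last_applied"] = line.split(":", 1)[1].strip()
        elif line == "Applied Group Policy Objects":
            bucket = "applied"
        elif line.startswith("The following GPOs were not applied"):
            bucket = "filtered"
        elif line.startswith(("The computer is a part", "The user is a part")):
            bucket = None  # group membership list follows; these are not GPO names
        elif bucket == "applied":
            report[scope]["applied"].append(line)
        elif bucket == "filtered" and line.startswith("Filtering:") and last:
            report[scope]["filtered"][last] = line.split(":", 1)[1].strip()
        elif bucket == "filtered":
            last = line  # GPO name; its "Filtering:" reason is on the next line
            report[scope]["filtered"][last] = None
    return report

def missing_gpos(report, expected):
    """Map each scope to the expected GPO names absent from its applied list."""
    return {s: [g for g in expected if g not in d["applied"]] for s, d in report.items()}
```

Feeding it the saved output of each gpresult run shows at a glance whether a GPO landed in one scope but not the other, and the `last_applied` timestamps show whether a refresh actually happened between runs.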
ASKER
Netman:
I timed how long it takes the machine to display the login screen. It seems that after applying the registry tweak, the logon screen took about 2min 17sec, as compared to the previous whole 5 mins for it to appear. So what do you think is the probable cause of this issue?
It sounds like this may be the problem.
Your startup time is not unreasonable at all now - in fact, I have mostly P4 - 3.2GB machines with SATA drives that take at least that long.
Since you effectively forced Kerberos to use TCP rather than UDP, the packet sizes can be better controlled. Some switching equipment can cause problems if not set up properly to allow large UDP traffic.
You can safely create that ADM file and copy it to the Templates folder on the server. You can create a new GPO at the domain level and import this template into it, then make the setting changes so that the entire domain will work off TCP rather than UDP Kerberos traffic.
Do NOT import this into the Default Domain Policy - create a new GPO and do it from there.
If you have a complex switch or VLAN configuration you might want to get the network people involved too. They might be able to "sniff" the traffic and confirm what we are seeing. If you are using Hubs rather than switches, then this might be the problem too.
NM
ASKER
Netman,
Unfortunately, I brought the test machine (laptop) home, but when I arrived in the office and started it up to log in, it took more than 5 minutes, coming to infinity, as compared to the time I timed previously. I practically need to pull out the LAN cable in order to see the login screen. I don't think the solution you gave me works though, as the timing for the login screen to appear seems to be erratic.
No, we did not implement VLANs here as it is only a 50-strength company, but we are using different types of dumb switches to extend the number of ports.
I think you need to look at the switch layout. If you have a hub connected to a single port on a switch then you will have issues on the hub.
If you plug the laptop into the main switch directly (or the same one the server is on) will it log on any different?
ASKER
Netman,
The condition worsened. Today, it does not even prompt for the login screen at all. I tried connecting to the switch which the server is connected to and it improved to 1 min 40 secs. But I am not sure if the result is accurate as it is based on 1 test.
Hard to say.
I would unplug the power to all the switches and the router. Wait one minute. Start by powering up the router, then each switch one by one.
It sounds like (maybe) the routing tables are getting corrupt.
ASKER
But I don't think it is routing table corruption as the dc server and clients all fall under the same subnet address.
Each switch (if not a basic switch) will build a table up in their memory. Routing is not just for going outside your own subnet. A switch has the capacity of "learning" where an IP address is in relation to each port - and thus can "route" directly between hosts rather than forward the packets to the router to be bounced back inside.
Of course, all this is a little more complex but you get the idea.
Reset your switches and see what happens.
This sounds like a network issue - either switching or at the router. Something isn't right there.
Your server and clients all perform as expected when they can communicate with each other.
Prevents Control Panel, Printers, and Network Connections from running. This setting removes the Control Panel, Printers, and Network and Connection folders from Settings on the Start menu, and from My Computer and Windows Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking My Computer to start System. Also, see the Disable Control Panel, Disable Display in Control Panel, and Remove Network Connections from Start Menu settings.
Administrative Templates\Control Panel\Prohibit access to the Control Panel
Disables all Control Panel programs. This setting prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items. This setting also removes Control Panel from the Start menu. (To open Control Panel, click Start, point to Settings, and then click Control Panel.) This setting also removes the Control Panel folder from Windows Explorer. If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. Also, see the Remove Display in Control Panel and Remove programs on Settings menu settings.
Have you tried those settings? If so, what are the issues you are getting?