?
Solved

Group Policy not working

Posted on 2006-06-07
12
Medium Priority
?
736 Views
Last Modified: 2008-01-09
It seems that a WSUS group policy which I have is not working, I've added for some PCs to be added to a WSUS group via client-sided targeting and they're not being picked up.

Here is an extract from the userenv.log from our DC:

USERENV(4b0.750) 12:50:55:513 EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0
USERENV(4b0.750) 12:50:55:513 EnterCriticalPolicySectionEx: User critical section has been claimed.  Handle = 0x2e8
USERENV(4b0.750) 12:50:55:513 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(4b0.750) 12:50:55:513 ProcessGPOs:  Machine role is 3.
USERENV(4b0.750) 12:50:55:529 PingComputer: PingBufferSize set as 2048
USERENV(4b0.750) 12:50:55:544 PingComputer: Adapter speed 10000000 bps
USERENV(4b0.750) 12:50:55:544 PingComputer:  First time:  0
USERENV(4b0.750) 12:50:55:544 PingComputer:  Fast link.  Exiting.
USERENV(4b0.750) 12:50:55:544 ProcessGPOs:  User name is:  CN=Administrator,CN=Users,DC=wedlakebell,DC=local, Domain name is:  WEDLAKEBELL.LOCAL
USERENV(4b0.750) 12:50:55:544 ProcessGPOs: Domain controller is:  \\dc01.wedlakebell.local  Domain DN is WEDLAKEBELL.LOCAL
USERENV(4b0.750) 12:50:55:544 ReadGPExtensions: Rsop entry point not found for dskquota.dll.
USERENV(4b0.750) 12:50:55:544 ReadGPExtensions: Rsop entry point not found for gptext.dll.
USERENV(4b0.750) 12:50:55:544 ReadGPExtensions: Rsop entry point not found for iedkcs32.dll.
USERENV(4b0.750) 12:50:55:544 ReadGPExtensions: Rsop entry point not found for scecli.dll.
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {25537BA6-77A8-11D2-9B6C-0000F8080861}
USERENV(4b0.750) 12:50:55:544 ReadStatus: Read Extension's Previous status successfully.
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {3610eda5-77ef-11d2-8dc5-00c04fa31a66}
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {426031c0-0b47-4852-b0ca-ac3d37bfcb39}
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {42B5FAAE-6536-11d2-AE5A-0000F87571E3}
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {c6dc5466-785a-11d2-84d0-00c04fb169f7}
USERENV(4b0.750) 12:50:55:544 ReadExtStatus: Reading Previous Status for extension {e437bc1c-aa7d-11d2-a382-00c04f991e27}
USERENV(4b0.750) 12:50:55:544 ProcessGPOs: Calling GetGPOInfo for normal policy mode
USERENV(4b0.750) 12:50:55:544 GetGPOInfo:  ********************************
USERENV(4b0.750) 12:50:55:544 GetGPOInfo:  Entering...
USERENV(4b0.750) 12:50:55:544 GetGPOInfo:  Server connection established.
USERENV(4b0.750) 12:50:55:560 GetGPOInfo:  Bound successfully.
USERENV(4b0.750) 12:50:55:560 SearchDSObject:  Searching <DC=wedlakebell,DC=local>
USERENV(4b0.750) 12:50:55:560 SearchDSObject:  Found GPO(s):  <[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=wedlakebell,DC=local;0]>
USERENV(4b0.750) 12:50:55:560 ProcessGPO:  ==============================
USERENV(4b0.750) 12:50:55:560 ProcessGPO:  Deferring search for <LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=wedlakebell,DC=local>
USERENV(4b0.750) 12:50:55:654 SearchDSObject:  Searching <CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wedlakebell,DC=local>
USERENV(4b0.750) 12:50:55:654 SearchDSObject:  No GPO(s) for this object.
USERENV(4b0.750) 12:50:55:654 EvaluateDeferredGPOs:  Searching for GPOs in cn=policies,cn=system,DC=wedlakebell,DC=local
USERENV(4b0.750) 12:50:55:654 ProcessGPO:  ==============================
USERENV(4b0.750) 12:50:55:654 ProcessGPO:  Searching <CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=wedlakebell,DC=local>
USERENV(4b0.750) 12:50:55:654 ProcessGPO:  User has access to this GPO.
USERENV(4b0.750) 12:50:55:654 ProcessGPO:  GPO passes the filter check.
USERENV(4b0.750) 12:50:55:654 ProcessGPO:  Found functionality version of:  2
USERENV(4b0.750) 12:50:55:654 ProcessGPO:  Found file system path of:  <\\wedlakebell.local\sysvol\wedlakebell.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}>
USERENV(4b0.750) 12:50:55:669 ProcessGPO:  Found common name of:  <{31B2F340-016D-11D2-945F-00C04FB984F9}>
USERENV(4b0.750) 12:50:55:669 ProcessGPO:  Found display name of:  <Default Domain Policy>
USERENV(4b0.750) 12:50:55:669 ProcessGPO:  Found user version of:  GPC is 3, GPT is 3
USERENV(4b0.750) 12:50:55:669 ProcessGPO:  Found flags of:  0
USERENV(4b0.750) 12:50:55:669 ProcessGPO:  Found extensions:  [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
USERENV(4b0.750) 12:50:55:669 ProcessGPO:  ==============================
USERENV(4b0.750) 12:50:55:669 GetGPOInfo:  GPO Local Group Policy doesn't contain any data since the version number is 0.  It will be skipped.
USERENV(4b0.750) 12:50:55:669 GetGPOInfo:  Leaving with 1
USERENV(4b0.750) 12:50:55:669 GetGPOInfo:  ********************************
USERENV(4b0.750) 12:50:55:669 ProcessGPOs: Logging Data for Target <administrator>.
USERENV(4b0.750) 12:50:55:669 ProcessGPOs: OpenThreadToken failed with error 1008, assuming thread is not impersonating
USERENV(4b0.750) 12:50:55:669 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:669 ProcessGPOs: Processing extension Registry
USERENV(4b0.750) 12:50:55:669 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:669 CheckGPOs: No GPO changes but couldn't read extension Registry's status or policy time.
USERENV(4b0.750) 12:50:55:669 ProcessGPOs: Extension Registry skipped because both deleted and changed GPO lists are empty.
USERENV(4b0.750) 12:50:55:669 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:669 ProcessGPOs: Processing extension Wireless Group Policy
USERENV(4b0.750) 12:50:55:669 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:669 CheckGPOs: No GPO changes but couldn't read extension Wireless Group Policy's status or policy time.
USERENV(4b0.750) 12:50:55:669 ProcessGPOs: Extension Wireless Group Policy skipped with flags 0x6.
USERENV(4b0.750) 12:50:55:669 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:669 ProcessGPOs: Processing extension Folder Redirection
USERENV(4b0.750) 12:50:55:669 ReadStatus: Read Extension's Previous status successfully.
USERENV(4b0.750) 12:50:55:669 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:669 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:669 ProcessGPOList: Entering for extension Folder Redirection
USERENV(4b0.750) 12:50:55:669 UserPolicyCallback: Setting status UI to Applying Folder Redirection policy...
USERENV(4b0.750) 12:50:55:669 ProcessGPOList: No changes. CSE will not be passed in the IwbemServices intf ptr
USERENV(4b0.750) 12:50:55:716 UserPolicyCallback: Setting status UI to Applying your personal settings...
USERENV(4b0.750) 12:50:55:716 ProcessGPOList: Extension Folder Redirection returned 0x0.
USERENV(4b0.750) 12:50:55:716 ProcessGPOList: Extension Folder Redirection status was not updated because there was no changes and no transition or rsop wasn't enabled
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Processing extension Microsoft Disk Quota
USERENV(4b0.750) 12:50:55:732 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:732 CheckGPOs: No GPO changes but couldn't read extension Microsoft Disk Quota's status or policy time.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Extension Microsoft Disk Quota skipped with flags 0x6.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Processing extension QoS Packet Scheduler
USERENV(4b0.750) 12:50:55:732 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:732 CheckGPOs: No GPO changes but couldn't read extension QoS Packet Scheduler's status or policy time.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Extension QoS Packet Scheduler skipped with flags 0x6.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Processing extension Scripts
USERENV(4b0.750) 12:50:55:732 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:732 CheckGPOs: No GPO changes but couldn't read extension Scripts's status or policy time.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Extension Scripts skipped because both deleted and changed GPO lists are empty.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Processing extension Internet Explorer Zonemapping
USERENV(4b0.750) 12:50:55:732 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:732 CheckGPOs: No GPO changes but couldn't read extension Internet Explorer Zonemapping's status or policy time.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Extension Internet Explorer Zonemapping skipped because both deleted and changed GPO lists are empty.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Processing extension Security
USERENV(4b0.750) 12:50:55:732 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:732 CheckGPOs: No GPO changes but couldn't read extension Security's status or policy time.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Extension Security skipped with flags 0x6.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Processing extension Internet Explorer Branding
USERENV(4b0.750) 12:50:55:732 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:732 CheckGPOs: No GPO changes but couldn't read extension Internet Explorer Branding's status or policy time.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: Extension Internet Explorer Branding skipped because both deleted and changed GPO lists are empty.
USERENV(4b0.750) 12:50:55:732 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: Processing extension EFS recovery
USERENV(4b0.750) 12:50:55:748 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:748 CheckGPOs: No GPO changes but couldn't read extension EFS recovery's status or policy time.
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: Extension EFS recovery skipped with flags 0x6.
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: Processing extension Software Installation
USERENV(4b0.750) 12:50:55:748 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:748 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:748 CheckGPOs: No GPO changes but couldn't read extension Software Installation's status or policy time.
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: Extension Software Installation skipped because both deleted and changed GPO lists are empty.
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: -----------------------
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: Processing extension IP Security
USERENV(4b0.750) 12:50:55:748 CompareGPOLists:  The lists are the same.
USERENV(4b0.750) 12:50:55:748 CheckGPOs: No GPO changes but couldn't read extension IP Security's status or policy time.
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: Extension IP Security skipped with flags 0x6.
USERENV(4b0.750) 12:50:55:748 SetFgRefreshInfo: Previous User Fg policy Synchronous, Reason: SKU.
USERENV(4b0.750) 12:50:55:748 SetFgRefreshInfo: Next User Fg policy Synchronous, Reason: SKU.
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(4b0.750) 12:50:55:748 LeaveCriticalPolicySection: Critical section 0x2e8 has been released.
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: User Group Policy has been applied.
USERENV(4b0.750) 12:50:55:748 ProcessGPOs: Leaving with 1.
USERENV(4b0.d3c) 12:50:55:748 GPOThread:  Next refresh will happen in 108 minutes
USERENV(4b0.750) 12:50:55:763 ApplyGroupPolicy: Leaving successfully.
USERENV(d30.b88) 12:50:55:951 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe
USERENV(4b0.e4c) 12:50:56:935 IsSyncForegroundPolicyRefresh: Synchronous, Reason: policy set to SYNC
USERENV(ac0.628) 12:50:57:482 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe
USERENV(9d8.1f8) 12:50:58:779 LibMain: Process Name:  C:\WINDOWS\Explorer.EXE
USERENV(9d8.fe4) 12:50:59:357 GetProfileType:  Profile already loaded.
USERENV(9d8.fe4) 12:50:59:357 GetProfileType: ProfileFlags is 0
USERENV(9d8.c9c) 12:50:59:372 GetProfileType:  Profile already loaded.
USERENV(9d8.c9c) 12:50:59:372 GetProfileType: ProfileFlags is 0
USERENV(db8.b4c) 12:50:59:607 LibMain: Process Name:  C:\WINDOWS\system32\ctfmon.exe
USERENV(db8.b4c) 12:50:59:607 GetProfileType:  Profile already loaded.
USERENV(db8.b4c) 12:50:59:607 GetProfileType: ProfileFlags is 0
USERENV(db8.b4c) 12:50:59:794 GetProfileType:  Profile already loaded.
USERENV(db8.b4c) 12:50:59:794 GetProfileType: ProfileFlags is 0
USERENV(cb4.604) 12:51:05:872 LibMain: Process Name:  C:\WINDOWS\system32\mmc.exe
USERENV(5a8.d9c) 12:51:10:763 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe
USERENV(238.dbc) 12:51:22:075 ProcessGPOs:
USERENV(238.dbc) 12:51:22:075 ProcessGPOs:

and in the winlogon.log have found this re-occurring error:


Error 0 to send control flag 1 over to server.

Make a local copy of \\wedlakebell.local\sysvol\wedlakebell.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of \\wedlakebell.local\sysvol\wedlakebell.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.

This is not the last GPO.
-------------------------------------------
16 May 2006 08:50:23
      Copy undo values to the merged policy.


----Un-initialize configuration engine...

Process GP template gpt00001.inf.

This is the last GPO : domain policy is ignored on DC.

Can anyone suggest where I should be looking for the cause of these errors?
0
Comment
Question by:dhymers
  • 7
  • 5
12 Comments
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 2000 total points
ID: 16852633
I just posted this for another user:

http://technet2.microsoft.com/WindowsServer/en/Library/43bcd87f-9483-4d84-bad5-bdff68761d0d1033.mspx?mfr=true

Make sure your policy is configured properly - and being applied at the domain level.

0
 

Author Comment

by:dhymers
ID: 16852688
Thanks.  I know the policy is Ok as it was working fine last week with no problems - and I have not ammended the policy.  It seems to have stopped working since we had to restart our domain controllers last week.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16852752
Check to make sure all the services have started - including in IIS virtual servers.

0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 

Author Comment

by:dhymers
ID: 16852860
All the usual services appear to have started on the domain controller.   Can you explain what you mean when you say to check the IIS virtual servers as well - i'm not overly techinical.  As far as I know we don't have any IIS virtual servers.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16853433
You do. it should be the Default website for WSUS unless you asked the WSUS installation to create a new site for you.

Open Internet Services Manager.
Make sure the Default Website and any other site linked to WSUS are started.

0
 

Author Comment

by:dhymers
ID: 16859220
Yes you're right, I've checked in IIS manager and all the websites including the default website are started.  At least when I highlight each one, only the stop button is enabled so I imagine this means they are all running.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16869616
OK, what port is WSUS working on?  You may need to add that to the GPO to the end of the WSUS server entries.

Example: http://wsusserver:8530

0
 
LVL 51

Expert Comment

by:Netman66
ID: 16869800
Disregard that last post.  I've just been looking at the log above.

0
 

Author Comment

by:dhymers
ID: 16870084
Apologies - I've led you on a bit of a wild goose chase.  I've subsequently learned that the 3 users I added to the WSUS GPO have received the policy and have been updated.  However for some reason these users are not showing on the WSUS console as being part of the WSUS group even though they are receiving the WSUS policy.  Any ideas?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16871450
Yes.  That much I do know.

If these computers were imaged, then it appears they were not Syspreped properly.  Only the last computer to talk to WSUS will be visible in the console if this is the case.

You need to image machines by running Sysprep before you create the image file to deploy.

Although MS doesn't support this, you can run sysprep now to recreate the machine SID.  You will first be required to place each workstation in a workgroup, then reboot and run sysprep.  After this, you can delete the machine account in AD then rejoin the computer to the domain.

Alternately, (and I DO NOT recommend this) is to use NewSID from Sysinternals: http://www.sysinternals.com/Utilities/NewSid.html.  You will still need to put the workstations into workgroup before you run this, then rejoin them so there is no real timesaver using this tool over Sysprep.  Since this is not an MS tool I would be very cautious with it.

NM


0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 16871478
Once you've reimaged or re-Sysprepped them you need to do the following on each workstation.

Delete the values in the following keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

AccountDomainSid
PingID
SusClientId

You then need to run this from a CMD prompt:

net stop wuauserv
net start wuauserv
wuauclt /resetauthorization /detectnow

This will fix your issues.


0
 

Author Comment

by:dhymers
ID: 16871553
That's great, I'll give it a go.  Thanks for all your help/
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Integration Management Part 2
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question