Solved

Local group policy filtered out

Posted on 2007-03-21
Last Modified: 2010-02-23
Hi, I am having a problem with several workstations not taking an Outlook add-in. I believe it's because of Group Policy (GP). I can't tell which policy at this point. My case is, because GP is filtering out the local policy which contains the registry edits of this add-in. My best guess is a Loopback setting of "replace". I have run a gpresult to prove my point.

-----------------------------------------------------------------------------------------------------------------------------

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 3/21/2007 at 9:45:59 AM



RSOP results for Coorp\mgarcia on NASH-PC0039 : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 Coorp
Domain Type:                 Windows 2000
Site Name:                   DEFAULT-FIRST-SITE
Roaming Profile:            
Local Profile:               C:\Documents and Settings\mgarcia
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
   
    Last time Group Policy was applied: 3/21/2007 at 9:41:03 AM
    Group Policy was applied from:      DAY-DC01.Domain.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Auto Updates
        Nashville Security Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        NASH-PC0039$
        Domain Computers
       
    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  6

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  90

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            LSAAnonymousNameLookup
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            GPO: Nashville Security Policy
                Groupname: Coorp\SQL Admins
                Members:   Coorp\SQL Admins
                           
            GPO: Nashville Security Policy
                Groupname: Coorp\Nashville Admins
                Members:   Coorp\Nashville Admins
                           
            GPO: Nashville Security Policy
                Groupname: Coorp\Production Turnover
                Members:   Coorp\Production Turnover
                           
        System Services
        ---------------
            GPO: Auto Updates
                ServiceName: wuauserv
                Startup:     disabled

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=Garcia\, Marsha,OU=Users and Groups,OU=Nashville,DC=Domain,DC=com
    Last time Group Policy was applied: 3/21/2007 at 9:42:30 AM
    Group Policy was applied from:      germ-dc01.Domain.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Nashville Security Policy
            Filtering:  Disabled (GPO)

        Auto Updates
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        ORA_DBA
        BUILTIN\Administrators
        Remote Desktop Users
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Place Nash
        Nash_Data_Prep
        TECAN Operators
        Analysis
        Citrix-GP US Users
        Nashville Admins
        RSAusers
       
    Resultant Set Of Policies for User:
    ------------------------------------

        Software Installations
        ----------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A


------------------------------------------------------------------------------------------------------------------------------
I'm unsure if these results prove my case. Inversely, I also contend that in this corporate environment the enabled policies are incorrectly configured too restrictive. I'm experiencing strange effects of phantom computer hesitations and access denies.

Any advice would be greatly appreciated.

All of our domain controllers are Win2k3.

Question by:blkmworking

24 Comments

Expert Comment

by:IanTh
Group policy will always overrule local security policy in a domain.

Author Comment

by:blkmworking
Yes, I agree that domain group policy will always overrule local policy; however, only if the group policy is set to change that policy setting. If the setting is not enabled (or configured) it should follow the local GP setting.

Expert Comment

by:IanTh
Yes, I agree, so maybe it's profile related, as I have seen stuff like this before that was profile related. Try a profile reset on one of the affected users.

Expert Comment

by:IanTh
Hmm, have you tried gpupdate /force first? Maybe that will force it to work.

Author Comment

by:blkmworking
I have done a gpupdate. My users are receiving the current correct updates. How do you perform a profile update?

Author Comment

by:blkmworking
I have done the gpupdate /force on a user with no change. I tried to edit a local policy and received a change in the gpresult where local policy is not filtered out on the user side. On the computer side the local policy is still filtered out.

Expert Comment

by:Netman66
Your output shows clearly that the local policy is filtered because it's empty.

If this is a registry ADM, then you need to import it in a GPO linked high enough to catch all the workstations but not the servers.

0
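The reading Netman66 gives of the gpresult output can be done mechanically across many workstations. The following is an added example, not part of the original thread: it parses gpresult text, lists applied and filtered GPOs per scope, and separates the harmless "Not Applied (Empty)" entries from filter reasons that actually stop a configured GPO. The sample is trimmed from the output quoted in the question; the reason descriptions are the editor's summary.

```python
# Constructed sample: trimmed from the gpresult output quoted in the question.
SAMPLE = """\
RSOP results for Coorp\\mgarcia on NASH-PC0039 : Logging Mode
-----------------------------------------------------------------

COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Auto Updates
        Nashville Security Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\\Administrators

USER SETTINGS
--------------
    CN=Garcia\\, Marsha,OU=Users and Groups,OU=Nashville,DC=Domain,DC=com
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Nashville Security Policy
            Filtering:  Disabled (GPO)

        Auto Updates
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
"""

# Editor's summary of the filter reasons; only the first two occur on this page.
REASONS = {
    "Not Applied (Empty)": "GPO holds no settings for this half; nothing was overridden",
    "Disabled (GPO)": "this half of the GPO is switched off in the GPO's status",
    "Denied (Security)": "account lacks Read / Apply Group Policy permission",
}


def _is_rule(line):
    """True for the dashed underline gpresult prints beneath every heading."""
    return bool(line) and set(line) == {"-"}


def parse_gpresult(text):
    """Return {scope: {"applied": [gpo, ...], "filtered": {gpo: reason}}}."""
    report, scope, section, pending = {}, None, None, None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if not line or _is_rule(line):
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if _is_rule(nxt):                       # a heading: switch state
            section, pending = None, None
            if line.endswith(" SETTINGS"):
                scope = line.split()[0]         # COMPUTER or USER
                report[scope] = {"applied": [], "filtered": {}}
            elif line.startswith("Applied Group Policy Objects"):
                section = "applied"
            elif line.startswith("The following GPOs were not applied"):
                section = "filtered"
            continue
        if scope is None:
            continue
        if section == "applied":
            report[scope]["applied"].append(line)
        elif section == "filtered":
            if line.startswith("Filtering:"):
                if pending:
                    report[scope]["filtered"][pending] = line.split(":", 1)[1].strip()
                    pending = None
            else:
                pending = line                  # GPO name; its reason follows
    return report


def needs_review(report):
    """Filtered GPOs whose reason is something other than 'it is empty'."""
    return [(scope, gpo, reason)
            for scope, data in report.items()
            for gpo, reason in data["filtered"].items()
            if reason != "Not Applied (Empty)"]


if __name__ == "__main__":
    parsed = parse_gpresult(SAMPLE)
    for scope, gpo, reason in needs_review(parsed):
        print(f"{scope}: {gpo} -> {reason}: {REASONS.get(reason, 'unrecognised reason')}")
```
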
 

Author Comment

by:blkmworking
That is not really an option because our AD is a stump rather than a tree. We have a domain & OU's only. No Sites. At this moment I need to find why and where the local GPO is being filtered out at and fix it. I just got a thought. As a test to prove it to my superiors I could change one computer to not inherit any GPO.

Expert Comment

by:Netman66
Sites really have nothing to do with what you are attempting here.

Create a test OU.
Move one test PC into it.
Create and link a GPO to it.
Make that setting change in that GPO - if it means adding a custom ADM then do so.

If it's a simple registry mod then a script may be all you need.
What are you changing/modifying?


Author Comment

by:blkmworking
A registry mod sounds great. I actually have a registry mod to block users from browsing to anything other than approved sites on critical computers; however, GPO is mandatory for us now (SOX). Prior to the GPOs' implementation I didn't have these problems. My thinking is to initially prove that GPO is guilty of my issues without a shadow of a doubt by having one computer not inherit any policy settings. I do realize that an enforce set on any of the higher group policies that will override an enforce. If I create a test OU, the default domain policy and automatic updates would still be applied. True? They are directly on the Domain hierarchical tree.

The default GPO appears to change the computer's lockout time, password length, and expiration. Then there are automatic updates which is intended to turn off automatic updates (per workstation. It appears because we are on a   I suppose I could do it that way. Would

Author Comment

by:blkmworking
Excuse me for sending out my last reply with the second paragraph unedited.

The default GPO appears to change the computer's lockout time, password length, and expiration. Then there are automatic updates which is intended to turn off automatic updates on the computer GPO side.

As for setting up Sites, there are several IT site admins who have domain level privileges instead of just site level. There have been some unapproved changes.

Expert Comment

by:Netman66
Your Default Domain Policy will apply to the new OU.

How are you determining the lockout time, password length and expiration are changing - and exactly what are you comparing it to?

Don't confuse physical site with a Site in AD - if it's one flat domain and there are not any servers outside of the main site, then there is no need for any Sites in AD Sites and Services.

I think your issues may stem from too many people making changes that you cannot control.  You speak of SOX and yet these individuals have admin rights to the Domain - this contravenes SOX already.

Author Comment

by:blkmworking
I agree that the many individuals with domain admin rights go against SOX and even best practices, but I have no control of that. I'm just a Site admin. My company has a corporate office and several sites around the US and one in Europe. There are domain controllers at each location but yet we are still set up as a flat one domain with many OUs.

I also agree that the Default domain will apply to the new OU. This is why I want to set a not inherit to filter that out also. I have also noticed that our "Group Policy was applied from" has been variable jumping from site to site. In addition, it seems when the Europe site is chosen we have major hesitations in our computers.

Expert Comment

by:Netman66
You can't block some elements of the Default Domain Policy - that much is known - that control Account policies.

As for why your workstations are using different sites for Group Policy is something I had a 3 hour discussion with Microsoft about last week.

Their response was a little less than I wanted in that it is by design, but they fail to tell me how it works that way.

I am still waiting some formal docs on this from them - which reminds me that I should follow up.  I want to be able to explain this to people correctly so I've requested this stuff from them.


Author Comment

by:blkmworking
I was under the impression that the partitioning of your AD had something to do with it. Utilizing the Sites in the hierarchical design would give local domain controllers precedence over other sites' DCs. It makes more sense and seems more efficient. I'll bet that AD isn't aware of a computer's location in relation to DC without Sites & Services.

Expert Comment

by:Netman66
You're partially correct.

Sites define boundaries for replication and authentication.  Most of the time they correspond to actual physical sites where a DC is present.  In fact, that's how they're supposed to be used.  If a DC is not present at a remote site there is no point defining a Site for it in AD Sites and Services as it serves no purpose.

As for Administrative roles in relation to Sites, there are no correlations at all there.  Normal accounts can be Delegated Control of OUs or added to Administrative groups for the domain, but Sites have nothing to do with that other than to "coin a phrase" that a person has Admin rights to their site.  This simply means they may have Admin rights to their DC for maintenance purposes and/or rights over the OU that represents their site in the AD.


Author Comment

by:blkmworking
I see what you mean. In any case, I believe our domain controller admin group needs to be trimmed down and Site & Services should be implemented.

I have done more troubleshooting on my issue. I turned on GP logging on several of my computers. Here is a portion of my log files.

Winlogon.log
---------------------------------------------------------------------------------------------------------------------------

Make a local copy of \\DOMAIN>COM\SysVol\DOMAIN>COM\Policies\{CCCFEE19-8408-4084-A5D0-415B8C51EE1A}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Make a local copy of \\DOMAIN>COM\SysVol\DOMAIN>COM\Policies\{363FC14E-98D7-4B1D-8054-A41DBCF0B3F0}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of \\DOMAIN>COM\sysvol\DOMAIN>COM\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.inf.

This is not the last GPO.
-------------------------------------------
Tuesday, March 06, 2007 2:17:35 AM
      Copy undo values to the merged policy.


----Un-initialize configuration engine...

Process GP template gpt00001.dom.

This is not the last GPO.
-------------------------------------------
Tuesday, March 06, 2007 2:17:35 AM


----Un-initialize configuration engine...

Process GP template gpt00002.dom.
-------------------------------------------
Tuesday, March 06, 2007 2:17:36 AM
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...


----Configure Group Membership...
      Configure 1OMAINBIO\SQL Admins.
      Configure 1OMAINBIO\Nashville Admins.
      Configure 1OMAINBIO\Production Turnover.

      Group Membership configuration was completed successfully.


----Configure General Service Settings...
      Configure wuauserv.

      General Service configuration was completed successfully.


----Configure available attachment engines...

      Configuration of attachment engines was completed successfully.


----Configure Security Policy...
      Configure password information.
      Configure account force logoff information.
      LSA anonymous lookup names setting : existing SD = D:(A;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS).
      Configure LSA anonymous lookup setting.

      System Access configuration was completed successfully.

      Audit/Log configuration was completed successfully.

      Configuration of Registry Values was completed successfully.


----Configure available attachment engines...

      Configuration of attachment engines was completed successfully.


----Un-initialize configuration engine...

this is the last GPO.
**************************
------------------------------------------------------------------------------------------------------------------------


USERENV.LOG
-----------------------------------------------------------------------------------------------------------------------
USERENV(1ac.c2c) 10:24:10:196 EnterCriticalPolicySectionEx: Wait timed out on the mutex.
USERENV(2a8.1e4) 10:54:39:348 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(2a8.d2c) 12:17:54:177 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(2a8.1e4) 12:46:21:547 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(2a8.d2c) 14:23:22:584 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(2a8.1e4) 14:28:42:586 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(538.32c) 14:32:12:900 LibMain: Process Name:  C:\WINDOWS\regedit.exe
USERENV(94c.df0) 14:33:14:635 LibMain: Process Name:  C:\WINDOWS\system32\gpupdate.exe
USERENV(94c.c18) 14:33:14:682 RefreshPolicyEx: Entering with force refresh 0
USERENV(94c.808) 14:33:14:682 RefreshPolicyEx: Entering with force refresh 1
USERENV(94c.c18) 14:33:14:682 RefreshPolicyEx: Leaving.
USERENV(2a8.1e4) 14:33:14:682 ProcessGPOs:
USERENV(94c.808) 14:33:14:682 RefreshPolicyEx: Leaving.
USERENV(2a8.d2c) 14:33:19:588 ProcessGPOs:
USERENV(2a8.1e4) 14:34:24:589 ProcessGPOs:
USERENV(d94.58c) 14:35:33:667 LibMain: Process Name:  C:\WINDOWS\system32\rundll32.exe
USERENV(6a8.644) 14:35:15:964 LibMain: Process Name:  C:\WINDOWS\system32\mmc.exe
USERENV(b80.918) 14:35:39:667 LibMain: Process Name:  C:\WINDOWS\system32\rundll32.exe
USERENV(2a8.d2c) 14:37:14:590 ProcessGPOs:
USERENV(2c0.5dc) 14:37:14:762 LibMain: Process Name:  C:\WINDOWS\system32\mmc.exe
USERENV(2a8.1e4) 14:38:09:590 ProcessGPOs:  Starting computer Group Policy (Background) processing...
USERENV(204.964) 14:39:09:684 LibMain: Process Name:  C:\WINDOWS\system32\rundll32.exe
USERENV(430.47c) 14:39:09:700 LibMain: Process Name:  C:\WINDOWS\system32\rundll32.exe
USERENV(2a8.d2c) 14:39:54:591 ProcessGPOs: Starting user Group Policy (Background) processing...
USERENV(ce8.fcc) 14:39:20:184 LibMain: Process Name:  C:\WINDOWS\system32\taskmgr.exe
USERENV(6a8.644) 14:40:23:856 GetProfileType:  Profile already loaded.
USERENV(30c.1f0) 14:39:55:122 LibMain: Process Name:  C:\WINDOWS\system32\taskmgr.exe
USERENV(2a8.1e4) 14:40:54:591 ProcessGPOs:
USERENV(ea4.9ac) 14:42:26:264 LibMain: Process Name:  C:\WINDOWS\system32\taskmgr.exe
USERENV(af0.4e8) 14:42:53:936 LibMain: Process Name:  C:\WINDOWS\system32\taskmgr.exe
USERENV(2a8.d2c) 14:43:49:592 ProcessGPOs:
USERENV(524.fdc) 14:43:29:373 LibMain: Process Name:  C:\WINDOWS\system32\taskmgr.exe
USERENV(6a8.644) 14:43:49:639 GetProfileType: ProfileFlags is 0
USERENV(8c0.d4c) 14:44:14:670 LibMain: Process Name:  C:\WINDOWS\system32\dumprep.exe
USERENV(2a8.1e4) 14:44:44:280 ProcessGPOs:
USERENV(2a8.d2c) 14:44:44:296 ProcessGPOs:
USERENV(2a8.1e4) 14:44:44:296 EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0
USERENV(2a8.d2c) 14:44:44:296 EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0
USERENV(2a8.1e4) 14:44:44:296 EnterCriticalPolicySectionEx: Machine critical section has been claimed.  Handle = 0x898
USERENV(2a8.d2c) 14:44:44:296 EnterCriticalPolicySectionEx: User critical section has been claimed.  Handle = 0x91c
USERENV(2a8.d2c) 14:44:44:296 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(2a8.1e4) 14:44:44:296 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(2a8.d2c) 14:44:44:311 ProcessGPOs:  Machine role is 2.
USERENV(2a8.1e4) 14:44:44:311 ProcessGPOs:  Machine role is 2.
USERENV(2a8.d2c) 14:44:44:311 PingComputer: Adapter speed 100000000 bps
USERENV(f50.fc0) 14:44:44:468 LibMain: Process Name:  C:\WINDOWS\system32\dumprep.exe
USERENV(2a8.d2c) 14:44:44:577 PingComputer:  First time:  240
USERENV(d64.87c) 14:44:44:733 LibMain: Process Name:  C:\WINDOWS\system32\dumprep.exe
USERENV(2a8.d2c) 14:44:45:046 PingComputer:  Second time:  106
USERENV(2a8.d2c) 14:44:45:046 PingComputer:  Second time less than first time.
USERENV(2a8.d2c) 14:44:45:139 PingComputer:  First time:  68
USERENV(2a8.d2c) 14:44:45:249 PingComputer:  Second time:  106
USERENV(2a8.d2c) 14:44:45:311 PingComputer:  First time:  68
USERENV(2a8.d2c) 14:44:45:421 PingComputer:  Second time:  107
USERENV(2a8.d2c) 14:44:45:421 PingComputer:  Transfer rate:  842 Kbps  Loop count:  2
USERENV(2a8.1e4) 14:44:45:436 PingComputer: Adapter speed 100000000 bps
USERENV(2a8.1e4) 14:44:45:811 PingComputer:  First time:  70
USERENV(2a8.1e4) 14:44:45:936 PingComputer:  Second time:  110
USERENV(2a8.1e4) 14:44:46:014 PingComputer:  First time:  68
USERENV(2a8.1e4) 14:44:46:124 PingComputer:  Second time:  106
USERENV(2a8.d2c) 14:44:51:593 ProcessGPOs:  User name is:  CN=Graham\, Ashlie,OU=Users and Groups,OU=Nashville,DC=MIANOD,DC=com, Domain name is:  MIANODBIO
USERENV(2a8.1e4) 14:44:51:593 PingComputer:  First time:  68
USERENV(2a8.d2c) 14:44:53:639 ProcessGPOs: Domain controller is:  \\dal-dc01.MIANOD.com  Domain DN is MIANOD.com
USERENV(2a8.d2c) 14:44:53:655 ReadGPExtensions: Rsop entry point not found for gptext.dll.
USERENV(2a8.d2c) 14:44:53:655 ReadGPExtensions: Rsop entry point not found for dskquota.dll.
USERENV(2a8.d2c) 14:44:53:655 ReadGPExtensions: Rsop entry point not found for gptext.dll.
USERENV(2a8.d2c) 14:44:53:655 ReadGPExtensions: Rsop entry point not found for iedkcs32.dll.
USERENV(2a8.d2c) 14:44:53:655 ReadGPExtensions: Rsop entry point not found for scecli.dll.
USERENV(2a8.d2c) 14:44:53:655 ReadGPExtensions: Rsop entry point not found for C:\WINDOWS\System32\cscui.dll.
USERENV(2a8.d2c) 14:44:53:655 ReadGPExtensions: Rsop entry point not found for gptext.dll.
USERENV(2a8.d2c) 14:44:53:671 ReadExtStatus: Reading Previous Status for extension {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
USERENV(2a8.d2c) 14:44:53:686 ReadExtStatus: Reading Previous Status for extension {0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}
USERENV(2a8.d2c) 14:44:53:686 ReadExtStatus: Reading Previous Status for extension {25537BA6-77A8-11D2-9B6C-0000F8080861}
USERENV(2a8.d2c) 14:44:53:686 ReadExtStatus: Reading Previous Status for extension {3610eda5-77ef-11d2-8dc5-00c04fa31a66}
USERENV(2a8.d2c) 14:44:53:686 ReadExtStatus: Reading Previous Status for extension {426031c0-0b47-4852-b0ca-ac3d37bfcb39}
USERENV(2a8.d2c) 14:44:53:686 ReadExtStatus: Reading Previous Status for extension {42B5FAAE-6536-11d2-AE5A-0000F87571E3}
USERENV(2a8.d2c) 14:44:53:702 ReadExtStatus: Reading Previous Status for extension {4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}
USERENV(2a8.d2c) 14:44:53:702 ReadExtStatus: Reading Previous Status for extension {827D319E-6EAC-11D2-A4EA-00C04F79F83A}

-----------------------------------CUT TO CONSERVER --------------------------------------------

USERENV(2a8.1e4) 14:45:05:968 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(2a8.1e4) 14:45:05:968 GetGPOInfo:  Leaving with 1
USERENV(2a8.1e4) 14:45:05:968 GetGPOInfo:  ********************************
USERENV(2a8.1e4) 14:45:05:968 ProcessGPOs: Logging Data for Target <NASH-LAB02>.
USERENV(2a8.1e4) 14:45:05:968 GetWbemServices: CoCreateInstance succeeded
USERENV(2a8.1e4) 14:45:05:983 ConnectToNameSpace: ConnectServer returned 0x0
USERENV(2a8.1e4) 14:45:06:046 LogExtSessionStatus: Successfully logged Extension Session data
USERENV(2a8.1e4) 14:45:06:046 CSessionLogger::Log: restoring old security grps
USERENV(2a8.1e4) 14:45:06:093 LogRsopData: Successfully logged Rsop data
USERENV(2a8.1e4) 14:45:06:093 ProcessGPOs: Logged Rsop Data successfully.
USERENV(2a8.1e4) 14:45:06:124 ProcessGPOs: OpenThreadToken failed with error 1008, assuming thread is not impersonating
USERENV(2a8.1e4) 14:45:06:124 ProcessGPOs: -----------------------
USERENV(2a8.1e4) 14:45:06:124 ProcessGPOs: Processing extension Registry
USERENV(2a8.1e4) 14:45:06:124 ReadStatus: Read Extension's Previous status successfully.
USERENV(2a8.1e4) 14:45:06:124 CompareGPOLists:  The lists are the same.
USERENV(2a8.1e4) 14:45:06:124 CheckGPOs: No GPO changes but called in force refresh flag or extension Registry needs to run force refresh in foreground processing
USERENV(2a8.1e4) 14:45:06:140 ProcessGPOList: Entering for extension Registry
USERENV(2a8.1e4) 14:45:06:140 ProcessGPOList: Passing in the force refresh flag to Extension Registry
USERENV(2a8.1e4) 14:45:06:171 LogExtSessionStatus: Successfully logged Extension Session data
USERENV(2a8.1e4) 14:45:06:171 EnterCriticalPolicySectionEx: Entering with timeout 60000 and flags 0x2
USERENV(2a8.1e4) 14:45:06:171 EnterCriticalPolicySectionEx: Machine critical section has been claimed.  Handle = 0xa38
USERENV(2a8.1e4) 14:45:06:186 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(2a8.1e4) 14:45:06:186 ResetPolicies: Entering.
USERENV(2a8.1e4) 14:45:06:186 ParseRegistryFile: Entering with <C:\Documents and Settings\All Users\ntuser.pol>.
USERENV(2a8.1e4) 14:45:06:218 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\
USERENV(2a8.1e4) 14:45:06:233 DeleteRegistryValue: Deleted Software\Policies\Microsoft\Windows\
USERENV(2a8.1e4) 14:45:06:374 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\ACRS\Certificates\
USERENV(2a8.1e4) 14:45:06:374 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\ACRS\CRLs\
USERENV(2a8.1e4) 14:45:06:390 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\ACRS\CTLs\
USERENV(2a8.1e4) 14:45:06:390 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\EFS\EFSBlob
USERENV(2a8.1e4) 14:45:06:390 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\E43FFA9F1535464C5981CCD944E748C761669647\Blob
USERENV(2a8.1e4) 14:45:06:390 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\EFS\CRLs\
USERENV(2a8.1e4) 14:45:06:390 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\EFS\CTLs\
USERENV(2a8.1e4) 14:45:06:390 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\Root\Certificates\
USERENV(2a8.1e4) 14:45:06:390 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\Root\CRLs\
USERENV(2a8.1e4) 14:45:06:405 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\Root\CTLs\
USERENV(2a8.1e4) 14:45:06:405 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\Trust\Certificates\
USERENV(2a8.1e4) 14:45:06:405 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\Trust\CRLs\
USERENV(2a8.1e4) 14:45:06:405 DeleteRegistryValue: Deleted Software\Policies\Microsoft\SystemCertificates\Trust\CTLs\
USERENV(2a8.1e4) 14:45:06:405 ParseRegistryFile: Leaving.
USERENV(2a8.1e4) 14:45:06:421 ResetPolicies: Leaving.
USERENV(2a8.1e4) 14:45:06:468 ParseRegistryFile: Entering with <\\MIANOD.com\SysVol\MIANOD.com\Policies\{CCCFEE19-8408-4084-A5D0-415B8C51EE1A}\Machine\registry.pol>.
USERENV(2a8.1e4) 14:45:07:155 ParseRegistryFile: Leaving.
USERENV(2a8.1e4) 14:45:07:452 AllocAdmFileInfo: Adding File name <\\MIANOD.com\SysVol\MIANOD.com\Policies\{CCCFEE19-8408-4084-A5D0-415B8C51EE1A}\Adm\conf.adm> to the Adm list.
USERENV(2a8.1e4) 14:45:07:608 AllocAdmFileInfo: Adding File name <\\MIANOD.com\SysVol\MIANOD.com\Policies\{CCCFEE19-8408-4084-A5D0-415B8C51EE1A}\Adm\inetres.adm> to the Adm list.
USERENV(2a8.1e4) 14:45:07:749 AllocAdmFileInfo: Adding File name <\\MIANOD.com\SysVol\MIANOD.com\Policies\{CCCFEE19-8408-4084-A5D0-415B8C51EE1A}\Adm\system.adm> to the Adm list.
USERENV(2a8.1e4) 14:45:07:905 AllocAdmFileInfo: Adding File name <\\MIANOD.com\SysVol\MIANOD.com\Policies\{CCCFEE19-8408-4084-A5D0-415B8C51EE1A}\Adm\wmplayer.adm> to the Adm list.
USERENV(2a8.1e4) 14:45:08:046 AllocAdmFileInfo: Adding File name <\\MIANOD.com\SysVol\MIANOD.com\Policies\{CCCFEE19-8408-4084-A5D0-415B8C51EE1A}\Adm\wuau.adm> to the Adm list.
USERENV(2a8.1e4) 14:45:08:046 ParseRegistryFile: Entering with <\\MIANOD.com\sysvol\MIANOD.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol>.
USERENV(2a8.1e4) 14:45:08:765 SetRegistryValue: EFSBlob was set successfully
USERENV(2a8.1e4) 14:45:08:780 SetRegistryValue: Blob was set successfully
USERENV(2a8.1e4) 14:45:08:796 ParseRegistryFile: Leaving.
USERENV(2a8.1e4) 14:45:09:093 AllocAdmFileInfo: Adding File name <\\MIANOD.com\sysvol\MIANOD.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\conf.adm> to the Adm list.
USERENV(2a8.1e4) 14:45:09:249 AllocAdmFileInfo: Adding File name <\\MIANOD.com\sysvol\MIANOD.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\inetres.adm> to the Adm list.

Author Comment

by:blkmworking
From looking at this I think the gpt00000.inf policy is copying empty values to the local policy, which is effectively clearing it out, causing massive GP errors and computer processing.

-----------------------------------------------------------------------------
Process GP template gpt00000.inf.

This is not the last GPO.
-------------------------------------------
Tuesday, March 06, 2007 2:17:35 AM
      Copy undo values to the merged policy.
---------------------------------------------------------------------------

What do you think?

Expert Comment

by:Netman66
It looks like that policy has loopback enabled.

It also appears the local Group Policy templates are not available.  This could be the permissions on the local System32\Group Policy hidden folder, but if it's happening across all systems then this is doubtful.

Policy is applied like so:

Local
Site
Domain
OU

Local is the first policy loaded, but if any settings are changed in other GPOs that affect the workstation or user that were set locally then these elements take precedence.

When it hits OU then it processes GPOs from highest to lowest OU in the inheritance tree where the closest OU to the object is applied last.

Setting things in the local Group Policy is not a generally accepted way to do things as it's the first policy that's overwritten.
0
 

Author Comment

by:blkmworking
THANK YOU!!!!! You have confirmed my suspicions.  I just checked the system32\Group Policy folder on several machines. Some are missing the folder completely and others don't have any policy files within the machine or user files.  What I'm thinking is that the ones that are missing the folder completely haven't been restarted since GP's start. The policy settings within

Make a local copy of \\DOMAIN>COM\SysVol\DOMAIN>COM\Policies\{CCCFEE19-8408-4084-A5D0-415B8C51EE1A

are "not configured" (which I know for a fact are not) with loopback enabled. The loopback enable setting is causing the local policy to be cleared out.
0
 

Author Comment

by:blkmworking
UPDATE--- I was not able to find an enabled loopback setting. All if not most of the workstation "System32\Group Policy" folders are not there. What would cause them to be deleted? This local file should have been there.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
Not sure.

0
 

Author Comment

by:blkmworking
Ok, I believe I have found the solution. It's not a loopback setting. This was shown in the USERENV.LOG file which said "Normal". This is caused by a merging of several policy restrictions and extensions (or templates). We have 3 GPOs acting on this one OU.

Default Domain Policy
Auto Updates
Nashville Security Policy

There are 2 policies that are responsible for my computer's performance issues, local policy being filtered out, and Outlook add-ins not working. I turned on userenv logging and ran a gpupdate /force and watched how the policies were applied from start to finish. The Default Domain and Nashville Security Policy both had imported default administration templates: conf, inetres, system, wmplayer, and wuau, which were left un-configured. The Software restriction was set on the Default and Nashville policy. Software restriction is applied by merging the policy settings.

I will update with my results once they are implemented.
0
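
Added example (not part of the original thread or any poster's code): the userenv.log review described in the post above, done with a small parser that reports, per GPO GUID, which registry values were written from registry.pol, how long the parse took, and which ADM templates were loaded. The sample lines are copied from the log excerpt posted in this thread; the line layout is inferred from those lines, and `summarize` and its field names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the userenv.log excerpt posted earlier in this thread.
SAMPLE = r"""
USERENV(2a8.1e4) 14:45:08:046 ParseRegistryFile: Entering with <\\MIANOD.com\sysvol\MIANOD.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol>.
USERENV(2a8.1e4) 14:45:08:765 SetRegistryValue: EFSBlob was set successfully
USERENV(2a8.1e4) 14:45:08:780 SetRegistryValue: Blob was set successfully
USERENV(2a8.1e4) 14:45:08:796 ParseRegistryFile: Leaving.
USERENV(2a8.1e4) 14:45:09:093 AllocAdmFileInfo: Adding File name <\\MIANOD.com\sysvol\MIANOD.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\conf.adm> to the Adm list.
USERENV(2a8.1e4) 14:45:09:249 AllocAdmFileInfo: Adding File name <\\MIANOD.com\sysvol\MIANOD.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\inetres.adm> to the Adm list.
"""

# Layout inferred from the sample: USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE = re.compile(r"USERENV\(([0-9a-f]+\.[0-9a-f]+)\) (\d\d:\d\d:\d\d:\d{3}) (\w+): (.*)")
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def summarize(text):
    """Per GPO GUID: values written from registry.pol, parse time in ms, ADM files loaded."""
    gpos, open_parse = {}, {}          # open_parse: thread id -> (entry, start time)
    for raw in text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:
            continue                   # blank or unrecognised line
        thread, stamp, func, msg = m.groups()
        ts = datetime.strptime(stamp, "%H:%M:%S:%f")
        guid = GUID.search(msg)
        entry = None
        if guid:
            entry = gpos.setdefault(guid.group().upper(),
                                    {"values": [], "adm": [], "parse_ms": None})
        if func == "ParseRegistryFile" and msg.startswith("Entering") and entry is not None:
            open_parse[thread] = (entry, ts)
        elif func == "SetRegistryValue" and thread in open_parse:
            # Attribute the write to the registry.pol this thread is currently parsing.
            open_parse[thread][0]["values"].append(msg.split(" was set")[0])
        elif func == "ParseRegistryFile" and msg.startswith("Leaving") and thread in open_parse:
            owner, start = open_parse.pop(thread)
            owner["parse_ms"] = (ts - start) // timedelta(milliseconds=1)
        elif func == "AllocAdmFileInfo" and entry is not None:
            entry["adm"].append(msg.rsplit("\\", 1)[-1].split(">")[0])
    return gpos

if __name__ == "__main__":
    for gpo, info in summarize(SAMPLE).items():
        print(gpo, info)
```

The GUID in the sample, {31B2F340-016D-11D2-945F-00C04FB984F9}, is the well-known identifier of the Default Domain Policy. Timestamps carry no date, so a log that crosses midnight needs the date handled separately.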
 

Author Comment

by:blkmworking
Solution:

Software restriction on either Nashville Security Policy. They were configured with no settings or at one time had configurations. These configurations were registry edits which were out of Microsoft's normal scope. Since the current GP admin didn't know of these settings, he erased the policies without reversing them. This tattooed our systems. We attempted to set the Nashville policy to defaults with no change. Then we created a new policy with known correct configs. I then replaced the troubled boxes with no re-occurrences of the issue. The Outlook add-in worked after rebuilding the user's profile which didn't work before the GP changes.
0
