We help IT Professionals succeed at work.

Group Policy only applies on Restarts

1,088 Views
Last Modified: 2009-05-07
Hello,

i'm kind of at a loss here, group policy settings only apply after a reboot of the machine.  
Ran User Profile Hive Cleanup Service
Tried gpupdate /force - times out with: User Policy Refresh has not completed in the expected time. Exiting... User Policy Refresh has completed. Computer Policy Refresh has not completed in the expected time. Exiting...
Computer Policy Refresh has completed.
Tried gpupdate /target:user - same error for user settings only
tried gpupdate /target:computer - same error for computer settings only


Enviroment:
2 server 2003 DC
DCDiags check out just fine
Nslookups check out fine


Usernv.log
USERENV(2f4.2f8) 18:03:41:906 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 18:03:41:921 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 18:03:41:921 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.380) 18:03:43:093 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 18:03:43:093 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3f0) 18:03:43:390 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3f0) 18:03:43:390 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(900.a1c) 18:04:35:082 LoadUserProfile: Failed to impersonate user with 5.
USERENV(518.edc) 18:12:37:469 GetUserNameAndDomain:  MyGetUserNameEx failed for NT4 style name with 1115
USERENV(2f4.2f8) 18:14:46:703 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 18:14:46:718 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 18:14:46:718 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.3dc) 18:14:47:906 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3dc) 18:14:47:906 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 18:14:48:234 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 18:14:48:234 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(b38.bac) 18:15:19:187 LoadUserProfile: Failed to impersonate user with 5.
USERENV(1ec.e1c) 18:34:51:342 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(1ec.e1c) 18:34:51:810 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(2f4.c98) 22:19:16:681 PolicyChangedThread: UpdateUser failed with 1008.
USERENV(2f4.2f8) 22:27:37:031 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 22:27:37:031 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 22:27:37:031 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.3a4) 22:27:37:765 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3a4) 22:27:37:765 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 22:27:38:078 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 22:27:38:078 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(99c.9d8) 22:28:02:437 LoadUserProfile: Failed to impersonate user with 5.
USERENV(bc8.638) 22:47:40:974 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(bc8.638) 22:47:41:395 ProcessAutoexec: Cannot process autoexec.bat.


Note* Other group policies apply succesfully

Let me know if you need more information...
Comment
Watch Question

Commented:
I haven't seen that error before but I'd start with checking DNS, not just nslookups but review the SRV records on the servers, and also the Sysvol permissions.  Perhaps try logging in with a different user account - do you get the same errors?

Author

Commented:
I have checked my dns, and I see all my SRV records in the respective places.
Logged in with domain admin, still times out.

Sysol permissions are
Administrators, System - FC
Authenticated Users, List, Read & Exec

I would believe it would be a DNS issue, but other Policies apply succesfully?

Author

Commented:
I moved the computer account and the user account to a test OU and applied the GPO. Attempted gpupdate /force and still times out. Perhaps it is related from a setting from the group policy?

Guess i'm just not hitting something...

Author

Commented:
I used the Hive Clean up Service and ran gpupdate /target:user and it runs under the new GPO that has been applied. Still times out on the computer.


HELP!!!!

Commented:
Is the time-out an across-the-board behavior (all clients) or just on some?

Author

Commented:
The time out is across-the-board for the ou's under that GPO. Its frustrating because the previous sys admin before me used the default domain policy and just through everyone underneath it and applied some pretty strong settings from top to bottom.

Commented:
Here is a checklist for GPOs:

____http://support.microsoft.com/kb/887303

Since you are running into UserNV time outs, I think you may have a problem with the list of prefered DNS servers on the client's NIC. They should be pointing to only intra-LAN DNS servers, (your DNS server).
______________________________________________________________________________
In a VPN world:
Group policy is not shared out as you might have originally thought. It is shared out through DFS. DFS uses netbios/WINS, instead of FQDN names/DNS. However, DNS is important for the Active directory Permissions side of things.

On this page you can see what ports DFS uses:
http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx

You may experience problems with the following if you have a Netbios problem.
****NOTE: netbios is not routeable. So it will not go over NAT or through a VPN tunnel without a transport, like WINS.

1) DFS (Distributive file shares will share out Group policies)
2) Browser service (The browser service internally uses netbios broadcasts and going to different subnets uses WINS)
3) Fax service
4) license logging service
5) netlogon
6) messanger
7) performance logs and alerts
8) Print spooler
9) RPC locator
10) server service
11) system management server
12) WINS of course

With that said, you might be able to route most everything over DNS. For instance DFS (distributive file service) can use DNS.
http://support.microsoft.com/kb/244380
____________________________________________________________________________
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Commented:
Oh man, Background Refresh!  Sorry ghpap, that setting never crossed my mind.  Thanks for posting an update.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.