drewdat

GPOs not updating settings and GPUPDATE not completed in expected time

I'm having a few different issues with my GPOs and I'm not sure if they are related or not.  I have a domain with two Windows 2003 R2 Ent. DCs and approximately 75 PCs.  I've never noticed issues with my GPOs until recently when I wanted to push out some changes to the Windows Firewall.  The majority of my PCs are Windows XP SP3.  When I run gpresult it shows that the correct policy is being applied and when I run rsop.msc I find the correct settings for the firewall.  However, when I open up Windows Firewall, the changes haven't been made.  

While I was testing this, I tried running gpupdate and found that on the XP PCs it times out with:
   User Policy Refresh has not completed in the expected time. Exiting...
   User Policy Refresh has completed.
   Computer Policy Refresh has not completed in the expected time. Exiting...
   Computer Policy Refresh has completed.

I placed a test PC and user in an OU that only has one applied GPO (default domain policy which includes both user and computer settings).  When I run gpupdate /target:user it completes successfully but /target:computer times out.

I'm not sure if these two are related.  I'm more concerned about not being able to change the Firewall settings with a GPO.

Any help is appreciated. Thanks.
Mike Kline

Turn up userenv logging
http://support.microsoft.com/kb/221833
Just trying to figure out where the delay/timeout is coming from
Log reporter makes it easier to read those logs
http://www.sysprosoft.com/policyreporter.shtml
Thanks
Mike
btrivett

Have you already consulted the following MS TechNet article?
http://technet.microsoft.com/en-us/library/bb490626.aspx

Among other things, that article says the following:

Group Policy Settings in Mixed Windows XP Environments        

A mixed Windows XP environment is one in which there are both Windows XP with SP1 or Windows XP with no service packs installed and Windows XP with SP2-based computers present. For computers running Windows XP with SP1 or Windows XP with no service packs installed, the only way to control Windows Firewall behavior through Group Policy is to use the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting in Computer Configuration/Administrative Templates/Network/Network Connections. This Group Policy setting is still present when Group Policy objects are updated for the new Windows Firewall settings. Computers running Windows XP with SP1 or Windows XP with no service packs installed only implement the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting.        

Computers running Windows XP with SP2 implement both the Prohibit use of Internet Connection Firewall on your DNS domain network setting and the new Windows Firewall settings in the following way:                      

If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and there are no changes to the default values of the new Windows Firewall settings, then Windows Firewall is disabled when connected to the network from which the Group Policy object was obtained.          
             
If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and the Windows Firewall: Protect all network connections setting is enabled, then Windows Firewall is enabled when connected to the network from which the Group Policy object was obtained with new Windows Firewall settings.          



drewdat

ASKER

MKLINE71:
I just removed the User Profile Hive Cleanup Service (which I had installed earlier due to a recommendation I read somewhere) and installed the policy reporter and now the GPUPDATE finishes on the test PC.  That seems a little odd to me.  I'm going to start linking the other policies to my test OU and see if any cause it to time out.

BTRIVETT:
I'm looking through my GPOs and I have one GPO with Prohibit use of Internet Connection Firewall on your DNS domain network ENABLED.  I have another GPO with Windows Firewall: Protect all network connections ENABLED.  Both GPOs are linked to the same OU in which all of my PCs reside.

Are you using roaming profiles (is that why you had UPH clean)?  It would be interesting to install it again and see if you get the same issues.
Thanks
Mike
drewdat

ASKER

I'm not using roaming profiles... I just read about UPH clean and installed it.  Didn't really understand what all it was for.  I just reinstalled it and gpupdate still works.  Come to think of it, it was not working at first just like the rest of our PCs, then I removed the PC and user and put them in a test OU with only the default GPO linked, and then gpupdate worked at first and then stopped working for no apparent reason.  Now it's working again.  Crazy.  I'm going to start linking GPOs and see if it breaks on one of them.
drewdat

ASKER

Something screwy is going on here.  I started adding back GPOs to the Test OU and kept doing gpupdate with no issues.  I rebooted and still no issues with gpupdate.  Eventually I added back all of the GPOs (I checked gpresult and they were all there) and still no issues, so I moved the PC back to the OU with all the other desktops, rebooted, and tried to do gpupdate but to no avail.  So I moved it back to the test OU, still didn't work.  So I unlinked all of the GPOs and still gpupdate times out.  I'm waiting for it to refresh right now and then I'll post logs from userenv.  Is there a particular section I should post?

Have you tried restarting the computer after a gpupdate?

Restart then try gpupdate /target:computer /force logging in as local admin. yes, local admin.

Then restart again.

You can also check to see if the group policy database is corrupt.
http://www.lockergnome.com/windows/2005/02/04/corrupt-group-policy-database-file/
drewdat

ASKER

OriNetworks:
I tried out your suggestion.  It appears that if the PC is in an OU that is not associated with any GPOs other than the default domain policy then I can run gpupdate /target:computer /force as a local admin.  When I move the PC to an OU that has other associated GPOs then running gpupdate /target:computer /force as a local admin fails (gpupdate /target:user /force fails too).  It gets a little hairy when I'm moving the PC back and forth between OUs as it seems that the gpupdate results aren't always consistent, but I think what I said above is true for the most part.

I also looked at the event logs on the local PC for indications of a corrupt group policy but didn't find anything.  

I tried looking through the userenv logs (I have verbose logging enabled) but I don't really see much going on when I run gpupdate.  

This is all I see when it times out:
USERENV(1e0.1e4) 12:14:18:585 LibMain: Process Name:  C:\WINDOWS\system32\gpupdate.exe
USERENV(1e0.1e8) 12:14:18:632 RefreshPolicyEx: Entering with force refresh 1
USERENV(1e0.1e8) 12:14:18:632 RefreshPolicyEx: Leaving.
USERENV(27c.2a4) 12:16:57:798 LibMain: Process Name:  C:\WINDOWS\system32\eventvwr.exe
USERENV(2fc.300) 12:16:58:329 LibMain: Process Name:  C:\WINDOWS\system32\mmc.exe
USERENV(2fc.300) 12:17:23:519 GetProfileType:  Profile already loaded.
USERENV(2fc.300) 12:17:23:519 GetProfileType: ProfileFlags is 0
USERENV(6cc.6d4) 12:27:03:678 LibMain: Process Name:  C:\WINDOWS\system32\gpupdate.exe
USERENV(6cc.6e0) 12:27:03:709 RefreshPolicyEx: Entering with force refresh 0
USERENV(6cc.6e0) 12:27:03:709 RefreshPolicyEx: Leaving.
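
Added example (not part of the original thread): a small Python parser for the userenv.log line format shown in the excerpt above, which flags gpupdate refresh requests that are not followed by any policy-engine entry. The `ProcessGPOs` marker name and the last sample line are assumptions; set the marker to whatever a healthy machine on your network logs.

```python
import re

# Format as seen in the excerpt: USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.[0-9a-f]+\)\s+"
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s*(?P<msg>.*)$", re.IGNORECASE)

def parse(text):
    """Yield (pid, ms_since_midnight, func, msg) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            secs = (int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])
            yield m["pid"].lower(), secs * 1000 + int(m["ms"]), m["func"], m["msg"].strip()

def refresh_requests(text, window_ms=600_000, marker="ProcessGPOs"):
    """One dict per gpupdate refresh request. 'processed' is True when a
    `marker` entry (assumed sign of engine activity) follows within
    window_ms; 600 s is gpupdate's default /wait. Single-day logs only."""
    events = list(parse(text))
    gpupdate_pids = {pid for pid, _, func, msg in events
                     if func == "LibMain" and msg.lower().endswith("gpupdate.exe")}
    found = []
    for pid, t, func, msg in events:
        if pid in gpupdate_pids and func == "RefreshPolicyEx" and msg.startswith("Entering"):
            processed = any(f == marker and t <= t2 <= t + window_ms
                            for _, t2, f, _ in events)
            found.append({"pid": pid, "time_ms": t,
                          "force": msg.endswith("1"), "processed": processed})
    return found

# The gpupdate lines are copied from the post above; the final ProcessGPOs
# line is constructed to show a request that the policy engine picked up.
SAMPLE = r"""
USERENV(1e0.1e4) 12:14:18:585 LibMain: Process Name:  C:\WINDOWS\system32\gpupdate.exe
USERENV(1e0.1e8) 12:14:18:632 RefreshPolicyEx: Entering with force refresh 1
USERENV(1e0.1e8) 12:14:18:632 RefreshPolicyEx: Leaving.
USERENV(6cc.6d4) 12:27:03:678 LibMain: Process Name:  C:\WINDOWS\system32\gpupdate.exe
USERENV(6cc.6e0) 12:27:03:709 RefreshPolicyEx: Entering with force refresh 0
USERENV(2a4.5b0) 12:27:04:100 ProcessGPOs: Starting computer Group Policy processing
"""

if __name__ == "__main__":
    for req in refresh_requests(SAMPLE):
        state = "engine activity logged" if req["processed"] else "NO engine activity"
        print(f"gpupdate pid {req['pid']} force={req['force']}: {state}")
```
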
drewdat

ASKER

I've installed UPH clean, uninstalled it and then reinstalled it (as I stated above) but it appears to have no effect.  I checked out the MS KB and I'm not seeing those errors in my Event log.
drewdat

ASKER

Well I figured it out and both issues (gpupdate time out and Firewall setting not propagating through GPO) were related. Here is how I figured it out:

I went back to adding GPOs to my OU one at a time and made an odd discovery (maybe it's common knowledge to others).  I am now certain I know which one of my GPOs is causing the gpupdate issue.  I thought I knew which one was causing the problem earlier but I wasn't getting consistent results.  Until I found this pattern:
1. Remove problem GPO and reboot
 - gpupdate /target:user  -  completes
 - gpupdate /target:computer - times out
 - Firewall settings not updated
2. Reboot a 2nd time
 - gpupdate /target:user  -  completes
 - gpupdate /target:computer - completes
 - Firewall settings updated
3. Add back problem GPO and reboot
 - gpupdate /target:user  -  times out
 - gpupdate /target:computer - completes
4. Reboot a 2nd time
 - gpupdate /target:user  -  times out
 - gpupdate /target:computer - times out

I just repeated the above scenario 3 times in a row and then tried it on multiple PCs with consistent results.  It appears that the user policy is refreshed after one reboot but it takes two reboots to refresh the computer policy (or at least to cause/fix the gpupdate issue and propagation of firewall settings).  If this wasn't the case I would have found the trouble GPO two days ago.  Like I said, maybe this is common knowledge, but I've been searching through lots of forums and websites the past week on this issue and I never ran across it.  Maybe someone else will find it helpful.  

Now I just need to figure out which setting in my GPO is causing the problem, but that shouldn't be a big deal.

Thanks for the help.

Drew

I don't think it is common knowledge....well done!!

Congrats and thanks for sharing!

I think it would be good to keep this question so others know to follow this procedure if they run into a problem like this. Maybe the author's last post could be marked as the answer and hopefully let us know exactly what setting in the GPO was wrong.

ASKER CERTIFIED SOLUTION
DataBitz
This solution is only available to members.
drewdat

ASKER

Good call DataBitz.  This was the setting in my GPO that was causing problems.  After my discovery yesterday, and before disabling this setting, I started rebooting the PCs with my problem GPO twice and noticed that my firewall settings updated after the second reboot, but gpupdate still did not work.  Then I saw your post and disabled that setting.  Now after one reboot gpupdate works and the firewall settings that I changed in the GPO get updated.  If this setting is enabled, GPUPDATE will not work and it appears that GPO computer policies will not take effect until the computer is rebooted twice.