Solved

GPOs not updating settings and GPUPDATE not completed in expected time

Posted on 2009-05-05
Last Modified: 2013-12-04
I'm having a few different issues with my GPOs and I'm not sure if they are related or not.  I have a domain with two Windows 2003 R2 Ent. DCs and approximately 75 PCs.  I've never noticed issues with my GPOs until recently when I wanted to push out some changes to the Windows Firewall.  The majority of my PCs are Windows XP SP3.  When I run gpresult it shows that the correct policy is being applied and when I run rsop.msc I find the correct settings for the firewall.  However, when I open up Windows Firewall, the changes haven't been made.  

While I was testing this, I tried running gpupdate and found that on the XP PCs it times out with:
   User Policy Refresh has not completed in the expected time. Exiting...
   User Policy Refresh has completed.
   Computer Policy Refresh has not completed in the expected time. Exiting...
   Computer Policy Refresh has completed.

I placed a test PC and user in an OU that only has one applied GPO (default domain policy which includes both user and computer settings).  When I run gpupdate /target:user it completes successfully but /target:computer times out.

I'm not sure if these two are related.  I'm more concerned about not being able to change the Firewall settings with a GPO.

Any help is appreciated. Thanks.
Question by:drewdat
18 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24308727
Turn up userenv logging
http://support.microsoft.com/kb/221833
Just trying to figure out where the delay/timeout is coming from
Log reporter makes it easier to read those logs
http://www.sysprosoft.com/policyreporter.shtml
Thanks
Mike
0
 
LVL 3

Expert Comment

by:btrivett
ID: 24308794
Have you already consulted the following MS TechNet article?
http://technet.microsoft.com/en-us/library/bb490626.aspx

Among other things, that article says the following:

Group Policy Settings in Mixed Windows XP Environments        

A mixed Windows XP environment is one in which there are both Windows XP with SP1 or Windows XP with no service packs installed and Windows XP with SP2-based computers present. For computers running Windows XP with SP1 or Windows XP with no service packs installed, the only way to control Windows Firewall behavior through Group Policy is to use the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting in Computer Configuration/Administrative Templates/Network/Network Connections. This Group Policy setting is still present when Group Policy objects are updated for the new Windows Firewall settings. Computers running Windows XP with SP1 or Windows XP with no service packs installed only implement the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting.        

Computers running Windows XP with SP2 implement both the Prohibit use of Internet Connection Firewall on your DNS domain network setting and the new Windows Firewall settings in the following way:                      

If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and there are no changes to the default values of the new Windows Firewall settings, then Windows Firewall is disabled when connected to the network from which the Group Policy object was obtained.          
             
If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and the Windows Firewall: Protect all network connections setting is enabled, then Windows Firewall is enabled when connected to the network from which the Group Policy object was obtained with new Windows Firewall settings.          



0
 

Author Comment

by:drewdat
ID: 24309147
MKLINE71:
I just removed the User Profile Hive Cleanup Service (which I had installed earlier due to a recommendation I read somewhere) and installed the policy reporter and now the GPUPDATE finishes on the test PC.  That seems a little odd to me.  I'm going to start linking the other policies to my test OU and see if any cause it to timeout.

BTRIVETT:
I'm looking through my GPOs and I have one GPO with Prohibit use of Internet Connection Firewall on your DNS domain network ENABLED.  I have another GPO with Windows Firewall: Protect all network connections ENABLED.  Both GPOs are linked to the same OU in which all of my PCs reside.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24309188
Are you using roaming profiles (is that why you had UPH clean)?  It would be interesting to install it again and see if you get the same issues.
Thanks
Mike
0
 

Author Comment

by:drewdat
ID: 24309267
I'm not using roaming profiles... I just read about UPH clean and installed it.  Didn't really understand what all it was for.  I just reinstalled it and gpupdate still works.  Come to think of it, it was not working at first just like the rest of our PCs then I removed the PC and user and put them in a test OU with only the default GPO linked and then gpupdate worked at first and then stopped working for no apparent reason.  Now it's working again.  Crazy.  I'm going to start linking GPOs and see if it breaks on one of them.
0
 

Author Comment

by:drewdat
ID: 24309755
Something screwy is going on here.  I started adding back GPOs to the Test OU and kept doing gpupdate with no issues.  I rebooted and still no issues with gpupdate.  Eventually I added back all of the GPOs (I checked gpresult and they were all there) and still no issues, so I moved the PC back to the OU with all the other desktops, rebooted, and tried to do gpupdate but to no avail.  So I moved it back to the test OU, still didn't work.  So I unlinked all of the GPOs and still gpupdate times out.  I'm waiting for it to refresh right now and then I'll post logs from userenv.  Is there a particular section I should post?
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24310293
Have you tried restarting the computer after a gpupdate?

Restart then try gpupdate /target:computer /force logging in as local admin. Yes, local admin.

Then restart again.

You can also check to see if the group policy database is corrupt.
http://www.lockergnome.com/windows/2005/02/04/corrupt-group-policy-database-file/
0
 

Author Comment

by:drewdat
ID: 24317477
OriNetworks:
I tried out your suggestion.  It appears that if the PC is in an OU that is not associated with any GPOs other than the default domain policy then I can run gpupdate /target:computer /force as a local admin.  When I move the PC to an OU that has other associated GPOs then running gpupdate /target:computer /force as a local admin fails (gpupdate /target:user /force fails too).  It gets a little hairy when I'm moving the PC back and forth between OUs as it seems that the gpupdate results aren't always consistent, but I think what I said above is true for the most part.

I also looked at the event logs on the local PC for indications of a corrupt group policy but didn't find anything.  

I tried looking through the userenv logs (I have verbose logging enabled) but I don't really see much going on when I run gpupdate.

This is all I see when it times out:
USERENV(1e0.1e4) 12:14:18:585 LibMain: Process Name:  C:\WINDOWS\system32\gpupdate.exe
USERENV(1e0.1e8) 12:14:18:632 RefreshPolicyEx: Entering with force refresh 1
USERENV(1e0.1e8) 12:14:18:632 RefreshPolicyEx: Leaving.
USERENV(27c.2a4) 12:16:57:798 LibMain: Process Name:  C:\WINDOWS\system32\eventvwr.exe
USERENV(2fc.300) 12:16:58:329 LibMain: Process Name:  C:\WINDOWS\system32\mmc.exe
USERENV(2fc.300) 12:17:23:519 GetProfileType:  Profile already loaded.
USERENV(2fc.300) 12:17:23:519 GetProfileType: ProfileFlags is 0
USERENV(6cc.6d4) 12:27:03:678 LibMain: Process Name:  C:\WINDOWS\system32\gpupdate.exe
USERENV(6cc.6e0) 12:27:03:709 RefreshPolicyEx: Entering with force refresh 0
USERENV(6cc.6e0) 12:27:03:709 RefreshPolicyEx: Leaving.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24317786
Would you like to try downloading the utility suggested in this other EE post? http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_22157505.html
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24317822
0
 

Author Comment

by:drewdat
ID: 24318133
I've installed UPH clean, uninstalled it and then reinstalled it (as I stated above) but it appears to have no effect.  I checked out the MS KB and I'm not seeing those errors in my Event log.
0
 

Author Comment

by:drewdat
ID: 24328694
Well I figured it out and both issues (gpupdate time out and Firewall setting not propagating through GPO) were related. Here is how I figured it out:

I went back to adding GPOs to my OU one at a time and made an odd discovery (maybe it's common knowledge to others).  I am now certain I know which one of my GPOs is causing the gpupdate issue.  I thought I knew which one was causing the problem earlier but I wasn't getting consistent results.  Until I found this pattern:
1. Remove problem GPO and reboot
 - gpupdate /target:user  -  completes
 - gpupdate /target:computer - times out
 - Firewall settings not updated
2. Reboot a 2nd time
 - gpupdate /target:user  -  completes
 - gpupdate /target:computer - completes
 - Firewall settings updated
3. Add back problem GPO and reboot
 - gpupdate /target:user  -  times out
 - gpupdate /target:computer - completes
4. Reboot a 2nd time
 - gpupdate /target:user  -  times out
 - gpupdate /target:computer - times out

I just repeated the above scenario 3 times in a row and then tried it on multiple PCs with consistent results.  It appears that the user policy is refreshed after one reboot but it takes two reboots to refresh the computer policy (or at least to cause/fix the gpupdate issue and propagation of firewall settings).  If this wasn't the case I would have found the trouble GPO two days ago.  Like I said, maybe this is common knowledge, but I've been searching through lots of forums and websites the past week on this issue and I never ran across it.  Maybe someone else will find it helpful.  

Now I just need to figure out which setting in my GPO is causing the problem, but that shouldn't be a big deal.

Thanks for the help.

Drew
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24329551
I don't think it is common knowledge....well done!!
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24331970
Congrats and thanks for sharing!
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24331982
I think it would be good to keep this question so others know to follow this procedure if they run into a problem like this. Maybe the author's last post could be marked as the answer and hopefully let us know exactly what setting in the GPO was wrong.
0
 
LVL 2

Accepted Solution

by:
DataBitz earned 500 total points
ID: 24332213
Check to make sure you haven't enabled the group policy setting
Disable background refresh of Group Policy
Computer Configuration\Administrative Templates\System\Group Policy\

"Prevents Group Policy from being updated while the computer is in use. This policy applies to Group Policies for computers, users, and domain controllers."
This setting gives the same result you are seeing when you run GPUPDATE
0
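
The check described in the accepted solution, as an added example that is not part of the original thread or of DataBitz's post: a PowerShell audit that reads the registry value this policy writes (`DisableBkGndGroupPolicy` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System`) on a list of machines. The computer names are placeholders, and it assumes the Remote Registry service is reachable on each target and that you run it with administrative rights there.

```powershell
# Added example: find machines where "Disable background refresh of Group Policy"
# has been applied, by reading the policy's registry value remotely.
# Assumptions: computer names are placeholders; Remote Registry is reachable.
$Computers = @('PC-TEST-01', 'PC-TEST-02')   # hypothetical names

$KeyPath   = 'SOFTWARE\Policies\Microsoft\Windows\System'
$ValueName = 'DisableBkGndGroupPolicy'

function Get-BackgroundRefreshState {
    param([string]$ComputerName)

    $result = New-Object PSObject -Property @{
        Computer = $ComputerName
        State    = 'Unknown'
        RawValue = $null
    }
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hklm.OpenSubKey($KeyPath)
        if ($null -eq $key) {
            # Policy key absent: no GPO has written this setting
            $result.State = 'Not configured'
        } else {
            $value = $key.GetValue($ValueName, $null)
            $result.RawValue = $value
            if ($null -eq $value) { $result.State = 'Not configured' }
            elseif ($value -eq 1) { $result.State = 'Background refresh DISABLED' }
            else                  { $result.State = 'Background refresh allowed' }
            $key.Close()
        }
        $hklm.Close()
    } catch {
        # Host offline, service stopped, or access denied
        $result.State = "Unreachable: $($_.Exception.Message)"
    }
    return $result
}

$Computers | ForEach-Object { Get-BackgroundRefreshState -ComputerName $_ } |
    Select-Object Computer, State, RawValue | Format-Table -AutoSize
```

A machine reported as DISABLED will only pick up computer policy changes, such as firewall settings, at startup or logon, which matches the behaviour described in this thread.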
 

Author Closing Comment

by:drewdat
ID: 31579505
Good call DataBitz.  This was the setting in my GPO that was causing problems.  After my discovery yesterday, and before disabling this setting, I started rebooting the PCs with my problem GPO twice and noticed that my firewall settings updated after the second reboot, but gpupdate still did not work.  Then I saw your post and disabled that setting.  Now after one reboot gpupdate works and the firewall settings that I changed in the GPO get updated.  If this setting is enabled, GPUPDATE will not work and it appears that GPO computer policies will not take effect until the computer is rebooted twice.
0
