Solved

Active Directory Group Policy issues

Posted on 2009-05-08
Last Modified: 2012-05-06
Hello,

just created a group policy within a test Organizational Unit aimed to distribute a package (namely Symantec Enterprise Vault plugins) to a lot of XP users. It's intended to be a computer group policy, not a user group policy. But it's not processed and in the Event Viewer I visualize these entries in sequence:

Event ID 101
"The assignment of application XXX from policy YYY
failed. The error was : The group policy framework should call the
extension in the synchronous foreground policy refresh."

Event ID 103
"The removal of the assignment of application XXX from policy
YYY failed. The error was : The group policy framework should
call the extension in the synchronous foreground policy refresh."

Event ID 108
"Failed to apply changes to software installation settings. Software
installation policy application has been delayed until the next logon
because an administrator has enabled logon optimization for group
policy. The error was : The group policy framework should call the
extension in the synchronous foreground policy refresh"

Before these errors I get an information entry that apparently points out that the GP is going to be processed, but suddenly it's aborted with the Event IDs above. I'm pretty sure it's kinda classic scenario many of you expert guys have met many times; so what's your immediate, resolutive suggestion? :-)

Many thx in advance!
0
Question by:GreenLeaf_61
16 Comments
 
LVL 5

Expert Comment

by:ssmith764
ID: 24339987
The Evault plugins must be deployed to machines - not users - as you have already noted. I know from experience that they will not deploy to users.
The events you are seeing are caused by the 'optimised logon' feature of Windows XP which does not always wait for the network to be available at startup so the machine will log in faster. Usually the policy will run if you restart the machine again. If it is an ongoing problem you can apply a group policy setting which *I think* is in computer settings > administrative templates > network. The setting is 'always wait for network at logon'.
0
 

Author Comment

by:GreenLeaf_61
ID: 24340474
Thx for your suggestion, I'll try it but, obviously, not before Monday at Customer's site!

More about it asap.
0
 
LVL 42

Expert Comment

by:paulsolov
ID: 24344883
The "always wait for network logon" usually does the trick, especially for wireless users. Are you deploying this via startup script or msi package? Don't forget to use /q for quiet mode.

0
 

Author Comment

by:GreenLeaf_61
ID: 24349163
Paulsolov,

I'm deploying this via msi package; as for /q for quiet mode, may you please show me how to use it in a more detailed way?

Many thx.
0
 
LVL 42

Expert Comment

by:paulsolov
ID: 24350081
The quiet mode is only if you're running it as a startup script. If you're deploying it as an msi package, ensure that the user doesn't get prompted.
0
 

Author Comment

by:GreenLeaf_61
ID: 24353053
Hi guys,

this morning I tried the solution suggested by ssmith764 but apparently without success! The only difference is, the error in Event Viewer is changed, actually instead of the sequence 101-103-108 (they were WARNINGS, not ERRORS) I get in sequence 102-108. 102 is indeed an ERROR, and it says "The assignment of application XXX from policy YYY failed. The error was, the installation source for this product is not available. Verify that the source exists and that you can access it". Note a couple of facts that could be helpful to understand what really happens:

- I'm not currently using the NetLogon share of domain controller as a repository of the .msi Enterprise Vault plugin I want to distribute, I'm using another generic share on the EV Server to which I granted Full Access for SYSTEM user; is it correct?

- In the Event Viewer just before getting ERROR ID 102 I get an Information (ID 301) which states that the Policy Group was assigned CORRECTLY to the XP workstation (actually a virtual one which I'm using for testing); but in a few seconds I get ERROR ID 102 (formerly I got WARNING ID 101, still preceded by Information ID 301).

Have you got any more tips for me? In case the only solution is, using Netlogon share of Domain Controller for distributing the package, it definitely would mean bad news since the Customer already told me he has no intentions at all to use it for software distribution, for security and best practice reasons I do not annoy you in describing now... :-(
0
 
LVL 5

Accepted Solution

by:
ssmith764 earned 500 total points
ID: 24353116
Do not use the Netlogon share for software distribution. Use the share you have already created and allow the group of machines or users you want to apply the policy to 'read access'. If you are not filtering who the policy applies to, just allow the group 'authenticated users' read access as this means machines and users. Remember to allow read access in the share permissions as well as the NTFS permissions.
0
 

Author Comment

by:GreenLeaf_61
ID: 24353725
ssmith764, thx for your attention. But unfortunately, still ERROR 102 followed by ERROR 108.

I have placed EV plugin here:

C:\Install\PluginEV

on the EV Server. The directory above is shared, with permissions for Administrators (Full Control), Authenticated Users (read, read/execute, list folder contents), Domain Computers (Full Control), Everyone (Full Control), System (Full Control), Users (Full Control).

As for Sharing, the directory above has permissions for Authenticated users (Read), Domain Computers (Full Control), Everyone (Full Control), System (Full Control); Caching has the default parametrization selected "only files and programs that users specify are available offline".

Finally, EVClient_it.msi, the file inside C:\install\PluginEV, has permissions identical to the ones for the share C:\Install\PluginEV depicted above. To the Policy Group associated with the test OU I'm using I cancelled Logon Optimization as you suggested last Friday; actually the only computer included in such an OU is the virtual machine I'm using for test and troubleshooting (in fact I simply shut down and resume the virtual workstation in order to check if I get any change at Event Viewer level each time I change the share/Group policy configuration...).

What else?!? Keep in mind I'm really a newbie to AD environment so please, in figuring out what could be the problem don't keep anything for sure, I could have forgotten even the most trivial configuration parameter! :-)
0
 
LVL 5

Expert Comment

by:ssmith764
ID: 24354002
When you add the software location in the group policy, have you specified the path as \\servername\sharename\EVClient_it.msi?
Also be careful with the permissions in your live environment. You don't want to allow 'everyone' full control on shares.
0
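The two permission layers from the accepted answer (share and NTFS), together with the caution above about 'Everyone' full control, can be checked in one pass. This is an added example, not part of the original thread; it assumes it is run on the file server, a Windows version with the SmbShare module (Windows 8 / Server 2012 or later), and English account names.

```powershell
# Added example (not from the thread): audit the distribution share's two ACL layers.
# 'PluginEV' is the share name used in this thread; the principal lists are assumptions.
param(
    [string]$ShareName = 'PluginEV',
    [string[]]$Readers = @('NT AUTHORITY\Authenticated Users')  # must be able to read
)

$fsr      = [System.Security.AccessControl.FileSystemRights]
$share    = Get-SmbShare -Name $ShareName -ErrorAction Stop
$shareAcl = @(Get-SmbShareAccess -Name $ShareName)
$ntfsAcl  = @((Get-Acl -LiteralPath $share.Path).Access)
$findings = @()

foreach ($who in $Readers) {
    # Layer 1: share permissions need an Allow entry (Read, Change or Full).
    $s = $shareAcl | Where-Object {
        $_.AccountName -eq $who -and $_.AccessControlType -eq 'Allow'
    }
    if (-not $s) { $findings += "MISSING share-level Allow for $who" }

    # Layer 2: NTFS permissions need an Allow entry covering ReadAndExecute.
    $n = $ntfsAcl | Where-Object {
        $_.IdentityReference.Value -eq $who -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $fsr::ReadAndExecute) -eq $fsr::ReadAndExecute
    }
    if (-not $n) { $findings += "MISSING NTFS ReadAndExecute for $who" }
}

# Least privilege: broad principals should hold nothing beyond read on either layer.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

$shareAcl | Where-Object {
    $_.AccountName -in $broad -and $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight -ne 'Read'
} | ForEach-Object { $findings += "BROAD share right: $($_.AccountName) has $($_.AccessRight)" }

$ntfsAcl | Where-Object {
    $_.IdentityReference.Value -in $broad -and $_.AccessControlType -eq 'Allow' -and
    [int]($_.FileSystemRights -band $fsr::Write) -ne 0
} | ForEach-Object {
    $findings += "BROAD NTFS right: $($_.IdentityReference.Value) has $($_.FileSystemRights)"
}

if ($findings) { $findings }
else { "OK: $ShareName is readable by the required principals with no broad write access" }
```

An empty findings list only confirms the ACLs; it does not show whether the client had network connectivity at the moment policy was processed.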
 

Author Comment

by:GreenLeaf_61
ID: 24354195
Yes, in the group policy under Computer Configuration - Software installation I have exactly \\miaclev00.sistemi.sole24.net\PluginEV\EVClient_it.msi. And as I told, physically on EV Server I have C:\install\PluginEV\EVClient_it.msi; with PluginEV as the shared folder.

As for permissions, I already managed to reduce to essentials, I mean all relevant users with read/execute permissions, no more full control to anyone apart from Administrators...
0
 
LVL 5

Expert Comment

by:ssmith764
ID: 24354242
So from the client machine, can you browse to the shared folder via the unc path you specified?
0
 

Author Comment

by:GreenLeaf_61
ID: 24354377
Unfortunately yes, I perfectly can... :-) (since if I couldn't, I'd have a solution).
0
 
LVL 5

Expert Comment

by:ssmith764
ID: 24354562
Hmmmmm. It sounds as if you have it all set up right. The 102 error does not lie though so for some reason when the machine starts up it does not have access to the share either because of the location or permissions. Try specifically adding read permission for the machine account? Otherwise I am a bit stuck now.
0
 

Author Comment

by:GreenLeaf_61
ID: 24354708
Going to try your last suggestion; maybe for any reasons the workstation (which, I remind you, is virtual) is not recognized. In fact I don't believe so since there has been at least a situation where I was able to see a comment scrolling on the video when the workstation was starting, claiming policy group was being taken in charge... and don't forget the information number 301 I read in the Event Viewer, just before getting Error 102, claiming "policy group successfully applied" (or something like that...). So it seems something goes wrong immediately after Active Directory realizes a workstation is connecting and claims for a policy group at OU level. Really strange. BTW, if you're a bit stuck let's figure out how I feel! :-(
0
 

Author Comment

by:GreenLeaf_61
ID: 24355031
Nothing to do! :-(

I'll try with a different workstation and will come back to explain what happened...
0
 

Author Comment

by:GreenLeaf_61
ID: 24362410
Tried different situations.

On another XP Virtual Workstation same story... actually I have the full picture of the sequence of events:

- Once I insert the workstation inside the OU, at the first attempt (reboot of workstation) I get the sequence of WARNINGS 101-103-108 (well known advice due to XP logon optimization).

- On second reboot (no changes!) the warnings become errors: 102-108 preceded by Information ID 301 stating that Group policy has been correctly applied (after a few seconds I get the errors).

As a marginal note, I tried with a Windows Vista workstation (not virtual!) and all worked perfectly at the first attempt (unfortunately Vista is not the standard for the customer... :-( ).

Let me know if all that provides you with enlightenment of any kind! :-)
0
