GreenLeaf_61


Active Directory Group Policy issues

Hello,

just created a group policy within a test Organizational Unit aimed to distribute a package (namely Symantec Enterprise Vault plugins) to a lot of XP users. It's intended to be a computer group policy, not a user group policy. But it's not processed and in the Event Viewer I visualize these entries in sequence:

Event ID 101
"The assignment of application XXX from policy YYY
failed. The error was : The group policy framework should call the
extension in the synchronous foreground policy refresh."

Event ID 103
"The removal of the assignment of application XXX from policy
YYY failed. The error was : The group policy framework should
call the extension in the synchronous foreground policy refresh."

Event ID 108
"Failed to apply changes to software installation settings. Software
installation policy application has been delayed until the next logon
because an administrator has enabled logon optimization for group
policy. The error was : The group policy framework should call the
extension in the synchronous foreground policy refresh"

Before these errors I get an information entry that apparently points out that the GP is going to be processed, but suddenly it's aborted with the Event IDs above. I'm pretty sure it's kinda classic scenario many of you expert guys have met many times; so what's your immediate, resolutive suggestion? :-)

Many thx in advance!
ssmith764

The Evault plugins must be deployed to machines - not users - as you have already noted. I know from experience that they will not deploy to users.
The events you are seeing are caused by the 'optimised logon' feature of Windows XP, which does not always wait for the network to be available at startup so the machine will log in faster. Usually the policy will run if you restart the machine again. If it is an ongoing problem you can apply a group policy setting which *I think* is in computer settings>administrative templates>network. The setting is 'always wait for network at logon'.
GreenLeaf_61

ASKER

Thx for your suggestion, I'll try it but, obviously, not before Monday at Customer's site!

More about it asap.
Paul Solovyovsky

The "always wait for network logon" usually does the trick, especially for wireless users. Are you deploying this via startup script or msi package? Don't forget to use /q for quiet mode.

Paulsolov,

I'm deploying this via msi package; as for /q for quiet mode, may you please show me how to use it in a more detailed way?

Many thx.
The quiet mode is only if you're running it as startup script. If you're deploying it as an msi package, ensure that the user doesn't get prompted.
Hi guys,

this morning I tried the solution suggested by ssmith764 but apparently without success! The only difference is, the error in Event Viewer is changed, actually instead of the sequence 101-103-108 (they were WARNINGS, not ERRORS) I get in sequence 102-108. 102 is indeed an ERROR, as it says "The assignment of application XXX from policy YYY failed. The error was, the installation source for this product is not available. Verify that the source exists and that you can access it". Note a couple of facts that could be helpful to understand what really happens:

- I'm not currently using the NetLogon share of domain controller as a repository of the .msi Enterprise Vault plugin I want to distribute, I'm using another generic share on the EV Server to which I granted Full Access for SYSTEM user; is it correct?

- In the Event Viewer just before getting ERROR ID 102 I get an Information (ID 301) which states that the Policy Group was assigned CORRECTLY to the XP workstation (actually a virtual one which I'm using for testing); but in a few seconds I get ERROR ID 102 (formerly I got WARNING ID 101, still preceded by Information ID 301).

Have you got any more tips for me? In case the only solution is, using Netlogon share of Domain Controller for distributing the package, it definitely would mean bad news since the Customer already told me he has no intentions at all to use it for software distribution, for security and best practice reasons I do not annoy you in describing now... :-(
ASKER CERTIFIED SOLUTION
ssmith764

This solution is only available to members.
ssmith764, thx for your attention. But unfortunately, still ERROR 102 followed by ERROR 108.

I have placed EV plugin here:

C:\Install\PluginEV

on the EV Server. The directory above is shared, with permissions for Administrators (Full Control), Authenticated Users (read, read/execute, list folder contents), Domain Computers (Full Control), Everyone (Full Control), System (Full Control), Users (Full Control).

As for Sharing, the directory above has permissions for Authenticated users (Read), Domain Computers (Full Control), Everyone (Full Control), System (Full Control); Caching has the default parametrization selected "only files and programs that users specify are available offline".

Finally, EVClient_it.msi, the file inside C:\install\PluginEV, has permissions identical to the ones for the share C:\Install\PluginEV depicted above. To the Policy Group associated with the test OU I'm using I cancelled Logon Optimization as you suggested last Friday; actually the only computer included in such an OU is the virtual machine I'm using for test and troubleshooting (in fact I simply shutdown and resume the virtual workstation in order to check if I get any change at Event Viewer level each time I change the share/Group policy configuration...).

What else?!? Keep in mind I'm really a newbie to AD environment so please, in figuring out what could be the problem don't keep anything for sure, I could have forgotten even the most trivial configuration parameter! :-)
When you add the software location in the group policy, have you specified the path as \\servername\sharename\EVClient_it.msi?
Also be careful with the permissions in your live environment. You don't want to allow 'everyone' full control on shares.
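
As an added illustration of the permission warning above (not part of the thread or any participant's code): a PowerShell check over the NTFS and share permissions the asker listed, re-typed here as constructed sample data with rights simplified to Read/FullControl. The function name `Test-DistributionAcl` and the group lists are assumptions made for this example.

```powershell
# Constructed input: the ACLs as described in the post above, not read from a server.
$ntfs = @(
    [pscustomobject]@{ Principal = 'Administrators';      Rights = 'FullControl' }
    [pscustomobject]@{ Principal = 'Authenticated Users'; Rights = 'Read' }
    [pscustomobject]@{ Principal = 'Domain Computers';    Rights = 'FullControl' }
    [pscustomobject]@{ Principal = 'Everyone';            Rights = 'FullControl' }
    [pscustomobject]@{ Principal = 'SYSTEM';              Rights = 'FullControl' }
    [pscustomobject]@{ Principal = 'Users';               Rights = 'FullControl' }
)
$share = @(
    [pscustomobject]@{ Principal = 'Authenticated Users'; Rights = 'Read' }
    [pscustomobject]@{ Principal = 'Domain Computers';    Rights = 'FullControl' }
    [pscustomobject]@{ Principal = 'Everyone';            Rights = 'FullControl' }
    [pscustomobject]@{ Principal = 'SYSTEM';              Rights = 'FullControl' }
)

# Groups that should never hold more than Read on a software distribution point.
$broad = 'Everyone', 'Users', 'Authenticated Users', 'Domain Computers', 'Domain Users'
# Groups that contain domain computer accounts. A SYSTEM entry on the file server
# does not count: a client's Local System reaches the share as DOMAIN\COMPUTER$.
$hasMachines = 'Everyone', 'Authenticated Users', 'Domain Computers'

function Test-DistributionAcl {
    param([string]$Layer, [object[]]$Acl)
    foreach ($ace in $Acl) {
        # Computer-assigned packages install with system privileges on the client,
        # so write access to the source is effectively code execution on every target.
        if ($broad -contains $ace.Principal -and $ace.Rights -ne 'Read') {
            [pscustomobject]@{ Layer = $Layer; Principal = $ace.Principal
                Issue = "$($ace.Rights) on a broad group: members can replace the package" }
        }
    }
    # The opposite failure: no entry that lets machine accounts read the source.
    if (-not ($Acl | Where-Object { $hasMachines -contains $_.Principal })) {
        [pscustomobject]@{ Layer = $Layer; Principal = '(computer accounts)'
            Issue = 'no entry grants Read to machine accounts' }
    }
}

$findings = @(Test-DistributionAcl -Layer 'NTFS' -Acl $ntfs) +
            @(Test-DistributionAcl -Layer 'Share' -Acl $share)
$findings | Format-Table -AutoSize
```

On a live file server the same two lists can be built from `Get-Acl` (NTFS) and `Get-SmbShareAccess` (share) output instead of the constructed data.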
Yes, in the group policy under Computer Configuration - Software installation I have exactly \\miaclev00.sistemi.sole24.net\PluginEV\EVClient_it.msi. And as I told, physically on EV Server I have C:\install\PluginEV\EVClient_it.msi; with PluginEV as the shared folder.

As for permissions, I already managed to reduce to essentials, I mean all relevant users with read/execute permissions, no more full control to anyone apart from Administrators...
So from the client machine, can you browse to the shared folder via the unc path you specified?
Unfortunately yes, I perfectly can... :-) (since if I couldn't, I'd have a solution).
Hmmmmm. It sounds as if you have it all set up right. The 102 error does not lie though so for some reason when the machine starts up it does not have access to the share either because of the location or permissions. Try specifically adding read permission for the machine account? Otherwise I am a bit stuck now.
Going to try your last suggestion; maybe for any reasons the workstation (which, I remind you, is virtual) is not recognized. In fact I don't believe so since there has been at least a situation where I was able to see a comment scrolling on the video when the workstation was starting, claiming policy group was being taken in charge... and don't forget the information number 301 I read in the Event Viewer, just before getting Error 102, claiming "policy group successfully applied" (or something like that...). So it seems something goes wrong immediately after Active Directory realizes a workstation is connecting and claims for a policy group at OU level. Really strange. BTW, if you're a bit stuck let's figure out how I feel! :-(
Nothing to do! :-(

I'll try with a different workstation and will come back to explain what happened...
Tried different situations.

On another XP Virtual Workstation same story... actually I have the full picture of the sequence of events:

- Once I insert the workstation inside the OU, at the first attempt (reboot of workstation) I get the sequence of WARNINGS 101-103-108 (well known advice due to XP logon optimization).

- On second reboot (no changes!) the warnings become errors: 102-108 preceded by Information ID 301 stating that Group policy has been correctly applied (after a few seconds I get the errors).

As a marginal note, I tried with a Windows Vista workstation (not virtual!) and all worked perfectly at the first attempt (unfortunately Vista is not the standard for the customer... :-( ).

Let me know if all that provides you with enlightenment of any kind! :-)