Solved

WIN 2008 32BIT - GPO/Eventviewer query

Posted on 2011-09-08
Last Modified: 2012-05-12
Hi, I've just installed the OS and set it up as a DC/DNS/DHCP integrated with SP2 just for test purposes.

I have not created any accounts or anything and am using 'Admin' logon to access server at this moment in time, but I intend to create a user domain account ready for an individual host pc, in conjunction with a GPO to test for example the 'Redirection folder' and add a GPO Deploy Software.

What I wanted to know is in the Eventviewer it states: Next policy processing for domain\xxxxxx will be attempted in 5 minutes, but wanted to know even if I do a: gpupdate /force on the server does this then ignore the 5 minutes wait?
0
Question by:mikey250
13 Comments
 
LVL 13

Accepted Solution

by:
Mohamed ElManakhly earned 168 total points
Yes, gpupdate /force applies the Group Policy setting immediately regardless of the scheduled time.
0
 
LVL 13

Assisted Solution

by:Mohamed ElManakhly
Mohamed ElManakhly earned 168 total points
Refer to this link please to fully understand the different switches for the gpupdate command

http://technet.microsoft.com/en-us/library/bb490983.aspx
0
 

Author Comment

by:mikey250
OK, I will ignore the 98 min wait it states as I've just run the: gpupdate /force!!

In the GPO windows to the left should I add whatever GPOs I've created in a hierarchical order, as in:

New GPO just created - ?
Middle - Domain controller
Bottom - Default DC

Does this make a difference or what is it for then although I have not changed anything on the DC or Default either!!!
0
 

Author Comment

by:mikey250
In the past I kept seeing this message: 'Group Policy client-side extensions ' not enabled but wasn't sure if this was something I had to add separately before completing GPO use!!?
0
 
LVL 3

Assisted Solution

by:OliverLo
OliverLo earned 332 total points
Hi Mikey,

The GPO application can either be synchronous or asynchronous:
- synchronous means the user policies are applied at logon
- asynchronous means the user can logon and then the policies will be applied in the background
Folder redirection belongs to those policies that need to be applied at logon. So you may need more than one logon if your policy processing is set to asynchronous.
You can set the GPO processing mode using:
Configuration\Administrative Templates\System\Logon > Always wait for the network at computer startup and logon
The following document is old but could help you troubleshoot GPO related issues:
http://www.microsoft.com/download/en/details.aspx?id=23086

0
 

Author Comment

by:mikey250
Hi OliverLo, I successfully installed my GPO Deploy software to the host pc which was my main issue!! - ha ha - Without the need of your notes, but I realise they are relevant!!!!!

I've just read your comments and regarding 'Folder redirection' I did not add this specifically in the GPO Deploy Software, because I thought as I have already added separately a GPO\Edit\'Folder Redirection', so if this is what you are suggesting I should always add a 'Folder Redirection' at least in this scenario I will try this now, as I WONDERED why I was seeing 'Folder Redirection' issues on the host pc Eventviewer, but had NO issues popping up for 'Roaming profile' issues!!!!!!!!

So basically I should have 2 sets of 'Folder Redirection' - 1 in each of the GPO's created!!?

I will look at the 'url'!!
0

 

Author Comment

by:mikey250
Hi M-Manakhly, this: gpupdate /force is not as straightforward as you made out!

From my understanding now although I still have not quite grasped it, here's the following:

Qns1.  An administrator can run gpupdate /force on the server and depending on what is being updated may resolve the issues automatically without a full blown reboot of server, or if the change is for a specific host pc run: gpupdate /target:computer or gpupdate /target:computer | user - but this did not work!  Why?

Failing that the host pc should be logged off and switch pc off and fully reboot Server and then switch host pc back on!!
0
 
LVL 3

Assisted Solution

by:OliverLo
OliverLo earned 332 total points
You could try to run the following command to see the resultant set of policies applied to your server:
gpresult /h rsop.html
It will create the rsop.html file and you will be able to list the GPOs applied and the settings they contain. Maybe you will see that some settings are being seen but not applied because of a client-side extension that is not properly applying the settings on the computer. You may also see that a GPO has been denied for some of your computers.
Finally you may have applied a GPupdate /force but the computer may still need a restart to apply the changes.
0
 

Author Comment

by:mikey250
Morning OliverLo,  I have just run your command which appeared to do something, but where do I go to find the log file or whatever?

Normally I open up GPO Management Server and click on the 'Settings' tab which shows a report.. Not that I really know how to troubleshoot although I think I'm seeing what I should be seeing.

As for using the 'gpupdate /force', well it was only yesterday that I successfully installed 'software' on the host pc, so this may have also confused my understanding for the last 3 weeks!!!!

Is it right to suggest that if changes are made on the server but no restart or gpupdate is run but instead is run on the host pc, is this the wrong way round?

Qns1. Is this correct:  gpupdate /target:DESKTOP1 or gpupdate /target:DESKTOP1 | jfoster - for example ?  -  If so this did not work from the server....
0
 
LVL 3

Assisted Solution

by:OliverLo
OliverLo earned 332 total points
Morning Mickey250,

Sorry, I didn't see your last update...
The output of the "gpresult /h rsop.html" will be stored in the rsop.html file.
You should be able to see the file rsop.html when accessing the directory from which you ran the command line, or from the command prompt just by typing rsop.html and pressing Enter (Internet Explorer should automatically open the report).
This file is different from the settings tab you are viewing in Group Policy Management console:
> the settings tab is showing the settings for one group policy
> the gpresult output is showing the resultant set of policy applied to a user on a specific computer.

You have to build your GPO then scope the GPO to the client computers or users. Once you've done it you have to run:
gpupdate /force on the client computer.
If the GPO settings are not applied then you will have to restart the computer and check if it's still not applied.
Gpupdate allows you to force the application of GPO. If you don't do it then a GPO will be applied only under the following conditions:
1. next computer restart
2. next user logon
3. background refresh of GPO every 90 to 120 minutes
Don't forget that the conditions under which a GPO is applied depend on the nature of the GPO settings (some GPOs require a restart).

To answer your last question, you must execute the GPupdate command line on the target client computer on which you want the GPO to apply (not on the server). The syntax you used is wrong.
The following syntaxes are only used if you want to apply only the computer related settings of a GPO or the user related settings of a GPO:
A. gpupdate /force /target:computer where computer is truly the string computer and not the name of the target computer.
B. gpupdate /force /target:user where user is truly the string user and not the name of the specific user.
Finally, to make it simple, just apply "gpupdate /force" on the target client computer on which you want to see the GPO applied.

0
 

Author Comment

by:mikey250
When I do: gpupdate /h rsop.html - it just shows me the following list:

/force
/wait:(value)
/logoff
/bootings
/sync

but don't know where to find 'rsop.html' - ?

When I created GPOs on the server I run: gpupdate /force on server 1st
I then restart host pc and logon to domain sometimes not doing: gpupdate /force on host pc, so I will then log back onto the Server make more changes then do: gpupdate /force on Server and then log back onto host pc and then do: gpupdate /force on host pc!!!!!!!!!!!

According to your advice I've been doing things the wrong way!!!!

I think when I was successful in installing the GPO Software it must have happened accidentally via 'Option 3 - background refresh of GPO every 90 to 120 minutes'!!!!!

Ok I will keep in mind your comments:

'You have to build your GPO then scope the GPO to the client computers or users. Once you've done it you have to run:
gpupdate /force on the client computer.
If the GPO settings are not applied then you will have to restart the computer and check if it's still not applied.
Gpupdate allows you to force the application of GPO. If you don't do it then a GPO will be applied only under the following conditions:
1. next computer restart
2. next user logon
3. background refresh of GPO every 90 to 120 minutes
Don't forget that the conditions under which a GPO is applied depend on the nature of the GPO settings (some GPOs require a restart).

To answer your last question, you must execute the GPupdate command line on the target client computer on which you want the GPO to apply (not on the server). The syntax you used is wrong.
The following syntaxes are only used if you want to apply only the computer related settings of a GPO or the user related settings of a GPO:
A. gpupdate /force /target:computer where computer is truly the string computer and not the name of the target computer.
B. gpupdate /force /target:user where user is truly the string user and not the name of the specific user.
Finally, to make it simple, just apply "gpupdate /force" on the target client computer on which you want to see the GPO applied.'

I have one more question!!!!

Qns1.  After I create a GPO for 'Deploy Software', via an OU/Gp, should I see the security filter showing 'Allowed' for example, or is it not until an actual host pc logs on that the Server Eventviewer will show 'Allowed' in Security Filter for eg.??

 
0
 
LVL 3

Assisted Solution

by:OliverLo
OliverLo earned 332 total points
Hi Mickey250,

First of all, regarding the command line gpresult /h rsop.html, it may not run on pre-Vista client OS.
So if you are running this command on Windows XP you may need to run another command line such as:
gpresult /R
This command would display a summary of the resultant set of policies on an XP client as well.

Regarding your question:
If you want to check if a GPO was denied or disabled then you can run GPresult /R (on the client) and look at the section called:
"The following GPOs were not applied because they were filtered out"

You can also use a graphical interface snap-in called rsop.msc on the client computer:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/rspht1.mspx?mfr=true

This is a default snap-in: it should NOT explicitly display an access denied for your software distribution policy (unlike gpresult, which should show that the GPO was denied).
In RSOP you will see that the GPO "software distribution" was not applied because you will not see the configured settings from the rsop console.

Let me know if it's clear enough. If it's not then please paste some screenshot to make it easier for me to understand what you need.

0
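The check described in the answer above (reading the "filtered out" section of gpresult /R on the client), as an added PowerShell example that is not part of the original thread. It assumes English-language gpresult output; the function name Get-GpoFilterSummary and the sample text are constructed for illustration.

```powershell
# Constructed sample in the layout of English "gpresult /R" output (not real data).
$sample = @'
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Deploy Software
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        Domain Computers
'@ -split '\r?\n'

# Hypothetical helper: lists each GPO as Applied or Filtered, with the filter reason.
function Get-GpoFilterSummary {
    param([string[]]$Lines)
    $results = @(); $scope = $null; $section = $null; $last = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text -match '^-+$' -or $text -eq 'N/A') { continue }
        if ($text -match '^(COMPUTER|USER) SETTINGS$') {
            $scope = $Matches[1]; $section = $null
        } elseif ($text -eq 'Applied Group Policy Objects') {
            $section = 'Applied'
        } elseif ($text -like 'The following GPOs were not applied*') {
            $section = 'Filtered'
        } elseif ($text -like 'The * is a part of the following security groups') {
            $section = $null                      # end of the GPO lists for this scope
        } elseif ($section -and $text -match '^Filtering:\s*(.+)$') {
            if ($last) { $last.Reason = $Matches[1] }
        } elseif ($section) {
            $last = New-Object PSObject -Property @{
                Scope = $scope; Gpo = $text; Status = $section; Reason = '' }
            $results += $last
        }
    }
    $results
}

# On a client, pass live output instead: Get-GpoFilterSummary -Lines (gpresult /R)
Get-GpoFilterSummary -Lines $sample | Where-Object { $_.Status -eq 'Filtered' } |
    Format-Table Scope, Gpo, Reason -AutoSize
```

A reason of "Denied (Security)" points at the GPO's security filtering or permissions, while "Not Applied (Empty)" means the GPO holds no settings for that scope.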
 

Author Comment

by:mikey250
Hi, I'm running 'Win 7'.. 'gpresult /r' - does work!!!

I re-installed clean yesterday as may have lost intermittently services hence continuous issues!!

QNS1. . Correct me if I'm wrong, what commands should I run on the server 1st?
After running command on the server do I then run on client:
- gpresult /r

QNS2. so when I have run: gpresult /r are you saying when running an 'xxx.msc' I WOULD see 'Access denied' for software?

QNS3. And gpresult /r - I WILL also see GPO denied ?

'This is a default snap-in: it should NOT explicitly display an access denied for your software distribution policy (unlike the gpresult should show that the GPO was denied).'

QNS4. Not sure if I understand as if I've made changes to a GPO surely I did NOT have to run any extra commands on the server, because I could then switch host pc back on and run: gpupdate /force and restart for changes to happen?

QNS5. How many times do I have to reboot host pc and run: gpupdate /force to ensure changes take place?

QNS6. Or could I just keep host pc switched off?
- Then make changes in GPO on server?
- Then run: gpupdate /force on server also?
- Then reboot server?
- Then check 'Eventviewer' for changes or would I NOT see them in them as per your previous comments below:

'This is a default snap-in: it should NOT explicitly display an access denied for your software distribution policy (unlike the gpresult should show that the GPO was denied).
In RSOP you will see that the GPO "software distribution" was not applied because you will not see the configured settings from the rsop console.

- Then if I 'DO or DON'T' see changes in Eventviewer on server do I continue to switch host pc on and run: gpupdate /force for example?

QNS7. I believe my issues may well be down to not knowing the proper sequence???
'
0
