GPO not being fully applied when user is added to the local administrators group

Posted on 2012-09-19
Last Modified: 2012-09-24
We have 4 new laptops, all with the same fault (HP ProBook running Windows 7).
Folder redirection & syncing and logon scripts that run in the group policy object aren’t being applied. When I run the group policy modelling, this is the only error that comes up:

“The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.”
We have over 20 Windows 7 laptops that are in the exact same OU and use the same group policy objects – these laptops are replacements for existing users in the same current OUs and their current Windows 7 laptops work fine, but the 4 new ones we’re configuring today all have this same fault.
All computers are in the same OU and all users are in the correct OU – they have not moved.

Any ideas? I tried ‘wait for network’ and setting the timeout to a longer period when logging in.
I wondered if there was some default software on the ProBook that was causing an issue, so I disabled everything on startup using msconfig but still have the same problem.
Please help lol
Question by:CHSCLM
    LVL 1

    Author Comment

    After investigating further I've found that this error only appears to take place if the user is a member of the local administrators group on the laptop?
    LVL 35

    Expert Comment

    Are they connected via cable or WLAN?
    When you set up the computer the first time, it usually asks for a user name (common predefined OEM setup). Have you used the real username or a dummy account?
    LVL 1

    Author Comment

    Hello, they are connected by cable here in the office. We used a generic laptop naming ID, then connected the laptop to the domain and then logged on as the (real) user.

    What's making me scratch my head is that all of our previous Windows 7 laptops have worked no problem (with the same users) but the 4 new ones don't - unless we remove them from the local administrators group, then they work fine. (We need local administrator access as various logging tools are used on site which require local admin access.)
    LVL 35

    Expert Comment

    I cannot see directly a difference of the membership of the local admin group, as it usually enhances permissions, but is not limiting them.

    Nevertheless, such laptops are usually equipped with a lot of additional nonsense, starting with evaluation virus scanners, customized firewall settings etc. And the products change.
    Also TPM may be an issue, if the older laptops don't have it.

    So first of all, I would remove all products and eval software that are not needed. Especially virus scanners have their own opinions.
    For testing purposes, just disable the local firewall to see if something changes.

    Can you see something inside the policy result set with and without admin membership?
    Does it change if you boot a second or third time?
    LVL 1

    Author Comment

    Thanks, I’ve removed all the software that comes with it.

    I can’t see anything in the policy result - the modelling result comes back ok but in reality it's not correct.

    I have found if I turn UAC control completely off (which isn’t ideal) it functions correctly? - As it does when in the non admin group.

    I wouldn’t have thought that should make a difference.
    LVL 35

    Accepted Solution

    This would lead me to 3 questions:
    a.) Is UAC turned off for your admin on the older laptops too?
    b.) What are the UAC settings for the user on other machines?
    c.) Do you get the error again if you disable UAC for the first initial folder redirection task (which moves files from the local machine to the redirected folders), and after the first movement enable UAC back to the original value?

    The UAC settings are user and machine based, so it is set for each profile on each machine.
    If you log on with the same account on a different machine, the user takes the default setting from the machine the first time, and does not take over settings from other machines.
    The default is 2 and has to be changed on any machine.

    The admin group does not change UAC, but it changes permissions.

    As enabled UAC redirects the access to some protected folders and to the HKLM registry part to a sandbox subfolder in the local user profile, a program which accesses such directories or regkeys is not really aware that it accesses the sandbox directory instead of the real ones. The difference with the admin group is only that admins have access permissions to the real directories while the user has not.

    It is possible that exactly this situation hinders the first movement for the redirected folders, as - depending on the folders you try to redirect - the redirection policy may access folders which are part of the UAC protected folders.

    At least I would try the following two scenarios - as long as you have laptops in the original state.

    a.) Disable UAC and wait until all folders which are redirected are where they should be. Then change the settings and membership of the user back to the settings you want to have. Keep in mind that changing the UAC settings also changes the folder which is really accessed, as far as some programs write files into the original directories. After the changes, the user reads the same files from the sandbox directory.

    b.) Log on as a neutral admin (without folder redirection), put the laptop into the domain, let it patch through MS Update to the latest version. Remove / install programs as needed.
    After the laptop is fully patched and installed, then log on as the user who should work with it and set UAC and membership as needed.

    b.) is my usual procedure; depending on the manufacturer, the laptops take about 200 and more updates from Microsoft, and as I work with folder redirection too in any combination (normal users up to admin users), I have seen some issues with folder redirection, but they usually disappear after a while.
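
An added diagnostic example (not part of the original thread or written by any of its participants) for comparing a working and a failing laptop on the points raised above: the machine's UAC policy values, whether the logged-on user's Administrators membership is filtered by UAC, and whether the Group Policy error quoted in the question was logged recently. It assumes an English-language Windows 7 system (`whoami` CSV column names and event message text), a 7-day look-back window, and output property names chosen for this sketch.

```powershell
# Added example: snapshot of UAC, token and Group Policy state for side-by-side comparison.
# Run as the affected user on a working laptop and on a failing one, then diff the output.

# Machine-wide UAC policy values.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

# whoami lists BUILTIN\Administrators even when UAC has filtered it to "deny only"
# in the user's unelevated token. Column names assume an English-language system.
$adminSid = 'S-1-5-32-544'
$adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq $adminSid }
$adminState = if ($adminGroup) { $adminGroup.Attributes } else { 'not a member' }

# True only when this process runs with the full (elevated) administrator token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Group Policy events from the last 7 days (assumed window) carrying the
# "must be processed before system startup or user logon" text quoted in the question.
$since = (Get-Date).AddDays(-7)
$gpEvents = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*must be processed before system startup or user logon*' })

$lastEvent = if ($gpEvents.Count -gt 0) { $gpEvents[0].TimeCreated } else { $null }

# One record per machine; New-Object is used so the script also runs on PowerShell 2.0.
New-Object PSObject -Property @{
    Computer                   = $env:COMPUTERNAME
    User                       = $identity.Name
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    EnableVirtualization       = $uac.EnableVirtualization
    AdministratorsGroupState   = $adminState
    ProcessIsElevated          = $elevated
    DeferredGpEventCount       = $gpEvents.Count
    LastDeferredGpEvent        = $lastEvent
} | Select-Object Computer, User, EnableLUA, ConsentPromptBehaviorAdmin,
    EnableVirtualization, AdministratorsGroupState, ProcessIsElevated,
    DeferredGpEventCount, LastDeferredGpEvent | Format-List
```

Differences in `EnableLUA` or `AdministratorsGroupState` between the old and new laptops point at the UAC behaviour discussed in this answer rather than at the GPO itself.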
    LVL 1

    Author Comment

    Thanks, I started from scratch and followed the method above and the sync now appears to be fine, no problems :-)

    The drives still didn't map but I came across this article which fixed the problem.

    Thanks for the help :-)
    LVL 1

    Author Closing Comment

    Great help
