• Status: Solved

GPO not being fully applied when user is added to the local administrators group

We have 4 new laptops all with the same fault: HP ProBook running Windows 7.
Folder redirection & syncing and logon scripts that run in the group policy object aren’t being applied. When I run the group policy modelling this is the only error that comes up:

“The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.”
We have over 20 Windows 7 laptops that are in the exact same OU and use the same group policy objects – these laptops are replacements for existing users in the same current OUs and their current Windows 7 laptops work fine, but the 4 new ones we’re configuring today all have this same fault.
All computers are in the same OU and all users are in the correct OU – they have not moved.

Any ideas? I tried ‘wait for network’ and setting the time out to a longer period when logging in.
I wondered if there was some default software on the ProBook that was causing an issue so I disabled everything on startup using msconfig but still have the same problem.
Please help lol
CHSCLMAuthor Commented:
After investigating further I've found that this error only appears to take place if the user is a member of the local administrators group on the laptop?
Are they connected via cable or WLAN?
When you set up the computer the first time, it usually asks for a user name (common predefined OEM setup). Have you used the real username or a dummy account?
CHSCLMAuthor Commented:
Hello, they are connected by cable here in the office. We used a generic laptop naming ID then connected the laptop to the domain and then logged on as the (real) user.

What's making me scratch my head is that all of our previous Windows 7 laptops have worked no problem (with the same users) but the 4 new ones don't - unless we remove them from the local administrators group, then they work fine. (We need local administrator access as various logging tools are used on site which require local admin access.)
I cannot see directly a difference of the membership of the local admin group, as it usually enhances permissions, but is not limiting them.

Nevertheless, such laptops are usually equipped with a lot of additional nonsense, starting with evaluation virus scanner, customized firewall settings etc. And the products change.
Also TPM may be an issue, if the older laptops don't have it.

So first of all, I would remove all products and eval software that is not needed. Especially virus scanners have their own opinions.
For testing purposes, just disable the local firewall, if something changes.

Can you see something inside the policy result set with and without admin membership?
Does it change if you boot a second or third time?
CHSCLMAuthor Commented:
Thanks, I’ve removed all the software that comes with it.

I can’t see anything in the policy result - the modelling result comes back ok but in reality it's not correct.

I have found if I turn UAC control completely off (which isn’t ideal) it functions correctly? - As it does when in the non admin group.

I wouldn’t have thought that should make a difference.
This would lead me to 3 questions...
a.) Is UAC turned off for your admin on the older laptops too?
b.) what are the UAC settings for the user on other machines?
c.) Do you get the error again, if you disable UAC for the first initial folder redirection task (which moves files from the local machine to the redirected folders), and after first movement to enable UAC back to the original value?

The UAC settings are user and machine based, so it is set for each profile on each machine.
If you logon with the same account on a different machine, the user takes the default setting from the machine the first time, and do not take over settings from other machines.
The default is 2 and has to be changed on any machine.

The admin group does not change UAC, but it changes permissions.

As enabled UAC redirects the access to some protected folders and to the HKLM registry part to a sandbox subfolder in the local user profile, a program which accesses such directories or regkeys is not really aware that it accesses the sandbox directory instead of the real ones. The difference with the admin group is only that admins have access permissions to the real directories while the user has not.

It is possible that exactly this situation disturbs the first movement for the redirected folders, as - depending on the folders you try to redirect - the redirection policy may access folders which are part of the UAC protected folders.

At least I would try the following two scenarios - as long as you have laptops in the original state.

a.) Disable UAC and wait until all folders which are redirected are where they should be. Then change the settings and membership of the user back to the settings you want to have. Keep in mind that changing the UAC settings also changes the folder which is really accessed, as far as some programs write files into the original directories. After the changes, the user reads the same files from the sandbox directory.

b.) Log on as a neutral admin (without folder redirection), put the laptop into the domain, let it patch through MS Update to the latest version. Remove / install programs as needed.
After the laptop is fully patched and installed, log on as the user who should work with it and set UAC and membership as needed.

b.) is my usual procedure. Depending on the manufacturer, the laptops take about 200 and more updates from Microsoft, and as I work with folder redirection too in any combination (normal users up to admin users), I have seen some issues with folder redirection, but they usually disappear after a while.
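
Questions a.) and b.) above can be answered with data instead of by eye. The following is an added example, not part of the original thread or any poster's script: it records the UAC policy values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, together with whether the logged-on user is in the local Administrators group and whether the session token is elevated, so that an old and a new laptop can be compared. The function names and CSV file names are assumptions made for this example.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible (Windows 7).
# Run in the affected user's normal session on one old and one new laptop.
function Get-UacSnapshot {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $names = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser',
             'PromptOnSecureDesktop', 'EnableVirtualization', 'FilterAdministratorToken'
    $props = Get-ItemProperty -Path $key
    $snap  = New-Object PSObject
    $snap | Add-Member NoteProperty Computer $env:COMPUTERNAME
    $snap | Add-Member NoteProperty User "$env:USERDOMAIN\$env:USERNAME"
    foreach ($n in $names) {
        $v = $props.$n
        if ($null -eq $v) { $v = '(not set)' }   # absent value: report it, do not guess
        $snap | Add-Member NoteProperty $n $v
    }
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $admLine = whoami /groups /fo csv | Where-Object { $_ -match 'S-1-5-32-544' }
    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $wp      = New-Object Security.Principal.WindowsPrincipal($id)
    $role    = [Security.Principal.WindowsBuiltInRole]::Administrator
    $snap | Add-Member NoteProperty InLocalAdministrators ([bool]$admLine)
    # TokenElevated = False while InLocalAdministrators = True means the
    # session is running on the UAC-filtered (non-elevated) token.
    $snap | Add-Member NoteProperty TokenElevated ($wp.IsInRole($role))
    $snap
}

function Compare-UacSnapshot($OldCsv, $NewCsv) {
    $old = Import-Csv $OldCsv
    $new = Import-Csv $NewCsv
    foreach ($p in $old.PSObject.Properties) {
        $name = $p.Name
        if ($name -ne 'Computer' -and $p.Value -ne $new.$name) {
            '{0}: {1} (old laptop) vs {2} (new laptop)' -f $name, $p.Value, $new.$name
        }
    }
}

# On each laptop:
Get-UacSnapshot | Export-Csv "$env:TEMP\uac-$env:COMPUTERNAME.csv" -NoTypeInformation
# After copying both files to one machine (file names below are placeholders):
# Compare-UacSnapshot .\uac-OLDLAPTOP.csv .\uac-NEWLAPTOP.csv
```

Any line printed by `Compare-UacSnapshot` is a setting that differs between the two machines and is worth checking before disabling UAC outright.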
CHSCLMAuthor Commented:
Thanks, I started from scratch and followed the method above and the sync now appears to be fine, no problems :-)

The drives still didn't map but I came across this article which fixed the problem.


Thanks for the help :-)
CHSCLMAuthor Commented:
Great help
Question has a verified solution.
