Solved

GPO not being fully applied when user is added to the local administrators group

Posted on 2012-09-19
Last Modified: 2012-09-24
We have 4 new laptops, all with the same fault: HP ProBook running Windows 7.
Folder redirection & syncing and logon scripts that run in the group policy object aren’t being applied. When I run the group policy modelling, this is the only error that comes up:

“The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.”
We have over 20 Windows 7 laptops that are in the exact same OU and use the same group policy objects – these laptops are replacements for existing users in the same current OUs, and their current Windows 7 laptops work fine, but the 4 new ones we’re configuring today all have this same fault.
All computers are in the same OU and all users are in the correct OU – they have not moved.

Any ideas? I tried ‘wait for network’ and setting the timeout to a longer period when logging in.
I wondered if there was some default software on the ProBook that was causing an issue, so I disabled everything on startup using msconfig but still have the same problem.
Please help lol
0
Comment
Question by:CHSCLM
  • 5
  • 3
8 Comments
 
LVL 1

Author Comment

by:CHSCLM
ID: 38416782
After investigating further I've found that this error only appears to take place if the user is a member of the local administrators group on the laptop?
0
 
LVL 35

Expert Comment

by:Bembi
ID: 38418190
Are they connected via cable or WLAN?
When you set up the computer the first time, it usually asks for a user name (common predefined OEM setup). Have you used the real username or a dummy account?
0
 
LVL 1

Author Comment

by:CHSCLM
ID: 38418226
Hello, they are connected by cable here in the office. We used a generic laptop naming ID, then connected the laptop to the domain and then logged on as the (real) user.

What's making me scratch my head is that all of our previous Windows 7 laptops have worked no problem (with the same users) but the 4 new ones don't, unless we remove them from the local administrators group, then they work fine. (We need local administrator access as various logging tools are used on site which require local admin access.)
0
LVL 35

Expert Comment

by:Bembi
ID: 38418310
I cannot directly see a difference from the membership of the local admin group, as it usually enhances permissions but does not limit them.

Nevertheless, such laptops are usually equipped with a lot of additional nonsense, starting with evaluation virus scanners, customized firewall settings etc. And the products change.
Also TPM may be an issue, if the older laptops don't have it.

So first of all, I would remove all products and eval software that are not needed. Especially virus scanners have their own opinions.
For testing purposes, just disable the local firewall to see if something changes.

Can you see something inside the policy result set with and without admin membership?
Does it change if you boot a second or third time?
0
 
LVL 1

Author Comment

by:CHSCLM
ID: 38421821
Thanks, I’ve removed all the software that comes with it.

I can’t see anything in the policy result - the modelling result comes back ok but in reality it's not correct.

I have found if I turn UAC control completely off (which isn’t ideal) it functions correctly? - As it does when in the non admin group.

I wouldn’t have thought that should make a difference.
0
 
LVL 35

Accepted Solution

by:
Bembi earned 2000 total points
ID: 38424981
This would lead me to 3 questions:
a.) Is UAC turned off for your admin on the older laptops too?
b.) What are the UAC settings for the user on other machines?
c.) Do you get the error again if you disable UAC for the first initial folder redirection task (which moves files from the local machine to the redirected folders), and after the first movement enable UAC back to the original value?

The UAC settings are user and machine based, so it is set for each profile on each machine.
If you log on with the same account on a different machine, the user takes the default setting from the machine the first time, and does not take over settings from other machines.
The default is 2 and has to be changed on any machine.

The admin group does not change UAC, but it changes permissions.

As enabled UAC redirects the access to some protected folders and to the HKLM registry part to a sandbox subfolder in the local user profile, a program which accesses such directories or registry keys is not really aware that it accesses the sandbox directory instead of the real ones. The difference with the admin group is only that admins have access permissions to the real directories while the user has not.

It is possible that exactly this situation causes trouble for the first movement of the redirected folders, depending on the folders you try to redirect, as the redirection policy may access folders which are part of the UAC protected folders.

At least I would try the following two scenarios, as long as you have laptops in the original state.

a.) Disable UAC and wait until all folders which are redirected are where they should be. Then change the settings and membership of the user back to the settings you want to have. Keep in mind that changing the UAC settings also changes the folder which is really accessed, as far as some programs write files into the original directories. After the changes, the user reads the same files from the sandbox directory.

b.) Log on as a neutral admin (without folder redirection), put the laptop into the domain, let it patch through MS Update to the latest version. Remove / install programs as needed.
After the laptop is fully patched and installed, then log on as the user who should work with it and set UAC and membership as needed.

The b.) is my usual procedure. Depending on the manufacturer, the laptops take about 200 and more updates from Microsoft, and as I work with folder redirection too in any combination (normal users up to admin users), I have seen some issues with folder redirection, but they usually disappear after a while.
0
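
One way to collect the answers to questions a.) and b.) on each laptop, as an added example that is not part of the original thread: the script reads the machine's UAC policy values and reports whether the current logon holds a filtered or a full administrator token. It assumes PowerShell 2.0 or later and `whoami.exe` (both ship with Windows 7); the output layout is this example's own choice.

```powershell
# Added example: run as the affected user on a working laptop and on a failing
# one, then compare the two reports side by side.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$names = 'EnableLUA',                  # 0 = UAC off, 1 = UAC on
         'ConsentPromptBehaviorAdmin', # elevation prompt behaviour for admins
         'ConsentPromptBehaviorUser',  # elevation prompt behaviour for standard users
         'PromptOnSecureDesktop',
         'FilterAdministratorToken',   # Admin Approval Mode for the built-in Administrator
         'EnableVirtualization',       # file/registry write virtualization
         'EnableLinkedConnections'     # share network connections between split tokens

$props  = Get-ItemProperty -Path $key
$report = New-Object PSObject
$report | Add-Member NoteProperty Computer $env:COMPUTERNAME
$report | Add-Member NoteProperty User "$env:USERDOMAIN\$env:USERNAME"
foreach ($n in $names) {
    $v = $props.$n
    if ($null -eq $v) { $v = '(not set)' }   # value absent: Windows uses its default
    $report | Add-Member NoteProperty $n $v
}

# Is the Administrators group active in the token this session is running with?
$id       = [Security.Principal.WindowsIdentity]::GetCurrent()
$me       = New-Object Security.Principal.WindowsPrincipal $id
$elevated = $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists BUILTIN\Administrators (S-1-5-32-544) even when it is deny-only.
# /nh drops the localized header row so fixed column names can be supplied.
$adminRow = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name,Type,SID,Attributes |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }

if (-not $adminRow) {
    $state = 'standard user (not a member of local Administrators)'
} elseif ($elevated) {
    $state = 'full administrator token (elevated process, or UAC disabled)'
} else {
    $state = 'filtered token (Administrators present as deny-only)'
}
$report | Add-Member NoteProperty TokenState $state

$report | Format-List
```

A difference in `EnableLUA` or in `TokenState` between a working and a failing laptop points at the UAC configuration rather than at the GPO itself.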
 
LVL 1

Author Comment

by:CHSCLM
ID: 38428618
Thanks, I started from scratch and followed the method above and the sync now appears to be fine, no problems :-)

The drives still didn't map but I came across this article which fixed the problem.

http://support.microsoft.com/kb/937624/en-us



Thanks for the help :-)
0
 
LVL 1

Author Closing Comment

by:CHSCLM
ID: 38428621
Great help
0
