Problem with group policy

Posted on 2013-05-10
Last Modified: 2013-06-19
I have recently started working with a customer that has multiple POS systems.  We migrated from a Windows SBS 2003 server to a 2011 SBS machine.  They had implemented group policy some years back for the purpose of preventing employees from accessing the internet and only allowing them access to the POS application.
All POS computers are in a container called POS.  All are XP machines.
So here is the problem.  Because these are all 32-bit computers, the 32-bit print drivers wouldn't work on the server.  This was fine; installed them locally.  However, one of the workstations 'XP6' isn't acting like the others.
I deleted the old printers, reinstalled the new ones.  Rebooted the computer and they all came up fine...or so it appeared.  I uninstalled an outdated AVG, which went fine.  Again, so it appeared.  When I rebooted the machine all my changes made were reversed.  The printers were still mapped to the old 32-bit server which is no longer on the network, and AVG acted like it never was uninstalled.
I used Your Uninstaller, reran the uninstall of AVG.  Same results.  There is no reinstallation of software as would happen; it's almost like a roaming profile or something is keeping not only all the settings but applications as well.  I'm at a loss and hoping for some direction here.
Oh; the person that put this system together has moved on and documented nothing.  I am shooting in the dark here.
Thanks everyone for the help!
Question by:BadPanda
  • 5
  • 2
  • 2
  • +2

Expert Comment

ID: 39157544
My guess is that there is a group policy that is mapping the printers and installing AVG.  You need to check the settings on your group policies.

Expert Comment

ID: 39157733
Go into GPMC and go thru your Policies.  Being SBS there are a number of default GP's, so hopefully the tech who created any additional ones used some sort of naming convention that allows you to identify the ones created that are not defaults.  If not just trawl thru the ones that are there using the technique below.

To do this:
Go to Administrative tools and look for Group Policy Management Console
The GPMC management console will display the Forest, then the domain, Your domain name
You'll see a folder call Group Policy Objects
For each item in the list, select it and then in the right hand pane, select the Settings tab
You will now see the settings for the GP selected.  Click somewhere in the Right Hand Pane, press Control+F to search the values in the GPO, and enter the name of the device you are looking for

You could go direct to the printer mapping section, but this is a quicker way to go thru all of them.

When you find the GPO Object that has the redundant printer mapping, go back to the left pane and right click the GPO and choose Edit.
This will open the Group Policy Management Editor
The GP is divided into 2 areas User and Computer.
Drill down thru User then Preferences then Printers you'll see the printers being mapped by the GP in the right hand pane
Click on the redundant one in the right hand pane and chose delete

Author Comment

ID: 39158994
Thanks for the tips everyone.  I'll be onsite tomorrow to check things out and see what I can do.
Best regards,

Author Comment

ID: 39159023
While this may address the mapped printer problem, this doesn't seem to address my inability to make changes to the machine locally(i.e. installing local printers.)  Remember that part of the problem is that any changes I made were automatically prevented by the system, even though the changes I made APPEARED to occur in the system.

Expert Comment

ID: 39159347
I would try to find out where this behaviour is coming from.

To check if it comes from Active Directory or is something happening locally on the PC, you could disconnect if from the network, and perform the software installation with a local copy of the setup program.

To find out if it's a default setting in Active Directory, or some specific AD configuration for this one machine, take it out of the domain, rename it, then put it back in (using a local admin account to login after the first reboot). Group Policy settings are always bound to the name of machines. It may end up in a different OU. If the restore doesn't happen after bringing it back into the domain, but happens after moving it into the previous OU, then the settings must be there.
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.


Author Comment

ID: 39159683
msifox, that is a great idea.  Removal from the domain may be just what the doctor ordered.
Will try monday morning and let everyone know the results.  Thanks for the suggestions!

Expert Comment

ID: 39160215
Hi BadPanda,

Group Policy settings can be applied in a number of ways, and removing it from the domain may provide a temporary reprieve, until you reconnect, at which time you'll most likely see the apps re-appear.  As an example, we use GP to lock laptops that are mobile so that the configuration is controlled and remains consistent with our PC config.

There are tools that allow you to identify these settings, but If you aren't familiar its best you walk thru the places these sorts of things can be set to get your mind around it.

Deployment Via Group Policy
Check to see if there are any Software deployment policies in place
Go into the GPMC and expand Computer Configuration > Policies > Software Settings > Software Installations.  You may find your AVG is being deployed from here (as well as other packages).  This GP setting automatically installs an app when a machine doesn't have it (such as when a new machine is joined to the domain, the Policy detects that AVG isnt there and installs it.
I'd also look in "User Configuration > POlicies > Software Settings > Software Installation while in the GPMC.

I'd also look to see if there are any Startup or login scripts running

While in the GPMC go to Computer Configuration > Windows Settings > Scripts > Startup, right Click Startup and see if any scripts are listed
While in GPMC go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).  Right click Logon to see if any scripts are being executed here.
Go into Active Directory Users & Computers, drill down Your Domain > My Business > Users > SBSUsers.  Right click a users account and and choose properties, then go to the Profile Tab, and look at the Login script field.
Group Policy allows you the administrator to enforce settings on Workstations on your domain.  In some cases you can set a config item, but allow the user to modify it.  On the other end you can set a config item and even when not physically connected to the domain, remains in force.

If you are supporting systems that use Group Policy (which is a powerful and very worthwhile tool) then I'd suggest doing some study on it.

Group Policy Preferences Overview
Group Policy Preferences Getting Started Guide

Group Policy is NOT the kind of place you "Tinker in" especially in your situation.  You run the risk of killing all the machines governed by the GP and be back to rebuilding all to get back to square 1
LVL 12

Accepted Solution

Gary Coltharp earned 500 total points
ID: 39161702
This sounds like a system that has deepfreeze or a similar management tool installed. It behaves normally while booted but at reboot reverts to the "frozen" image.

Expert Comment

ID: 39163003
There is a hint that can show you if this is a local feature or coming from the server:
If shutdown and reboot are both quick, then t's probably done locally on the PC.
There are tools that work like the snapshot feature of virtual machines.
In this case restoring the previous state means just deleting the snapshot.
This takes seconds, whereas reinstalling the old software would take minutes.

Author Comment

ID: 39163142
Deepfreeze IS installed Gcoltharp.  How do you get rid of it?

Author Closing Comment

ID: 39259854
Sorry for the delay in closing.  Forgot the ticket was open.
Deepfreeze was installed and was the problem.  However, because I had worked at removing the computer from the domain at the domain controller but the PC still kept thinking it was in the domain (bacause of Deepfreeze) this really caused a lot of problems.
Problem was eventually solved once Deepfreeze was removed.  Thanks for the help everyone.

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now