Solved

Group Policy not working.

Posted on 2014-02-12
43
700 Views
Last Modified: 2014-03-01
I’m trying to replace the host file for all computers in the domain through a group policy; this is what I did:
Created a batch file (see attached) and placed it in the share folder on the primary domain controller.
Created an OU and placed my computer in it just for testing the policy.
Created a computer policy on startup that points to the batch file to copy the host file and replace the old one.
None of this is working; can anyone help? I have been dealing with this for 2 days now.
Thanks for your help
0
Question by:narce100
43 Comments
 

Author Comment

by:narce100
Here's the batch file
batch-file.PNG
0
 
LVL 13

Expert Comment

by:SagiEDoc
The issue you are having is that UNC paths are not supported in scripts (I have no idea why).
To get around this, what you can do is the following.
Put your script in a shared folder; everyone must have read and execute rights. Next, in your GPO you need to add a registry entry under:
User configuration
 - Preferences
 - Windows Settings
 - Registry

Your Hive and Key path are: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value data will be the path to your script (EG: \\servername\sharename\script.bat)

What this will do is call the batch file to run every time the user logs on.
0
 
LVL 16

Expert Comment

by:Learnctx
Also make sure that, whatever context the GPO is applying in, access to the host file is available. So if it's the computer context, the computer must be able to read the file at location \\sjffcc2\share\hosts. If the computer cannot access the location it will not be able to copy the file.
0
 
LVL 35

Expert Comment

by:Mahesh
We are using batch files to copy wallpaper and screensaver from remote servers (UNC path) to local machines via batch file and it's working without any issues.

You need to ensure that the server name and shares are accessible to computers on the network.

Also, the -f parameter is not acceptable. I think that is why the command fails.
Try without the -f parameter; then it should work.

Mahesh
0
 

Author Comment

by:narce100
SagiEDoc's solution seemed to work only once. I created another folder, share5, and placed the host and host.bat files in there. I also modified the registry policy to point to that location but it's still not working; it just does not replace the host file. I also deleted the -f switch but no luck. See attached.
GP.PNG
Hosts-and-batch-files.PNG
0
 
LVL 35

Expert Comment

by:Mahesh
I don't think GP preferences replace hosts files that are stored in Windows core folders with a new registry Preference item.

I have tested that the -f switch is not working in your command.

If you want to use GP preferences, then at least use a new File GP Preference item instead of a new registry item, in replace mode.

Then it will work.

Mahesh
0
 

Author Comment

by:narce100
OK, here’s what I did:
I created a share folder on my DC, “sharetest”, and placed a host file in there that I want to apply on all computers in the Domain at startup. See attach1.
I placed the host file that I want to create and the batch file inside attach1. See attached.
Next I created an OU called “My computer” and placed my computer, a Server and a Terminal Server in it to test the policy. See attach3.
Next I created a policy under Computer Configuration – Scripts – Startup. See attach 4.
Host file. See attach5.
Batch file. See attach 6.
Attch1.PNG
Attach2.PNG
Attach3.PNG
Attach4.PNG
attach5.PNG
Attach6.PNG
0
 

Author Comment

by:narce100
Not yet resolved
0
 
LVL 35

Expert Comment

by:Mahesh
You are not getting my point.

I said to use a File GP Preference item under Computer Configuration\Preferences\Windows Settings in replace mode.
Right-click Computer Configuration\Preferences\Windows Settings\Files and select New File.
Give the shared folder host file path in source (\\server1\share\host) and enter %systemroot%\system32\drivers\etc as destination, select mode as Replace and click OK.
Apply this GPO on the OU containing computers.

You do not need to create a batch file.

Mahesh
0
 

Author Comment

by:narce100
I actually did that before and just did it again (see attached). I also ran a gpupdate and rebooted my computer, which is in the OU where the policy has been applied; no luck. I appreciate your help, any ideas?
Capture.PNG
0
 
LVL 35

Expert Comment

by:Mahesh
If I look at your screenshot, it is asking for the destination file, where you have entered only the folder path.
So you need to type the complete path of the file. For example:
%systemroot%\system32\drivers\etc\hosts

Also in source you have mentioned a local path, where you actually need to enter a UNC path such as \\DC01\netlogon\hosts, which has Everyone \ Authenticated Users read share permissions and Read, Read & Execute NTFS permissions.

In short, the source file needs to be placed in the netlogon folder on the domain controller to ensure that domain computers can read it and copy it to the desired location.

Mahesh
0
 

Author Comment

by:narce100
I have done what you suggested but still no luck; can you look at the attachments and let me know if I'm missing something?
Thanks
attach7.PNG
attach8.PNG
0
 

Author Comment

by:narce100
Here's another one
attach9.PNG
0
 
LVL 35

Expert Comment

by:Mahesh
Have you rebooted the client computer once after applying the GPO? Since this is Computer Configuration\Preferences, running gpupdate on the computer will not help.

Also, is your client computer WinXP?

In that case you need to install the CSE on Windows XP first:
http://www.microsoft.com/en-in/download/details.aspx?id=3628

Also, is the GPO replicating to all domain controllers in the domain? Have you checked on individual DCs by running GPMC and connecting to the local domain controller?
If there is a Sysvol replication issue, then the GPO might not get replicated to all DCs and hence the client will not get the GPO applied.

Also check that the netlogon share is accessible from the client computer.
Also run the below command on the client computer through the Run menu:

%logonserver%

This must resolve to the local authenticating DC.
If it resolves to some other DC in another site or you get an error here, then it's likely the policy will not apply.
If it resolves to a DC in another site, then first you need to correct the client subnet-to-site mapping.
You need to ensure the client subnet is mapped to the local AD site.
Run gpresult /r and rsop.msc on the client computer to check if the GPO is applying or not.

On the affected computer please open Advanced TCP/IP settings and check the DNS tab.
In the DNS tab, check the below settings:
Ensure that the "Append primary and connection specific DNS suffixes" radio button is selected.
Ensure that the "Append parent suffixes of primary DNS suffix" checkbox is selected.
Ensure that the "Register this connection's addresses in DNS" checkbox is selected.
If there is any deviation in the above settings, it's probable you will face name resolution issues and GPO issues.

Mahesh
0
 

Author Comment

by:narce100
I rebooted one of the computers in the OU but no luck.
All computers are Windows 7 or Server 2008-R.
The GPO is replicating to all Domain Controllers; we only have 2 (see attach 9).
Netlogon is accessible from the client computer (see attach 10).
Gpresult /r: see attached.
I ran Rsop.msc and I can see a file Host2 that I don’t have any idea of what it is. Can this be the problem? See attach 11.
All the DNS settings are OK as you suggested (see attach 12).
Any other ideas?
Attach-9.PNG
Attach-10.PNG
Attach-11.PNG
gpresult.txt
Attach-12.PNG
0
 

Author Comment

by:narce100
The hostfile2 also shows on a different computer in the OU (see attach 13); is this normal?
Attach-13.PNG
0
 
LVL 35

Expert Comment

by:Mahesh
Screenshots look promising.

What happened here: your original startup script is applied through GPO, but it's not run/executed somehow.

Please remove that script from the GPO that has configured it and then try by rebooting the workstation.

Also try the below:
Instead of using a Computer Configuration\Preferences item, try with a User Configuration\Preferences item and apply that GPO on the OU containing users.
Since the GP preferences item is running through the system account, it should work hopefully.

Mahesh
0
 

Author Comment

by:narce100
Still not working: I did it this time on the user’s side. When I look at the host file I see a red triangle, most probably indicating some error somewhere; do you know? See attach 14
Attach-14.PNG
0
 
LVL 35

Expert Comment

by:Mahesh
It is a warning of sorts that tells you that the file is being replaced and that you are aware of your Group Policies and their implications.

Red indicates that the old file will be deleted (replaced) with the new one.
http://blogs.technet.com/b/grouppolicy/archive/2009/11/02/group-policy-preferences-colorful-and-mysteriously-powerful-just-like-windows-7.aspx

Try turning off antivirus software on the client workstation; it might block the GPP action to modify core Windows files.
Perhaps you might need to add a proper exception in the antivirus software.

Also try turning off UAC on client computers if you deploy GPP with user preferences.

Mahesh
0
 

Author Comment

by:narce100
This happens to all computers in the Domain. I turned off the antivirus and UAC with the same results. I'm going to try to do it through a startup policy, using a batch file; any ideas?
0
 
LVL 35

Expert Comment

by:Mahesh
Can you check application and system events on client computers with respect to the GPO issue?

There might be some issue hiding, something like access denied events etc.

If GP preferences failed to do that, then I believe startup policies will never succeed.

I believe there is a very basic issue which is getting overlooked, since all computers are getting affected.

Mahesh
0
 

Author Comment

by:narce100
I named the policy “host file machine” and here are the settings; see attach 15.
Here are the host machine policy properties; see attach 16.
I rebooted the excserver to apply the policy and here is a gpupdate; see attach 17 and the gpresult file.
Here’s a print screen of the system log showing the host machine policy id.
I already followed the 3 pieces of advice; no luck.
Attach-15.PNG
0
 

Author Comment

by:narce100
Here are the rest.
Attach-16.PNG
0
 

Author Comment

by:narce100
0
 
LVL 35

Expert Comment

by:Mahesh
If I read the path correctly in the screenshots, it's showing as %systemroot%system32\drivers\etc\host

This destination path is incorrect.

The correct destination path is:
 %systemroot%\system32\drivers\etc\hosts

You have missed "\" and "s" is not appended to host.

This causes the path to be returned as invalid, as the path is wrong.

Please correct the above and check.

Mahesh
0
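An added example, not code from this thread: a PowerShell check to run on a client that verifies the points raised in Mahesh's troubleshooting list and in the destination-path post above, namely that the GPP destination string expands to the real hosts path, that the netlogon source is readable in the current context, whether the local hosts file already matches the source, whether the caller is elevated (a user-context script cannot write under %systemroot%\system32\drivers\etc), and any recent errors from the GPP Files extension. It assumes PowerShell 4 or later for Get-FileHash, and the "Group Policy Files" event provider name is my assumption of what the GPP Files extension logs under.

```powershell
# Added example; not from the thread. Assumes PowerShell 4+ (Get-FileHash).
function Test-HostsGppDeployment {
    param(
        # Source exactly as entered in the GPP File item (UNC on the netlogon share).
        [string]$SourcePath = "$env:LOGONSERVER\netlogon\hosts",
        # Destination exactly as entered in the GPP File item.
        [string]$DestinationPath = '%systemroot%\system32\drivers\etc\hosts'
    )
    $r = [ordered]@{}

    # 1. The destination must expand to the real hosts file path. The thread's failing value,
    #    "%systemroot%system32\drivers\etc\host", lacks a backslash and the trailing "s".
    $expected = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $expanded = [Environment]::ExpandEnvironmentVariables($DestinationPath)
    $r.ExpandedDestination    = $expanded
    $r.DestinationIsCanonical = ($expanded -ieq $expected)

    # 2. The source must be readable from this security context: the computer account for a
    #    Computer Configuration item, the logged-on user for a logon script.
    $r.LogonServer     = $env:LOGONSERVER
    $r.SourceReachable = Test-Path -LiteralPath $SourcePath -PathType Leaf

    # 3. If both files hash the same, the preference has already applied on this machine.
    $r.HostsMatchesSource = $null
    if ($r.SourceReachable -and (Test-Path -LiteralPath $expected)) {
        $src = (Get-FileHash -LiteralPath $SourcePath -Algorithm SHA256).Hash
        $dst = (Get-FileHash -LiteralPath $expected   -Algorithm SHA256).Hash
        $r.HostsMatchesSource = ($src -eq $dst)
    }

    # 4. Writing under %systemroot%\system32\drivers\etc needs administrator rights, so a
    #    user-context script (HKCU Run key or logon script) fails for standard users; GPP
    #    items apply as SYSTEM, which is why the thread moves to them.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $r.IsElevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 5. Recent warnings/errors from the GPP Files extension (e.g. "did not apply because it
    #    failed with error code ..."). "Group Policy Files" is my assumption for the provider
    #    name; adjust it if your Application log shows a different source.
    $r.RecentGppErrors = @(Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 10 -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'Group Policy Files'; Level = 2, 3
            StartTime = (Get-Date).AddDays(-1)
        } | ForEach-Object { $_.Message.Split("`n")[0] })

    [pscustomobject]$r
}

# Run in the context the GPO applies in (an elevated prompt for a computer-side policy).
Test-HostsGppDeployment | Format-List
```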
 

Author Comment

by:narce100
That seems to do it, and I thank you very much for your advice and patience. My boss now wants to do it on the user side; he wants to be able to apply a hosts file to different OUs depending on who the user is. Can this be done the same way as we did on machine configuration? Should I open a new question to address this other problem? Thank you again.
0
 
LVL 35

Expert Comment

by:Mahesh
Definitely you can do this with User Configuration\Preferences.
There it will run as the system account, hence it will work.
I think previously I already suggested you configure it with User Configuration\Preferences only.

You can apply the same GPO to multiple OUs, or if your requirement is to have a different hosts file for different users, then you may create multiple GPOs and apply those GPOs to multiple OUs.

If you have multiple users in the same OU \ sub-OU under the main parent OU with different hosts file requirements, you can still achieve it.
For that you need to create multiple GPOs with the required hosts files.
Then create a global security group in that OU and add the required users which need a particular hosts file to that group.
In GPMC, navigate to the Scope tab of the respective GPO; in the Security Filtering of the GPO, remove Authenticated Users and add that security group there.
In this way link all GPOs with the required security groups and apply them on the main parent OU so that each will apply only to its particular security group (users in the group).

Mahesh
0
 

Author Comment

by:narce100
It works after a gpupdate on the DC where the policy I created resides, but not on any other machine. I tried a server and a workstation and after a gpupdate this is what I got (see attach 18). I’m also attaching a settings print screen.
attach-18.PNG
Attach-19.PNG
0
 
LVL 35

Expert Comment

by:Mahesh
The settings are correct.

Please try with logoff and logon.

Also try running gpupdate /force.

I can see there is some error with the GPO itself.

Can you post a screenshot of the GPO within GPMC with the Scope tab please?
0
 

Author Comment

by:narce100
OK; I created a logon GPO, you can see the settings in attach 20.
There’s a print screen of GPMC showing the scope in attach 21.
After I created and assigned the policy to the IT OU (where my acct. is) I logged off and then on into the client computer, but the host file remains the same.
See the batch file on attach 22.
When I run gpupdate /force it says that the policy ran fine, but it is not changing the host file.
I’m a Domain Administrator and have all rights, but I wonder, since this policy will be applied to regular users, can security be a problem to execute this batch file?
Attach-20.PNG
Attach-21.PNG
Attach-22.PNG
Attach-23.PNG
0
 
LVL 35

Expert Comment

by:Mahesh
First of all, not sure why you are using a logon script instead of GP preferences?

You will never find a more accurate method than GP preferences to deploy such things.
If you are trying with XP machines, just ensure that you apply the below patch on XP machines first, otherwise it will fail on XP:
http://www.microsoft.com/en-in/download/details.aspx?id=3628

Since you want to deploy the hosts file on a per-user basis as per your earlier comment,
try the below:
Create a new GPO with User Configuration\Preferences and add the hosts file there.

Then apply this GPO to the OU containing users; it will work on their machines.
As I already told you, GP Preferences for user configuration always run with the system account.

Just ensure that those users reside in the OU where you apply that GPO.

Mahesh
0
 

Author Comment

by:narce100
Misunderstanding: I thought you referred in your previous comment to log on and log off as to a policy. I will follow your advice, but we need the policy to be applied right after the user logs in without having to do a policy update; is this possible?
0
 
LVL 35

Expert Comment

by:Mahesh
Yes, basically user preferences will apply on every logon,
or if you hit gpupdate /force.
You can test that.

Mahesh
0
 

Author Comment

by:narce100
I created a GP under user preferences (attach 24) and tried it on a server with perfect results; it actually applies the policy at logon. But I also tried it on my own workstation in the Domain and it didn’t work, see attach 25. There’s a print screen of the GPO within GPMC in attach 27 and another one of the resulting hosts file on the server where it worked in attach 26. I’m also attaching a gpreport for more detail.
Attach-24.PNG
Attach-25.PNG
Attach-26.PNG
Attach-27.PNG
gpreport.html
0
 

Author Comment

by:narce100
I just tried other workstations and servers and they worked fine; I guess it's just my computer. So far the policy has been applied immediately after I log on; can I expect this all the time?
0
 
LVL 35

Expert Comment

by:Mahesh
If you apply this policy on the OU containing computers (IT OU in your case), your computer account must reside in that OU in order to apply that policy.
Then it will work during user logon or whenever you run gpupdate /force.
Also you need to enable one more setting in that GPO:
Enable loopback processing mode in replace mode.

Also in the gpresult output I can see hosts.bat is still applying through logon scripts.
You need to remove that from the GPO in order to avoid conflicts.

Mahesh
0
 

Author Comment

by:narce100
I’m a little puzzled on how this policy works for some computers and not for all. My own computer (it-lapto-1) gives the errors (see attach 28) when I run gpupdate. I’m also attaching the group policy results file for my computer. I also added my computer account to the IT OU and did the GP loopback processing mode but still no success; any ideas?
Attach-28.PNG
gpreport.html
0
 
LVL 35

Expert Comment

by:Mahesh
Try creating a new GPO and unlink the existing GPO.

Also ensure that you are moving all required computers into the OU where the GPO is applied.

If the issue is still not resolved,
lastly add the below code in a .bat file and run it on affected machines:

REM Rebuild the local WMI repository (Group Policy processing depends on WMI).
REM Save as a .bat file; %%s is the batch-file form of the for-loop variable.
net stop winmgmt /y
%SYSTEMDRIVE%
CD %windir%\system32\wbem
rd /S /Q repository
net start winmgmt
REM Re-register every provider DLL under the wbem tree
for /f %%s in ('dir /b /s *.dll') do regsvr32 /s %%s
REM Recompile the MOF files so the provider classes are added back to the fresh repository
for /f %%s in ('dir /b *.mof') do mofcomp %%s

http://www.madanmohan.com/2010/10/rebuilding-wmi-repository.html

Open cmd with Run as administrator on the affected client machine manually and run the above batch file, then reboot the machine and check if the GPO is applying.

Mahesh
0
 

Author Comment

by:narce100
The GPO is linked to the IT OU where we have some users; I moved my computer there and ran the gpupdate command with the same results already, but I'll do it again. I’m going to disable the link and create a new policy the same as the old one; is this correct?
0
 

Author Comment

by:narce100
After creating a new policy (see attach 30) and running the batch file, I ran gpupdate again on my computer with the same results (see Attach 29). The computer account was added to the IT OU (attach 31); any other thing we should try?
Attach-29.PNG
Attach-30.PNG
Attach-31.PNG
0
 

Author Comment

by:narce100
I also rebooted my machine after running the batch file.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
Create a brand new GPO.
For the source path in GP preferences, keep the source hosts file on the netlogon share on the DC and provide the source path as \\DC_IP\netlogon\hosts.
Then try to apply this policy on the OU containing Computers OR users; it should work.
If you are applying the policy on Computers, then enable the loopback processing setting in the GPO as stated earlier.

Mahesh
0
 

Author Closing Comment

by:narce100
That seems to work fine on workstations and Servers. Once more I want to Thank You for all your help and patience, until the next time.

Nestor
0
