Group Policy Troubleshooting

bjaxx Member Posts: 217
Hello,

I'm kind of at a loss here; group policy settings only apply after a reboot of the machine.
Ran User Profile Hive Cleanup Service
Tried gpupdate /force - times out with: User Policy Refresh has not completed in the expected time. Exiting... User Policy Refresh has completed. Computer Policy Refresh has not completed in the expected time. Exiting...
Computer Policy Refresh has completed.
Tried gpupdate /target:user - same error for user settings only
tried gpupdate /target:computer - same error for computer settings only


Environment:
2 Server 2003 DCs
DCDiags check out just fine
Nslookups check out fine


Userenv.log
USERENV(2f4.2f8) 18:03:41:906 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 18:03:41:921 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 18:03:41:921 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.380) 18:03:43:093 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 18:03:43:093 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3f0) 18:03:43:390 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3f0) 18:03:43:390 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(900.a1c) 18:04:35:082 LoadUserProfile: Failed to impersonate user with 5.
USERENV(518.edc) 18:12:37:469 GetUserNameAndDomain: MyGetUserNameEx failed for NT4 style name with 1115
USERENV(2f4.2f8) 18:14:46:703 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 18:14:46:718 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 18:14:46:718 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.3dc) 18:14:47:906 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3dc) 18:14:47:906 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 18:14:48:234 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 18:14:48:234 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(b38.bac) 18:15:19:187 LoadUserProfile: Failed to impersonate user with 5.
USERENV(1ec.e1c) 18:34:51:342 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(1ec.e1c) 18:34:51:810 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(2f4.c98) 22:19:16:681 PolicyChangedThread: UpdateUser failed with 1008.
USERENV(2f4.2f8) 22:27:37:031 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 22:27:37:031 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f8) 22:27:37:031 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.3a4) 22:27:37:765 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3a4) 22:27:37:765 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 22:27:38:078 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 22:27:38:078 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(99c.9d8) 22:28:02:437 LoadUserProfile: Failed to impersonate user with 5.
USERENV(bc8.638) 22:47:40:974 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(bc8.638) 22:47:41:395 ProcessAutoexec: Cannot process autoexec.bat.


Note: other group policies apply successfully.

Let me know if you need more information...
"You have to hate to lose more than you love to win"
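As an added example (not code from the thread or from Microsoft), here is a small Python parser for the userenv.log format quoted above. It splits each line into process/thread ids, timestamp, function and message, and decodes the Win32 error code that ends the failure lines, so the "Failed to impersonate user with 5" entries stand out as ERROR_ACCESS_DENIED rather than as a bare number. The sample lines are copied from the post; the error-name table covers only the codes that appear there.

```python
import re
from collections import Counter

# Sample input: lines copied from the userenv.log excerpt in the post above.
USERENV_SAMPLE = """\
USERENV(2f4.2f8) 18:03:41:906 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.380) 18:03:43:093 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(900.a1c) 18:04:35:082 LoadUserProfile: Failed to impersonate user with 5.
USERENV(518.edc) 18:12:37:469 GetUserNameAndDomain: MyGetUserNameEx failed for NT4 style name with 1115
USERENV(2f4.c98) 22:19:16:681 PolicyChangedThread: UpdateUser failed with 1008.
"""

# Win32 error codes (winerror.h) for the numbers that appear in the excerpt.
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    1008: "ERROR_NO_TOKEN",
    1115: "ERROR_SHUTDOWN_IN_PROGRESS",
}

# USERENV(<pid hex>.<tid hex>) HH:MM:SS:mmm <Function>: <message>
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<func>[\w:]+):\s+(?P<msg>.*)$"
)
# userenv reports failures as "... failed with <code>" / "... with <code>."
CODE_RE = re.compile(r"\bwith\s+(\d+)\.?$")


def parse_line(line):
    """Return a dict for one userenv.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"], 16)
    rec["tid"] = int(rec["tid"], 16)
    c = CODE_RE.search(rec["msg"])
    rec["code"] = int(c.group(1)) if c else None
    rec["code_name"] = WIN32_ERRORS.get(rec["code"], "UNKNOWN") if c else None
    return rec


def summarize(text):
    """Parse a whole log; list the lines carrying an error code, count by function."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    failures = [r for r in recs if r["code"] is not None]
    per_func = Counter(r["func"] for r in recs)
    return {"total": len(recs), "failures": failures, "per_func": per_func}


if __name__ == "__main__":
    for f in summarize(USERENV_SAMPLE)["failures"]:
        print(f'{f["time"]} {f["func"]}: {f["code"]} ({f["code_name"]})')
```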

Comments

  • TechJunky Member Posts: 881
    What is the group policy doing? That may help us a little more.
  • Mishra Member Posts: 2,468
    Is this a single machine or multiple machines?
    My blog http://www.calegp.com

    You may learn something!
  • bjaxx Member Posts: 217
    Mishra wrote:
    Is this a single machine or multiple machines?

    The timeout is across the board for the OUs under that GPO. It's frustrating because the previous sysadmin before me used the default domain policy and just threw everyone underneath it and applied some pretty strong settings from top to bottom.

    I've gone through the GPO checklist to no avail...

    http://support.microsoft.com/kb/887303

    I have checked my dns, and I see all my SRV records in the respective places.
    Logged in with domain admin, still times out.

    Sysvol permissions are
    Administrators, System - FC
    Authenticated Users, List, Read & Exec

    I would believe it would be a DNS issue, but other policies apply successfully?
    Thanks guys
  • undomiel Member Posts: 2,818
    Is it doing a cached logon? Have you checked that it can communicate with the DC? You're saying the policies apply after a reboot successfully but if you create a new policy it won't apply until the machine is rebooted? Have you made sure the clocks are synched? $SYSVOL is accessible on the DC? Is it one machine or several machines, as others have asked? Have you checked the Event Viewer? Maybe this is applicable though it may not: http://support.microsoft.com/kb/840669
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • bjaxx Member Posts: 217
    undomiel wrote:
    Is it doing a cached logon? Have you checked that it can communicate with the DC? You're saying the policies apply after a reboot successfully but if you create a new policy it won't apply until the machine is rebooted? Have you made sure the clocks are synched? $SYSVOL is accessible on the DC? Is it one machine or several machines, as others have asked? Have you checked the Event Viewer? Maybe this is applicable though it may not: http://support.microsoft.com/kb/840669


    I did check the NTP group policy settings this AM; all servers were pointing to bigben.cac.washington.edu. I redirected the computers to the PDC in group policy.

    http://www.techexams.net/forums/viewtopic.php?t=36285


    I had some event logs stating that the time was out of sync... The event log doesn't state anything about the group policy update... "userenv errors"

    Explain a cached logon?
  • TechJunky Member Posts: 881
    Cached logons are used so you don't have to authenticate with a domain controller. If you set them to 0 then it will require you to authenticate with the domain controller using Kerberos.

    That's the simple version anyhow.
  • Mishra Member Posts: 2,468
    Can you re-create the GPO in error here?
  • undomiel Member Posts: 2,818
    This gives some of the details of cached logins: http://support.microsoft.com/kb/913485

    Basically it will allow a person who has logged into the machine before to login to their domain account on the machine even if it is unable to contact a DC at the time.

    Is your userenv logging turned up all the way?
  • TechJunky Member Posts: 881
    Have you tried gpupdate /force from the workstation?

    Are you sure you are communicating with the DC? Are your DNS settings correct? This could also cause you not to be able to communicate with the DC.

    I am just throwing some ideas out there.
  • undomiel Member Posts: 2,818
    You could also try rejoining the computer to the domain.
  • RTmarc Member Posts: 1,082
    I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.
  • bjaxx Member Posts: 217
    TechJunky wrote:
    Have you tried gpupdate /force from the workstation?

    Are you sure you are communicating with the DC? Are your DNS settings correct? This could also cause you not to be able to communicate with the DC.

    I am just throwing some ideas out there.

    Tech,

    The whole thing is that the group policy applies after I restart my computer; if I try gpupdate from a command prompt, it times out...

    Tried gpupdate /force - times out with: User Policy Refresh has not completed in the expected time. Exiting... User Policy Refresh has completed. Computer Policy Refresh has not completed in the expected time. Exiting...
    Computer Policy Refresh has completed.
    Tried gpupdate /target:user - same error for user settings only
    tried gpupdate /target:computer - same error for computer settings only
  • Mishra Member Posts: 2,468
    RTmarc wrote:
    I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.

    http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx
  • bjaxx Member Posts: 217
    RTmarc wrote:
    I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.

    RT,

    I think you are correct, my best option will probably be to start from scratch...

    Care to join me in a night of misery?
  • bjaxx Member Posts: 217
    undomiel wrote:
    You could also try rejoining the computer to the domain.

    Undomiel,

    I even changed my computer name and rejoined. I authenticate just fine to the domain...


    Again, thanks for all the ideas.
  • bjaxx Member Posts: 217
    bjaxx wrote:
    undomiel wrote:
    You could also try rejoining the computer to the domain.

    Undomiel,

    I even changed my computer name and rejoined. I authenticate just fine to the domain...


    Again, thanks for all the ideas.

    Question: is the group policy too big and it's taking too much time, so it times out?


    I printed the group policy out and it's 34 pages...
  • RTmarc Member Posts: 1,082
    Mishra wrote:
    RTmarc wrote:
    I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.

    http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx
    Problem is, that article was posted two years after my ordeal. I created a new policy back in 2005 and we've had zero problems since that time.
  • bjaxx Member Posts: 217
    RTmarc wrote:
    Mishra wrote:
    RTmarc wrote:
    I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.

    http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx
    Problem is, that article was posted two years after my ordeal. I created a new policy back in 2005 and we've had zero problems since that time.

    RT,

    This article is just for the default domain policy, correct?
  • RTmarc Member Posts: 1,082
    bjaxx wrote:
    bjaxx wrote:
    undomiel wrote:
    You could also try rejoining the computer to the domain.

    Undomiel,

    I even changed my computer name and rejoined. I authenticate just fine to the domain...


    Again, thanks for all the ideas.

    Question: is the group policy too big and it's taking too much time, so it times out?


    I printed the group policy out and it's 34 pages...
    That's a crap load of policies. The best thing to do is create a very loose domain policy and tighten as you go down through the OUs. Domain-wide policies should be something that is similar on every machine and for every department. Obviously I can't comment on your structure since I don't know the size or complexity of your organization. For my company, however, there are quite a few locations, around ten departments or so, and varying levels within each.
  • RTmarc Member Posts: 1,082
    bjaxx wrote:
    RTmarc wrote:
    Mishra wrote:
    RTmarc wrote:
    I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.

    http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx
    Problem is, that article was posted two years after my ordeal. I created a new policy back in 2005 and we've had zero problems since that time.

    RT,

    This article is just for the default domain policy, correct?
    Looks to be.
  • Mishra Member Posts: 2,468
    RTmarc wrote:
    Problem is, that article was posted two years after my ordeal. I created a new policy back in 2005 and we've had zero problems since that time.

    Just letting everyone know there are ways to recreate it. :)
  • Mishra Member Posts: 2,468
    bjaxx wrote:

    Question: is the group policy too big and it's taking too much time, so it times out?


    I printed the group policy out and it's 34 pages...

    GPOs have a tendency to get corrupt. So I would imagine the bigger they are the more problems you can run into. I would 100% create yourself a nice new GPO structure and switch everyone over to a cleaned up version, then remove all the old GPOs (I'm confused if you are having problems with the default domain or just one individual policy). Don't remove the default domain if you aren't having problems obviously.
  • RTmarc Member Posts: 1,082
    Mishra wrote:
    RTmarc wrote:
    Problem is, that article was posted two years after my ordeal. I created a new policy back in 2005 and we've had zero problems since that time.

    Just letting everyone know there are ways to recreate it. :)
    That's a good article though. Thanks for posting!
  • Mishra Member Posts: 2,468
    By the way, 34 pages of policy changes is an extreme amount for everyone in the first place. I would also spend some time and find all the unnecessary GPOs/false positives in your GPO schema and remove them. (Example: if you aren't ever going to use NetMeeting then there is no reason to have a bunch of policies configured for it.)
  • bjaxx Member Posts: 217
    RTmarc wrote:
    Mishra wrote:
    RTmarc wrote:
    Problem is, that article was posted two years after my ordeal. I created a new policy back in 2005 and we've had zero problems since that time.

    Just letting everyone know there are ways to recreate it. :)
    That's a good article though. Thanks for posting!

    Thanks for the help guys,

    I already have in place the policies (disabled, of course) for how I want the structure to go: starting loose at the top and tightening as I work my way down.

    It's just the default domain policy that is giving me issues.
  • bjaxx Member Posts: 217
    RTmarc wrote:
    Mishra wrote:
    RTmarc wrote:
    Problem is, that article was posted two years after my ordeal. I created a new policy back in 2005 and we've had zero problems since that time.

    Just letting everyone know there are ways to recreate it. :)
    That's a good article though. Thanks for posting!

    Sorry, you misinterpreted what I was saying. I printed the default domain policy out and it's 34 pages...

    The problem I have is with one policy, and it's the default domain policy not updating when I do a GPUPDATE. The policy updates only with a corresponding reboot.
  • Mishra Member Posts: 2,468
    bjaxx wrote:

    Sorry, you misinterpreted what I was saying. I printed the default domain policy out and it's 34 pages...

    The problem I have is with one policy, and it's the default domain policy not updating when I do a GPUPDATE. The policy updates only with a corresponding reboot.

    Right, I would still sort through your default domain policy and get rid of the stuff you don't need. 34 pages of policies will put some pretty large drag on your machines when they reboot and when users log in. I work in government and we have to adhere to the FDCC (google it if you care) and it is an extreme amount of policies. However it is still only a 10 or so page doc.
  • bjaxx Member Posts: 217
    Mishra wrote:
    bjaxx wrote:

    Sorry, you misinterpreted what I was saying. I printed the default domain policy out and it's 34 pages...

    The problem I have is with one policy, and it's the default domain policy not updating when I do a GPUPDATE. The policy updates only with a corresponding reboot.

    Right, I would still sort through your default domain policy and get rid of the stuff you don't need. 34 pages of policies will put some pretty large drag on your machines when they reboot and when users log in. I work in government and we have to adhere to the FDCC (google it if you care) and it is an extreme amount of policies. However it is still only a 10 or so page doc.


    Yeah, I'm finding out a lot of things the previous sysadmin had done have caused me a lot of grief...


    Can't thank you enough for all the replies.