Group Policy Troubleshooting
Hello,
I'm kind of at a loss here; group policy settings only apply after a reboot of the machine.
Ran User Profile Hive Cleanup Service
Tried gpupdate /force - times out with: User Policy Refresh has not completed in the expected time. Exiting... User Policy Refresh has completed. Computer Policy Refresh has not completed in the expected time. Exiting...
Computer Policy Refresh has completed.
Tried gpupdate /target:user - same error for user settings only
Tried gpupdate /target:computer - same error for computer settings only
Environment:
2 Server 2003 DCs
DCDiags check out just fine
Nslookups check out fine
Userenv.log
USERENV(2f4.2f 18:03:41:906 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f 18:03:41:921 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f 18:03:41:921 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.380) 18:03:43:093 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 18:03:43:093 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3f0) 18:03:43:390 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3f0) 18:03:43:390 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(900.a1c) 18:04:35:082 LoadUserProfile: Failed to impersonate user with 5.
USERENV(518.edc) 18:12:37:469 GetUserNameAndDomain: MyGetUserNameEx failed for NT4 style name with 1115
USERENV(2f4.2f 18:14:46:703 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f 18:14:46:718 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f 18:14:46:718 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.3dc) 18:14:47:906 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3dc) 18:14:47:906 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 18:14:48:234 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 18:14:48:234 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(b38.bac) 18:15:19:187 LoadUserProfile: Failed to impersonate user with 5.
USERENV(1ec.e1c) 18:34:51:342 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(1ec.e1c) 18:34:51:810 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(2f4.c9 22:19:16:681 PolicyChangedThread: UpdateUser failed with 1008.
USERENV(2f4.2f 22:27:37:031 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f 22:27:37:031 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(2f4.2f 22:27:37:031 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.3a4) 22:27:37:765 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.3a4) 22:27:37:765 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 22:27:38:078 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 22:27:38:078 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(99c.9d 22:28:02:437 LoadUserProfile: Failed to impersonate user with 5.
USERENV(bc8.63 22:47:40:974 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(bc8.63 22:47:41:395 ProcessAutoexec: Cannot process autoexec.bat.
Note* Other group policies apply successfully
Let me know if you need more information...
"You have to hate to lose more than you love to win"
Comments
-
bjaxx Member Posts: 217
Mishra wrote: Is this a single machine or multiple machines?
The time out is across-the-board for the OUs under that GPO. It's frustrating because the previous sys admin before me used the default domain policy and just threw everyone underneath it and applied some pretty strong settings from top to bottom.
I've gone through the GPO checklist to no avail...
http://support.microsoft.com/kb/887303
I have checked my DNS, and I see all my SRV records in the respective places.
Logged in with domain admin, still times out.
Sysvol permissions are
Administrators, System - FC
Authenticated Users, List, Read & Exec
I would believe it would be a DNS issue, but other policies apply successfully?
Thanks guys
"You have to hate to lose more than you love to win"
-
undomiel Member Posts: 2,818
Is it doing a cached logon? Have you checked that it can communicate with the DC? You're saying the policies apply after a reboot successfully but if you create a new policy it won't apply until the machine is rebooted? Have you made sure the clocks are synched? $SYSVOL is accessible on the DC? Is it one machine or several machines, as others have asked? Have you checked the Event Viewer? Maybe this is applicable though it may not: http://support.microsoft.com/kb/840669
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
-
bjaxx Member Posts: 217
undomiel wrote: Is it doing a cached logon? Have you checked that it can communicate with the DC? You're saying the policies apply after a reboot successfully but if you create a new policy it won't apply until the machine is rebooted? Have you made sure the clocks are synched? $SYSVOL is accessible on the DC? Is it one machine or several machines, as others have asked? Have you checked the Event Viewer? Maybe this is applicable though it may not: http://support.microsoft.com/kb/840669
I did check the NTP group policy settings this AM, all servers were pointing to bigben.cac.washington.edu. I redirected the computers to the PDC in group policy.
http://www.techexams.net/forums/viewtopic.php?t=36285
I had some event logs stating that the time was off synch... The event log doesn't state anything about the group policy update... "userenv errors"
Explain a cached logon?
"You have to hate to lose more than you love to win"
-
TechJunky Member Posts: 881
Cached logons are used so you don't have to authenticate with a domain controller. If you set them to 0 then it will require you to authenticate with the domain controller using Kerberos.
That's the simple version anyhow.
-
undomiel Member Posts: 2,818
This gives some of the details of cached logins: http://support.microsoft.com/kb/913485
Basically it will allow a person who has logged into the machine before to login to their domain account on the machine even if it is unable to contact a DC at the time.
Is your userenv logging turned up all the way?
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
-
TechJunky Member Posts: 881
Have you tried gpupdate /force from the workstation?
Are you sure you are communicating with the DC? Are your DNS settings correct? This could also cause you not to be able to communicate with the DC.
I am just throwing some ideas out there.
-
undomiel Member Posts: 2,818
You could also try rejoining the computer to the domain.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
-
RTmarc Member Posts: 1,082
I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.
-
bjaxx Member Posts: 217
TechJunky wrote: Have you tried gpupdate /force from the workstation?
Are you sure you are communicating with the DC? Are your DNS settings correct? This could also cause you not to be able to communicate with the DC.
I am just throwing some ideas out there.
Tech,
The whole thing is that the group policy applies after I restart my computer; if I try gpupdate from a command prompt, it times out...
Tried gpupdate /force - times out with: User Policy Refresh has not completed in the expected time. Exiting... User Policy Refresh has completed. Computer Policy Refresh has not completed in the expected time. Exiting...
Computer Policy Refresh has completed.
Tried gpupdate /target:user - same error for user settings only
Tried gpupdate /target:computer - same error for computer settings only
"You have to hate to lose more than you love to win"
-
Mishra Member Posts: 2,468
RTmarc wrote: I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.
http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx
-
bjaxx Member Posts: 217
RTmarc wrote: I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.
RT,
I think you are correct, my best option will probably be to start from scratch...
Care to join me in a night of misery?
"You have to hate to lose more than you love to win"
-
bjaxx Member Posts: 217
bjaxx wrote: undomiel wrote: You could also try rejoining the computer to the domain.
Undomiel,
I even changed my computer name and rejoined. I authenticate just fine to the domain...
Again, thanks for all the ideas.
Question, is the group policy too big and it's taking too much time so it times out?
I printed the group policy out and it's 34 pages...
"You have to hate to lose more than you love to win"
-
RTmarc Member Posts: 1,082
Mishra wrote: RTmarc wrote: I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.
http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx
-
bjaxx Member Posts: 217
RTmarc wrote: Mishra wrote: RTmarc wrote: I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.
http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx
RT,
This article is just for the default domain policy, correct?
"You have to hate to lose more than you love to win"
-
RTmarc Member Posts: 1,082
bjaxx wrote: bjaxx wrote: undomiel wrote: You could also try rejoining the computer to the domain.
Undomiel,
I even changed my computer name and rejoined. I authenticate just fine to the domain...
Again, thanks for all the ideas.
Question, is the group policy too big and it's taking too much time so it times out?
I printed the group policy out and it's 34 pages...
-
RTmarc Member Posts: 1,082
bjaxx wrote: RTmarc wrote: Mishra wrote: RTmarc wrote: I also inherited a network from a totally incompetent hack of a "network admin" who did some totally off the wall things with Group Policy. After fighting with it for a few weeks trying to get it back to some level of normalcy, I gave up. It was easier to create a new GPO at the top level and disable the default domain policy than try to manipulate it back to viability.
http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx
RT,
This article is just for the default domain policy, correct?
-
undomiel Member Posts: 2,818
More info on dcgpofix:
http://technet2.microsoft.com/windowsserver/en/library/48872034-1907-4149-b6aa-9788d38209d21033.mspx?mfr=true
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
-
Mishra Member Posts: 2,468
bjaxx wrote:
Question, is the group policy too big and it's taking too much time so it times out?
I printed the group policy out and it's 34 pages...
GPOs have a tendency to get corrupt. So I would imagine the bigger they are the more problems you can run into. I would 100% create yourself a nice new GPO structure and switch everyone over to a cleaned up version, then remove all the old GPOs (I'm confused if you are having problems with the default domain or just one individual policy). Don't remove the default domain if you aren't having problems obviously.
-
RTmarc Member Posts: 1,082
-
Mishra Member Posts: 2,468
By the way, 34 pages of policy changes is an extreme amount for everyone in the first place. I would also spend some time and find all the unnecessary GPOs/false-positives in your GPO schema and remove them. (example: if you aren't ever going to use NetMeeting then there is no reason to have a bunch of policies configured for it).
-
bjaxx Member Posts: 217
RTmarc wrote:
Thanks for the help guys,
I already have in place the policies, disabled of course, how I want the structure to go, starting loose from top and tightening as I work my way down.
It's just the default domain policy that is giving me issues.
"You have to hate to lose more than you love to win"
-
bjaxx Member Posts: 217
RTmarc wrote:
Sorry, you misinterpreted what I was saying. I printed the default domain policy out and it's 34 pages...
The problem I have is with one policy and it's the default domain policy not updating when I do a GPUPDATE. However the policy updates only with a corresponding reboot.
"You have to hate to lose more than you love to win"
-
Mishra Member Posts: 2,468
bjaxx wrote:
Sorry, you misinterpret what I was saying. I printed the default domain policy out and it's 34 pages...
The problem I have is with one policy and it's the default domain policy not updating when I do a GPUPDATE. However the policy updates only with a corresponding reboot.
Right, I would still sort through your default domain policy and get rid of the stuff you don't need. 34 pages of policies will put some pretty large drag on your machines when they reboot and when users log in. I work in government and we have to adhere to the FDCC (google it if you care) and it is an extreme amount of policies. However it is still only a 10 or so page doc.
-
bjaxx Member Posts: 217
Mishra wrote: bjaxx wrote:
Sorry, you misinterpret what I was saying. I printed the default domain policy out and it's 34 pages...
The problem I have is with one policy and it's the default domain policy not updating when I do a GPUPDATE. However the policy updates only with a corresponding reboot.
Right, I would still sort through your default domain policy and get rid of the stuff you don't need. 34 pages of policies will put some pretty large drag on your machines when they reboot and when users log in. I work in government and we have to adhere to the FDCC (google it if you care) and it is an extreme amount of policies. However it is still only a 10 or so page doc.
Yeah, I'm finding out a lot of things the previous sys admin had done have caused me a lot of grief...
Can't thank you enough for all the replies.
"You have to hate to lose more than you love to win"
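
Added example, not part of any post in this thread: a small Python parser for the userenv.log lines pasted in the opening post. It collapses the doubled entries and decodes the trailing status numbers as Win32 error codes. The names `parse_line` and `triage` are made up for this example, and the error-code names are the standard winerror.h values rather than anything stated in the thread.

```python
import re
from collections import Counter

# Win32 error codes seen in the posted log (standard winerror.h names).
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1008: "ERROR_NO_TOKEN",
                1115: "ERROR_SHUTDOWN_IN_PROGRESS"}

# Layout: USERENV(pid.tid) HH:MM:SS:mmm Function: message
# ")" is optional because some pasted lines lost the end of the pid.tid field.
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)?\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<func>[\w:]+):\s+(?P<msg>.*)$"
)
CODE_RE = re.compile(r"\bwith (\d+)\.?$")  # trailing "... with <code>."

# Lines copied from the opening post (a subset; damaged fields left as posted).
SAMPLE = """\
USERENV(2f4.2f 18:03:41:906 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(330.380) 18:03:43:093 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(330.380) 18:03:43:093 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(900.a1c) 18:04:35:082 LoadUserProfile: Failed to impersonate user with 5.
USERENV(518.edc) 18:12:37:469 GetUserNameAndDomain: MyGetUserNameEx failed for NT4 style name with 1115
USERENV(2f4.c9 22:19:16:681 PolicyChangedThread: UpdateUser failed with 1008.
USERENV(99c.9d 22:28:02:437 LoadUserProfile: Failed to impersonate user with 5.
""".splitlines()

def parse_line(line):
    """Parse one userenv.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    code = CODE_RE.search(entry["msg"])
    entry["code"] = int(code.group(1)) if code else None
    entry["error"] = WIN32_ERRORS.get(entry["code"])  # None if no or unknown code
    return entry

def triage(lines):
    """Count distinct events per function and collect those carrying an error code."""
    seen, counts, coded = set(), Counter(), []
    for entry in filter(None, map(parse_line, lines)):
        key = tuple(entry[k] for k in ("pid", "tid", "time", "func", "msg"))
        if key in seen:  # the log writes many events twice
            continue
        seen.add(key)
        counts[entry["func"]] += 1
        if entry["code"] is not None:
            coded.append((entry["time"], entry["func"], entry["code"], entry["error"]))
    return counts, coded

if __name__ == "__main__":
    for row in triage(SAMPLE)[1]:
        print(*row)
```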