GPO not applying at logon

What would make a GPO fail to be applied at logon, but work when you run gpupdate?

I've applied a policy to add a desktop shortcut to a group of thin clients. All changes are lost on reboot, so it's easy to test whether this is being applied or not. If the machine is left alone long enough, the policy will be applied. I know this because all the machines that have been up and running for days have the shortcut. But when I reboot one of them it's not there.

If I run gpupdate, it appears.

There is another policy linked to the same OU that maps a couple of drives and it is applied as soon as Windows is up. It was created by someone else.

Am I doing something wrong here? Why don't my policies apply at logon but others do?
CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V

Comments

  • Devilsbane Member Posts: 4,214
    Very good question, and I'll be interested to hear the answers. The only thing I can think of is that something hasn't been initialized properly when the group policy is applied.

    In the meantime, what if you put a batch file in the startup folder to run gpupdate?
    Decide what to be and go be it.
  • -Foxer- Member Posts: 151
    Do the clients have network connections before the user logs on?
    Does the GPO apply a script to put the shortcut there? Where is the script located?
  • xenodamus Member Posts: 758
    -Foxer- wrote: »
    Do the clients have network connections before the user logs on?
    Does the GPO apply a script to put the shortcut there? Where is the script located?

    The clients are actually VMs that are sitting out there running until the Citrix provisioning server hands them to the user, so they do have network connections.

    There isn't any script - just a desktop shortcut added via GPO
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • xenodamus Member Posts: 758
    Devilsbane wrote: »
    In the meantime, what if you put a batch file in the startup folder to run gpupdate?

    Since these thin clients are running off cookie cutter VMs that are provisioned through Citrix, anything I do has to be via GPO. It's not a mission critical shortcut, so they'll survive the way it is for now, but I do need to fix it somehow.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • kriscamaro68 Member Posts: 1,186
    -Foxer- wrote: »
    Do the clients have network connections before the user logs on?
    Does the GPO apply a script to put the shortcut there? Where is the script located?

    If this script that is setting up the shortcut is on a network share, then that is most likely your issue. When rebooting, the computer is not getting the network connection set up quickly enough to run this script on a network share. Try delaying it till after a connection has been established.
  • xenodamus Member Posts: 758
    If this script that is setting up the shortcut is on a network share then that is most likely your issue.

    The GPO that is applying successfully at logon (the mapped drives created by someone else) is actually running via a script on the SYSVOL - so I think I should be ok there.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • willhi1979 Member Posts: 191
    You could run Resultant Set of Policy in Logging mode or gpresult from the command line to make sure they will be applied. Do both the GPOs use the User Configuration? It sounds like they do. You could check the refresh interval for both the computer and user configuration in the administrative templates->system->group policy section and make sure the values for your GPO aren't higher than the other.
  • xenodamus Member Posts: 758
    I did run gpresult and verified that the policy is being applied, but shouldn't it still run at logon regardless of the interval? I thought that just determined how often it ran after the initial application at logon.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • undomiel Member Posts: 2,818
    Sounds like it is time to enable userenv debugging. That will give you some log files to look at for why processing is failing. Take a look at this link: Fixing Group Policy problems by using log files: Group Policy

    The specific line you need from there is
    Group Policy core (UserEnv) and registry CSE

    %windir%\debug\usermode\UserEnv.log

    UserEnvDebugLevel = REG_DWORD 30002

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


    This has helped me track down a good number of nefarious GPO problems. You may also want to try turning on:
    Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon

    To read more about it look here: Group Policy Processing
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
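
The checks suggested in the post above, gathered into one script as an added example (not code from the thread or from the linked articles). It assumes the quoted 30002 is a hexadecimal value and that the "Always wait for the network" policy is stored as `SyncForegroundPolicy` under the Policies Winlogon key; the report file name is made up.

```powershell
# Added example: report the Group Policy logging and startup settings discussed above.
# Run elevated on an affected client after logon; pass -Enable to turn UserEnv logging on.
param([switch]$Enable)

$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumption: "Always wait for the network..." is stored as SyncForegroundPolicy here.
$policy   = 'HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$logPath  = Join-Path $env:windir 'debug\usermode\UserEnv.log'
$report   = Join-Path $env:TEMP 'gpo-logon-check.txt'   # hypothetical output file

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

if ($Enable) {
    # The post quotes 30002; it is written here as hexadecimal 0x30002 (assumption).
    New-ItemProperty -Path $winlogon -Name UserEnvDebugLevel `
        -PropertyType DWord -Value 0x30002 -Force | Out-Null
}

$debug = Get-RegValue $winlogon 'UserEnvDebugLevel'
$sync  = Get-RegValue $policy   'SyncForegroundPolicy'

$lines = @(
    "UserEnvDebugLevel : " + $(if ($null -ne $debug) { '0x{0:X}' -f $debug } else { 'not set' })
    "Wait for network  : " + $(if ($sync -eq 1) { 'enabled' } else { 'not enabled' })
    "UserEnv.log       : " + $(if (Test-Path $logPath) { $logPath } else { 'not found' })
)

# Which GPOs were applied or filtered out for the logged-on user
# (the shortcut in this thread is a user setting).
$lines += ''
$lines += (gpresult /scope user /v | Out-String)

if (Test-Path $logPath) {
    $lines += '--- last 40 lines of UserEnv.log ---'
    $lines += Get-Content $logPath | Select-Object -Last 40
}

$lines | Set-Content -Path $report
Write-Output "Report written to $report"
```

Running it once right after logon and again after a manual gpupdate gives two reports that can be compared side by side.
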
  • willhi1979 Member Posts: 191
    xenodamus wrote: »
    I did run gpresult and verified that the policy is being applied, but shouldn't it still run at logon regardless of the interval? I thought that just determined how often it ran after the initial application at logon.

    Yeah, it should. Sorry I misread part of the question.
  • bdub Member Posts: 154
    I don't have an answer as to why this is happening or how you can "fix" it, but a workaround could be to make a script to run gpupdate and put it in the startup folder.
  • CChilderhose Member Posts: 137
    Try turning on the "Wait for Network" GPO setting that waits for the network before applying certain GPOs, etc.

    This might help and fix the issue possibly. Not 100% sure but something to try. :)
    VCAP-DCA, VCP 55
    MCITP: EA, VA, SA
    VCAP-DCD, VCP6 -- COMING SOON
  • xenodamus Member Posts: 758
    Well I made some progress. I actually had 2 GPOs that weren't applying, but I limited the thread to one just to keep things simple. The two policies were 1) desktop shortcut, and 2) certificate installation.

    I tried the "wait for network" option that a couple of people suggested and it solved half my problem - Woot! The certificate is now installed by the time I check after logon.

    The desktop shortcut still doesn't apply, so I'm researching that here and there. One notable difference is that the certificate was a computer policy and the shortcut is a user preference. Not sure if that changes the direction of any thought patterns. I may end up using a gpupdate script for now - just bugs me. Thanks for all the replies/suggestions!
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • undomiel Member Posts: 2,818
    Did a quick search and it looks like you can enable debug logging for preferences as well. I haven't had to use them yet so no guarantees on how helpful it will be. Look in Computer Configuration\Policies\Administrative Templates\System\Group Policy

    Enabling Group Policy Preferences Debug Logging using the RSAT - Ask the Directory Services Team - Site Home - TechNet Blogs
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/