GPO not applying at logon
xenodamus
Member Posts: 758
What would make a GPO fail to be applied at logon, but work when you run gpupdate?
I've applied a policy to add a desktop shortcut to a group of thin clients. All changes are lost on reboot, so it's easy to test whether this is being applied or not. If the machine is left alone long enough, the policy will be applied. I know this because all the machines that have been up and running for days have the shortcut. But when I reboot one of them it's not there.
If I run gpupdate, it appears.
There is another policy linked to the same OU that maps a couple of drives and it is applied as soon as Windows is up. It was created by someone else.
Am I doing something wrong here? Why don't my policies apply at logon but others do?
CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
Comments
-
Devilsbane
Member Posts: 4,214
Very good question, and I'll be interested to hear the answers. The only thing I can think of is that something hasn't been initialized properly when the group policy is applied.
In the meantime, what if you put a batch file in the startup folder to run gpupdate?
Decide what to be and go be it.
-
-Foxer-
Member Posts: 151
Do the clients have network connections before the user logs on?
Does the GPO apply a script to put the shortcut there? Where is the script located?
-
xenodamus
Member Posts: 758
-Foxer- wrote: » Do the clients have network connections before the user logs on? Does the GPO apply a script to put the shortcut there? Where is the script located?
The clients are actually VMs that are sitting out there running until the Citrix provisioning server hands them to the user, so they do have network connections.
There isn't any script - just a desktop shortcut added via GPO.
-
xenodamus
Member Posts: 758
Devilsbane wrote: » In the meantime, what if you put a batch file in the startup folder to run gpupdate?
Since these thin clients are running off cookie cutter VMs that are provisioned through Citrix, anything I do has to be via GPO. It's not a mission critical shortcut, so they'll survive the way it is for now, but I do need to fix it somehow.
-
kriscamaro68
Member Posts: 1,186
-Foxer- wrote: » Do the clients have network connections before the user logs on? Does the GPO apply a script to put the shortcut there? Where is the script located?
If this script that is setting up the shortcut is on a network share then that is most likely your issue. When rebooting, the computer is not getting the network connection set up quickly enough to run this script on a network share. Try delaying it till after a connection has been established.
-
xenodamus
Member Posts: 758
kriscamaro68 wrote: » If this script that is setting up the shortcut is on a network share then that is most likely your issue.
The GPO that is applying successfully at logon (the mapped drives created by someone else) is actually running via a script on the SYSVOL - so I think I should be ok there.
-
willhi1979
Member Posts: 191
You could run Resultant Set of Policy in Logging mode or gpresult from the command line to make sure they will be applied. Do both the GPOs use the User Configuration? It sounds like they do. You could check the refresh interval for both the computer and user configuration in the administrative templates->system->group policy section and make sure the values for your GPO aren't higher than the other.
-
xenodamus
Member Posts: 758
I did run gpresult and verified that the policy is being applied, but shouldn't it still run at logon regardless of the interval? I thought that just determined how often it ran after the initial application at logon.
-
undomiel
Member Posts: 2,818
Sounds like it is time to enable userenv debugging. That will give you some log files to look at for why processing is failing. Take a look at this link: Fixing Group Policy problems by using log files: Group Policy
The specific line you need from there is
Group Policy core (UserEnv) and registry CSE
%windir%\debug\usermode\UserEnv.log
UserEnvDebugLevel = REG_DWORD 30002
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
This has helped me track down a good number of nefarious GPO problems. You may also want to try turning on:
Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon
To read more about it look here: Group Policy Processing
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
-
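Added example (not part of the thread): PowerShell that applies the UserEnv debug setting quoted in the post above, checks whether the "Always wait for the network" policy is in effect on the client, and searches UserEnv.log for a GPO by display name. The function names and the GPO name are hypothetical, and the example assumes a client where the registry change persists until the next logon; `SyncForegroundPolicy` is the registry value behind the wait-for-network setting.

```powershell
# Added example, not code from the thread. Run elevated on the affected client.
$Winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WinlogonPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UserEnvLog  = Join-Path $env:windir 'debug\usermode\UserEnv.log'

function Enable-UserEnvDebug {
    # 30002 is a hexadecimal DWORD: 0x2 (verbose) + 0x10000 (log file)
    # + 0x20000 (debugger output). Entering decimal 30002 sets different flags.
    Set-ItemProperty -Path $Winlogon -Name 'UserEnvDebugLevel' -Value 0x30002 -Type DWord
}

function Disable-UserEnvDebug {
    # Verbose logging is for troubleshooting only; remove the value afterwards.
    Remove-ItemProperty -Path $Winlogon -Name 'UserEnvDebugLevel' -ErrorAction SilentlyContinue
}

function Test-WaitForNetwork {
    # "Always wait for the network at computer startup and logon" is stored as
    # SyncForegroundPolicy = 1 under the Policies\...\Winlogon key.
    $p = Get-ItemProperty -Path $WinlogonPol -Name 'SyncForegroundPolicy' -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.SyncForegroundPolicy -eq 1)
}

function Find-GpoInUserEnvLog {
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,  # GPO display name
        [int]$Context = 5                                # lines shown around each hit
    )
    if (-not (Test-Path $UserEnvLog)) {
        Write-Warning "$UserEnvLog not found; has a logon occurred since logging was enabled?"
        return
    }
    # Literal match on the GPO name, with surrounding lines for the processing order.
    Select-String -Path $UserEnvLog -SimpleMatch -Pattern $GpoName -Context $Context
}

Enable-UserEnvDebug
"Wait-for-network policy in effect: $(Test-WaitForNetwork)"
# After the next logon, search for the GPO (placeholder name):
# Find-GpoInUserEnvLog -GpoName 'Desktop Shortcut'
```

UserEnv.log is produced by Windows XP and Server 2003 era clients; later Windows versions record Group Policy processing in the Microsoft-Windows-GroupPolicy/Operational event log.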
willhi1979
Member Posts: 191
xenodamus wrote: » I did run gpresult and verified that the policy is being applied, but shouldn't it still run at logon regardless of the interval? I thought that just determined how often it ran after the initial application at logon.
Yeah, it should. Sorry I misread part of the question.
-
bdub
Member Posts: 154
I don't have an answer as to why this is happening or how you can "fix" it but a work around could be to make a script to run gpupdate and put it in the startup folder.
-
CChilderhose
Member Posts: 137
Try turning on the "Wait for Network" GPO setting that waits for the network before applying certain GPOs, etc.
This might help and fix the issue possibly. Not 100% sure but something to try.
VCAP-DCA, VCP 55 | MCITP: EA, VA, SA | VCAP-DCD, VCP6 -- COMING SOON
-
xenodamus
Member Posts: 758
Well I made some progress. I actually had 2 GPOs that weren't applying, but I limited the thread to one just to keep things simple. The two policies were 1) desktop shortcut, and 2) certificate installation.
I tried the "wait for network" option that a couple of people suggested and it solved half my problem - Woot! The certificate is now installed by the time I check after logon.
The desktop shortcut still doesn't apply, so I'm researching that here and there. One notable difference is that the certificate was a computer policy and the shortcut is a user preference. Not sure if that changes the direction of any thought patterns. I may end up using a gpupdate script for now - just bugs me. Thanks for all the replies/suggestions!
-
undomiel
Member Posts: 2,818
Did a quick search and it looks like you can enable debug logging for preferences as well. I haven't had to use them yet so no guarantees on how helpful it will be. Look in Computer Configuration\Policies\Administrative Templates\System\Group Policy
Enabling Group Policy Preferences Debug Logging using the RSAT - Ask the Directory Services Team - Site Home - TechNet Blogs