GPO not applying at logon

xenodamus

What would make a GPO fail to be applied at logon, but work when you run gpupdate?

I've applied a policy to add a desktop shortcut to a group of thin clients. All changes are lost on reboot, so it's easy to test whether this is being applied or not. If the machine is left alone long enough, the policy will be applied. I know this because all the machines that have been up and running for days have the shortcut. But when I reboot one of them it's not there.

If I run gpupdate, it appears.

There is another policy linked to the same OU that maps a couple of drives and it is applied as soon as Windows is up. It was created by someone else.

Am I doing something wrong here? Why don't my policies apply at logon but others do?

Devilsbane

Very good question, and I'll be interested to hear the answers. The only thing I can think of is that something hasn't been initialized properly when the group policy is applied.

In the meantime, what if you put a batch file in the startup folder to run gpupdate?

-Foxer-

Do the clients have network connections before the user logs on?
Does the GPO apply a script the put the shortcut there? Where is the script located?

xenodamus

-Foxer- wrote: »

Do the clients have network connections before the user logs on?
Does the GPO apply a script the put the shortcut there? Where is the script located?

The clients are actually VMs that are sitting out there running until the Citrix provisioning server hands them to the user, so they do have network connections.

There isn't any script - just a desktop shortcut added via GPO

xenodamus

Devilsbane wrote: »

In the meantime, what if you put a batch file in the startup folder to run gpupdate?

Since these thin clients are running off cookie cutter VMs that are provisioned through Citrix, anything I do has to be via GPO. It's not a mission critical shortcut, so they'll survive the way it is for now, but I do need to fix it somehow.

kriscamaro68

-Foxer- wrote: »

Do the clients have network connections before the user logs on?
Does the GPO apply a script the put the shortcut there? Where is the script located?

If this script that is setting up the shortcut is on a network share then that is most likely your issue. When rebooting the computer is not getting the network connection setup quick enough to run this script on a network share. Try delaying it till after a connection has been established.

xenodamus

kriscamaro68 wrote: »

If this script that is setting up the shortcut is on a network share then that is most likely your issue.

The GPO that is applying successfully at logon (the mapped drives created by someone else) is actually running via a script on the SYSVOL - so I think I should be ok there.

willhi1979

You could run Resultant Set of Policy in Logging mode or gpresult from the command line to make sure they will be applied. Do both the GPOs use the User Configuration? It sounds like they do. You could check the refresh interval for both the computer and user configuration in the administrative templates->system->group policy section and make sure the values for your GPO aren't higher than the other.

xenodamus

I did run gpresult and verified that the policy is being applied, but shouldn't it still run at logon regardless of the interval? I thought that just determined how often it ran after the initial application at logon.

undomiel

Sounds like it is time to enable userenv debugging. That will give you some log files to look at for why processing is failing. Take a look at this link: Fixing Group Policy problems by using log files: Group Policy

The specific line you need from there is
Group Policy core (UserEnv) and registry CSE

%windir%\debug\usermode\UserEnv.log

UserEnvDebugLevel = REG_DWORD 30002

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


This has helped me track down a good number of nefarious GPO problems. You may also want to try turning on:
Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon

To read more about it look here: Group Policy Processing

willhi1979

xenodamus wrote: »

I did run gpresult and verified that the policy is being applied, but shouldn't it still run at logon regardless of the interval? I thought that just determined how often it ran after the initial application at logon.

Yeah, it should. Sorry I misread part of the question.

bdub

I don't have an answer as to why this is happening or how you can "fix" it but a work around could be to make a script to run gpupdate and put it in the startup folder.

CChilderhose

Try turning on the "Wait for Network" GPO setting that waits for the network before applying certain GPOs, etc.

This might help and fix the issue possibly. Not 100% sure but something to try.

xenodamus

Well I made some progress. I actually had 2 GPOs that weren't applying, but I limited the thread to one just to keep things simple. The two policies were 1) desktop shortcut, and 2) certificate installation.

I tried the "wait for network" option that a couple of people suggested and it solved half my problem - Woot! The certificate is now installed by the time I check after logon.

The desktop shortcut still doesn't apply, so I'm researching that here and there. One notable difference is that the certificate was a computer policy and the shortcut is a user preference. Not sure if that changes the direction of any thought patterns. I may end up using a gpupdate script for now - just bugs me. Thanks for all the replies/suggestions!

undomiel

Did a quick search and it looks like you can enable debug logging for preferences as well. I haven't had to use them yet so no guarantees on how helpful it will be. Look in Computer Configuration\Policies\Administrative Templates\System\Group Policy

Enabling Group Policy Preferences Debug Logging using the RSAT - Ask the Directory Services Team - Site Home - TechNet Blogs