GPOs dont always apply correctly(?)

Non-Profit TechieNon-Profit Techie Member Posts: 418 ■■□□□□□□□□
Anyone have any idea how to fix a problem im having. I have a lab of computers (and many more) that the users log into. The users all use a single mandatory profile that loads correctly on every machine, except sometimes they seem to not load all the GPOs. At least thats what i think is happening. The right click context menus and network icon shows up on the desktop. Any idea why that might happen? When it happens, i can log off and back on again and then most of the time it will load fine after a try or two or a reboot.
Im probably gonna call MS premier support tomorrow, but i was just wondering if there is an easy fix.
Aaron

Comments

  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Off the top of my head I want to say "always wait for the network at computer startup and logon" under Computer Policy>Administrative Templates>System>Logon.
    All things are possible, only believe.
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    This is because since Windows XP, GPOs are applied using Asyncronous processing. This means, that when your computer is starting up and winlogon starts to show the logon prompt, your GPOs are most likely still applying, yet you can still logon. This is why it may appear that the policy has applied. When you log off and log back on, that policy had time to finish applying. This feature is called Fast Logon and is a feature you can disable in Group Policy to disable Asyncronous processing which enables Syncronous processing which will require all policies to be applied in proper order before the logon prompt is displayed.

    Additional info:
    http://technet2.microsoft.com/windowsserver/en/library/89d7ec5f-a909-4f61-aded-c5b69f5f730b1033.mspx?mfr=true
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • ilcram19ilcram19 Inactive Imported Users Posts: 206
    well my recomendation is to make diferent OU and apply a gpo for the setting u want for da OU
    it works all the time only the specific access and windows setting set by the gpo are apply to da OU

    p.s. make sure u check block da policy inherintance check box
    p.s.2 gpupdate /force
    If you stop getting better, you cease being good
  • Non-Profit TechieNon-Profit Techie Member Posts: 418 ■■□□□□□□□□
    Thanks for the support guys. I do recall some of that info from when i was studying for the 290. I really appreciate it. I will give it a try tomorrow before calling MS, but im pretty sure your suggestions will work.
    Thanks,
    Aaron
  • bighornsheepbighornsheep Member Posts: 1,506
    I've noticed that this problem with GPO updating is a real problem for alot of people. In my home lab, I use a startup script that loads the gpupdate command and it seems to be working quite nicely. I've previously tried to make it a logon script, but that was too much traffic I think...

    Has anyone tried something like this in a coporate environment, is it feasible to have GPO updated at every startup?
    Jack of all trades, master of none
  • JdotQJdotQ Member Posts: 230
    Has anyone tried something like this in a coporate environment, is it feasible to have GPO updated at every startup?

    GPO's "update" (and apply) at each computer startup (for the computer side of the policy) and each user login (for the user side of the policy). Plus the additional refresh during the uptime (90mins or so)

    There are exceptions; like royal mentioned the Asyncronous processing, and also over a slow-link connection, some GPO settings will not process (like software updates/distributions, login scripts, etc).

    In my opinion, the startup script which loads the gpupdate command is redundant, and you should be able to get away with it if the Asyncronous processing setting is set properly icon_cool.gif
  • Non-Profit TechieNon-Profit Techie Member Posts: 418 ■■□□□□□□□□
    well guys, i still havent completly got everything the way i want, but im closer. The GPO setting solved my computer side gpo settings, but the gpo i have for the users still does not always complete. I havent had much time to look into it more, but i thought i would give you an update. Im still looking into it and im trying to find a way to make the user gpo run perfect upon login without having to set short refresh settings or using a script to force after login. But i will do what I have to do.
    I guess my biggest problem is finding the time to get done all that i need to get done. What a year this has been. Im am thrilled to be learning so much :)
    Aaron
  • Non-Profit TechieNon-Profit Techie Member Posts: 418 ■■□□□□□□□□
    Quick update: problem seems to be resolved.
    The problem was the replication to our third DC. MS had us look at the size of the "domain" folder in the sysvol and noticed it was smaller then the size on the other DCs. The GPOs were not applying when they were retreived from the 3rd DC.
    Wish i had time to write more on how we fixed this and everything, but work is starting now.
    Thanks for all your help guys. We are going to leave the gpo setting that you guys recommended because it will be a great help when i comes to our student pcs. :)
    Aaron
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Thanks for the update, glad you got it working.
    All things are possible, only believe.
Sign In or Register to comment.