  1. Senior Member xenodamus's Avatar
    Join Date
    Feb 2010
    Location
    Jackson, MS
    Posts
    755
    #1

    GPO not applying at logon

    What would make a GPO fail to be applied at logon, but work when you run gpupdate?

    I've applied a policy to add a desktop shortcut to a group of thin clients. All changes are lost on reboot, so it's easy to test whether this is being applied or not. If the machine is left alone long enough, the policy will be applied. I know this because all the machines that have been up and running for days have the shortcut. But when I reboot one of them it's not there.

    If I run gpupdate, it appears.

    There is another policy linked to the same OU that maps a couple of drives and it is applied as soon as Windows is up. It was created by someone else.

    Am I doing something wrong here? Why don't my policies apply at logon but others do?
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V

  3. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #2
    Very good question, and I'll be interested to hear the answers. The only thing I can think of is that something hasn't been initialized properly when the group policy is applied.

    In the meantime, what if you put a batch file in the startup folder to run gpupdate?

  4. Senior Member
    Join Date
    Mar 2010
    Location
    Utah
    Posts
    151

    Certifications
    MCITP: EA, C|EH, CHFI, EDRP, G2700, A+, Network +, Project+, Security+, plus some CIW certs.
    #3
    Do the clients have network connections before the user logs on?
    Does the GPO apply a script to put the shortcut there? Where is the script located?

  5. Senior Member xenodamus's Avatar
    Join Date
    Feb 2010
    Location
    Jackson, MS
    Posts
    755
    #4
    Originally posted by -Foxer-:
        Do the clients have network connections before the user logs on?
        Does the GPO apply a script to put the shortcut there? Where is the script located?

    The clients are actually VMs that are sitting out there running until the Citrix provisioning server hands them to the user, so they do have network connections.

    There isn't any script - just a desktop shortcut added via GPO.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V

  6. Senior Member xenodamus's Avatar
    Join Date
    Feb 2010
    Location
    Jackson, MS
    Posts
    755
    #5
    Originally posted by Devilsbane:
        In the meantime, what if you put a batch file in the startup folder to run gpupdate?

    Since these thin clients are running off cookie cutter VMs that are provisioned through Citrix, anything I do has to be via GPO. It's not a mission critical shortcut, so they'll survive the way it is for now, but I do need to fix it somehow.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V

  7. Senior Member kriscamaro68's Avatar
    Join Date
    Apr 2008
    Location
    Utah
    Posts
    1,149

    Certifications
    MCSA: 2012R2, MCS: Server Virtualization, MCTS-Win7, Security+, Server+, Net+, A+
    #6
    Originally posted by -Foxer-:
        Do the clients have network connections before the user logs on?
        Does the GPO apply a script to put the shortcut there? Where is the script located?

    If this script that is setting up the shortcut is on a network share, then that is most likely your issue. When rebooting, the computer is not getting the network connection set up quickly enough to run this script on a network share. Try delaying it till after a connection has been established.

  8. Senior Member xenodamus's Avatar
    Join Date
    Feb 2010
    Location
    Jackson, MS
    Posts
    755
    #7
    Originally posted by kriscamaro68:
        If this script that is setting up the shortcut is on a network share then that is most likely your issue.

    The GPO that is applying successfully at logon (the mapped drives created by someone else) is actually running via a script on the SYSVOL - so I think I should be ok there.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V

  9. Senior Member
    Join Date
    Apr 2010
    Location
    Raleigh, North Carolina
    Posts
    185

    Certifications
    A+, Network+, Security+, MCSE: Security, VCP (v4 and v5), GPEN, MCSA, CCNA
    #8
    You could run Resultant Set of Policy in Logging mode or gpresult from the command line to make sure they will be applied. Do both the GPOs use the User Configuration? It sounds like they do. You could check the refresh interval for both the computer and user configuration in the administrative templates->system->group policy section and make sure the values for your GPO aren't higher than the other.

  10. Senior Member xenodamus's Avatar
    Join Date
    Feb 2010
    Location
    Jackson, MS
    Posts
    755
    #9
    I did run gpresult and verified that the policy is being applied, but shouldn't it still run at logon regardless of the interval? I thought that just determined how often it ran after the initial application at logon.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V

  11. Virtual Member undomiel's Avatar
    Join Date
    Sep 2007
    Location
    Bellevue, WA
    Posts
    2,813

    Certifications
    MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+
    #10
    Sounds like it is time to enable userenv debugging. That will give you some log files to look at for why processing is failing. Take a look at this link: Fixing Group Policy problems by using log files: Group Policy

    The specific line you need from there is:

    Component: Group Policy core (UserEnv) and registry CSE
    Log file: %windir%\debug\usermode\UserEnv.log
    Registry value: UserEnvDebugLevel = REG_DWORD 30002
    Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    This has helped me track down a good number of nefarious GPO problems. You may also want to try turning on:
    Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

    To read more about it look here: Group Policy Processing
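
The two settings from post #10 as a PowerShell check, added here as an example and not written by anyone in the thread. The function names are hypothetical, and the `SyncForegroundPolicy` registry value (which backs the "Always wait for the network at computer startup and logon" policy) is not named in the thread.

```powershell
# Added example (not from the thread). Run elevated on an affected client.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Not named in the thread: registry location written by the
# "Always wait for the network at computer startup and logon" policy.
$policy   = 'HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$logPath  = Join-Path $env:windir 'debug\usermode\UserEnv.log'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Set-UserEnvDebug {
    param([switch]$Disable)
    if ($Disable) {
        # Remove the value so verbose logging stops after troubleshooting.
        Remove-ItemProperty -Path $winlogon -Name UserEnvDebugLevel -ErrorAction SilentlyContinue
    } else {
        # The "30002" quoted in the post is hexadecimal (0x00030002).
        New-ItemProperty -Path $winlogon -Name UserEnvDebugLevel `
            -PropertyType DWord -Value 0x30002 -Force | Out-Null
    }
}

function Get-GpLogonDiagnostics {
    $sync  = Get-RegValue $policy   'SyncForegroundPolicy'
    $debug = Get-RegValue $winlogon 'UserEnvDebugLevel'
    $log   = Get-Item -Path $logPath -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WaitForNetwork   = ($sync -eq 1)
        DebugLevelHex    = if ($null -ne $debug) { '0x{0:X}' -f $debug } else { 'not set' }
        LogExists        = ($null -ne $log)
        LogLastWriteTime = if ($log) { $log.LastWriteTime } else { $null }
        LogSizeKB        = if ($log) { [math]::Round($log.Length / 1KB, 1) } else { 0 }
    }
}

Get-GpLogonDiagnostics | Format-List   # report the current state
# Set-UserEnvDebug                     # enable, reboot, log on, re-run the report
# Set-UserEnvDebug -Disable            # remove the value when finished
```

On Windows Vista and later the Group Policy core writes to `gpsvc.log` (enabled with `GPSvcDebugLevel`) rather than `UserEnv.log`, so a missing `UserEnv.log` after the reboot is expected on those clients. The verbose log records user and policy details, so remove the debug value once the problem is found.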

  12. Senior Member
    Join Date
    Apr 2010
    Location
    Raleigh, North Carolina
    Posts
    185

    Certifications
    A+, Network+, Security+, MCSE: Security, VCP (v4 and v5), GPEN, MCSA, CCNA
    #11
    Originally posted by xenodamus:
        I did run gpresult and verified that the policy is being applied, but shouldn't it still run at logon regardless of the interval? I thought that just determined how often it ran after the initial application at logon.

    Yeah, it should. Sorry, I misread part of the question.

  13. Senior Member
    Join Date
    Apr 2010
    Location
    Minnesota
    Posts
    151

    Certifications
    A+, Network+, Security+, Project+, MCSA 2003, MCSA 2008, MCITP:EA
    #12
    I don't have an answer as to why this is happening or how you can "fix" it, but a workaround could be to make a script to run gpupdate and put it in the startup folder.

  14. Senior Member CChilderhose's Avatar
    Join Date
    Feb 2009
    Location
    Oshawa, Ontario
    Posts
    137

    Certifications
    VCAP-DCA, VCP 55, MCITP: EA, VA & SA, MCSA 2003: Messaging, MCTS: Windows 7 and working on VCAP-DCD
    #13
    Try turning on the "Wait for Network" GPO setting that waits for the network before applying certain GPOs, etc.

    This might help and fix the issue possibly. Not 100% sure but something to try.

  15. Senior Member xenodamus's Avatar
    Join Date
    Feb 2010
    Location
    Jackson, MS
    Posts
    755
    #14
    Well I made some progress. I actually had 2 GPOs that weren't applying, but I limited the thread to one just to keep things simple. The two policies were 1) desktop shortcut, and 2) certificate installation.

    I tried the "wait for network" option that a couple of people suggested and it solved half my problem - Woot! The certificate is now installed by the time I check after logon.

    The desktop shortcut still doesn't apply, so I'm researching that here and there. One notable difference is that the certificate was a computer policy and the shortcut is a user preference. Not sure if that changes the direction of any thought patterns. I may end up using a gpupdate script for now - just bugs me. Thanks for all the replies/suggestions!
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V

  16. Virtual Member undomiel's Avatar
    Join Date
    Sep 2007
    Location
    Bellevue, WA
    Posts
    2,813

    Certifications
    MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+
    #15
    Did a quick search and it looks like you can enable debug logging for preferences as well. I haven't had to use them yet so no guarantees on how helpful it will be. Look in Computer Configuration\Policies\Administrative Templates\System\Group Policy

    Enabling Group Policy Preferences Debug Logging using the RSAT - Ask the Directory Services Team - Site Home - TechNet Blogs
