|
We have a bunch of GPOs filtered by security group membership: mostly software installs, where the software install GPO is attached to the OU that contains all our computers, and the helpdesk can add the computer to a security group to install the software. It works rather well. A very small subset of computers are not applying group policy because the computer security group membership is not refreshing on reboot. Event viewer also shows that the computer cannot contact a DC while booting, and NTP throws errors about not contacting the time server, and the NIC actually gets an APIPA address before it starts normal operation and contacts DHCP. All of this happens in the normal <30 second XP boot process. Just wondering, has anyone run into this before?
|
#
?
Aug 16, 2011 16:40
|
|
|
|
| # ? May 16, 2024 23:25 |
|
|
Is there anything in particular differentiating those machines? Have you tried hooking a logger to a mirror port to see what's actually going on?
|
|
#
?
Aug 16, 2011 18:48
|
|
|
KS posted:Just wondering, has anyone run into this before? 1) Check the usual pitfalls (GPO getting blocked/overridden, machine account doesn't have privileges to read from SYSVOL, loopback policy, a local GPO is set etc.) Even though the problem doesn't seem related, it's always a good start. 2) DNS is also a well-known culprit for GPOs going wild. 3) Try enabling 100mbit full duplex on your NIC manually (if wired). Check out: http://support.microsoft.com/kb/326152 4) Try swapping out the NIC driver. As for my own question: We are having problems with GPO preferences on Win7 clients in a mixed 2003/2008 domain with several RODCs. Symptoms are usually clients getting stuck during application of GPO preferences (whichever one that gets applied first, doesn't matter if its shortcuts or drivemaps etc.) This is happening randomly, but it seems to happen more often after a policy has been changed, and usually on a client connecting to a RODC (95% of our clients connect to RODCs). We have tried deploying a couple of hotfixes and SP1 for the DCs and the clients aswell. Event logs aren't showing anything interesting either. Any ideas?
|
|
#
?
Aug 17, 2011 21:42
|
|
|
Ifan posted:1) Check the usual pitfalls (GPO getting blocked/overridden, machine account doesn't have privileges to read from SYSVOL, loopback policy, a local GPO is set etc.) Even though the problem doesn't seem related, it's always a good start. I think I'm running into the same issues as you. Single 2008R2 RODC in our site, domain is still at 2003 level. Mine just about always hangs on applying registry preferences. I notice it on 2008, very occasionally 2008R2 and I haven't seen it happen on Windows 7 yet. I'm sure it's tied in with these somehow but it seems to be hit and miss at making a difference so far. http://support.microsoft.com/kb/983531 - 7/2008R2 http://support.microsoft.com/kb/2414013 - 2008 http://support.microsoft.com/kb/977983 - Vista
|
|
#
?
Aug 18, 2011 12:27
|
|
|
What happens if you try to disable the registry preferences? Does it still hang at some other preference? Does it happen often? Have you enabled "Run in logged on users context", but you manipulate settings in HKLM? Never heard of my issue happening on a server or anything else than a Win7 client yet. The first link you provided was indeed an issue we had early in the project i was working on. If you use security group filters on your item-level targeting i would recommend this hotfix. Worked wonders for us (pre Win7 SP1 atleast, not sure if it's a part of SP1) We don't have any statistics for how often the problem occurs, but as said, it happens more often after i have changed something in the policies. It seems to be a "pretty common" occurrence on our ~11k clients. The guys at each site might have 5-10 computers a day having this problem after a change, but maybe 2-3 a week after everything is settled. I'm hoping that getting rid of our 2003 DCs and finally getting our domain in 2008 native mode with a central admx repository or whatever it's called will work.
|
|
#
?
Aug 18, 2011 22:26
|
|
|
KS posted:We have a bunch of GPOs filtered by security group membership: mostly software installs, where the software install GPO is attached to the OU that contains all our computers, and the helpdesk can add the computer to a security group to install the software. It works rather well. If you're using managed switches, make sure portfast is enabled. The switch may not have the port up by the time the networking components start in Windows.
|
|
#
?
Aug 19, 2011 13:19
|
|
|
FISHMANPET posted:Power Plans are pissing me off... Yeah, the GUID changes with a sysprep and that will screw up the windows experience index stuff too. Instead of trying to specify a specific plan, just enforce the specific timeouts you want in the policy object for sleep and monitor off settings and then people can click whatever they want but it won't do anything. Or you can create your own custom power profile with powercfg.exe that has a unique GUID and then make sure it is pre-loaded on all your systems. Then you won't have the problem with your default GUIDs changing because you aren't using them.
|
|
#
?
Aug 23, 2011 18:26
|
|
|
KS posted:We have a bunch of GPOs filtered by security group membership: mostly software installs, where the software install GPO is attached to the OU that contains all our computers, and the helpdesk can add the computer to a security group to install the software. It works rather well. Make sure that the switch ports that feed to workstations have that fastport option (or whatever it is called on your vendor) enabled. This stops the port from trying to negotiate spanning tree protocol with the workstation connected to it which it obviously can't do since it isn't another switch. If you don't do that, then the link takes upwards of 30 seconds before it starts passing frames and we found that now we are getting faster computers (faster disks, EFI boot, Win7) they come up so quickly that they time out waiting for a proper IP and for packets to start moving. Older computers only worked because they were so much slower to come up.
|
|
#
?
Aug 23, 2011 18:30
|
|
|
BangersInMyKnickers posted:Make sure that the switch ports that feed to workstations have that fastport option (or whatever it is called on your vendor) enabled. This stops the port from trying to negotiate spanning tree protocol with the workstation connected to it which it obviously can't do since it isn't another switch. If you don't do that, then the link takes upwards of 30 seconds before it starts passing frames and we found that now we are getting faster computers (faster disks, EFI boot, Win7) they come up so quickly that they time out waiting for a proper IP and for packets to start moving. Older computers only worked because they were so much slower to come up. There is also a registry option you can specify that actually increases the timeout from the default of 30 seconds to whatever you want. I actually ran into a similar program with boot scripts not firing off when the system boots, but it turns out that it'll actually delay any network activity until this timer has elapsed, which includes pulling down GPOs. Due to our environment that some of my machines are on, we can't use the fastport option on some of our switches (don't ask me, it's not my network) and I had to dig for it. At any rate, from there, you can manually hit these workstations with gpupdate /force, reboot, and it'll work. If anyone is interested, I'll dig through my GPOs and try to find the exact registry settings.
|
|
#
?
Aug 24, 2011 00:36
|
|
|
Running into a minor issue with redirecting My Documents in a 2003 domain. I changed the redirection path from: \\servername\path\user to \\newservername\path\user Scripted the copy of files by hand / made sure permissions were appropriate on shares. About 1/3 of users got the update and new location all happy. About 2/3 did not. So far, manually deleting their user profile and logging back in sorts the issue right away. Any suggestions? The profile delete fixing it leaves me almost 100% sure its something client side, a conflicting GPO setting, or something similar - not an issue with the share.
|
|
#
?
Aug 31, 2011 14:17
|
|
|
Is there a way to enable Volume Shadow Copies on all local drives via GPO? Google doesn't seem to have much promising.
|
|
#
?
Aug 31, 2011 14:46
|
|
|
TheFlyingDutchman posted:There is also a registry option you can specify that actually increases the timeout from the default of 30 seconds to whatever you want. I'd be interested in this. We apparently have Fastport enabled everywhere and I have the policy to wait for network before processing but I am running into all sorts of "Cannot connect all network drives" and some software is deploying like it should.
|
|
#
?
Aug 31, 2011 14:56
|
|
|
Naramyth posted:I'd be interested in this. We apparently have Fastport enabled everywhere and I have the policy to wait for network before processing but I am running into all sorts of "Cannot connect all network drives" and some software is deploying like it should. This is the hack of a template I wrote that may work for your issue. Since mapping network drives and getting software deployments over AD takes place after group policy processing, this should work for you. At any rate, save it into a .adm file, import it, and apply it to whatever GPOs you need. code:
|
|
#
?
Sep 1, 2011 02:22
|
|
|
Richard Noggin posted:If you're using managed switches, make sure portfast is enabled. The switch may not have the port up by the time the networking components start in Windows. BangersInMyKnickers posted:Make sure that the switch ports that feed to workstations have that fastport option (or whatever it is called on your vendor) enabled. This stops the port from trying to negotiate spanning tree protocol with the workstation connected to it which it obviously can't do since it isn't another switch. If you don't do that, then the link takes upwards of 30 seconds before it starts passing frames and we found that now we are getting faster computers (faster disks, EFI boot, Win7) they come up so quickly that they time out waiting for a proper IP and for packets to start moving. Older computers only worked because they were so much slower to come up. I can't thank you guys enough. This was exactly it, and it's something I wouldn't have thought to check because I thought it was turned on everywhere. Explains why the problem is isolated to two offices rather nicely.
|
|
#
?
Sep 1, 2011 02:24
|
|
|
I recently created a group policy that enables Remote Assistance on users' machines. The policy applies just fine to the computers in our CA facility (the one I currently work out of and has the PDC), but it won't apply to users' machines in our two facilities on the east coast. Whenever I force a group policy update on a computer in those facilities, I get the following error message:quote:Computer policy could not be updated successfully. The following errors were encountered: What could be causing the issue? This is the first new policy I've made since I've been here that hasn't replicated over, and I'm stumped. A couple of places online said to recreate the Default Domain Policy and then replace the existing one with it, but I hesitate to do so unless that's the only thing left to do. I get the feeling there's something easy I'm missing.
|
|
#
?
Sep 8, 2011 16:52
|
|
|
So I'm new to AD, and I've been tasked with moving our workgroup over to an AD environment. I've got network shares and folder redirects set up and working, but I'm looking for a GPO that will disable the user from saving anything locally. Basically we want all their data to be on our file server, and remove the ability for them to save anything important locally in case that machine crashes. Is there an easy for to get this done, or will this cause issues with installing programs?
|
|
#
?
Sep 8, 2011 20:43
|
|
|
You likely want to look into Roaming Profiles (aka: user state virtualization). Are the users local administrators?
|
|
#
?
Sep 8, 2011 21:41
|
|
|
I'm banging my head against a wall with my legacy GPOs right now. We have one site specific GPO that disables offline file caching and redirects My Documents to a network location (we have a ton of users at remote sites that need to work if the central office goes down.) The computers and users are part of the same OUs within the site OU. It goes domain.com - CityOU - DepartmentOU - User - Computer The OU in place now is a direct replica of the GPO for the other sites, except it excludes offline files. But I can't get the damned thing to apply. When I look at RSOP or the gp modeling wizard on the server, I see the GPO as empty, even though it has the settings. The clients are XP, with the 2008 client side extensions hotfix installed, the domain is 2003/2008 mixed. This is the GP: User Configuration - Windows Setting -- Folder Redirection --- My Documents ---- Setting: Basic (Redirect everyone's folder to the same location) ---- Path: \\fileserver\userfolders\%USERNAME% ---Options ----Grant user exclusive rights to My Documents Enabled ----Move the contents of My Documents to the new location Enabled ----Policy Removal Behavior Leave contents Any help is much appreciated. Edit: I also tried running the modeling wizard with loopback processing enabled (I'm stabbing in the dark) and nothing. SmellsOfFriendship fucked around with this message at 22:10 on Sep 8, 2011 |
|
#
?
Sep 8, 2011 21:55
|
|
|
Walked posted:Running into a minor issue with redirecting My Documents in a 2003 domain. I'm dealing with something similar with My Docs Redirect. Just endless amounts of problems: - Security issues on the remote directory - 1GB autonegotiate - Logon optimization - Policies that have mysterious settings in them that don't belong I'm not sure how much of that might apply but by far the biggest is login optimization combined with the network coming up after the user logs in with cached credentials.
|
|
#
?
Sep 8, 2011 21:59
|
|
|
KS posted:We have a bunch of GPOs filtered by security group membership: mostly software installs, where the software install GPO is attached to the OU that contains all our computers, and the helpdesk can add the computer to a security group to install the software. It works rather well. Yep, constantly. As someone said below, force the NIC at 100MB full duplex (if you have a 10/100 network.) It's been my experience that gig nics and logon optimization are not friends when it comes to group policy.
|
|
#
?
Sep 8, 2011 22:07
|
|
|
I'm confused about password policies. I see that they're configured on the machine level. Which makes sense for the local password policy. But how is it configured for domain users? Does it come down to whatever policy is applied to the domain controller? What if two domain controllers have different password policy? All this boils down to me wanting to make local accounts without a password some domain laptops, but I can't because the default domain policy is cockblocking me. I'd like to make a policy to override the domain password policies, but for it to not break everything else. Can I put the laptops into a sub OU of my workstation OU, and have a policy that has no password requirement? What will that do to people that change their domain password on those laptops?
|
|
#
?
Sep 12, 2011 18:01
|
|
|
You can override the local security policy via GPO, just create an OU for the laptops as you already suggested. Edit: The setting you want is Computer Configuration, Policies, Windows Settings, Security Settings, Account Policies, Password Policy Make sure you set the GPO to Enforced. Thanks Ants fucked around with this message at 22:15 on Sep 12, 2011 |
|
#
?
Sep 12, 2011 22:12
|
|
|
Caged posted:You can override the local security policy via GPO, just create an OU for the laptops as you already suggested. Yeah, I did this, it didn't work, I went to lunch, talked to the head Windows guy that said it wasn't possible, came back from lunch, and the policy had applied itself. Although I tried to use GPP to create a local user on the machines, and that hosed up royally, perhaps because of my impatience. I had the GPO active for a little while, but then disabled it. I tried to add the local user to the permissions of a certain folder, it would add it, but when I would view permissions, it would only see a GUID, not a name. I would delete and recreate the user manually, it would say it couldn't add it to the User's group because it already exists in the group, then when I try to add it to the permissions of the folder... etc etc.
|
|
#
?
Sep 19, 2011 17:47
|
|
|
I've got a weird issue that someone with more experience could probably answer. I have an AD/DC server that also acts as our file server. I have the data drive being backed up offsite every night, and I also have all the most important files being backed up locally every hour incrementally from 630AM to 630PM. I also said up Shadow copys set to run every hour from 6AM to 6PM (Didn't know if doing both a shadow and a hobocopy backup at the same time would cause issues, so I just made them half an hour apart) of the hourly important files drive in case one of my users changes something they didn't want our we lose a file, they only lose an hours worth of work. I also have the Windows Server Backup running at 1AM every night backing up a bare metal recovery to the same drive the important files are backing up to, but on a different partition. Anyway, everything works great, backups work, shadow copy's work, and from what I can tell the Bare Metal backups are running fine. My only issue is I get this warning message in my AD MMC every hour from 630AM to 630PM, usually a couple minutes after, which seems like when the backups finish. Here is the warning message. The Active Directory Domain Services backup will be failed, because the user requested the Active Directory Domain Services stop during the backup process. The invocation ID may be changed on AD DS startup. I've been trying to find an answer through googling for the past couple days, but can't wrap my head around it. I'm new to AD and the like and I'm trying to stumble my way through it without setting everything on fire. Any help to get in the right direction would be appreciated. ddiddles fucked around with this message at 07:34 on Sep 22, 2011 |
|
#
?
Sep 22, 2011 07:32
|
|
|
FISHMANPET posted:Yeah, I did this, it didn't work, I went to lunch, talked to the head Windows guy that said it wasn't possible, came back from lunch, and the policy had applied itself. But yeah always leave time for new policies to replicate. Force replication and gpupdate if you're in a hurry.
|
|
#
?
Sep 22, 2011 07:57
|
|
|
evil_bunnY posted:That dude is a muppet why is he head of anything. Also if he's head of windows things why not let him worry about it? Different department, but he sort of works for my department (we pay 5% of his salary) so the desktop scut work lands on my desk. He also knows a ton about everything else, so I won't fault him for making one mistake.
|
|
#
?
Sep 22, 2011 15:36
|
|
|
I 'm feeling very dumb today and just want to get this over with. I have some legacy app, I need to update the client end. I have an exe that I need to run on every PC (250ish). I ran it through Universial Extractor but it craps out because of the version on Inno Setup that it was made with. The /VERYSILENT switch seems to work with it. So what is my best option here? This seems like an incredibly dirty process I am doing here, but it should work? -Make a script that looks in a network directory for %computername%.txt -If exist, goto end -Launch crap.exe /VERYSILENT -Create %computername%.txt on network directory -end I figure leaving that as a login script for a week will take care of 99% of the computers here, then I can get rid of it. Ehhhh? Feel free to call me stupid.
|
|
#
?
Sep 28, 2011 18:46
|
|
|
I usually do one of the two following things: Reg check code:code:Echo "Software installed at %time% %date% on %computername%" >> \\server\share\softwareinstall.log e: You might also want to give Repackager a shot: http://www.appdeploy.com/tools/repackager/
|
|
#
?
Sep 28, 2011 18:54
|
|
|
This is such a crappy program, the installer doesn't really do much. I think I may do something like that with the reg checking (I sandboxed what this exe actually does, and it is very minimal). I also like the idea of logging date and time of the installs. Thanks! Another GPO related question, how many policies is everyone out there applying? I was discussing how we have everything setup with my boss, and he seems to think having a bunch of extra non-linked GPOs (I have about a dozen that I was playing around with for testing, but they are not applied anywhere anymore) will slowdown login. I don't see how it could. This brought the discussion of how everything should be organized. I prefer to keep things real granular. I have a default domain policy that hits everyone, then as departments break down, I have their individual settings in their own object. We don't have too many, the most I found an OU with, was a total of 9 being applied. Is it better to merge a lot of these settings into one object (any kind of performance gain), or keep them granular for ease of changes and troubleshooting?
|
|
#
?
Sep 29, 2011 18:21
|
|
|
Policies are cached locally and the client just polls for changes so unless you are using policy to launch some kind of scripts at every logon the change should be barely noticeable. If you want hard proof, turn on the verbose start and logon options for a system and use that for timing. It will clearly indicate when it is applying policy during the startup process. One thing to keep in mind is that desktop OS's apply policy asynchronously during startup which speeds things up while servers do it synchronously (by default) so there might be a little added overhead on the server side, but they reboot so infrequently who really cares? I would bet money that you being a little policy-happy makes no effective difference to the startup times unless there is some other underlying issue that is slowing or blocking access to the DCs.
|
|
#
?
Sep 29, 2011 18:26
|
|
|
Aren't password policies special in that you only get one per domain unless you screw around with the weird server 2008 hackish way of having multiple ones?
|
|
#
?
Sep 29, 2011 20:01
|
|
|
sanchez posted:Aren't password policies special in that you only get one per domain unless you screw around with the weird server 2008 hackish way of having multiple ones? Correct. 2008 and R2 gives you some mechanism to specify groups of people that have different policies but I haven't been able to play with them yet (thanks, 2003 domain).
|
|
#
?
Sep 29, 2011 20:12
|
|
|
I'm a complete novice when it comes to this sort of administration, so forgive me if this question is silly. However, I work at a hotel and am thus responsible for policing the four business center PCs. I have set all the guest accounts to be limited accounts, but that somehow does not stop the yahoos from installing Skype and MySpywareBullshit.exe and StupidMotorcycleWallpaper.msi and what have you. Can anyone point me in the right direction as to how I can use group policies to keep them from installing anything, but still be able to use IE for whatever? All of the PCs in question are XP SP3
|
|
#
?
Sep 29, 2011 20:17
|
|
|
Rev. Bleech_ posted:I'm a complete novice when it comes to this sort of administration, so forgive me if this question is silly. However, I work at a hotel and am thus responsible for policing the four business center PCs. The problem you're having is that these programs install entirely within the user profile. Two common ways of addressing this: Either use mandatory profiles which dump all changes every time the session logs out so each person that sits down gets a fresh session or set up software restriction policies so you can explicitly say which programs are allowed to run on the system.
|
|
#
?
Sep 29, 2011 20:46
|
|
|
Rev. Bleech_ posted:I'm a complete novice when it comes to this sort of administration, so forgive me if this question is silly. However, I work at a hotel and am thus responsible for policing the four business center PCs. I would check local security polices on the computers in question. I bet Authenticated Users or whatever group that the guest accounts are a part of are members of the Administrators group. e: assuming they are hosing the whole machine and not just their profiles. If it is profile specific problems listen to Bangers. Naramyth fucked around with this message at 20:51 on Sep 29, 2011 |
|
#
?
Sep 29, 2011 20:49
|
|
|
Rev. Bleech_ posted:MySpywareBullshit.exe and StupidMotorcycleWallpaper.msi Have you looked into SteadyState? I have not personally used this, but have wanted to on a many computers. You setup your profiles (aka Hotel Guest) and lock it down how you want it. Maybe you want to give them some freedoms so they are not harassing you. Then whenever someone decides to bork up the computer, a reboot brings it back to how it was setup. Here is a guide on it. http://www.howtogeek.com/howto/6520/windows-steadystate/
|
|
#
?
Sep 29, 2011 21:34
|
|
|
Awesome, thanks guys.Moey posted:Have you looked into SteadyState? Yeah, we tried SteadyState for awhile and it was kind of a disaster, borking up printer settings and the like.
|
|
#
?
Sep 30, 2011 04:30
|
|
|
Rev. Bleech_ posted:I'm a complete novice when it comes to this sort of administration, so forgive me if this question is silly. However, I work at a hotel and am thus responsible for policing the four business center PCs. I'm only half joking when I suggest you take a look at Windows Live Family Safety from Microsoft. Personally I'd use GPOs to lock everything down. More specifically I'd disable the ability to write anywhere but the temp-folder IE uses, and disallow any files to be executed except (for example.) C:\Program Files\Internet Explorer\iexplore.exe. If you don't want to set the execute rights to exclude all files except the ones you allow you should at least make sure they can only run files from [Location A], only write to [Location B] and make sure that [Location A] and [Location B] doesn't overlap - so they can't run a file they download. Moey posted:Another GPO related question, how many policies is everyone out there applying? I was discussing how we have everything setup with my boss, and he seems to think having a bunch of extra non-linked GPOs (I have about a dozen that I was playing around with for testing, but they are not applied anywhere anymore) will slowdown login. I don't see how it could. Ordinary Windows 7 desktops has 11 GPOs. Unlinked policies doesn't affect anything. Crowley fucked around with this message at 10:51 on Sep 30, 2011 |
|
#
?
Sep 30, 2011 10:46
|
|
|
Rev. Bleech_ posted:Awesome, thanks guys. If steady state didn't work I would recommend looking into Deep Freeze. We use that for our public facing computers and it works pretty well.
|
|
#
?
Sep 30, 2011 20:01
|
|
|
|
| # ? May 16, 2024 23:25 |
|
|
Naramyth posted:If steady state didn't work I would recommend looking into Deep Freeze. We use that for our public facing computers and it works pretty well. Now somebody is going to tell me Deep Freeze can do that and it's done it since version 1. Edit: It looks like the newest version of Deep Freeze gives you better control over the computer. They also make Deep Freeze for servers.  "Hey Bob, why do all the users vanish when we restart our only DC that runs on a Pentium 2?"If the computers are fast enough, set up a VM on them running Windows. 
Yaos fucked around with this message at 22:11 on Sep 30, 2011 |
|
#
?
Sep 30, 2011 22:04
|
|
