Urgent Group Policy Issue - not applying despite saying it does
Thank you for this urgent help. Auditors checking this out tomorrow morning.
We have a GPO that sets the eventlog audit settings for success or failure security events. The scope is set to Authenticated Users.
When I run the group policy wizard in GPMC it shows the settings applying to one of our servers in that OU.
When I run gpresult/z from that server it shows the policy applying to that server.
But when I go into gpedit.msc the security audit settings are all set to "not defined" and they are grayed out so I can't edit them manually.
As a test I set the GPO to deny applying to that server. I ran gpudpate/force on the system and then gpresult and it shows the GPO now not applying. But the settings are still set to not defined and still not editable. they are not being set by any other GPO.
In the event logs I only see three GPO errors but they are unrelated. A separate GPO is having issues creating user accounts. No other GPOs apply.
Quick help would be fantastic.
Server runs on Windows Server 2008 R2 (I can edit GPO but not the domain ones and I don't have access to the domain controllers).
OK, After several hours I figured it out. Turns out there's bugs and odd functionality.
If someone ever tested the 'advanced audit settings' (which I did in the same GPO at some point) then it sets a registry key to disable the use of the older basic audit settings. But when you stop using those advanced settings in your GPO it doesn't remove
that registry bit. So I used the GPO to undo that setting. This was the first step. This is found Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Audit: Force audit policy subcategory
settings (Windows Vista or later) to override audit policy category settings" to DISABLED.
Even though this is done, sometimes the GPO files on the domain controllers don't remove the old audit settings. So in the comments of another thread I found out you may have to go to
\\domain-fqdn\SYSVOL\domain-fqdn\Policies\{your-policy-id-where-this-setting-was-originally-set}\Machine\Microsoft\Windows NT\ and delete the Audit folder which is left behind due to some odd bug. If you don't do this even after doing the next step the
next gpupdate will bring that security setting above back down.
Next you have to reset your audit settings on your PC to the defaults. Unfortunately there is no way to do this. Auditpol /clear does not accomplish this. The only way to do this is to take the audit settings from another working system, export them and
then 'restore' those same settings to the affected server. To do this:
1. On 'working system' run cmd.exe as administrator and export the audit settings to a folder like this:
auditpol /backup /file:c:\working-auditpol-settings.txt
2. Copy that file to the broken system such as the C:\ drive and run this on the broken system:
auditpol /restore /file:c:\working-auditpol-settings.txt
Open GPEDIT.MSC and verify the audit settings are back to normal. Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Then run gpupdate/force on the formerly broken system. Close gpedit.msc and reopen and verify the settings were not overwritten. If you skipped the sysvol audit folder deletion step they may come back.
Hope this helps someone.
Similar Messages
-
User Group Policy Settings not applied to new user profiles at first logon
Good Afternoon,
We have an issue that occurs to a new user when they first log on to their machines. They log on and a new profile creates from the Default User Profile. We can see that a number of our Group Policy Settings applied as "User Configuration" are
not applying.A log off and back on is required before the policies apply.
Any thoughts to this behaviour please?
Regards
LeeB
Lee Bowman MCITP MCTSHi,
How about your problem now? How many system encounter this problem? Is all policy couldn't be applied? Is there any feedback when using gpresult to check policy applied status?
As Group Policy applies after user identity authentication, generally speaking, user logoff and back doesn't helpful with this problem.
When this problem occures, have you checked event log if it identify this problem?
Roger Lu
TechNet Community Support -
Group policy is not applying in windows 8
There is different behavior on Windows 7 and Windows 8 on desktop wallpaper. In Windows 7, when we log into the system,
the cached wallpaper file will re-generated automatically.
But in Windows 8, if the wallpaper path didn’t change, the cached wallpaper will not re-generate.
After I deleted below file and log off/log on I can see the desktop wallpaper automatically changed on Windows 8.
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
So I think you can apply this deletion operation to the domain controller as a log
off and shut downscript, the script which is as below.
(you can also write a .bat file by yourself and the content is :del
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper)
Any solution on a doamin area pcs is not changing wallpaper by default in windows 8 i do the above but it applies only for a client machine. i want this to all windows 8 pcs in domain...please check this
try this. Run regedit and navigate to the following key in the Registry Editor:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
Right click on Policies > New > KEY > name it as ActiveDesktop.
Next in the right side, right-click > New > DWORD > name it as
NoChangingWallPaper.
The DWORD value 1 will restrict change in desktop wallpaper. To
allow change give it value as 0.
Reboot. -
We want to deploy to all our desktop the pac file to configure proxy. We have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy settings per-machine (rather than per user)", and i've add a registry key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current
Version\Internet Settings" with the pac file link.
I've tested on my pc, and all was configured without any problem. I've try to login to my computer with another user (without admin rights) and the automatic configuration proxy was compiled and not modificable. It's seems that all works.
But, our users are not local admin, so i've tried to deploy the GPO in a collegue computer. I've forced the update of GPO, checked on registry that all new keys are added, and i've reboot the pc. When i've check on IE settings, autoconfig URL was empty and
grey. I'm disconnected from user and i've login to the pc with a local admin. With my surprise, the IE settings was compiled. When i'm come bac to the user profile the IE settings was compiled and not modificable.
The problem is: i've over 750 users in 3 countries, and i don't want grant them the local admin permissions. How can i configure proxy settings via GPO without login to every machine at least one time?> have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy
> settings per-machine (rather than per user)", and i've add a registry
> key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current
> Version\Internet Settings" with the pac file link.
In the past, we experienced various issues with machine proxy settings,
so we don't use them anymore. The simple approach:
Block access to the connections page through ADM template settings and
deploy the proxy through GPP Internet Settings.
This is what we do (with a pac file, too), and it works well :)
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Hi All,
Am facing plenty of issues in Group policies.. Like when i run this command "gpresult /v" i could see the same policy applied in as thrice in applied group policy.. and that policy is default domain policy.. also trying to add one of intranet site
in Internet Group policy maintenance policy but its not reflected to users.. even i forced the policy.. Please advice me on this.
i have given the gpresult fyr.. some have a quick look and advice me accordingly.
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 3/6/2014 at 9:20:31 AM
RSOP data for OURDOMAIN\venkat2r on INBRLT141 : Logging Mode
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\venkat2r
Connected over a slow link?: No
USER SETTINGS
Last time Group Policy was applied: 3/6/2014 at 9:07:33 AM
Group Policy was applied from: INCHDC01.OURDOMAIN.com
Group Policy slow link threshold: 500 kbps
Domain Name: OURDOMAIN
Domain Type: WindowsNT 4
Applied Group Policy Objects
ourdomain_Policy_Customized
Global_Wallpaper
ourdomain_Policy_Customized
ourdomain_Policy_Customized
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
High Mandatory Level
The user has the following security privileges
Resultant Set Of Policies for User
Software Installations
N/A
Logon Scripts
N/A
Logoff Scripts
N/A
Public Key Policies
N/A
Administrative Templates
GPO: Global_Wallpaper
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
Value: 1, 0, 0, 0
State: Enabled
GPO: ourdomain_Policy_Customized
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
Value: 54, 0, 48, 0, 48, 0, 0, 0
State: Enabled
GPO: Global_Wallpaper
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper
Value: 67, 0, 58, 0, 92, 0, 87, 0, 105, 0, 110, 0, 100, 0, 111, 0, 119, 0, 115, 0, 92, 0, 87, 0, 101, 0, 98, 0, 92, 0, 87, 0, 97, 0, 108, 0, 108, 0, 112, 0, 97, 0, 112, 0, 101, 0,
114, 0, 92, 0, 69, 0, 109, 0, 101, 0, 114, 0, 105, 0, 111, 0, 46, 0, 106, 0, 112, 0, 103, 0, 0, 0
State: Enabled
GPO: ourdomain_Policy_Customized
KeyName: Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
Value: 1, 0, 0, 0
State: Enabled
GPO: ourdomain_Policy_Customized
KeyName: Software\Policies\Microsoft\Internet Explorer\Main\Start Page
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 115, 0, 116, 0, 97, 0, 114, 0, 46, 0, 101, 0, 109, 0, 101, 0, 114, 0, 105, 0, 111, 0, 99, 0, 111, 0, 114, 0, 112, 0, 46,
0, 99, 0, 111, 0, 109, 0, 47, 0, 83, 0, 105, 0, 110, 0, 103, 0, 97, 0, 112, 0, 111, 0, 114, 0, 101, 0, 47, 0, 100, 0, 101, 0, 102, 0, 97, 0, 117, 0, 108, 0, 116, 0, 46, 0, 97, 0, 115, 0, 112, 0, 120, 0, 0, 0
State: Enabled
GPO: ourdomain_Policy_Customized
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
Value: 49, 0, 0, 0
State: Enabled
GPO: Global_Wallpaper
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper
Value: 1, 0, 0, 0
State: Enabled
GPO: Global_Wallpaper
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab
Value: 1, 0, 0, 0
State: Enabled
GPO: Global_Wallpaper
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System\WallpaperStyle
Value: 52, 0, 0, 0
State: Enabled
Folder Redirection
N/A
Internet Explorer Browser User Interface
GPO: ourdomain_Policy_Customized
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: ourdomain
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No
Internet Explorer URLs
GPO: ourdomain_Policy_Customized
Home page URL: http://star.OURDOMAIN.com/Singapore/default.aspx
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: ourdomain_Policy_Customized
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: Yes
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No
Internet Explorer Programs
GPO: ourdomain_Policy_Customized
Import the current Program Settings: No
Thanks, Venkatesh. "Hardwork Never Fails"Hi,
Before going further, I have to admit that I made a mistake and Paul is right.
>>But i am not able to change the security settings in IE like adding sites in Trusted sites its grayed out.
If we don’t want to allow users to change this setting, we can configure this setting via native policy and the following blog can be referred to as reference.
Internet Explorer 10 – Add Sites To The Trusted Sites Zone With Group Policy
http://johnfail.wordpress.com/2013/11/07/internet-explorer-10-add-sites-to-the-trusted-sites-zone-with-group-policy/
If we want to allow users to change this setting, we can configure this setting via GPP Registry.
Regarding this point, the following thread can be referred to for more information.
Add Trusted Sites Via GPO but still allow users to add trusted sites
http://community.spiceworks.com/topic/326140-add-trusted-sites-via-gpo-but-still-allow-users-to-add-trusted-sites
Best regards,
Frank Shen -
I can't determine how a group policy is being applied. Please help. Thank you.
Hi,
I'm having a problem trying to find how a particular policy is being applied on my domain (I've inherited this domain). When ever a user logs into a domain, the computer get's a new local group policy. One particular attribute is that the local
admin account get's renamed:
I can't figure out where it's coming from. I've run gpresult, and I'm assuming it's the default domain policy.
But when I go to the domain controller and look at the default domain policy, the entry is empty:
I'm really at a loss. However, I really don't think it's the default domain policy, but I can't figure out what else it could be?
Any help would be greatly appreciated. Thanks!!! -TimDoes this help
C:\Users\***>gpresult /z
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 2/12/2015 at 1:57:06 PM
RSOP data for ****\*** on H9MHD12 : Logging Mode
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\***
Connected over a slow link?: No
COMPUTER SETTINGS
CN=H9MHD12,CN=Computers,DC=***,DC=com
Last time Group Policy was applied: 2/12/2015 at 1:03:12 PM
Group Policy was applied from: ***.***.Com
Group Policy slow link threshold: 500 kbps
Domain Name: ****
Domain Type: Windows 2000
Applied Group Policy Objects
Default Domain Policy
Local Group Policy
The computer is a part of the following security groups
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
H9MHD12$
Domain Computers
System Mandatory Level
Resultant Set Of Policies for Computer
Software Installations
N/A
Startup Scripts
N/A
Shutdown Scripts
N/A
Account Policies
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 42
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: N/A
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: N/A
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: N/A
Audit Policy
N/A
User Rights
N/A
Security Options
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: NewAdministratorName
Computer Setting: Enabled
N/A
Event Log Settings
N/A
Restricted Groups
N/A
System Services
N/A
Registry Settings
N/A
File System Settings
N/A
Public Key Policies
N/A
Administrative Templates
GPO: Local Group Policy
KeyName: Software\Policies\Microsoft\Windows\ScPnp\EnableScP
nP
Value: 0, 0, 0, 0
State: Enabled
USER SETTINGS
CN=*******,OU=Users,OU=Corporate,OU=***,DC=***,DC=com
Last time Group Policy was applied: 2/12/2015 at 1:33:14 PM
Group Policy was applied from: ***.***.Com
Group Policy slow link threshold: 500 kbps
Domain Name: ***
Domain Type: Windows 2000
Applied Group Policy Objects
Default Domain Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
The user has the following security privileges
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Increase a process working set
Resultant Set Of Policies for User
Software Installations
N/A
Logon Scripts
N/A
Logoff Scripts
N/A
Public Key Policies
N/A
Administrative Templates
N/A
Folder Redirection
N/A
Internet Explorer Browser User Interface
N/A
Internet Explorer Connection
N/A
Internet Explorer URLs
N/A
Internet Explorer Security
N/A
Internet Explorer Programs
N/A -
Group Policy Startup Script Applies My Policy But Does Not Run The Acual Scripts
I have created a basic batch file with msiexec.exe to uninstall a program on startup and then another separate .bat script to install the same program but the newer version. The software I'm referring to has to be completely uninstalled BEFORE
I install the "newer" version of the same program, it cannot just be overwritten. If I run a gpupdate /force on the client computer and restart, the scripts run as they are supposed to and everything works but the problem is that I can't get it to
run on first boot on a computer that has been turned off for months, even after multiple reboots it still doesn't run the scripts. The 3 policies apply to the different computers/users but the scripts don't run. I manage a theme park that is
only open 4 months of the year so the rest of the time the in park PC's are turned off. I have created my OU as "POS Computers & Users" which has all of the computers and users that will take this policy. I also have 3 Group Policy
Objects attached to this OU in Group Policy, 1 is the program uninstallation .bat script policy that runs on startup, 2 is the install .bat script policy that runs after the uninstallation script, and 3 is the Default Policy for the OU. I already have the
"Always wait for the network at computer startup and logon", "Run startup scripts visible"enabled, "Run startup scripts asynchronously" disabled, and "Run Logon Scripts Synchronously" enabled for all 3 of the
policies. They are all "link enabled" and security filtering is set to only the OU I mentioned earlier so that it doesn't affect anyone else. I have the link order set as the script I want to run first as the last and the one I want to run last first
because from what I understand inheritance is from bottom to top. The install file is accessible by everyone with full permissions on our "Shared" drive so I know its not a permissions issue because it runs after a gpupdate /force with a restart.
The scripts are in the proper folder for the policies they are attached to and permissions are fine.
Here is my uninstall .bat script (msiexec.exe /X{14324A6A-BDD1-4F40-8E77-664C8AEEA251} /forcerestart /qb-! ALLUSERS=1 REMOVE=ALL)
Here is my install .bat script (msiexec.exe /i {\\kksrvad\shared\Gatemaster\NewGatemaster.msi} /qb ALLUSERS=1)Can't be done in a login script.
This is a Group Policy issue and not a scripting issue. You do not have a script. You have a command saved in a batch file and you are using a GPO. Not a scripting issue.
¯\_(ツ)_/¯ -
Windows 7 DNS and Group Policy Issues
Hi,
We have several suites of Windows 7 domain connected PC's.
In one of the suites I have been called into look at 3 different PC's where the users have not got mapped drives, desktop backgrounds, internet connectivity - because their group policies have not applied.
When I look at the error logs I find DNS 1014 errors, and Group Policy 1054 errors.
I have looked at the logs on the switches, and there is nothing on them - Could a pupil pulling the network cable out cause these errors?... Possibly they could have put it back in before I got back in the room.
The user logs off of the PC and back on again and are fine, as are the users that logon after them.
We have 2 DC's/DNS servers, which I would have thought would be able to cope with the load here.
Please let me know what you think the likely cause could be.Hello John555444,
What is your current situation?
Is this issue resolved?
Best regards,
Fangzhou CHEN
Fangzhou CHEN
TechNet Community Support -
Group Policy Files Not Being Deployed to UNC Paths
When attempting to deploy files via Group Policy Preferences, there is a well-known issue wherein you may receive an error to the effect of: 0x80070003
The system cannot find the path specified. This is due to the local system being the security context used to deploy the file. If the local system does not have rights to the location, as is true with mapped drives, access is denied and the path cannot
be found. The workaround for this is to enable the common option "Run under the logged in user's security context"
However, I have done this and still receive the same error. I have verified the logged-in user can reach both the source and destination. Specifically, the source is a file server and the destination is the user's HOMEPATH,
which resides on another fileserver in this case. More to the point, it's their redirected Documents folder, and it otherwise works fine; I cannot imagine this being a permissions or connectivity issue, especially because I receive the error even if I execute
a gpupdate
/force /target:user while logged in.
I've also installed the hotfix from Microsoft pertaining to this issue: "Error
code 0x80070003 when a Group Policy preference is applied to Windows 7 clients", but this did not change anything. (I only installed it onto the desktop; that seems to be where it belongs for my case.)
I'm at a loss as to why this happens. The domain controllers agree the common option is set, and a gpupdate does otherwise succeed. Also, if I change the target to a location on a local drive of the computer, it works fine. I do not see the common option reflected
in the output of gpresult,
but I'm not sure if I should.Hi Ron,
Before going further, how did we input the source file path and the destination file path? Did we input the paths as follows (t1.txt as an example):
Action: Create
Source file path: \\servername\sharename\username\documents\t1.txt
Destination file path:\\servername\sharename\t1.txt
Best regards,
Frank Shen -
Folder Redirection policy is not applied to a user, when the server target is changed.
After server target is changed via group policy, when user login (roaming profile)first time, the the new server target has not been applied, instead it's pointing to the old folder redirection path.
But if we reset the windows profile (roaming ), the new folder redirection works, can you please specify a solutions that the new folder redirection works when the user login for the first time. so it reduce the time on resetting users profile.
it seems that we need to delete the old folder redirection path from the user profile (roaming user profile) via group policy or similar solutions..
Many Thanks> But when the specific users login they all get the same error, it
Is the old server removed from the domain? Seems so - or some other
authentication related issue, hard to tell from here...
> seems that the roaming user profiles still keeps the old server details,
Yes - if you change redirection targets, FR moves content from old to
new, and only if this ends sucessfully, it will update the redirection
target.
Make the old redirection target accessible to the user and you'll be fine.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Preventing Domain Group Policy from being applied
How can a user prevent the domain group policy from being applied to his machine? And How can I stop users from doing that?
Hi,
No, group policy is processed by order, that is, local GPO is processed first, and then domain policy is processed by order, which would overwrite settings in the earlier GPOs if there are conflict.
If you don’t want to apply the domain policy, apply a higher precedence policy or disjoin the domain.
Group Policy processing and precedence
http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
Alex Zhao
TechNet Community Support -
Group Policy Preference's --APplied to Groups not always working
I've created a new group policy preference to add a couple new desktop shortcuts.
I've set the security filtering to apply to "JamesGroup". I have verified that "JamesGroup" has Read & Allow Apply Group Policy selected
I put myself into that group.
I then run a GPupdate/force on my computer and I get no new shortcuts.
If I adjust the security filtering to apply to "JamesUserAccount" and rerun GPupdate/force, the desktop shortcuts come through right away.
I've tried creating new groups and it never seems to work...it just works when I set the security filtering to specific user accounts.
When I remove myself from the security filtering, and run a GPresult /r I see that the GPO was not applied because it was filtered out: Denied (Security)
Why isn't the GPO applying when I set it on a security group?
To make things more interesting, it seems to work if I log onto a different computer as the same user?!? But doesn't work on 90% of the computers.> Yes I have tried logging out/in, locking/unlocking, and restarting
> computers...nothing seems to work...
How many groups are you a member of? You might suffer kerberos token
bloating...
To verify, check
"whoami /groups"
against
"dsquery user -samid %username% | dsget user -memberof -expand"
All groups in dsquery output also listed in whoami output?
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Group Policy - Issues deploying software packages through GPO
Hello everyone,
I am having issues successfully deploying MSI packages through group policy. I have set my computer account up in its own test OU in my domain, but yet the software will not deploy. Example, I'm trying to deploy AVG Anti-Virus and make sure it
is installed on each and every PC in my domain. As for the GPO, I set it up as an assigned package and pointed to the location of the package with the UNC file path (visible to both the DC and my computer that is part of the affected OU)
On the domain controller, I get these messages in application event logs:
Beginning a Windows Installer transaction: \\hs-dc2\software\avg\installavg.msi. Client Process Id: 9048.
Ending a Windows Installer transaction: \\hs-dc2\software\avg\installavg.msi. Client Process Id: 9048.
This shows up when I refresh GP on my computer. I run gpresult /h GPReport.html and get the following message:
Software Installation failed due to the error listed below.
Fatal error during installation.
Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between
The software is in a share on the domain controller that is visible from my computer, and permissions are set where "Everyone" has read access. I have tested the package on my computer and it installs
correctly if I do it manually, so it's a good package.
I'm at a loss. I am admitedly very new to GP management, but I'm pretty sure I have covered all my bases here. I humbly ask for any and all help that you all can provide.
Thank you all very much, have a great weekend!> Magnolia_Schools.exe
What's that???
> \\hs-dc2\software\avg\installavg.msi
> <file://\\hs-dc2\software\avg\installavg.msi> /qb addeploy=1
/qb ADDEPLOY=1
Uppercase matters (:
A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
I should have explained, my apologies. The InstallAVG.msi is the package I have GP deploying. it is a package that AVG wrote for us that goes in, uninstalls the two previous antivirus softwares we have on our network if it is present, and
then wraps it to run magnolia_schools.exe which installs the AV software. I am uninstalling AVG now and will try reinstalling with
\\hs-dc2\software\avg\installavg.msi /qb ADDEPLOY=1 and report back.
also, the only logs I found that were around the time of the install attempt were such as these:
1: 2905 2: C:\windows\system32\appmgmt\MACHINE\{06ee0d46-cd5f-4216-a09f-2aeb573aa5ba}.aas
1: 2905 2: C:\windows\system32\appmgmt\MACHINE\{06ee0d46-cd5f-4216-a09f-2aeb573aa5ba}.aas
Does that tell you anything?
I will say this, if this means anything...now that AVG is installed, the event logs are changing from an error %%1603 to this:
Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was : %%1274
The removal of the assignment of application exe2msiSetupPackage from policy Install AVG failed. The error was : %%2
So it acts like it's at least seeing that the package is installed...and reacting differently, correct?
Thanks so much -
I have two Domain Controllers Main ( Main DC ) and Second DC.
the date of some policies is not out of date....
please check these files to know the problem.
dcdiag.txt output:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine ASMDC, is a Directory Server.
Home Server = ASMDC
* Connecting to directory service on server ASMDC.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=buc,DC=edu,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=buc,DC=edu,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 2 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\ASMDC
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... ASMDC passed test Connectivity
Testing server: Default-First-Site-Name\BSMDC
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... BSMDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\ASMDC
Starting test: Advertising
The DC ASMDC is advertising itself as a DC and having a DS.
The DC ASMDC is advertising as an LDAP server
The DC ASMDC is advertising as having a writeable directory
The DC ASMDC is advertising as a Key Distribution Center
The DC ASMDC is advertising as a time server
The DS ASMDC is advertising as a GC.
......................... ASMDC passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... ASMDC passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... ASMDC passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... ASMDC passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... ASMDC passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Domain Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role PDC Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Rid Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Infrastructure Update Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
......................... ASMDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC ASMDC on DC ASMDC.
* SPN found :LDAP/ASMDC.buc.edu/buc.edu
* SPN found :LDAP/ASMDC.buc.edu
* SPN found :LDAP/ASMDC
* SPN found :LDAP/ASMDC.buc.edu/BUC
* SPN found :LDAP/5e88f85b-15a6-4ff5-b0fd-6df748df06fd._msdcs.buc.edu
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e88f85b-15a6-4ff5-b0fd-6df748df06fd/buc.edu
* SPN found :HOST/ASMDC.buc.edu/buc.edu
* SPN found :HOST/ASMDC.buc.edu
* SPN found :HOST/ASMDC
* SPN found :HOST/ASMDC.buc.edu/BUC
* SPN found :GC/ASMDC.buc.edu/buc.edu
......................... ASMDC passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC ASMDC.
* Security Permissions Check for
DC=ForestDnsZones,DC=buc,DC=edu
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=buc,DC=edu
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=buc,DC=edu
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=buc,DC=edu
(Configuration,Version 3)
* Security Permissions Check for
DC=buc,DC=edu
(Domain,Version 3)
......................... ASMDC passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\ASMDC\netlogon
Verified share \\ASMDC\sysvol
......................... ASMDC passed test NetLogons
Starting test: ObjectsReplicated
ASMDC is in domain DC=buc,DC=edu
Checking for CN=ASMDC,OU=Domain Controllers,DC=buc,DC=edu in domain DC=buc,DC=edu on 2 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu in domain CN=Configuration,DC=buc,DC=edu on 2 servers
Object is up-to-date on all servers.
......................... ASMDC passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=buc,DC=edu
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=DomainDnsZones,DC=buc,DC=edu
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Schema,CN=Configuration,DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
* Replication Site Latency Check
......................... ASMDC passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 8604 to 1073741823
* ASMDC.buc.edu is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 7604 to 8103
* rIDPreviousAllocationPool is 7604 to 8103
* rIDNextRID: 7640
......................... ASMDC passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... ASMDC passed test Services
Starting test: SystemLog
* The System Event log test
An Warning Event occurred. EventID: 0x825A0024
Time Generated: 08/21/2014 00:22:16
Event String:
The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system
time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources.
Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.
An Warning Event occurred. EventID: 0x8000000E
Time Generated: 08/21/2014 00:32:29
Event String:
There were password errors using the Credential Manager. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the password for the credential BUC.EDU\administrator.
An Error Event occurred. EventID: 0x00000422
Time Generated: 08/21/2014 00:32:29
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\buc.edu\sysvol\buc.edu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not
successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
......................... ASMDC failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=ASMDC,OU=Domain Controllers,DC=buc,DC=edu and backlink on
CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
are correct.
The system object reference (serverReferenceBL)
CN=ASMDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=buc,DC=edu
and backlink on
CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
are correct.
......................... ASMDC passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Testing server: Default-First-Site-Name\BSMDC
Starting test: Advertising
The DC BSMDC is advertising itself as a DC and having a DS.
The DC BSMDC is advertising as an LDAP server
The DC BSMDC is advertising as having a writeable directory
The DC BSMDC is advertising as a Key Distribution Center
The DC BSMDC is advertising as a time server
The DS BSMDC is advertising as a GC.
......................... BSMDC passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... BSMDC passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... BSMDC passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... BSMDC passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... BSMDC passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Domain Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role PDC Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Rid Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Infrastructure Update Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
......................... BSMDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC BSMDC on DC BSMDC.
* SPN found :LDAP/BSMDC.buc.edu/buc.edu
* SPN found :LDAP/BSMDC.buc.edu
* SPN found :LDAP/BSMDC
* SPN found :LDAP/BSMDC.buc.edu/BUC
* SPN found :LDAP/93561cab-4fb3-421f-9a67-af6b4c280eca._msdcs.buc.edu
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/93561cab-4fb3-421f-9a67-af6b4c280eca/buc.edu
* SPN found :HOST/BSMDC.buc.edu/buc.edu
* SPN found :HOST/BSMDC.buc.edu
* SPN found :HOST/BSMDC
* SPN found :HOST/BSMDC.buc.edu/BUC
* SPN found :GC/BSMDC.buc.edu/buc.edu
......................... BSMDC passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC BSMDC.
* Security Permissions Check for
DC=ForestDnsZones,DC=buc,DC=edu
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=buc,DC=edu
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=buc,DC=edu
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=buc,DC=edu
(Configuration,Version 3)
* Security Permissions Check for
DC=buc,DC=edu
(Domain,Version 3)
......................... BSMDC passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\BSMDC\netlogon
Verified share \\BSMDC\sysvol
......................... BSMDC passed test NetLogons
Starting test: ObjectsReplicated
BSMDC is in domain DC=buc,DC=edu
Checking for CN=BSMDC,OU=Domain Controllers,DC=buc,DC=edu in domain DC=buc,DC=edu on 2 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu in domain CN=Configuration,DC=buc,DC=edu on 2 servers
Object is up-to-date on all servers.
......................... BSMDC passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=buc,DC=edu
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=DomainDnsZones,DC=buc,DC=edu
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Schema,CN=Configuration,DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
* Replication Site Latency Check
......................... BSMDC passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 8604 to 1073741823
* ASMDC.buc.edu is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 8104 to 8603
* rIDPreviousAllocationPool is 8104 to 8603
* rIDNextRID: 8106
......................... BSMDC passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... BSMDC passed test Services
Starting test: SystemLog
* The System Event log test
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:15
Event String:
Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:18
Event String:
Driver SolidPDF XChange required for printer SolidPDF XChange is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:18
Event String:
Driver NRG SP 3400N PCL 6 required for printer !!net_pc5!NRG SP 3400N PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:19
Event String:
Driver Send To Microsoft OneNote Driver required for printer !!BUCLAPTOP1!Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:20
Event String:
Driver NRG SP 3400N PCL 6 required for printer !!BUCLAPTOP1!NRG SP 3400N PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
An Warning Event occurred. EventID: 0x80000008
Time Generated: 08/20/2014 23:52:20
Event String:
The jobs in the print queue for printer Microsoft XPS Document Writer (redirected 2) were deleted. No user action is required.
To stop logging warning events for the print spooler, in Control Panel, open Printers, right-click a blank area of the window, click Run as Administrator, click Server Properties, click the
Advanced tab, and then clear the Log spooler warning events check box.
An Warning Event occurred. EventID: 0x80000004
Time Generated: 08/20/2014 23:52:20
Event String:
Printer Microsoft XPS Document Writer (redirected 2) will be deleted. No user action is required.
To stop logging warning events for the print spooler, in Control Panel, open Printers, right-click a blank area of the window, click Run as Administrator, click Server Properties, click the
Advanced tab, and then clear the Log spooler warning events check box.
An Warning Event occurred. EventID: 0x80000003
Time Generated: 08/20/2014 23:52:20
Event String:
Printer Microsoft XPS Document Writer (redirected 2) was deleted, and users will no longer be able to print to this printer. No user action is required.
To stop logging information events for the print spooler, in Control Panel, open Printers, right-click a blank area of the window, click Run as Administrator, click Server Properties, click
the Advanced tab, and then clear the Log spooler information events check box.
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:22
Event String:
Driver NRG SP 3400N PCL 6 required for printer !!BUCLAPTOP1!NRG SP 3400N PCL 6 (Copy 1) is unknown. Contact the administrator to install the driver before you log in again.
......................... BSMDC failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=BSMDC,OU=Domain Controllers,DC=buc,DC=edu and backlink on
CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
are correct.
The system object reference (serverReferenceBL)
CN=BSMDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=buc,DC=edu
and backlink on
CN=NTDS Settings,CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
are correct.
......................... BSMDC passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : buc
Starting test: CheckSDRefDom
......................... buc passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... buc passed test CrossRefValidation
Running enterprise tests on : buc.edu
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\ASMDC.buc.edu
Locator Flags: 0xe00013fd
PDC Name: \\ASMDC.buc.edu
Locator Flags: 0xe00013fd
Time Server Name: \\ASMDC.buc.edu
Locator Flags: 0xe00013fd
Preferred Time Server Name: \\ASMDC.buc.edu
Locator Flags: 0xe00013fd
KDC Name: \\ASMDC.buc.edu
Locator Flags: 0xe00013fd
......................... buc.edu passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... buc.edu passed test Intersite
====================================================================
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\ASMDC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5e88f85b-15a6-4ff5-b0fd-6df748df06fd
DSA invocationID: 1355f657-cd24-4ad4-b890-f04f5c624acd
==== INBOUND NEIGHBORS ======================================
DC=buc,DC=edu
Default-First-Site-Name\BSMDC via RPC
DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca
Last attempt @ 2014-08-21 00:43:56 was successful.
CN=Configuration,DC=buc,DC=edu
Default-First-Site-Name\BSMDC via RPC
DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca
Last attempt @ 2014-08-21 00:41:11 was successful.
CN=Schema,CN=Configuration,DC=buc,DC=edu
Default-First-Site-Name\BSMDC via RPC
DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca
Last attempt @ 2014-08-20 23:51:37 was successful.
DC=DomainDnsZones,DC=buc,DC=edu
Default-First-Site-Name\BSMDC via RPC
DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca
Last attempt @ 2014-08-21 00:45:39 was successful.
DC=ForestDnsZones,DC=buc,DC=edu
Default-First-Site-Name\BSMDC via RPC
DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca
Last attempt @ 2014-08-20 23:51:37 was successful.
Regards and thanks in advance
MhiarHi,
Based on the description, the Sysvol is replicated by FRS service.
>>some policies at the main DC are not updated like same policies in second DC.
In this case, we can do a non-authoritative restore on the main DC.
To do so:
Click Start, and then click
Run.
In the
Open box, type cmd and then press ENTER.
In the
Command box, type net stop ntfrs.
Click Start, and then click
Run.
In the
Open box, type regedit and then press ENTER.
Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
In the right pane, double-click
BurFlags.
In the
Edit DWORD Value dialog box, type D2 and then click OK.
Quit Registry Editor, and then switch to the
Command box.
In the
Command box, type net start ntfrs.
Quit the
Command box.
Regarding reinitializing File Replication Service replica sets, the following article can be referred to for more information.
Using the BurFlags registry key to reinitialize File Replication Service replica sets
http://support.microsoft.com/kb/290762/en-us
Best regards,
Frank Shen -
Group Policy won't apply, No mapping between account names and security IDs was done.
I am using Group Policy Preferences to remove users from the local admin group and add a local admin account. This GPO is working on 90% of the Win7 machines on the network, but three laptops are not accepting the GPO. I get the following error:
Log Name: Application
Source: Group Policy Local Users and Groups
Date: 6/24/2014 8:49:28 AM
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: laptop1.internal.com
Description:
The user 'Administrators' preference item in the 'Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security
IDs was done.' This error was suppressed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Group Policy Local Users and Groups" />
<EventID Qualifiers="34305">4098</EventID>
<Level>3</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-06-24T13:49:28.000000000Z" />
<EventRecordID>68771</EventRecordID>
<Channel>Application</Channel>
<Computer>laptop1.internal.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>user</Data>
<Data>Administrators</Data>
<Data>Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}</Data>
<Data>0x80070534 No mapping between account names and security IDs was done.</Data>
</EventData>
</Event>
I've searched high and low for an answer and nothing I find on-line seems to apply. I also notice that the option to 'Run as Administrator' does not work. If I right-click on cmd.exe and select 'run as administrator', the command box opens but
I am not prompted for credentials and the command box does not have admin rights. Not sure if this is related or not.
Any help on this would be greatly appreciated.
Thanks,
JoeHi,
Delete your remove action from the GPP and push it again, does this issue still occur?
If it still exists, let’s collect the GPP log for analysis:
Group policy Preference debug logging policy settings are located under:
Computer Configuration\Administrative Templates\System\Group Policy
Click Logging and tracing, select local users and group preference logging and trace.
Meanwhile, just a similar issue, but it is worth trying:
A user is added to the wrong group on a client computer that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/kb/2280515
If you have any feedback on our support, please click
here
Alex Zhao
TechNet Community Support
Maybe you are looking for
-
How Can I call a UCM service from SOAP request
Hi, I have created one custom service and I would like to call that service from 3rd Party system via SOAP call. The 3rd Party system does not have the capability to call through RIDC. Now I have exposed my service and tried to call but authenticatio
-
Enhancements vendor/customer master data
Hi, Are enhancements aboutvendor/customer master data there to allow to insert 55 digit into field 'Name' (ADDR1_DATA-NAME1) ? Now the ADDR1_DATA-NAME1 is 40 char. Any assistance would be greatly appreciated. Best Regards. Helen.
-
ICal removes events after 6 months
iCal automatically deletes events except for recurring events after six months. I want to keep all events as a record but cannot find anyway to do that. Is that be possible? I'm using iCal version 2.0.5. PowerBook G4 Mac OS X (10.4.9) PowerBook G
-
New JCo names are not listing in WB Content Administrator
Dear Friends, I have deployed my WebDynpro application on a landscape where the production system got 4 server services running. Initially the WD application was using the existing JCo connections. But on the latest deploy I have to use new JCo conn
-
Query to find match on two fields where third does not..
Struggling with this one.. Stripped down example data SECTION GROUPID SUBGROUPID COMPONENT PNUM USERNAME HVAC AC MOTOR HOSE 111.1 BOB HVAC AC MOTOR HOSE 111.2 BOB HVAC