Re: EventID 1054 from Userenv for startup script

On May 19, 2:44 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:
Hello cjg.gro...@xxxxxxxxx,

See here about the order of GPO processing:http://technet.microsoft.com/en-us/library/cc778890.aspx

If you use GPMC and mark the OU where the machines are located check in the
right window "Group policy Inheritance tab", are all GPO's listed that you
expect and in which order are they listed?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm

On May 9, 7:33 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:

Hello cjg.gro...@xxxxxxxxx,

The ipconfig looks ok.

Please run rsop on the client machine with a user account and check
if the policies are lsited that you are using.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
Meinolf, thank you for your help, and sorry for the delay in
replying.  I have run RSOP on a computer which is not receiving the
startup script policy.  When browsing RSOP's policy tree, the Computer
Configuration branch has an error saying:
"Software Installation did not complete policy processing because a
system restart is required for the settings to be applied."
I expect this, and this is what I see when running ipconfig /force.
I see a problem with the order in which the policies are applied.
Default Domain Policy is applied second to last, before Local Policy.
Those two contain the requirement to "Wait for network before logging
in".  Since the script policy runs before these, maybe the machine is
still not waiting for the network.

But when you apply a group policy (from the domain or locally),
doesn't that setting stay in effect until another policy changes it?
So, my machine got the "Wait for network" command yesterday, then when
I reboot today, it should wait.  Right?

Another odd thing I saw were permissions on the GPOs for the script
and deployment.  They list my security filtering group as having
"Special Permissions" which are List Contents, Read All Properties and
Read Permissions.  These are three of the components of Read
permissions, with List Objects missing.  However, Authenticated Users
has an ACE entry containing only List Objects.

The startup script is applied to the computer, so the computer needs
the permissions.  It gets permission by belonging to the security
filtering group contains, but does it belong to the Authenticated
Users group to get List Objects?  Maybe the computer can't
authenticate because it didn't wait for the network?

The answer must be easier than this, though.  I have to rethink
this...



GPMC's Group Policy Inheritance view shows all of the OU's policies
being applied first, than Default Domain Policy being applied last.
This matches with RSOP said, but doesn't match the article that you
linked, which says local and domain policies are applied before OU
policies.

Still, the problem is: The script and deployment policies work for
some computers but not others. These are machines with similar
hardware, cloned from the same image, and joined to the domain in the
same way.

Often, the startup script won't run, but if I run it manually, than
the deployment GPO will run at next reboot. I also saw a machine
where the startup script did run but the deployment GPO would not.
This machine is not getting network connectivity at startup, thus
can't run the deployment, but could run the script which it received
during GP refresh when network was available.

For some reason, some machines don't have full access to the network
at startup, but they do have access once a user logs in. Thanks for
any input.
.

Relevant Pages

  • RE: Mass Distribution of Security Policies
    ... It could start with a Network usage agreement, (Advisory Policy) to all ... Mass Distribution of Security Policies ...
    (Security-Basics)
  • Re: Hang @ Applying Computer Settings/Applying Your Personal Setti
    ... It would appear the you have ruled out network connectivity problems ... >> Policy that has had changes but that should not happen every time unless ... >> computers having a gigabit network adapter. ... Policies are being created and maintained only on ...
    (microsoft.public.windows.group_policy)
  • Re: Policies applied to "Default User"
    ... Some computers do not execute a startup script ... You have a software restriction policy that applies on only these ... You can run gpresult to see what policies have been applied to each ... change the RestrictRun value to 0, and reboot, the Startup Script executes ...
    (microsoft.public.windows.group_policy)
  • Re: EventID 1054 from Userenv for startup script
    ... if Default Domain Policy shows as being the higest number on the ... Just above the bottom one would be any Site policies if they existed. ... See here about the order of GPO processing:http://technet.microsoft.com/en-us/library/cc778890.aspx ... Those two contain the requirement to "Wait for network before logging ...
    (microsoft.public.windows.group_policy)
  • Re: EventID 1054 from Userenv for startup script
    ... This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. ... So if you said "some machines don't have full access to the network at startup" the GPO's seems not to apply correct. ... in the right window "Group policy Inheritance tab", ... The startup script is applied to the computer, ...
    (microsoft.public.windows.group_policy)
Loading