Re: EventID 1054 from Userenv for startup script
- From: cjg.groups@xxxxxxxxx
- Date: Wed, 20 May 2009 12:29:14 -0700 (PDT)
On May 19, 4:20 pm, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:
Hello cjg.gro...@xxxxxxxxx,
The article is correct and matches. Local, site, domain, on OU the GPO with
the lowest number (1) will be applied last, so it has the highest prcedence.
This order means that the local GPO is processed first, and GPOs that are
linked to the organizational unit of which the computer or user is a direct
member are processed last, which overwrites settings in the earlier GPOs
if there are conflicts. (If there are no conflicts, then the earlier and
later settings are merely aggregated.)
So if you said "some machines don't have full access to the network at startup"
the GPO's seems not to apply correct. Please post an unedited ipconfig /all
from a problem client and your DC/DNS server.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
On May 19, 2:44 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:
Hello cjg.gro...@xxxxxxxxx,
See here about the order of GPO
processing:http://technet.microsoft.com/en-us/library/cc778890.aspx
If you use GPMC and mark the OU where the machines are located check
in the right window "Group policy Inheritance tab", are all GPO's
listed that you expect and in which order are they listed?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
On May 9, 7:33 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:
Hello cjg.gro...@xxxxxxxxx,
The ipconfig looks ok.
Please run rsop on the client machine with a user account and check
if the policies are lsited that you are using.
Best regards
Meinolf WeberMeinolf, thank you for your help, and sorry for the delay in
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
replying. I have run RSOP on a computer which is not receiving the
startup script policy. When browsing RSOP's policy tree, the
Computer
Configuration branch has an error saying:
"Software Installation did not complete policy processing because a
system restart is required for the settings to be applied."
I expect this, and this is what I see when running ipconfig /force.
I see a problem with the order in which the policies are applied.
Default Domain Policy is applied second to last, before Local
Policy.
Those two contain the requirement to "Wait for network before
logging
in". Since the script policy runs before these, maybe the machine
is
still not waiting for the network.
But when you apply a group policy (from the domain or locally),
doesn't that setting stay in effect until another policy changes it?
So, my machine got the "Wait for network" command yesterday, then
when I reboot today, it should wait. Right?
Another odd thing I saw were permissions on the GPOs for the script
and deployment. They list my security filtering group as having
"Special Permissions" which are List Contents, Read All Properties
and Read Permissions. These are three of the components of Read
permissions, with List Objects missing. However, Authenticated
Users has an ACE entry containing only List Objects.
The startup script is applied to the computer, so the computer needs
the permissions. It gets permission by belonging to the security
filtering group contains, but does it belong to the Authenticated
Users group to get List Objects? Maybe the computer can't
authenticate because it didn't wait for the network?
The answer must be easier than this, though. I have to rethink
this...
GPMC's Group Policy Inheritance view shows all of the OU's policies
being applied first, than Default Domain Policy being applied last.
This matches with RSOP said, but doesn't match the article that you
linked, which says local and domain policies are applied before OU
policies.
Still, the problem is: The script and deployment policies work for
some computers but not others. These are machines with similar
hardware, cloned from the same image, and joined to the domain in the
same way.
Often, the startup script won't run, but if I run it manually, than
the deployment GPO will run at next reboot. I also saw a machine
where the startup script did run but the deployment GPO would not.
This machine is not getting network connectivity at startup, thus
can't run the deployment, but could run the script which it received
during GP refresh when network was available.
For some reason, some machines don't have full access to the network
at startup, but they do have access once a user logs in. Thanks for
any input.
Thanks for the reply.
The ipconfig posted earlier in this thread is still accurate, showing
no problems with the server or client who can't get GP at startup. We
may learn more by looking at the USERENV verbose logs.
http://technet.microsoft.com/en-us/library/cc775423.aspx
The log file shows data for three user profiles: NetworkService,
LocalService, and the user profile I logged in with. During the
LocalService portion, I see a lot of these entries:
USERENV(3e4.3e8) 12:37:36:828 GetUserDNSDomainName: Domain name is NT
Authority. No DNS domain name available.
When LocalService begins processing group policy, the log shows how it
can't find the domain controller and quits (successfully??):
USERENV(3b8.270) 14:57:55:656 ProcessGPOs:
USERENV(3b8.270) 14:57:55:656 ProcessGPOs:
USERENV(3b8.270) 14:57:55:656 ProcessGPOs: Starting computer Group
Policy (Background) processing...
USERENV(3b8.270) 14:57:55:656 ProcessGPOs:
USERENV(3b8.270) 14:57:55:656 ProcessGPOs:
USERENV(3b8.270) 14:57:55:656 EnterCriticalPolicySectionEx: Entering
with timeout 600000 and flags 0x0
USERENV(3b8.270) 14:57:55:656 EnterCriticalPolicySectionEx: Machine
critical section has been claimed. Handle = 0x678
USERENV(3b8.270) 14:57:55:656 EnterCriticalPolicySectionEx: Leaving
successfully.
USERENV(3b8.270) 14:57:55:656 ProcessGPOs: Machine role is 2.
USERENV(3b8.270) 14:57:55:703 ProcessGPOs: The DC for domain AD-DEPT
is not available at startup. retrying
USERENV(3b8.270) 14:57:55:703 RetryDCContactAtMachineStartup: Enter.
USERENV(3b8.270) 14:57:55:703 RetryDCContactAtMachineStartup: Failed
to query GpNetworkStartTimeoutPolicyValue with 2, exit.
USERENV(3b8.270) 14:57:55:703 RetryDCContactAtMachineStartup: Exit
with status 1355.
USERENV(3b8.270) 14:57:55:703 ProcessGPOs: The DC for domain AD-DEPT
is not available after retries.
USERENV(3b8.270) 14:57:55:703 ProcessGPOs: The DC for domain AD-DEPT
is not available. aborting
USERENV(3b8.270) 14:57:55:703 ProcessGPOs: No WMI logging done in this
policy cycle.
USERENV(3b8.270) 14:57:55:734 ProcessGPOs: Processing failed with
error 1355.
USERENV(3b8.270) 14:57:55:734 LeaveCriticalPolicySection: Critical
section 0x678 has been released.
USERENV(3b8.270) 14:57:55:734 ProcessGPOs: Computer Group Policy has
been applied.
USERENV(3b8.270) 14:57:55:734 ProcessGPOs: Leaving with 0.
USERENV(3b8.270) 14:57:55:734 ApplyGroupPolicy: Leaving successfully.
Further down the log, when I log in, the group policy processing finds
the domain controller with no problem:
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs:
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs:
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs: Starting user Group Policy
(Background) processing...
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs:
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs:
USERENV(3b8.1b4) 15:06:41:781 EnterCriticalPolicySectionEx: Entering
with timeout 600000 and flags 0x0
USERENV(3b8.1b4) 15:06:41:781 EnterCriticalPolicySectionEx: User
critical section has been claimed. Handle = 0x76c
USERENV(3b8.1b4) 15:06:41:781 EnterCriticalPolicySectionEx: Leaving
successfully.
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs: Machine role is 2.
USERENV(3b8.1b4) 15:06:41:781 PingComputer: PingBufferSize set as 2048
USERENV(3b8.1b4) 15:06:41:813 PingComputer: Adapter speed 100000000
bps
USERENV(3b8.1b4) 15:06:41:813 PingComputer: First time: 0
USERENV(3b8.1b4) 15:06:41:813 PingComputer: Fast link. Exiting.
USERENV(3b8.1b4) 15:06:41:845 ProcessGPOs: User name is: CN=Cjg
Groups,OU=IT,OU=Dept Users and Computers,DC=ad-dept,DC=school,DC=edu,
Domain name is: AD-DEPT
USERENV(3b8.1b4) 15:06:41:845 ProcessGPOs: Domain controller is: \
\dept-files.ad-dept.school.edu Domain DN is ad-dept.school.edu
Is there any way to interpret this log to find out what the real
problem is? Thanks.
.
- Follow-Ups:
- Re: EventID 1054 from Userenv for startup script
- From: cjg . groups
- Re: EventID 1054 from Userenv for startup script
- References:
- Re: EventID 1054 from Userenv for startup script
- From: cjg . groups
- Re: EventID 1054 from Userenv for startup script
- From: Meinolf Weber [MVP-DS]
- Re: EventID 1054 from Userenv for startup script
- Prev by Date: Group Policy Preferences - Choose a Security Group from another Do
- Next by Date: Additional 3rd Party Group Policies
- Previous by thread: Re: EventID 1054 from Userenv for startup script
- Next by thread: Re: EventID 1054 from Userenv for startup script
- Index(es):
Relevant Pages
|
Loading
