Re: EventID 1054 from Userenv for startup script
- From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
- Date: Wed, 20 May 2009 20:57:33 +0000 (UTC)
Hello cjg.groups@xxxxxxxxx,
Nice to hear that you found it, thanks for the feedback.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
On May 20, 3:29 pm, cjg.gro...@xxxxxxxxx wrote:
On May 19, 4:20 pm, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>Well, I found the problem. It's my network card. The NVidia onboard
wrote:
Hello cjg.gro...@xxxxxxxxx,Thanks for the reply.
The article is correct and matches. Local, site, domain, on OU the
GPO with
the lowest number (1) will be applied last, so it has the highest
prcedence.
This order means that the local GPO is processed first, and GPOs
that are
linked to the organizational unit of which the computer or user is a
direct
member are processed last, which overwrites settings in the earlier
GPOs
if there are conflicts. (If there are no conflicts, then the earlier
and
later settings are merely aggregated.)
So if you said "some machines don't have full access to the network
at startup" the GPO's seems not to apply correct. Please post an
unedited ipconfig /all from a problem client and your DC/DNS server.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
On May 19, 2:44 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:
Hello cjg.gro...@xxxxxxxxx,GPMC's Group Policy Inheritance view shows all of the OU's policies
See here about the order of GPO
processing:http://technet.microsoft.com/en-us/library/cc778890.asp
x
If you use GPMC and mark the OU where the machines are located
check in the right window "Group policy Inheritance tab", are all
GPO's listed that you expect and in which order are they listed?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
On May 9, 7:33 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:
Hello cjg.gro...@xxxxxxxxx,Meinolf, thank you for your help, and sorry for the delay in
The ipconfig looks ok.
Please run rsop on the client machine with a user account and
check if the policies are lsited that you are using.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help
YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
replying. I have run RSOP on a computer which is not receiving
the
startup script policy. When browsing RSOP's policy tree, the
Computer
Configuration branch has an error saying:
"Software Installation did not complete policy processing because
a
system restart is required for the settings to be applied."
I expect this, and this is what I see when running ipconfig
/force.
I see a problem with the order in which the policies are applied.
Default Domain Policy is applied second to last, before Local
Policy.
Those two contain the requirement to "Wait for network before
logging
in". Since the script policy runs before these, maybe the
machine
is
still not waiting for the network.
But when you apply a group policy (from the domain or locally),
doesn't that setting stay in effect until another policy changes
it?
So, my machine got the "Wait for network" command yesterday, then
when I reboot today, it should wait. Right?
Another odd thing I saw were permissions on the GPOs for the
script and deployment. They list my security filtering group as
having "Special Permissions" which are List Contents, Read All
Properties and Read Permissions. These are three of the
components of Read permissions, with List Objects missing.
However, Authenticated Users has an ACE entry containing only
List Objects.
The startup script is applied to the computer, so the computer
needs the permissions. It gets permission by belonging to the
security filtering group contains, but does it belong to the
Authenticated Users group to get List Objects? Maybe the
computer can't authenticate because it didn't wait for the
network?
The answer must be easier than this, though. I have to rethink
this...
being applied first, than Default Domain Policy being applied last.
This matches with RSOP said, but doesn't match the article that you
linked, which says local and domain policies are applied before OU
policies.
Still, the problem is: The script and deployment policies work for
some computers but not others. These are machines with similar
hardware, cloned from the same image, and joined to the domain in
the same way.
Often, the startup script won't run, but if I run it manually, than
the deployment GPO will run at next reboot. I also saw a machine
where the startup script did run but the deployment GPO would not.
This machine is not getting network connectivity at startup, thus
can't run the deployment, but could run the script which it
received during GP refresh when network was available.
For some reason, some machines don't have full access to the
network at startup, but they do have access once a user logs in.
Thanks for any input.
The ipconfig posted earlier in this thread is still accurate, showing
no problems with the server or client who can't get GP at startup.
We
may learn more by looking at the USERENV verbose
logs.http://technet.microsoft.com/en-us/library/cc775423.aspx
The log file shows data for three user profiles: NetworkService,
LocalService, and the user profile I logged in with. During the
LocalService portion, I see a lot of these entries:
USERENV(3e4.3e8) 12:37:36:828 GetUserDNSDomainName: Domain name is
NT
Authority. No DNS domain name available.
When LocalService begins processing group policy, the log shows how
it
can't find the domain controller and quits (successfully??):
USERENV(3b8.270) 14:57:55:656 ProcessGPOs:
USERENV(3b8.270) 14:57:55:656 ProcessGPOs:
USERENV(3b8.270) 14:57:55:656 ProcessGPOs: Starting computer Group
Policy (Background) processing...
USERENV(3b8.270) 14:57:55:656 ProcessGPOs:
USERENV(3b8.270) 14:57:55:656 ProcessGPOs:
USERENV(3b8.270) 14:57:55:656 EnterCriticalPolicySectionEx: Entering
with timeout 600000 and flags 0x0
USERENV(3b8.270) 14:57:55:656 EnterCriticalPolicySectionEx: Machine
critical section has been claimed. Handle = 0x678
USERENV(3b8.270) 14:57:55:656 EnterCriticalPolicySectionEx: Leaving
successfully.
USERENV(3b8.270) 14:57:55:656 ProcessGPOs: Machine role is 2.
USERENV(3b8.270) 14:57:55:703 ProcessGPOs: The DC for domain AD-DEPT
is not available at startup. retrying
USERENV(3b8.270) 14:57:55:703 RetryDCContactAtMachineStartup: Enter.
USERENV(3b8.270) 14:57:55:703 RetryDCContactAtMachineStartup: Failed
to query GpNetworkStartTimeoutPolicyValue with 2, exit.
USERENV(3b8.270) 14:57:55:703 RetryDCContactAtMachineStartup: Exit
with status 1355.
USERENV(3b8.270) 14:57:55:703 ProcessGPOs: The DC for domain AD-DEPT
is not available after retries.
USERENV(3b8.270) 14:57:55:703 ProcessGPOs: The DC for domain AD-DEPT
is not available. aborting
USERENV(3b8.270) 14:57:55:703 ProcessGPOs: No WMI logging done in
this
policy cycle.
USERENV(3b8.270) 14:57:55:734 ProcessGPOs: Processing failed with
error 1355.
USERENV(3b8.270) 14:57:55:734 LeaveCriticalPolicySection: Critical
section 0x678 has been released.
USERENV(3b8.270) 14:57:55:734 ProcessGPOs: Computer Group Policy has
been applied.
USERENV(3b8.270) 14:57:55:734 ProcessGPOs: Leaving with 0.
USERENV(3b8.270) 14:57:55:734 ApplyGroupPolicy: Leaving successfully.
Further down the log, when I log in, the group policy processing
finds
the domain controller with no problem:
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs:
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs:
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs: Starting user Group Policy
(Background) processing...
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs:
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs:
USERENV(3b8.1b4) 15:06:41:781 EnterCriticalPolicySectionEx: Entering
with timeout 600000 and flags 0x0
USERENV(3b8.1b4) 15:06:41:781 EnterCriticalPolicySectionEx: User
critical section has been claimed. Handle = 0x76c
USERENV(3b8.1b4) 15:06:41:781 EnterCriticalPolicySectionEx: Leaving
successfully.
USERENV(3b8.1b4) 15:06:41:781 ProcessGPOs: Machine role is 2.
USERENV(3b8.1b4) 15:06:41:781 PingComputer: PingBufferSize set as
2048
USERENV(3b8.1b4) 15:06:41:813 PingComputer: Adapter speed 100000000
bps
USERENV(3b8.1b4) 15:06:41:813 PingComputer: First time: 0
USERENV(3b8.1b4) 15:06:41:813 PingComputer: Fast link. Exiting.
USERENV(3b8.1b4) 15:06:41:845 ProcessGPOs: User name is: CN=Cjg
Groups,OU=IT,OU=Dept Users and Computers,DC=ad-dept,DC=school,DC=edu,
Domain name is: AD-DEPT
USERENV(3b8.1b4) 15:06:41:845 ProcessGPOs: Domain controller is: \
\dept-files.ad-dept.school.edu Domain DN is ad-dept.school.edu
Is there any way to interpret this log to find out what the real
problem is? Thanks.
gigabit ethernet controller could not get networking during Windows
startup, but a trusty old Linksys LNE100TX 10/100 mbps card worked
perfectly. Problem is, a few machines in my office must have these
incompatible network cards (though most use the LNE100TX).
I should have listened to EventID.net in the first place. Their
articles mentioned disabling the Spanning Tree algorithm and enabling
Fast Link for gigabit ethernet. See these:
http://www.eventid.net/display.asp?eventid=1054&eventno=1393&source=Us
erenv&phase=1
http://www.eventid.net/display.asp?eventid=1003&eventno=1478&source=DH
CP&phase=1
They also mention DHCP Media Sensing.
http://support.microsoft.com/kb/239924
I tried forcing the card to 100 mbps full duplex and that didn't
help. I will try this step to see if the Eventlog errors go away.
Thanks to everyone for their help, even though the problem was
unrelated to our best efforts.
.
- Follow-Ups:
- Re: EventID 1054 from Userenv for startup script
- From: cjg . groups
- Re: EventID 1054 from Userenv for startup script
- References:
- Re: EventID 1054 from Userenv for startup script
- From: cjg . groups
- Re: EventID 1054 from Userenv for startup script
- Prev by Date: Re: GPO settings
- Next by Date: GPO order for software deployment and scripts
- Previous by thread: Re: EventID 1054 from Userenv for startup script
- Next by thread: Re: EventID 1054 from Userenv for startup script
- Index(es):
Relevant Pages
|
Loading
