none
GP Preference Run Once doesn't apply to new profiles?

    Frage

  • I work for a corporate environment supporting multiple domains.

    Windows 2008 R2 DC and Windows 7 Clients (fully patched). Local User profiles with Folder Redirection.

    We set User Group Policy Preferences for Control Panel\Desktop Registry keys (Wallpaper, screensaver, etc) and then set to "Apply once and don't re-apply".

    For existing users the Group Policy applies the first time and the registry key is created in the users profile HKEY_CURRENT_USER\Software\Microsoft\Group Policy\Client\RunOnce so it won't apply again.

    The problem is with new profiles. The user logs in, the profile is created, the registry key for the Apply once and don't re-apply for the policies are created BUT NO actual preference settings apply on that first logon (even the ones that are not set to apply once). The preferences keys just don't get added or modified. It is like the profile is built after Group Policy Preference runs.

    If you delete the HKEY_CURRENT_USER\Software\Microsoft\Group Policy\Client\RunOnce manually and do GPUpdate then the preferences apply fine.

    Also all those preferences set to apply every time will apply at the next logon.

    The problem is that the "Apply once and don't re-apply" are flagged that they have applied with they have NOT applied due to the profile creation not applying preferences on first logon.

    I did find a Hotfix KB2284538 but the .dll version in the hotfix is two years older than the one we are using so it doesn't apply. 

    Our DLL is gpprefcl.dll Version 6.1.7601.22249

    Any ideas even for a work-around. We need these settings to apply, but only once, so users can change them.

    I think we have narrowed it down to the fact that Microsoft runs Active Setup for new user profiles AFTER User Group Policy which is so ridiculous. It means that Active Setup Overwrites Group Policy Preference files.  I verified by watching it remotely. The user logs in, the settings are set, and then Active Setup deletes them.

     

    lforbes



    • Bearbeitet lforbes Freitag, 19. Juli 2013 20:37
    Freitag, 19. Juli 2013 18:08

Alle Antworten

  • Hi,

    Thanks for your posting.

    Please post the gpresult to here.

    Meanwhile, hope this article helps:

    http://blog.stepneymarsh.com/2010/02/group-policy-preferences-options.html

    Regards.


    Vivian Wang
    TechNet Community Support

    Dienstag, 23. Juli 2013 08:54
  • So the Preferences Apply but are immediately overwritten by "Microsoft building" the profile with their defaults which is NO screen saver (how insecure is that) and the default Windows wallpaper.

    I loaded the Registry remotely and watched the process as a user logged in.

    I logon as the user and then watch the ntuser.dat. It starts as the 512kb file and then the key for Control Panel has all my settings set in Preferences.

    I refresh and boom, they are all REPLACED by Microsoft Defaults and the ntuser.dat goes up to 724.

    This doesn't happen with XP because the profile is built right from the Default User.

    So how silly is that? Microsoft "Active Setup" overwriting Group Policy Preferences because the preferences are applied BEFORE the profile is completely built.

    This is a big BUG. It means that no Theme based policies OR preferences apply on the first logon (how insecure is that) and that the "run once and don't reapply" doesn't work with ANY Theme based preferences for new profiles.


    lforbes

    Mittwoch, 24. Juli 2013 01:44
  • Hi,

    Thanks for your response.

    User profiles that are created with Windows Server 2003 or Windows XP are not compatible with Windows 7.

    For more and detail information, please refer to :

    What's New in Folder Redirection and User Profiles

    http://technet.microsoft.com/en-us/library/ff458273(v=ws.10).aspx

    Regards.

     


    Vivian Wang
    TechNet Community Support

    Montag, 29. Juli 2013 06:44
  • Hi,

    Thanks for your response.

    User profiles that are created with Windows Server 2003 or Windows XP are not compatible with Windows 7.

    For more and detail information, please refer to :

    What's New in Folder Redirection and User Profiles

    http://technet.microsoft.com/en-us/library/ff458273(v=ws.10).aspx

    Regards.

    Vivian Wang

    What does Windows 2003 or Windows XP have to do with the original question?

    In fact I was very clear when I said Windows 7 LOCAL profiles.

    I am no longer using Windows XP. We have upgraded to Windows 7. With Windows XP the preferences applied just fine. With Windows 7 because the Active Setup is run after the preferences, it is not working


    lforbes


    • Bearbeitet lforbes Montag, 29. Juli 2013 19:57 update
    Montag, 29. Juli 2013 19:49
  • IIRC (I'm on vacation) I worked around that issue by using ILT. When Windows creates the profile at first logon it writes a default path in the registry (to the wallpaper for instance) and as you have discovered, this is after the GPP with the custom registry path is executed, so it is effectively overwritten. By configuring an ILT condition that the default registry path should exist, the GPP will not execute before the condition is fulfilled even if it is set to "Apply once..." This is the setting we use, our users should be able to change the wallpaper if they like.

    Of course the custom wallpaper will not appear until the second logon, but that is good enough in my environment.

    Regards
    Rolf Lidvall
    Swedish Radio (Ltd)




    • Bearbeitet Rolf Lidvall Dienstag, 30. Juli 2013 19:51 append2
    Dienstag, 30. Juli 2013 18:01
  • I have seen this issue with a few other profile settings (such as IE). Our solution was to configure these options with Group Policy Administrative Templates. You could also try importing the registry keys with a logon script. Have the logon script sleep for a few minutes until Active Setup finishes. 

    If my answer helped you, check out my blog: DeployHappiness. Subscribe by RSS or email. 

    Dienstag, 30. Juli 2013 18:24
  • IIRC (I'm on vacation) I worked around that issue by using ILT. When Windows creates the profile at first logon it writes a default path in the registry (to the wallpaper for instance) and as you have discovered, this is after the GPP with the custom registry path is executed, so it is effectively overwritten. By configuring an ILT condition that the default registry path should exist, the GPP will not execute before the condition is fulfilled even if it is set to "Apply once..." This is the setting we use, our users should be able to change the wallpaper if they like.

    Of course the custom wallpaper will not appear until the second logon, but that is good enough in my environment.

    Regards
    Rolf Lidvall
    Swedish Radio (Ltd)





    I did try the Item Level Targeting but with the run once and don't reapply it only checks for the item (registry key) once and then says it looked, says the policy applied and doesn't reapply. The only work around I found is to create an Active Setup to delete the Run Once key after the rest have executed.

    lforbes

    Dienstag, 30. Juli 2013 22:21