Cisco VPN client install fails if GP is applied.
- The Network admin had been working on this problem of the VPN install failing for a couple of months when they asked me to look at the problem. I pretty quickly determined that if I put the computer in question (Vista SP1 in this case) in a test OU and block all inheritance, we can install without problems, and moving the computer back to the proper OU has no effect on functionality. So, Group Policy is breaking the install. Problem is, I can't figure out why. Default Domain policy breaks the install but I don't have much configured there. Password policies, Kerberos stuff, and some Firewall stuff to allow the techs to remote in to the clients. Some printer stuff on the user side but nothing that I can see that might prevent the VPN from being installed. Research reveals that the failure started happening after a schema update for the System Center Configuration Manager.
My question, beyond the obvious "has anyone had a similar experience", is: are there policies applied that are hidden from the GPM console?
Jim Carmichael MCITP-EA
Answers
It would appear that there can be hidden settings if the Policy object is corrupt. I can't be sure what caused it, but I know what fixed it. After recording all settings from the default domain policy object I restored the default settings via DcGPOFix. I then created a secondary GPO for some of the non default settings that I can apply along with the default (easier in case of future problems given that I was never able to ascertain the cause of the original problem).
This solved all of my problems.
Disclaimer: DcGPOFix is a tool of last resort. This utility is intended only for disaster recovery purposes.
Sorry it took so long to respond. I've been VERY busy at work.
Jim Carmichael MCITP-EA
- Marked As Answer by Mervyn Zhang (MSFT, Moderator), Friday, November 20, 2009 3:35 AM
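The procedure described in the answer above (record the settings, run DcGPOFix, move the non-default settings into a second GPO), written out as an added example that is not part of the original post. It assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 or later, or RSAT); the backup folder and the new GPO name are hypothetical.

```powershell
# Added example, not the poster's own commands.
# Assumes the GroupPolicy module; $BackupDir and $ExtraGpoName are hypothetical.
Import-Module GroupPolicy

$BackupDir    = 'C:\GPOBackup'
$ExtraGpoName = 'Domain Custom Settings'
# Well-known GUID of the Default Domain Policy (the same in every domain).
$DdpGuid      = '31B2F340-016D-11D2-945F-00C04FB984F9'
$Domain       = $env:USERDNSDOMAIN

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Record the current settings: a restorable backup plus a readable report.
Backup-GPO -Guid $DdpGuid -Path $BackupDir -Comment 'Before DcGPOFix' | Out-Null
Get-GPOReport -Guid $DdpGuid -ReportType Html -Path (Join-Path $BackupDir 'ddp-before.html')
[xml]$report = Get-GPOReport -Guid $DdpGuid -ReportType Xml

# 2. Look for signs of an inconsistent GPO before resetting it:
#    the AD and SYSVOL version counters should match on both sides.
$gpo = Get-GPO -Guid $DdpGuid
foreach ($side in 'Computer', 'User') {
    $v = $gpo.$side
    if ($v.DSVersion -ne $v.SysvolVersion) {
        Write-Warning "$side version mismatch: AD=$($v.DSVersion) SYSVOL=$($v.SysvolVersion)"
    }
}

#    Compare what the report lists with what is actually stored in SYSVOL;
#    files with no matching extension in the report deserve a closer look.
'Extensions listed in the GPO report:'
$report.GPO.Computer.ExtensionData | Where-Object { $_ } | ForEach-Object { "  Computer: $($_.Name)" }
$report.GPO.User.ExtensionData     | Where-Object { $_ } | ForEach-Object { "  User:     $($_.Name)" }
'Files present in the SYSVOL policy folder:'
Get-ChildItem "\\$Domain\SYSVOL\$Domain\Policies\{$DdpGuid}" -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object FullName, Length, LastWriteTime

# 3. Restore the Default Domain Policy to its defaults (the tool asks for confirmation).
dcgpofix /target:Domain

# 4. Create a separate GPO for the non-default settings and link it at the domain root.
$root = ([ADSI]'LDAP://RootDSE').defaultNamingContext
New-GPO -Name $ExtraGpoName | New-GPLink -Target "$root" -LinkEnabled Yes
```

Steps 1 and 2 only read and export; review their output before running steps 3 and 4, then re-enter the recorded non-default settings in the new GPO with the Group Policy editor.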
All Replies
- Hi Jim,
Please let us know the detailed VPN error message for research. Also, you may try to disable GPO Link one by one to narrow down the cause.
After finding the culprit GPO, link only this GPO to users, right-click Group Policy Results and follow the wizard to collect a report. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the report file and then give us the download address.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Mervyn,
Thanks for responding. I came in this morning to find that the hd in my desktop computer has died so I don't have access to all my notes right now. I will try to either get the error later today or just recreate it, but it is just a 5 digit error code accompanied by "your OS may be corrupt". I looked up the code and it is essentially that my OS might be corrupt. The problem occurs exclusively on any domain machine to which GP is applied so I do not believe that the OS is corrupt.
I have already reduced the problem to default domain policy and have stepped through the few settings that I have there removing them singly and in multiples to no result.
I will collect the result and post it anyway.
My question still stands, does Group Policy apply settings that do not show up in the GPMC? If so, I don't think they will show up in the report as I have already looked at it myself and I see nothing that isn't in the GP Editor. When I check for changes in the registry I am seeing changes that I don't understand (and can't access right now due to the problem of not having my own machine available till later today). Essentially, there are keys I am not familiar with added that consist of nothing but large blocks of hex. These changes occur with no other external change other than removing the block from the test container and allowing gp to apply only domain policy. In light of the problem starting in close correlation to the schema update for SCCM I am still inclined to suspect that there is a causal relationship there. What role might GP play in that relationship?
More info, since I neglected to post it originally.
Server 2008. Domain and forest levels 2008. SCCM schema update applied but SCCM is not fully implemented yet.
The problem occurs on both Vista and XP with no regard to user other than needing admin privileges to install software.
Jim Carmichael MCITP-EA
- The detailed error message:
Installer information dialog box
Error 27850. Unable to manage networking component.
Operating system corruption may be preventing installation.
Jim Carmichael MCITP-EA
- Hi,
All Group Policy settings show up in the GPMC. Please collect a copy of Group Policy Report. In GPMC, right-click Group Policy Results, choose Group Policy Results Wizard, follow the wizard to get a report of a problematic machine and use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.