 

Answered: Group Policy Preference - Not Applying to Windows XP SP3

  • Wednesday, 1 July 2009 17:32, Jackson Yeung
     
    Folks,

    I am new to Group Policy Preferences and having a difficult time getting them to work properly.

    Here's my setup:
    Windows XP SP3 clients (so my understanding is that it should have CSE installed)
    Windows 2003 SP2 - AD (Native Mode)
    Windows 2008 Server used to configure GPP

    > XP clients are in an OU that is linked to the GPO that has all the GPP settings.
    > Old-fashioned group policy settings work flawlessly (pre-2008)

    Here's my GPP settings (and problems):

    1. User Configuration\Preferences\Windows Settings\Registry
        - Action: Delete
        - Hive: HKEY_CURRENT_USER
        - Key Path: Software\Microsoft\Internet Explorer\Settings
        - Value name: <name of value that I want to delete>

        So, here's the problem: It's not deleting the reg_sz. I've also tried creating this pref in "Computer Configuration\.." and still no dice.

    2. User Configuration\Preferences\Windows Settings\Registry
        - Action: Create
        - Hive: HKEY_CURRENT_USER
        - Key Path: Software\Microsoft\Office\11.0\Outlook\Options\Mail
        - Value name: JunkMailImportLists
        - Value type: REG_DWORD
        - Value data: 1

        Similar problem: It's not creating the reg_dword. I've tried creating this pref in "Computer Configuration\.." and also, no dice.

    3. User Configuration\Preferences\Control Panel Settings\Scheduled Tasks
        - Immediate Task (Windows XP)
        - Run: regedit /s \\domain\NETLOGON\hkcu_script.reg
        - Common tab: Run in logged-on user's security context (user policy option). -> CHECKED

    So, here's the deal with this... because I couldn't get #1 or #2 to work, I thought to resort to the old-fashioned way of implementing this semi-scripted process. To my dismay, this scheduled task is also not being "pulled" down to my XP clients. I hate to do this with a startup or shutdown GPO which I know will work because I want this change to take effect immediately (or at the next GP refresh).

    Help! I've already spent too much time playing around with (eh-um, testing) this and I'm hoping someone else out there has encountered the similar problem and has a quick fix.

    Thanks in advance,
    Jackson

All replies

  • Wednesday, 1 July 2009 19:10, Darren Mar-Elia (MVP)
     
    SP3 does not have the GPP CSEs installed by default, AFAIK. So you might want to double-check that by looking in HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions. You should see a number of extension GUIDs that include the DLL name of gpprefcl.dll. If you don't, and if you only have a dozen or so GUID-named keys under that GPExtensions key, then the GPP CSEs are not installed.

    Darren
    Darren Mar-Elia MS-MVP, Group Policy
    www.gpoguy.com
    www.sdmsoftware.com - "The Group Policy Experts"
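
The registry check from the reply above as a script, added here as an example and not part of the original thread: it lists every client-side extension under GPExtensions whose DllName is gpprefcl.dll. It assumes PowerShell is available on the client and the standard key location, which is spelled with a space in `Windows NT`.

```powershell
# Added example: list Group Policy client-side extensions (CSEs) backed by gpprefcl.dll.
# Assumes the standard GPExtensions location (note the space in "Windows NT").
$gpExt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-GppCse {
    param([string]$Path = $gpExt)

    if (-not (Test-Path $Path)) {
        throw "GPExtensions key not found: $Path"
    }
    foreach ($key in Get-ChildItem -Path $Path) {
        $props = Get-ItemProperty -Path $key.PSPath
        # DllName may be stored as a bare file name or as a full path.
        if ($props.DllName -and $props.DllName -match 'gpprefcl\.dll$') {
            New-Object PSObject -Property @{
                Guid    = $key.PSChildName      # the CSE's GUID-named subkey
                Name    = $props.'(default)'    # friendly name, e.g. the extension title
                DllName = $props.DllName
            }
        }
    }
}

$gpp = @(Get-GppCse)
$all = @(Get-ChildItem -Path $gpExt)
"{0} CSEs registered, {1} of them use gpprefcl.dll" -f $all.Count, $gpp.Count

if ($gpp.Count -eq 0) {
    'GPP client-side extensions are not installed on this machine.'
} else {
    $gpp | Sort-Object Name | Format-Table Guid, Name, DllName -AutoSize
}
```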
  • Wednesday, 1 July 2009 20:43, Jackson Yeung
     
    Thanks Darren. Yes, you're right as I got it mixed up with XMLLite.  That said, I've checked and it is installed on all my systems. CSE is being pushed out to my clients via WSUS.

    Boy, I'd really love to get rid of startup/shutdown scripts and GPP seems to be the Holy Grail if I can get it to work properly.
  • Wednesday, 1 July 2009 21:20, gotsch-it
     
    Can you see any GPP activity in Application Eventlog?
    Every GPP item will log success or error here.
    The source name starts with "Group Policy..." and also includes the extension name (e.g. "Registry").

    If you see none of those, GPP is not running at all or there is nothing to be applied...
    Please double check GPP CSE installation, GPO filtering including user / computer addressing:
    You said the GPO is linked to OU with XP Clients but you use "User Configuration" based GPP items...
    this could be the cause for your "issue".

    If you see any errors or warnings in eventlog you should also get a hint to the problem.
    If that is not sufficient, you could also enable logging for the GPP extension. To do this,
    use a policy setting:
    [Computer Configuration\Policies\Administrative Templates\System\Group Policy\Logging and Tracing]
    After having enabled trace (Trace = ON, include ERROR/WARNING/INFO) restart client, log in and search for the log in
    "%SYSTEMDRIVE%\Documents and Settings\All Users\Application Data\GroupPolicy\Preference\Trace"
    Search the log for the name of your item.
    Patrick
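
The two checks described in the reply above, added here as an example and not part of the original thread: summarize Application-log events whose source starts with "Group Policy", then search the GPP trace folder for an item name. It assumes Windows PowerShell on the client and uses the value name from this thread as the search term.

```powershell
# Added example: look for GPP activity in the Application log and in the GPP trace files.
# $ItemName is the text to search for; here the value name from this thread.
$ItemName = 'JunkMailImportLists'
$TraceDir = "$env:SystemDrive\Documents and Settings\All Users\Application Data\GroupPolicy\Preference\Trace"

# 1. Events written by the GPP extensions: source names start with "Group Policy".
$events = @(Get-EventLog -LogName Application -Source 'Group Policy*' -Newest 200 -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    'No "Group Policy ..." events found: GPP is not running or there is nothing to apply.'
} else {
    # One row per extension and severity, e.g. "Group Policy Files, Warning".
    $events | Group-Object Source, EntryType |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # Show the most recent warnings and errors in full.
    $events | Where-Object { $_.EntryType -ne 'Information' } |
        Select-Object -First 10 TimeGenerated, Source, EntryType, Message |
        Format-List
}

# 2. Trace files, present only after tracing is enabled by policy and the client restarted.
if (Test-Path $TraceDir) {
    Get-ChildItem -Path $TraceDir |
        Where-Object { -not $_.PSIsContainer } |
        Select-String -SimpleMatch -Pattern $ItemName |
        Select-Object Filename, LineNumber, Line
} else {
    "Trace folder not found: $TraceDir"
}
```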
  • Wednesday, 1 July 2009 21:58, Jackson Yeung
     
    Hi Patrick,

    I checked the app log and filtered for "Group Policy Registry" and "Group Policy Scheduled Tasks" - both came up empty.

    I do see another GPP that was created for deleting executables from a folder. That does log a warning (and a different issue that I'll need to track down separately) under "Group Policy Files".

    So in short, GPP is being received by my client, just not processing them successfully.

    I will give enabling a try and see what that turns up.

    Thanks,
    Jackson
  • Wednesday, 1 July 2009 22:07, Jackson Yeung
     
    Please double check GPP CSE installation, GPO filtering including user / computer addressing:
    You said the GPO is linked to OU with XP Clients but you use "User Configuration" based GPP items...
    this could be the cause for your "issue".

    Patrick
    The way our domain is setup, we have clients in a workstations OU (we have a separate OU's for servers) and linked the GPO to this OU.

    As for the user configuration, my understanding is this will apply the gpp using the logged on user's credentials as opposed to the system's as in the case if the gpp settings were set under the "Computer Configuration". But in either case, I've tried the gpp in both locations without much success.
  • Wednesday, 1 July 2009 22:11, Jackson Yeung
     
    2. User Configuration\Preferences\Windows Settings\Registry
        - Action: Create
        - Hive: HKEY_CURRENT_USER
        - Key Path: Software\Microsoft\Office\11.0\Outlook\Options\Mail
        - Value name: JunkMailImportLists
        - Value type: REG_DWORD
        - Value data: 1

    Similar problem: It's not creating the reg_dword. I've tried creating this pref in "Computer Configuration\.." and also, no dice.


    Ok, so I should add that it does appear to be creating the reg value, just not in the specified hive. It created it under HKEY_USER hive with the same key path but unfortunately, the app does not appear to look for the value in there (only HKCU).

    Any ideas??
  • Friday, 3 July 2009 12:16, gotsch-it
     Answered
    Does that mean GPP is running, and the registry item is applied, but the result is not as expected?
    If this is the case, please enable GPP logging as I described it above.

    Concerning the user/machine behavior:
    If you set a policy or preference item within "User Configuration", but the GPO is applied only to AD computer objects,
    you will not see anything on the client.  "User Configuration" is applied for user objects only and vice versa ("Computer Configuration" for computer objects only).
    If your OU to which the GPO is linked does not contain the user object which is logging in to the client, none of the "User Configuration" settings will take effect.

    I just picked up the settings of your last post and created the GPP item in a GPO that is linked to my users OU and after the first GPO refresh the setting
    HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Mail\JunkMailImportLists is there with the DWORD value of 1.
    This means, in general it does work as expected.
    If you take into account what I wrote about users/computers and still it is not working, we will need the mentioned logfile to see what is going wrong.


    Patrick
    • Marked as answer by Jackson Yeung, Wednesday, 8 July 2009 17:46
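
The user/computer scoping rule from the answer above as a small model, added here as an example and not part of the original thread. It is deliberately simplified: OU links only (inherited by child OUs), with no security or WMI filtering, blocked inheritance, or loopback processing; the distinguished names are constructed.

```powershell
# Added example: which half of a GPO is processed for a given logon.
# Simplified model: OU links only; no filtering, blocked inheritance or loopback.
function Test-InScope {
    param([string]$ObjectDn, [string]$LinkedOuDn)
    # An object is in scope when it sits in the linked OU or in any OU below it.
    $ObjectDn.ToLower().EndsWith(',' + $LinkedOuDn.ToLower())
}

function Get-GpoHalvesApplied {
    param([string]$UserDn, [string]$ComputerDn, [string]$LinkedOuDn)
    New-Object PSObject -Property @{
        LinkedOu              = $LinkedOuDn
        # "User Configuration" follows the user object that logs on.
        UserConfiguration     = Test-InScope $UserDn $LinkedOuDn
        # "Computer Configuration" follows the computer object.
        ComputerConfiguration = Test-InScope $ComputerDn $LinkedOuDn
    }
}

# Constructed sample objects (names are assumptions, not taken from the thread).
$user     = 'CN=jdoe,OU=Users,DC=example,DC=local'
$computer = 'CN=XP-PC01,OU=Workstations,DC=example,DC=local'

# GPO with "User Configuration" items linked only to the workstations OU.
Get-GpoHalvesApplied $user $computer 'OU=Workstations,DC=example,DC=local'

# The same GPO linked to the users OU.
Get-GpoHalvesApplied $user $computer 'OU=Users,DC=example,DC=local'
```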
  • Wednesday, 8 July 2009 17:03, Jackson Yeung
     
    Concerning the user/machine behavior:
    If you set a policy or preference item within "User Configuration", but the GPO is applied only to AD computer objects,
    you will not see anything on the client.  "User Configuration" is applied for user objects only and vice versa ("Computer Configuration" for computer objects only).
    If your OU to which the GPO is linked does not contain the user object which is logging in to the client, none of the "User Configuration" settings will take effect.

    Hi Patrick,

    Hope you had a good 4th. Just got back in the office today and revisiting this issue. Thanks for your replies. I've created a new GPO w/ the GPP that is linked to my User OU and will see what that will do. The thing that is still slightly unclear for me is that I created the registry preference in "Computer Configuration" and applied it to my computer OU. In any case, I do see your point that this setting affects user objects only (HKCU) but I would have expected that the scheduled task to call a script would have run (I created an "Immediate Task (Windows XP)" in both the Computer Configuration and User Configuration); neither was created on my system or ran.

    In any case, I will let this new GPO run its course. In the meantime, I will enable logging as well.

    Thanks again,
    Jackson
  • Wednesday, 8 July 2009 18:41, Jackson Yeung
     

    So, it worked. After creating the GPO w/ the GPP setting under "User Configuration" and linking it to the "User" OU, the registry setting was pulled down immediately after a gpupdate /force.

    I'm still a little fuzzy on the fine line between Computer vs User configs but I will straighten myself out at a later time. I'm just glad this works. Props to you Patrick!