Policy applied is ghost. Where's it cached?

-
I know lengthy posts don’t get much response, because of the intense focus required on the reader’s part, to fully understand the situation presented. I’ll try my best to be to the point here. Domain names and IP schema are not the actual ones in use presented here, for obvious reasons.
Lab setup: Server 2008R2 domain controller set up as test.local domain. This PDC also has WSUS installed. Workstations are not joined to the test domain, and I use a wsus.reg file that I merge in the workstation registry to get it to point at the test.com WSUS. When setting up new workstations, this saves a ton of time getting them up to date before deploying them to the production domain.
Production setup: Server 2012R2 Standard as PDC. This server has AD, DNS, DHCP and Group Policy Management roles.
Domain has mix of Win 7 Pro and Win 8.1 Pro.
Also have a Server 2008R2 Standard member server joined to the domain. The 2008R2 server does NOT have AD installed. It’s joined to the domain no differently than the workstations are. The 2008R2 server has WSUS installed, along with RD Gateway all configured with a certificate for remote access, and was the very last computer to be joined to the domain.
Problem: I have a WSUS policy on the PDC that directs workstations to point to the 2008R2 server for their WSUS updates. But the distribution of this policy is the weirdest thing I’ve ever seen. If I remove the policy (by remove, I mean delete it from existence in its entirety) then nothing is distributed to the workstations. On any workstation I can check the registry at HKLM/Software/Policies/Microsoft/Windows and the WindowsUpdate key is not there as expected. Starting the Windows Update applet in control panel shows that it gets updates from the MS site. All as expected.
However, when I create and implement the policy to point to my WSUS server in the production environment, policy distribution “appears” to occur because the WindowsUpdate key appears in the registry as it should. HOWEVER (and this is the weird part) the values of the WUServer and WUStatusServer show it pointing to the WSUS server in the lab. Completely different IP address! This occurs on about 10 workstations, a mix of Win 7 and 8.1.
I’ve deleted the policy, rebooted all servers and workstations, recreated policies, ran gpupdate /force until my fingers hurt, and I just can’t seem to get it to point to anything but the production server which is in another city 15 miles away with no physical connection of any type, in any way, form or fashion to the test lab setup. Where is this cached at on the workstations? Note that all of these computers have been reloaded from the ground up within the last month or so. So this is in effect, a “new” production network in every sense of the word.
Answers
-
Okay, I've got the problem solved. Seems the cause was "user error" whereas I had forgotten a very basic GPO fundamental. I'll repeat it here for the sake of others, as I've seen a few other posts in this forum with the same problem as me, just with different policies.
The order in which policies are applied does matter. Machine/Computer policies need to be applied before user policies. Since my WSUS policy is a machine/computer policy, when it's listed last among my 9 policies, it will not get applied. If it does get applied, then either it's not applied correctly, or I just get lucky. Since machine policies are applied on boot and user policies applied on login, by having the WSUS machine policy last it was either not being applied at all on user login, or was applied incorrectly using cached information from somewhere in la-la land.
When I grouped my policies it was more than just making machine policies first in the order of application too. Policies need to be applied in the order they appear in the policy template. I have 5 computer policies. Since the WSUS policy is actually the last policy in the Computer Configuration container of the template, I made it the 5th policy applied in the policy application order list of the GUI.
Same rule holds true for user policies. User policies should be applied after machine policies, and those user policies should be applied in the order they are in the Users Configuration section of the policy template.
Once I did all this, not only were all policies applied correctly every time on every computer, I also had two more computers pop up in the WSUS Console this morning, that I was totally unaware of having this issue, due to my focus on the 10 other computers I was aware of.
Much thanks to DonPick for helping me get my head straight. This was a case of I couldn't see the forest because the trees were in the way. A return to the simple basics of GPO fundamentals is all that was needed to figure this out and fix it.
- Marked as answer by Carl1959 Saturday, May 21, 2016 5:16 PM
All replies
-
So, when you create and link a GPO, what actually arrives at the scoped client machine, is different from what you've configured within the GPO?
At an affected client machine (use Win8.1 for this if you can, because it will show you more detail than Win7), do a gpresult /h blah.html
Open the html file in IE and look for anomalies.
Domain Group Policy (assuming you're using the classic Admin Templates methods and not GPP) mainly consists of .POL files, which are delivered to the client and are merged during the GP processing by the CSE's at the client.
You can sometimes find that stale .POL files might get left behind, from a previous configuration, and this can throw weird symptoms.
Or, there might be some AD replication or SYSVOL replication issues, such that the Domain GP creation process is not correctly completing (or it could be getting interference from some "security" product)
When you are "deleting" and "creating" the Domain GP, are you doing that via GPMC/GPME, or are you using some scripting or import/export tools?
Don [doesn't work for MSFT, and they're probably glad about that ;]
-
Yes. On the workstation I delete the WSUS entries in the registry manually. Then I reboot the computer so that the policy from the production server will be applied. However, it appears as if the workstation "magically" gets the policy settings from the test server in the lab 15 miles away (which is physically impossible - so it has to be magic. :)) But just to reiterate as a reminder, if I delete the policy from the production server entirely, then no WSUS policy is applied to any workstation on the domain. I put the policy back, and it's successfully applied to every workstation on the domain, with 10 of the workstations pointing to the test WSUS server in the lab, which is 15 miles away and not connected to the production domain in any way, form or fashion.
Did a gpresult /v on a Win 7 machine (Win 8.1 not available to me for this at the moment) and there's nothing "abnormal" that jumps out at me - other than the fact it's setting the WSUS server in the registry to the WSUS server in the lab 15 miles away. The results file is at the end of this post, for your review. Note that computer names, domain names and such have been changed from what they "really" are, for obvious reasons.
As for policy templates, I've honestly no clue what you're talking about with admin templates method and GPP. I'm using whatever is installed by default in WinServer 2008R2 Std when you add the group policy role.
I'm not sure what .POL files are (other than the fact that .POL is short for policy) and a search of the workstation hard drive reveals no files with a .pol filename extension. However, there are a fair number of java.policy files that I don't think relate to this issue.
I'm not following you clearly on your reference to replication or SYSVOL replication issues. All 24 computers use the same common login username of DOMAIN\USER (not the real one of course), yet only about 10 of the computers have this specific issue, and only with this specific policy. All other policies are applied and implemented just fine.
When I'm deleting/creating the policies in the production domain, I'm using the GUI provided for policy management in the administrative tools applet of Control Panel on the Server 2012R2 Std domain controller.
I'm by no means an expert when it comes to GPOs, yet I do have what I consider to be a deeply clear understanding of how to "manage" them. But when it comes to dealing with issues such as this, Sheldon Cooper knows more about social skills than I do about the inner workings of GPO. That's why I suspect these 10 computers are pulling the policy from a local cache, and calling that "good/applied successfully", when it needs to be pulling from the actual server itself. If my suspicions are correct, then all I need to know is where this secret cache location is, so I can clear it.
Of course, knowing how MS does things, it won't be this simple, right? So I greatly appreciate you taking the time to address this with me.
For the below results file, (so you can better understand it) I have a custom group in AD called "WSUS Computers" and only the domain computers are in this group. No, I am not using targeting either. Here's the results file. The results file is broken up in separate posts, since I'm limited to 6000 characters.
-
Created On 5/20/2016 at 10:05:12 PM
RSOP data for DOMAIN\user on MYCOMPUTER : Logging Mode
-----------------------------------------------------------
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\user
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=MYCOMPUTER,CN=Computers,DC=DOMAIN,DC=LOCAL
Last time Group Policy was applied: 5/20/2016 at 10:01:30 PM
Group Policy was applied from: DOMAINSERVER.DOMAIN.LOCAL
Group Policy slow link threshold: 500 kbps
Domain Name: DOMAIN
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
WSUS Policy
MSE Policy
Workstation Restart Policy
Windows Defender Policy
Remote Users Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
IE Policy
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
IIS_WPG
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
MYCOMPUTER$
WSUS Computers
Domain Computers
Authentication authority asserted identity
System Mandatory Level
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 4294967295
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: N/A
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: N/A
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 24
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 6
Audit Policy
------------
N/A
User Rights
-----------
N/A
Security Options
----------------
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: LSAAnonymousNameLookup
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: @wsecedit.dll,-59058
ValueName: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Computer Setting: 1
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
GPO: Remote Users Policy
Groupname: Remote Desktop Users
Members: DOMAIN\user
DOMAIN\rbeckett
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AcceptTrustedPublisherCerts
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\IncludeRecommendedUpdates
Value: 1, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
Value: 0, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\DisableRemovableDriveScanning
Value: 0, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\EnableFeaturedSoftware
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\UseWindowsUpdate
State: disabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 55, 0, 50, 0, 46, 0, 50, 0, 48, 0, 46, 0, 54, 0, 53, 0, 46, 0, 50, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\DisableEmailScanning
Value: 0, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\DisableArchiveScanning
Value: 0, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\AllowPause
Value: 1, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\ScheduleTime
Value: 236, 4, 0, 0
State: Enabled
GPO: Default Domain Policy
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\RepairContentServerSource
Value: 2, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootWarningTimeout
Value: 15, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Signature Updates\ScheduleTime
Value: 176, 4, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\2
Value: 2, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\DisableRestorePoint
Value: 0, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
Value: 4, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\CheckForSignaturesBeforeRunningScan
Value: 1, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\AvgCPULoadFactor
Value: 100, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Quarantine\PurgeItemsAfterDelay
Value: 5, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\1
Value: 2, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\DisableOSUpgrade
Value: 1, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\ScheduleDay
Value: 0, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\AvgCPULoadFactor
Value: 95, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\DisableCatchupFullScan
Value: 0, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 55, 0, 50, 0, 46, 0, 50, 0, 48, 0, 46, 0, 54, 0, 53, 0, 46, 0, 50, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AlwaysAutoRebootAtScheduledTimeMinutes
Value: 15, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\DisableRoutinelyTakingAction
Value: 0, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\PurgeItemsAfterDelay
Value: 7, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AutomaticMaintenanceEnabled
Value: 1, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\DisableCatchupQuickScan
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
Value: 0, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Signature Updates\DisableScheduledSignatureUpdateOnBattery
Value: 0, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\SpyNet\SpyNetReporting
Value: 2, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Remediation\Scan_ScheduleTime
Value: 236, 4, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\ScheduleTime
Value: 44, 1, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\ArchiveMaxDepth
Value: 20, 0, 0, 0
State: Enabled
-
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Signature Updates\ScheduleDay
Value: 0, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Remediation\Scan_ScheduleDay
Value: 0, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\CheckForSignaturesBeforeRunningScan
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime
Value: 23, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableOnAccessProtection
Value: 0, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\DisableCatchupFullScan
Value: 1, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\ScanOnlyIfIdle
Value: 0, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan
Value: 0, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting
Value: 2, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\ScanParameters
Value: 2, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequencyEnabled
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ElevateNonAdmins
Value: 1, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\UX Configuration\DisablePrivacyMode
Value: 1, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\ScanOnlyIfIdle
Value: 0, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\4
Value: 2, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\ScanParameters
Value: 2, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates
Value: 1, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Signature Updates\SignatureUpdateInterval
Value: 6, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Signature Updates\ForceUpdateFromMU
Value: 0, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\DisableRemovableDriveScanning
Value: 0, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootWarningTimeoutEnabled
Value: 1, 0, 0, 0
State: Enabled
GPO: Windows Defender Policy
KeyName: Software\Policies\Microsoft\Windows Defender\Scan\DisableRestorePoint
Value: 0, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIOAVProtection
Value: 0, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AlwaysAutoRebootAtScheduledTime
Value: 1, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Scan\ScheduleDay
Value: 0, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\5
Value: 2, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay
Value: 0, 0, 0, 0
State: Enabled
GPO: MSE Policy
KeyName: Software\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableRealTimeMonitoring
Value: 0, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequency
Value: 1, 0, 0, 0
State: Enabled
USER SETTINGS
--------------
CN=JVC User,OU=Active Business Users,DC=DOMAIN,DC=LOCAL
Last time Group Policy was applied: 5/20/2016 at 10:02:55 PM
Group Policy was applied from: DOMAINSERVER.DOMAIN.LOCAL
Group Policy slow link threshold: 500 kbps
Domain Name: DOMAIN
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Folder Redirection Policy
IE Policy
Block Google Chrome Policy
Desktop Background Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Windows Defender Policy
Filtering: Not Applied (Empty)
WSUS Policy
Filtering: Denied (Security)
Local Group Policy
Filtering: Not Applied (Empty)
MSE Policy
Filtering: Not Applied (Empty)
Remote Users Policy
Filtering: Denied (Security)
Workstation Restart Policy
Filtering: Denied (Security)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
BUILTIN\Administrators
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Admins
Desktop Background Group
Redirected Folders Group
Authentication authority asserted identity
Denied RODC Password Replication Group
High Mandatory Level
The user has the following security privileges
----------------------------------------------
Bypass traverse checking
Shut down the system
Remove computer from docking station
Increase a process working set
Change the time zone
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Create symbolic links
Resultant Set Of Policies for User
-----------------------------------
Software Installations
----------------------
N/A
Logon Scripts
-------------
GPO: Folder Redirection Policy
Name: regedit.exe
Parameters: /s offlinefiles.reg
LastExecuted: 2:02:57 AM
Logoff Scripts
--------------
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\Description
Value: 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\Description
Value: 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f49a403b-5889-4eea-9ec7-755cfc3cf7da}\Description
Value: 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\SaferFlags
Value: 0, 0, 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{b9724719-9893-49a7-9f7f-5c118887ae0b}\SaferFlags
Value: 0, 0, 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope
Value: 0, 0, 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{1eba8a10-699e-4428-9b7c-870194ed661b}\Description
Value: 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel
Value: 0, 0, 4, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f05b1eb1-8e51-4c54-8305-9099b70b1ac6}\SaferFlags
Value: 0, 0, 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f49a403b-5889-4eea-9ec7-755cfc3cf7da}\SaferFlags
Value: 0, 0, 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{b9724719-9893-49a7-9f7f-5c118887ae0b}\Description
Value: 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
Value: 1, 0, 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\SaferFlags
Value: 0, 0, 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{1eba8a10-699e-4428-9b7c-870194ed661b}\SaferFlags
Value: 0, 0, 0, 0
State: Enabled
GPO: Desktop Background Policy
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System\WallpaperStyle
Value: 52, 0, 0, 0
State: Enabled
GPO: IE Policy
KeyName: Software\Policies\Microsoft\Internet Explorer\Main\Start Page
Value: 104, 0, 116, 0, 116, 0, 112, 0, 115, 0, 58, 0, 47, 0, 47, 0, 119, 0, 119, 0, 119, 0, 46, 0, 103, 0, 111, 0, 111, 0, 103, 0, 108, 0, 101, 0, 46, 0, 99, 0, 111, 0, 109, 0, 47, 0, 63, 0, 103, 0, 119, 0, 115, 0, 95, 0, 114, 0, 100, 0, 61, 0, 115, 0, 115, 0, 108, 0, 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f05b1eb1-8e51-4c54-8305-9099b70b1ac6}\ItemData
Value: 103, 0, 101, 0, 97, 0, 114, 0, 115, 0, 45, 0, 99, 0, 104, 0, 114, 0, 111, 0, 109, 0, 101, 0, 45, 0, 111, 0, 112, 0, 116, 0, 46, 0, 109, 0, 115, 0, 105, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
KeyName: Software\Policies\Microsoft\Windows\Explorer\PowerButtonAction
Value: 1, 0, 0, 0
State: Enabled
GPO: Desktop Background Policy
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper
Value: 92, 0, 92, 0, 106, 0, 118, 0, 104, 0, 115, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 92, 0, 100, 0, 101, 0, 115, 0, 107, 0, 116, 0, 111, 0, 112, 0, 92, 0, 105, 0, 109, 0, 97, 0, 103, 0, 101, 0, 46, 0, 106, 0, 112, 0, 103, 0, 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f05b1eb1-8e51-4c54-8305-9099b70b1ac6}\Description
Value: 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{1eba8a10-699e-4428-9b7c-870194ed661b}\ItemData
Value: 99, 0, 104, 0, 114, 0, 111, 0, 109, 0, 101, 0, 115, 0, 101, 0, 116, 0, 117, 0, 112, 0, 46, 0, 101, 0, 120, 0, 101, 0, 0, 0
State: Enabled
GPO: Block Google Chrome Policy
KeyName: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f49a403b-5889-4eea-9ec7-755cfc3cf7da}\ItemData
Value: 99, 0, 104, 0, 114, 0, 111, 0, 109, 0, 101, 0, 46, 0, 101, 0, 120, 0, 101, 0, 0, 0
State: Enabled
GPO: IE Policy
KeyName: Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
Value: 1, 0, 0, 0
State: Enabled
Folder Redirection
------------------
GPO: Folder Redirection Policy
KeyName: InstallationType: basic
Grant Type: Exclusive Rights
Move Type: Contents of Local Directory moved
Policy Removal: Leave folder in existing location
Redirecting Group: N/A
Redirected Path: \\DOMAINserver\RedirectedFolders$\%USERNAME%\Documents
-
Yes. On the workstation I delete the WSUS entries in the registry manually.
Then I reboot the computer so that the policy from the production server will be applied.
However, it appears as if the workstation "magically" gets the policy settings from the test server in the lab 15 miles away (which is physically impossible - so it has to be magic. :))
But just to reiterate as a reminder, if I delete the policy from the production server entirely, then no WSUS policy is applied to any workstation on the domain.
I put the policy back, and it's successfully applied to every workstation on the domain, with 10 of the workstations pointing to the test WSUS server in the lab, which is 15 miles away and not connected to the production domain in any way, form or fashion.
Hmm. Generally, and, by default, once a "classic" Admin Templates-based Domain GP (i.e. a nice simple one which merely pokes in some registry keys/values like this one) has been applied, it isn't re-asserted.
So the first thing which seems odd to me, is that when you manually delete the reg keys, that a reboot is repopulating those keys. That doesn't typically happen. There are ways to cause that to happen, but I'm not seeing any of those methods in your gpresult output.
I suspect there's something going on outside of Domain GP's direct/obvious influence.
I can see a user logon script, named "folder redirection", but it looks to be doing a regedit regfile merge. It could be some errant keys/values in that file, or, something else is in play, which isn't showing in your output so I don't think it's GP doing the deed.
Logon Scripts
-------------
GPO: Folder Redirection
Policy Name: regedit.exe
Parameters: /s offlinefiles.reg
LastExecuted: 2:02:57 AM
Are there any other things on these machines, like a scheduled task, script, something in the Run keys in registry, or some other software product running on the machines which could be "injecting" the incorrect values?
Does the Windows event log(s) show anything launching or occurring at/around the bootup time?
Don [doesn't work for MSFT, and they're probably glad about that ;]
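Added example, not part of the thread: gpresult /v prints each Administrative Templates value as comma-separated bytes, so the WUServer URL in the posted output cannot be read at a glance. This Python sketch decodes those entries (tolerating entries run together on one line) and reports which GPO supplies WUServer/WUStatusServer and whether it matches an expected URL; `EXPECTED_URL` and the function names are placeholders chosen for illustration.

```python
import re

# Excerpt in the shape of the gpresult /v output posted in this thread,
# including entries run together on one line ("State: EnabledGPO: ...").
SAMPLE = r"""
Administrative Templates
------------------------
GPO: Default Domain Policy
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\UseWindowsUpdate
State: disabledGPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
Value: 1, 0, 0, 0
State: EnabledGPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 55, 0, 50, 0, 46, 0, 50, 0, 48, 0, 46, 0, 54, 0, 53, 0, 46, 0, 50, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
GPO: WSUS Policy
KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 55, 0, 50, 0, 46, 0, 50, 0, 48, 0, 46, 0, 54, 0, 53, 0, 46, 0, 50, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
USER SETTINGS
--------------
"""

# Placeholder for the WSUS URL the production GPO is supposed to deliver.
EXPECTED_URL = "http://wsus.example.internal:8530"

# Field labels are matched anywhere, not only at line start, so a label
# glued to the previous value ("EnabledGPO:") still starts a new entry.
FIELD = re.compile(r"(GPO|KeyName|Value|State):[ \t]*")
WU_KEY = r"software\policies\microsoft\windows\windowsupdate"


def parse_entries(text):
    """Return one dict per registry-policy entry (GPO, KeyName, Value, State)."""
    parts = FIELD.split(text)
    entries, cur = [], None
    for label, raw in zip(parts[1::2], parts[2::2]):
        lines = raw.strip().splitlines()
        val = lines[0].strip() if lines else ""  # drop trailing section text
        if label == "GPO":
            if cur and "KeyName" in cur:
                entries.append(cur)
            cur = {"GPO": val}
        elif cur is not None:
            cur[label] = val
    if cur and "KeyName" in cur:
        entries.append(cur)
    return entries


def decode_value(raw):
    """Decode a gpresult byte list. gpresult does not print the registry
    type, so this assumes: 4 bytes = little-endian DWORD, an even-length
    list ending in 0,0 = UTF-16LE string; anything else is returned as hex."""
    if not raw:
        return None
    try:
        data = bytes(int(x) for x in raw.split(","))
    except ValueError:
        return None
    if len(data) == 4:
        return int.from_bytes(data, "little")
    if len(data) % 2 == 0 and data[-2:] == b"\x00\x00":
        try:
            return data[:-2].decode("utf-16-le")
        except UnicodeDecodeError:
            pass
    return data.hex()


def wsus_settings(entries):
    """Map WUServer / WUStatusServer to (source GPO, decoded URL)."""
    found = {}
    for e in entries:
        key, _, name = e["KeyName"].rpartition("\\")
        if key.lower() == WU_KEY and name in ("WUServer", "WUStatusServer"):
            found[name] = (e["GPO"], decode_value(e.get("Value", "")))
    return found


def _norm(url):
    return url.rstrip("/").lower() if isinstance(url, str) else url


def mismatches(entries, expected_url):
    """Return the WSUS settings whose URL differs from the expected one."""
    return {n: v for n, v in wsus_settings(entries).items()
            if _norm(v[1]) != _norm(expected_url)}


if __name__ == "__main__":
    for name, (gpo, url) in wsus_settings(parse_entries(SAMPLE)).items():
        print(f"{name}: {url} (from GPO '{gpo}')")
    print("mismatches:", mismatches(parse_entries(SAMPLE), EXPECTED_URL))
```

Run against a saved `gpresult /v` capture from an affected and an unaffected workstation, the output shows which GPO each machine attributes the URL to.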
-
As for policy templates, I've honestly no clue what you're talking about with admin templates method and GPP. I'm using whatever is installed by default in WinServer 2008R2 Std when you add the group policy role.
You can see in the gpresult output, that GP is categorised or classified into several different sub-types, one of which, is Administrative Templates. (GPP i.e. Group Policy Preferences, is a different type/method. I can't recall if GPP methods are revealed by gpresult /v, which is why I suggested to use gpresult /h)
GPP, when used in conjunction with classic GP, can end up in overlapping settings, leading to confusion ;)
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
<stuff>
Audit Policy
------------
N/A
User Rights
-----------
N/A
Security Options
----------------
<stuff>
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
<stuff>
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
<your WU/WSUS settings stuff etc>
Don [doesn't work for MSFT, and they're probably glad about that ;]
-
I'm not following you clearly on your reference to replication or SYSVOL replication issues. All 24 computers use the same common login username of DOMAIN\USER (not the real one of course), yet only about 10 of the computers have this specific issue, and only with this specific policy. All other policies are applied and implemented just fine.
If you have more than one single Domain Controller, the DC's will be replicating between each other, to provide you with redundancy and availability for your AD.
Domain Group Policy (as distinct from Local Group Policy), is composed of several different component blobs of goop, some of which is stored within the AD (and so is replicated along with that goop), and the other bits of GP are files which are stored in a share on the DC, named SYSVOL.
SYSVOL is replicated across the DC's using either FRS or DFS-R.
For Domain GP to work correctly, when you create or modify a GPO, the blobs of goop which comprise the GPO need to be replicated across all DC's for consistent GP processing. So, if these replication services are unhealthy, you will have inconsistency and therefore unpredictable outcomes.
Don [doesn't work for MSFT, and they're probably glad about that ;]
-
I think you got me pointed in the right direction now. I've a total of nine policies (ten if you include the default domain policy, which I always never touch). I disabled 8 of the policies, leaving only my WSUS policy active. Rebooted a workstation, and the WSUS policy was applied correctly.
Apparently, this has something to do with the order in which policies are applied. My WSUS policy was next to last in my list. So I'm moving it to the top as number 2, (I leave default domain policy at the top, as always) then start enabling policies one at a time to see what happens.
I'll post back later in the day and let you know what I find.
-
When I'm deleting/creating the policies in the production domain, I'm using the GUI provided for policy management in the administrative tools applet of Control Panel on the Server 2012R2 Std domain controller.
(there are lots of ways to do things with Windows, including plenty of "unsupported" ways, out there in the real world ;)
Don [doesn't work for MSFT, and they're probably glad about that ;]
-
Okay, I've got the problem solved. Seems the cause was "user error" whereas I had forgotten a very basic GPO fundamental. I'll repeat it here for the sake of others, as I've seen a few other posts in this forum with the same problem as me, just with different policies.
The order in which policies are applied does matter. Machine/Computer policies need to be applied before user policies. Since my WSUS policy is a machine/computer policy, when it's listed last among my 9 policies, it will not get applied. If it does get applied, then either it's not applied correctly, or I just get lucky. Since machine policies are applied on boot and user policies applied on login, by having the WSUS machine policy last it was either not being applied at all on user login, or was applied incorrectly using cached information from somewhere in la-la land.
When I grouped my policies it was more than just making machine policies first in the order of application too. Policies need to be applied in the order they appear in the policy template. I have 5 computer policies. Since the WSUS policy is actually the last policy in the Computer Configuration container of the template, I made it the 5th policy applied in the policy application order list of the GUI.
Same rule holds true for user policies. User policies should be applied after machine policies, and those user policies should be applied in the order they are in the Users Configuration section of the policy template.
Once I did all this, not only were all policies applied correctly every time on every computer, I also had two more computers pop up in the WSUS Console this morning, that I was totally unaware of having this issue, due to my focus on the 10 other computers I was aware of.
Much thanks to DonPick for helping me get my head straight. This was a case of I couldn't see the forest because the trees were in the way. A return to the simple basics of GPO fundamentals is all that was needed to figure this out and fix it.
- Marked as answer by Carl1959 Saturday, May 21, 2016 5:16 PM
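A check for the symptom discussed in this thread, as an added example that is not part of any post: it reads WUServer and WUStatusServer from the policy key named in the question and compares them with the WSUS URL you expect. The expected URL, the sample rows and the function names are assumptions made for illustration.

```powershell
# Added example: audit the WSUS pointer that policy wrote on a workstation.
$ExpectedUrl = 'http://wsus.example.local:8530'   # placeholder: your production WSUS URL
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ValueNames  = 'WUServer', 'WUStatusServer'

function Get-WsusPolicyValues {
    # Read both values from the policy key; a missing key yields an empty table.
    param([string]$Path)
    $values = @{}
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($name in $ValueNames) { $values[$name] = $props.$name }
    }
    return $values
}

function Test-WsusPolicy {
    # Classify each value as OK, Mismatch (points elsewhere) or Missing.
    param([string]$ComputerName, [hashtable]$Values, [string]$ExpectedUrl)
    foreach ($name in $ValueNames) {
        $actual = $Values[$name]
        $state = if (-not $actual) { 'Missing' }
                 elseif ($actual.TrimEnd('/') -ieq $ExpectedUrl.TrimEnd('/')) { 'OK' }
                 else { 'Mismatch' }
        New-Object PSObject -Property @{
            Computer = $ComputerName; Value = $name; Actual = $actual; State = $state
        } | Select-Object Computer, Value, Actual, State
    }
}

# Constructed sample rows (not real hosts): correct, wrong server, no policy key.
$sample = @(
    @{ Computer = 'WS-01'; Values = @{ WUServer = 'http://wsus.example.local:8530'
                                       WUStatusServer = 'http://wsus.example.local:8530' } },
    @{ Computer = 'WS-02'; Values = @{ WUServer = 'http://192.0.2.10'
                                       WUStatusServer = 'http://192.0.2.10' } },
    @{ Computer = 'WS-03'; Values = @{} }
)
$report = foreach ($row in $sample) {
    Test-WsusPolicy -ComputerName $row.Computer -Values $row.Values -ExpectedUrl $ExpectedUrl
}

# The machine this script runs on, read from the live registry.
$report += Test-WsusPolicy -ComputerName $env:COMPUTERNAME `
    -Values (Get-WsusPolicyValues -Path $PolicyKey) -ExpectedUrl $ExpectedUrl

# Show only the entries that need attention.
$report | Where-Object { $_.State -ne 'OK' } | Format-Table -AutoSize
```

On a machine that reports Mismatch, the `gpresult /h` report suggested earlier in the thread shows which GPO, if any, claims the setting.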
-
-
Hi,
I am glad that the issue is solved. And appreciate your update and share. It will be greatly helpful to others who have the same problem.
Thank you for your effort again.
Regards,
Wendy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.