GPO HKCU Registry Changes not working

  • GPO HKCU Registry Changes not working

    Hello Folks:

    First, the problem:
    I have created a custom GPO adm template to add some registry keys under HKEY_CURRENT_USER, the template was of course imported into the "user configuration --> administrative templates" area of the GPO. The template has been tested and works perfectly (or at least I think). The problem that I am running into is that the user accounts that this policy applies to don't always get the registry changes enforced by the policy. And the problem seems to be specific to a group of workstations.


    Now let me give you some background on my set up.
    I have a lab of computers (about 25) that have the exact same hardware. The computers were set up with ghost/sysprep, so all of the computers' configuration is exactly the same aside from the unique OS/software identifiers. They are all running XPPRO SP3 with the most recent updates as of the end of August and all accounts exist in the same OU. I use 'Faronics Deep Freeze' on these machines to ensure that upon every reboot, the machines are restored to their initial state, so no software/configuration changes are made without me knowing. To account for any machine password issues since the machine is part of the domain, I have a GPO that sets the "Windows Settings > Security Settings > Local Policies/Security Options > Domain Member > Maximum machine account password age" to 365. The idea being that every year I will rebuild these machines at least once.

    I know that when I make a policy change that affects the machine I have to unfreeze the machines and then reboot them a couple of times in order for the workstation to refresh its policies and then I freeze the machines again. So far this has been working.

    What is really confusing me is that after I applied the GPO, when a user within the scope of this policy would log in to lab machine X the registry changes would be there. But when he would log in to lab machine Y the registry changes are not there. The same would go for every other user within the scope of this policy. The problem is not random in the sense that if the policy registry changes do not show up on workstation Y for user 1 then they won't show up for any other user either on that same workstation. And vice versa, if they do show up on a given workstation then they will be there for all users on that workstation.

    What is really odd is that this doesn't seem like it should be a workstation problem since it is a USER policy change not a workstation. In fact, in the same policy that I deployed with the HKCU changes, there was a change to the "Computer Configuration" part of the GPO that changed another registry setting (using a custom adm as well) but on the HKEY_LOCAL_MACHINE part of the registry. This particular change seems to have been applied successfully on ALL the machines. So why would the computer configuration change work and not the user configuration in the same GPO?

    Things I did to try and figure out what the issue was:
    I initially thought that it was a problem with the local workstation password being out of sync with the workstation password stored in AD. So I used nltest and ran "nltest /sc_query:mydomain" on one of the computers that is causing the problem
    and I did get some error like "denied access". And also on the same machine when I would try and run a "runas /user:mydomain\domainusername cmd" I would get the following error:
    1789 the trust relationship between this workstation and the primary domain failed.
    But what confused me was that if the account had in fact become out of sync then why would I still be able to log in to the domain using this computer with any domain user account? Usually when a workstation's local account password does not match what is on AD you will get a message when you try to log in letting you know that the computer account is out of sync.
    Nevertheless, I unfroze the machine account and removed it from the domain, then I rejoined the domain and ran the nltest command again as well as the "runas" command mentioned above. They both executed successfully! So I once more logged in as a user within the scope of the policy that changes the registry and still no change to the registry! What gives?

    In the past I've noticed problems when the DNS servers for the workstation are not set to point to a DC. But all workstations in the lab are set the same and all of them are looking at the DCs for my domain.

    Now the questions:
    1. Most importantly, What could be causing the problem and how can I fix this?

    2. In a setup like mine where all the computers are exact replicas of one another why would the policy work on some computers and not on others? Could Deep Freeze be a culprit?

    3. In a Deep Freeze environment, correct me if I am wrong but when I apply a GPO that affects a group of users (i.e. user configuration) I shouldn't need to unfreeze the computers and restart them, correct? Since it is a user change I should just have to get the users within the scope of the policy to log out and back in again, right?

    4. Why would the nltest and runas commands initially fail almost hinting to the fact that the workstation account was out of sync with what AD has in its database but then allow a domain user (who has not logged in to the machine before) to log in without a problem?

    5. When I set the "Maximum machine account password age" to 365 does that mean that in a year's time the machine from the last password change the workstation will attempt to change its password? Or does it mean that anytime from the last password change up to a year from that date is when the password change will occur? I suppose what I am asking is that if the workstation sets its password today and I change the policy to say 365 days, does that mean that I can accurately say that the next password change will be on Sept. 15, 2010 and not a day before?

    6. Right now I have my GPO for this registry change configured under the "user configuration" part of the GPO. The OU where this GPO is linked to contains the users that I am targeting as well as the workstations that I am having the problems with. If I change my GPO's adm template to reside under the "computer configuration" would this possibly solve the problem? Does it matter that the registry entries are being created under HKCU and not HKLM? Does that dictate if the configuration should go under 'user' or 'computer'?

    I know I've written a book here and I apologize for that, however I don't want to leave out any details. I don't post in forums very often since I can usually find the answer to my own problems, but I've been battling this one for a few days now and I am not sure what else to try.

    Thanks,

    JD
    Last edited by JonasDavis; 16th September 2009, 03:52.

  • #2
    Re: GPO HKCU Registry Changes not working

    Originally posted by JonasDavis:
    "6. Right now I have my GPO for this registry change configured under the "user configuration" part of the GPO. The OU where this GPO is linked to contains the users that I am targeting as well as the workstations that I am having the problems with. If I change my GPO's adm template to reside under the "computer configuration" would this possibly solve the problem? Does it matter that the registry entries are being created under HKCU and not HKLM? Does that dictate if the configuration should go under 'user' or 'computer'?"

    User settings need to be put under User Configuration. If you move them to Computer Configuration, it won't work at all.

    Does gpupdate (or gpupdate /force) fix the problem you're experiencing? What do gpresult and rsop.msc show?
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: GPO HKCU Registry Changes not working

      I knew I had missed something in my original post.

      I tried to run gpupdate /force several times without seeing any changes. Each time I would run it, I'd get a message saying that the user and computer policies had been refreshed successfully.

      When I ran gpresult I would see all of the policies being applied as they should for both user and computer including the user GPO in question.

      When I run Resultant Set of Policy as one of the users in the scope of the GPO I am having problems with, logged in to one of the workstations having the problem, for some reason I cannot see the "Administrative Templates" node under the "User Configuration" where my custom adm would be. So I can't tell if it is being used or not.

      When I check the event log to see if there is any information regarding policies this event id keeps popping up:

      Event Type: Information
      Event Source: gupdate1ca281a831b4586
      Event Category: None
      Event ID: 0
      Date: 9/15/2009
      Time: 4:02:45 PM
      User: N/A
      Computer: MYPCNAME
      Description:
      The description for Event ID ( 0 ) in Source ( gupdate1ca281a831b4586 ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service stopped.

      But I also get the following message right after the user logs in:
      Event Type: Information
      Event Source: SceCli
      Event Category: None
      Event ID: 1704
      Date: 9/16/2009
      Time: 9:18:21 AM
      User: N/A
      Computer: MYPCNAME
      Description:
      Security policy in the Group policy objects has been applied successfully.

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


      Thanks for your help.
      Last edited by JonasDavis; 16th September 2009, 16:36.



      • #4
        Re: GPO HKCU Registry Changes not working

        Worth a try perhaps... rather than using a custom ADM (which may have a syntax error in it perhaps), try having a logon script merge the required settings from a REG file.
        Gareth Howells



        • #5
          Re: GPO HKCU Registry Changes not working

          Hi gforce:

          Thanks for the reply again. I had originally tried this and I can't remember why it was working properly. I will have to revisit this and remind myself why it didn't work.

          However, for documentation purposes and ease of administration I prefer to have this as an adm since there are settings that need to be changed on a regular basis. To have the other admins open up GPMC and make those changes without having them chase down the batch file and hard code them in there is much easier, cleaner and more convenient.

          Also, the adm file does work on about half of the workstations in the lab. It is the other half that is causing the problem. I checked the %userprofile%/ntuser.pol file for those workstations where the registry changes are not displayed and I can see the name of my policy:
          [PReg ; * * C o m m e n t : G P O N a m e : M y P o l i c y N a m e ; ;  ;  ;  ]
          So it seems to be reading it. But not processing my registry entries. On the workstations where the policy actually works I can see:
          [PReg ; * * C o m m e n t : G P O N a m e : M y P o l i c y N a m e ; ;  ;  ;  S o f t w a r e \ P a t h \ t o \ R e g i s t r y \ K e y s \ V a l u e s]

          It seems like for some reason on the computers that this is not working the group policy is not entirely read. I am not sure what to try after having removed one of these problematic workstations completely off the domain and rejoined it again and still no dice!

          suggestions widely welcome!
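
The check described in post #5, looking inside ntuser.pol for the GPO name and the settings that follow it, can be done without reading raw wide characters by eye. The parser below is an added example, not part of the thread: it reads the PReg (.pol) format and lists the settings recorded under each GPO. The two sample files are constructed, and the `**Comment:GPO Name:` marker layout is an assumption inferred from the output pasted in the post.

```python
import re
import struct

W = lambda s: s.encode("utf-16-le")   # PReg text fields are UTF-16LE
GPO_MARK = re.compile(r"\*\*Comment:\s*GPO\s*Name:\s*(.*)")  # assumed marker layout

def _wstr(buf, pos):   # read a NUL-terminated UTF-16LE string -> (text, next offset)
    end = pos
    while buf[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _skip(buf, pos, ch):
    if buf[pos:pos + 2] != W(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):   # -> [(key, value, type, data)] from a PReg (.pol) file image
    if struct.unpack_from("<4sI", buf, 0) != (b"PReg", 1):
        raise ValueError("not a version 1 PReg file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _wstr(buf, _skip(buf, pos, "["))
        value, pos = _wstr(buf, _skip(buf, pos, ";"))
        pos = _skip(buf, pos, ";")
        rtype, = struct.unpack_from("<I", buf, pos)
        pos = _skip(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _skip(buf, pos + 4, ";")
        entries.append((key, value, rtype, buf[pos:pos + size]))
        pos = _skip(buf, pos + size, "]")
    return entries

def settings_per_gpo(entries):   # group settings under the preceding GPO-name entry
    out, current = {}, None
    for key, value, _type, _data in entries:
        m = GPO_MARK.match(value)
        if m:
            current = out.setdefault(m.group(1).strip(), [])
        elif current is not None:
            current.append((key, value))
    return out

def _entry(key, value, rtype, data):   # builds the constructed samples below
    return (W("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype) + W(";")
            + struct.pack("<I", len(data)) + W(";") + data + W("]"))

BROKEN = b"PReg\x01\x00\x00\x00" + _entry("", "**Comment:GPO Name: MyPolicyName", 1, W(" \0"))
WORKING = BROKEN + _entry(r"Software\Path\to\Registry\Keys", "Values", 4, struct.pack("<I", 1))
```

A GPO that maps to an empty list, as `BROKEN` does, was seen by the client but delivered no registry settings, which is the state post #5 describes on the failing workstations.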



          • #6
            Re: GPO HKCU Registry Changes not working

            One more thing I just noticed is that when a user logs in the
            C:\WINDOWS\debug\UserMode\userenv.log file records the following information:

            USERENV(2e8.2ec) 10:46:04:130 MyRegUnLoadKey: Failed to unmount hive 00000005
            USERENV(2e8.2ec) 10:46:04:130 DumpOpenRegistryHandle: 3 user registry Handles leaked from \Registry\User\S-1-5-21-690125046-981627084-2091817669-500
            USERENV(2e8.2ec) 10:46:04:130 UnloadUserProfileP: Didn't unload user profile <err = 5>
            USERENV(2e8.2ec) 10:46:06:431 UnloadUserProfile: UnloadUserProfileP failed with 0
            USERENV(2e8.988 ) 10:47:04:869 ProcessGPORegistryPolicy: Failed to move archive file to temporary file due to error: 2.
            USERENV(2e8.b98 ) 10:47:04:931 PolicyChangedThread: UpdateUser failed with 1008.
            USERENV(2e8.2ec) 10:48:15:887 MyRegUnLoadKey: Failed to unmount hive 00000005
            USERENV(2e8.2ec) 10:48:15:949 DumpOpenRegistryHandle: 2 user registry Handles leaked from \Registry\User\S-1-5-21-1177238915-706699826-725345543-27094
            USERENV(2e8.2ec) 10:48:15:949 UnloadUserProfileP: Didn't unload user profile <err = 5>
            USERENV(2e8.2ec) 10:48:16:167 UnloadUserProfile: UnloadUserProfileP failed with 0
            USERENV(2e8.1cc) 10:48:38:248 ProcessGPORegistryPolicy: Failed to move archive file to temporary file due to error: 2.
            USERENV(2e8.988 ) 10:48:38:310 PolicyChangedThread: UpdateUser failed with 1008.
            USERENV(2e8.2ec) 10:49:55:742 Profile was loaded but the Ref Count is 1 !!!

            I googled that last line and came across a suggestion about possible permission problems with %systemroot%\system32\GroupPolicy
            Could this be the problem? If so, what type of permissions should it have?

            Thanks.
            Last edited by biggles77; 23rd September 2009, 19:46. Reason: Removed smilie caused by 8)



            • #7
              Re: GPO HKCU Registry Changes not working

              Ok.

              I think I found the issue.
              A line on the userenv.log file says:
              ProcessGPORegistryPolicy: Failed to move archive file to temporary file due to error: 2

              According to Microsoft (http://technet.microsoft.com/en-us/l...75(WS.10).aspx) a return code of 2 means:
              "The system cannot find the file specified. This message is very similar to the error 3 message and you troubleshoot them the same way. This message indicates that the computer cannot locate either the file or the path that you have told it to look for. This occurs if you try to connect to a UNC path that is not valid (for example, reading policy from SYSVOL). Find the path or file in question and attempt to navigate to that path under the proper credentials. If you want to navigate to the path under the computer context."

              So I logged in to a problem workstation and tried to access the \\mydomain\sysvol\policies\{mypolicy#}\adm directory only to find out that my custom policies were not there!

              I went back to my admin workstation and logged into GPMC and sure enough they had been deleted. But it didn't make sense to me why some machines were still working. I think the response to that was that once I had applied the policy originally and logged in to "some" workstations to see if everything had worked, it actually saved those changes since the machines were unfrozen at that point. Then once I froze the machines the changes were persisted through reboots regardless of whether the adm files were there or not.

              I went through and re-imported the policies and everything is working perfectly on all machines.

              One question still in the back of my mind is why was the policy working on some machines when it comes to the "user configuration" since that part of the GPO is downloaded to the machine every time a user logs in regardless of its deep freeze state.

              Anyhow, I hope this helps someone.

              Thanks,
              JD
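
The log line that led to the fix in post #7 is easy to miss among the profile-unload noise around it. The script below is an added example, not part of the thread: it pulls the error codes out of userenv.log lines, maps them to their Win32 names, and counts the ones raised by policy processing. The sample lines are copied from the excerpt in post #6; the choice of which functions count as policy processing is an assumption based on that excerpt.

```python
import re
from collections import Counter

# Win32 error codes relevant to the thread (names from winerror.h)
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
         5: "ERROR_ACCESS_DENIED", 1008: "ERROR_NO_TOKEN"}
POLICY_FUNCS = {"ProcessGPORegistryPolicy", "PolicyChangedThread"}  # assumed set
LINE = re.compile(r"\s*USERENV\((\w+)\.(\w+)\s*\)\s+([\d:]+)\s+(\w+):\s+(.*)")
CODE = re.compile(r"(?:error:|failed with|err =)\s*(\d+)")

def failures(log_text):
    """Return one dict per userenv.log line that reports a non-zero error code."""
    out = []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        code = CODE.search(line.group(5)) if line else None
        if not code or int(code.group(1)) == 0:
            continue  # not a USERENV function line, or no failing code on it
        num, func = int(code.group(1)), line.group(4)
        out.append({"time": line.group(3), "func": func, "code": num,
                    "name": WIN32.get(num, "UNKNOWN"),
                    "policy": func in POLICY_FUNCS})
    return out

def policy_summary(log_text):
    """Count policy-processing failures by (function, error name)."""
    return Counter((f["func"], f["name"]) for f in failures(log_text) if f["policy"])

# Lines copied from the userenv.log excerpt in post #6
SAMPLE = """\
USERENV(2e8.2ec) 10:46:04:130 MyRegUnLoadKey: Failed to unmount hive 00000005
USERENV(2e8.2ec) 10:46:04:130 UnloadUserProfileP: Didn't unload user profile <err = 5>
USERENV(2e8.2ec) 10:46:06:431 UnloadUserProfile: UnloadUserProfileP failed with 0
USERENV(2e8.988 ) 10:47:04:869 ProcessGPORegistryPolicy: Failed to move archive file to temporary file due to error: 2.
USERENV(2e8.b98 ) 10:47:04:931 PolicyChangedThread: UpdateUser failed with 1008.
USERENV(2e8.1cc) 10:48:38:248 ProcessGPORegistryPolicy: Failed to move archive file to temporary file due to error: 2.
USERENV(2e8.988 ) 10:48:38:310 PolicyChangedThread: UpdateUser failed with 1008.
USERENV(2e8.2ec) 10:49:55:742 Profile was loaded but the Ref Count is 1 !!!
"""
```

Running `policy_summary` over a log collected from each lab machine separates workstations that fail to fetch policy files from those that only log profile-unload errors.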
