GPOs are not applying/being removed on background refresh over VPN
  • GPOs are not applying/being removed on background refresh over VPN

    G'day all,

    Hoping someone out there has had this problem or can let me in on what's happening.

    I've been having a problem over the last few months with our Software Restriction GPOs not applying to our remote users.

    When they're logged onto the VPN (either via their home ADSL or their 3G modem), the background refresh kicks in and deletes all the GPOs (even when I haven't changed anything) but then doesn't reapply them. As the local restriction policy defaults to Disallowed, this has the very undesirable effect of locking the user out of every application they are not currently running (Word, Excel etc), and if they reboot, winlogon.exe is also prevented from running which then means they get logged off straight away.

    If I manually run gpupdate /force on the client all is well, until the next background refresh.

    This problem does not occur when the user is connected to the LAN in HQ or a regional office, and seems to affect only those who do sometimes work from an office but also frequently work away from it.

    The most I've been able to get out of userenv.log by way of an error is the following line:

    "ProcessGPOs: OpenThreadToken failed with error 1008, assuming thread is not impersonating"

    Extensive Googling and many "fixes" have not made any difference, although I did find out the other day that NTFRS wasn't working on one of the DCs, so I've fixed that (thinking that might have been why it detected a change when there wasn't one). Since then I've had the same user back in my office with the same problem, so I've decided to continue the search for an answer.

    I've attached the User processing section of userenv.log as userenv.log.txt.

    Any help would be much appreciated - I'm really stumped here!

  • #2
    Re: GPOs are not applying/being removed on background refresh over VPN

    Can you just disable the background refresh?

    http://technet.microsoft.com/en-us/l.../cc940445.aspx

    You could also delay the refresh... but that's not really fixing it (like a 6-hour delay or something stupid).

    This is an interesting one; I will investigate more and see what I come up with.

    Wofen
    Good to be back....



    • #3
      Re: GPOs are not applying/being removed on background refresh over VPN

      Could it possibly be the slow link detection? Not too sure if that would result in the set of policies being cleared though...
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



      • #4
        Re: GPOs are not applying/being removed on background refresh over VPN

        Originally posted by Wofen:
        Can you just disable the background refresh?

        You could also delay the refresh... but that's not really fixing it (like a 6-hour delay or something stupid).

        Hmm, hadn't thought of that - the results wouldn't be disastrous except if there was an update that needed to go out to all the affected users. Definitely better than them not being able to use their laptops. I'll try it if we can't find the answer.

        The refresh interval for this user (according to userenv.log) is already around 320 mins, so if she logs on at 9am she gets the problem around 2pm. I've suggested disconnecting the VPN and reconnecting at around lunchtime but that didn't seem to help - in hindsight she probably needed to leave it disconnected for a couple of hours to let the refresh fail.



        • #5
          Re: GPOs are not applying/being removed on background refresh over VPN

          In the meantime, I hope you have given the users a batch file that does a gpupdate.

          Could we get a resultant set of the GPO, so that we know what GPO is being deployed? I am wondering if the GPO is trying to do something that it cannot complete before the refresh, though with a 320 min wait time, that seems unlikely.

          If the laptop is on the domain, you can always get it to remotely run a gpupdate script (I am used to SMB, where having to manually do something for a set of users is not a problem) by creating a task and using the remote computer management to run the task. It's a bit fiddly and time consuming, but if it's someone important, it will get the laptop working straight away till you resolve it.

          Wofen
          Good to be back....



          • #6
            Re: GPOs are not applying/being removed on background refresh over VPN

            Originally posted by gforceindustries:
            Could it possibly be the slow link detection? Not too sure if that would result in the set of policies being cleared though...

            No, I enabled slow link detection only recently in the troubleshooting process.

            Apparently the way a refresh works is by removing all policies that have changed and then reapplying them, so its deleting all the registry keys makes sense in that way. It's why they aren't being reapplied that's baffling me.



            • #7
              Re: GPOs are not applying/being removed on background refresh over VPN

              Originally posted by Wofen:
              In the meantime, I hope you have given the users a batch file that does a gpupdate.

              Could we get a resultant set of the GPO, so that we know what GPO is being deployed? I am wondering if the GPO is trying to do something that it cannot complete before the refresh, though with a 320 min wait time, that seems unlikely.

              If the laptop is on the domain, you can always get it to remotely run a gpupdate script (I am used to SMB, where having to manually do something for a set of users is not a problem) by creating a task and using the remote computer management to run the task. It's a bit fiddly and time consuming, but if it's someone important, it will get the laptop working straight away till you resolve it.

              Wofen

              I would give them a script but they'd need admin privs to run it!

              I've been getting around it by having them call me the minute they are restricted, and using Remote Assistance to run gpupdate /force as admin. That gets them going 80% of the time, but if they have left it too long cmd.exe is also restricted, so that tells me that the refresh takes a while to complete.

              I've attached a zipped gpresult report for your viewing pleasure.



              • #8
                Re: GPOs are not applying/being removed on background refresh over VPN

                Forgot about the whole admin priv thing... whoops.

                What about disabling the background refresh on those computers, then setting up a task to run a gpupdate every... 4-5 hours? Still does not resolve the problem, but gets by it without you having to be interrupted every day.

                I will load that set up and have a look at it later when not at work.

                EDIT: I just saw the user log attached to the first post, DOH.
                See if you can access \\{domain}\SysVol\{domain}\Policies\{2404BBE4-1037-4A7D-AF89-13232C49445D}\User\registry.pol from the remote computer (with {domain} being the name of your domain).

                Also, this is the error for the error code you get in that log. Error 1274: The group policy framework should call the extension in the synchronous foreground policy refresh.

                Also, the laptops this is happening to, are they Windows XP with Fast User Logon? If so, disable it.

                Wofen
                Last edited by Wofen; 2nd July 2010, 05:18.
                Good to be back....



                • #9
                  Re: GPOs are not applying/being removed on background refresh over VPN

                  Thanks for your responses.

                  General update: since I fixed NTFRS I've had exactly two instances occur - one was local (I'd "fixed" her machine by running gpupdate /force before finding the NTFRS issue) and the other was in another city the next day - but it's been nearly a week since anyone's reported the problem.

                  @Wofen: I found in the event logs some errors about a corrupt registry.pol file, so I tried accessing that path (and file) when the problem was actually occurring, and was successful. No permissions issues (obviously, as it would happen all the time if there were). The XP laptops don't have Fast User Logon enabled, no.

                  If things get worse I'll make with the scheduled gpupdate /force script...
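
                  Added example (PowerShell, not code from this thread): one check that covers both Wofen's suggestion in #8 (open the policy's registry.pol over the VPN from the affected machine) and the corrupt-registry.pol events mentioned in #9, by reading the file and then parsing it against Microsoft's documented PReg layout, so an unreadable share and a malformed file fail with different messages. It assumes the policy GUID quoted in #8 and the current user's DNS domain; the function names are my own.

```powershell
# Registry.pol layout: 'PReg' signature + DWORD version 1, then a sequence of
# [key;value;type;size;data] records where text and separators are UTF-16LE.

function Read-PolString([byte[]]$Bytes, [ref]$Offset) {
    # Null-terminated UTF-16LE string; advances $Offset past the terminator.
    $start = $Offset.Value; $end = $start
    while ($end + 1 -lt $Bytes.Length -and ($Bytes[$end] -ne 0 -or $Bytes[$end + 1] -ne 0)) { $end += 2 }
    if ($end + 1 -ge $Bytes.Length) { throw "Unterminated string at offset $start (truncated file?)" }
    $Offset.Value = $end + 2
    return [System.Text.Encoding]::Unicode.GetString($Bytes, $start, $end - $start)
}

function Expect-PolChar([byte[]]$Bytes, [ref]$Offset, [char]$Char) {
    # Field separators are single UTF-16LE characters: '[' ';' and ']'.
    $i = $Offset.Value
    if ($i + 1 -ge $Bytes.Length -or $Bytes[$i] -ne [byte]$Char -or $Bytes[$i + 1] -ne 0) {
        throw "Expected '$Char' at offset $i; file is truncated or corrupt"
    }
    $Offset.Value = $i + 2
}

function Read-RegistryPol([Parameter(Mandatory)][string]$Path) {
    $b = [System.IO.File]::ReadAllBytes($Path)   # throws if SYSVOL is unreachable or access is denied
    if ($b.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg' -or
        [BitConverter]::ToUInt32($b, 4) -ne 1) {
        throw "$Path is not a version-1 registry.pol (bad header); treat it as corrupt"
    }
    $pos = 8
    while ($pos -lt $b.Length) {
        Expect-PolChar $b ([ref]$pos) '['
        $key  = Read-PolString $b ([ref]$pos);  Expect-PolChar $b ([ref]$pos) ';'
        $name = Read-PolString $b ([ref]$pos);  Expect-PolChar $b ([ref]$pos) ';'
        $type = [BitConverter]::ToUInt32($b, $pos); $pos += 4; Expect-PolChar $b ([ref]$pos) ';'
        $size = [int][BitConverter]::ToUInt32($b, $pos); $pos += 4; Expect-PolChar $b ([ref]$pos) ';'
        if ($pos + $size -gt $b.Length) { throw "Data for $key\$name runs past the end of the file" }
        $data = if ($size -gt 0) { [byte[]]$b[$pos..($pos + $size - 1)] } else { [byte[]]@() }
        $pos += $size
        Expect-PolChar $b ([ref]$pos) ']'
        [pscustomobject]@{ Key = $key; ValueName = $name; Type = $type; Size = $size; Data = $data }
    }
}

$domain = $env:USERDNSDOMAIN   # assumption: run as the affected domain user on the remote laptop
$pol = "\\$domain\SysVol\$domain\Policies\{2404BBE4-1037-4A7D-AF89-13232C49445D}\User\registry.pol"
# Software Restriction Policies are written under ...\Safer\CodeIdentifiers; list what this GPO sets there.
Read-RegistryPol $pol | Where-Object Key -like '*\Safer\*' |
    Format-Table Key, ValueName, Type, Size -AutoSize
```

                  A header or separator error points at a corrupt file on that DC's SYSVOL replica; an exception from ReadAllBytes points at reachability or permissions over the VPN instead.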



                  • #10
                    Re: GPOs are not applying/being removed on background refresh over VPN

                    Does this happen if the user is a local Admin? I am just wondering if the GPO is trying to get the user to do something that they do not have permissions for.

                    Ummm, I have reached the limit of my ideas ATM. I will keep an eye on this post to see if I can help out with any progress, but it sounds like it's time to create a patch fix for this problem on the computers it's affecting (via disabling the background GPO update and replacing it with a set task), or call in some onsite support.

                    Some diagnostic tests (if you have time; if you don't, you could try decreasing the time between background refreshes):
                    A) Create a new user, create a new empty GPO, attach them together. See if this user is affected. If it works, it shows that your problem lies with your user/GPO combo.
                    B) Move an existing user to a new empty GPO and see if it works. If it works, then the problem is in the GPO, not the user.
                    C) Attach the existing GPO to a new user and see if it affects them.

                    These tests would be majorly time intensive, and only really give you a direction to start looking, but with how wide this problem seems to be, a bit of direction can never be a bad thing.

                    Sorry for not being more help.

                    Wofen
                    Good to be back....
