Announcement

Collapse
No announcement yet.

GPO not applying to more than 50% clients

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO not applying to more than 50% clients

    I know it's long-winded, but we're out of answers. Just trying to provide plenty of info up front. I've tried to help folks here for a little while, but now it's my turn.

    Srvr 2003R2 SP2 servers, Srvr 2003 Functional level domain, 91 XP PRo SP3 client PCs. All the latest patches applied across the system thru WSUS. Application software is deployed reliably thru GP, using Security Filtering where license counts are an issue. All this works flawlessly.

    Part of the environment is a 3rd-party application. Said app is custom-made by a defence contractor, and includes a purpose-built *.api to allow integration with Adobe Reader. Recently the *.api was re-written due to a discovered flaw. Not all users on the domain have experienced the flaw, but since we use roaming profiles and shared workstations, we want to update every machine. The update is a simple file copy, writing the new *.api over the old one, applied as a shutdown script. It's the only setting in this new GPO.

    Our problem is the file copy. Since the app is in use by the majority of users the bulk of the day, the plan was to copy the new *.api into place during the daily, evening scripted shutdown/restart of all domain clients. Since the shutdown script is a computer setting and those run under local system creds (no network resources), we used PSExec during the day to mass-copy the *.api from a network share to the local C: root (users have no access to C:, so they don't see this.) The shutdown script simply copies the *.api file to the appropriate Prog Files location, deletes the root C: copy, and exits.

    It's been 4 days now, and we're at only 44% compliant. The ones that did complete, did so the first night of shutdown/restart. Any others since then have only worked if we've done a 'gpupdate /force' at the client and let it reboot. Every one that does, works. All the client PCs are divided between one root OU (where the GP is applied and enforced), and 2 sub-OUs. The GPO is applied to the root OU. There are no users there at all. The breakdown of successful clients is NOT limited to which OU (root or sub) a client PC is in. Event logs on each client show repeated successful applications of GP every day (source Scecli), so we don't get why it works perfectly if we run as admins, but only some worked the first night when no users were logged on, and the rest keep missing.

    Any advice greatly appreciated.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

  • #2
    Re: GPO not applying to more than 50% clients

    Do all your clients get the file during the initial part of the process??

    What i mean is does the *.api file reside on the client machine when they need it to???

    Comment


    • #3
      Re: GPO not applying to more than 50% clients

      In answer, yes the file is resident locally on the machine when the script calls for it. I copied it to every PC from a network share before rolling out the shutdown script (the part about using PSExec in the original post). So every machine has 'C:\<filename>.api', and the script copies that to C:\Program Files\..., then deletes the C:\<filename> instance and exits.

      Since no one else had responded before this I changed the script to run as a startup script instead. And all but 6 of the remaining PCs updated in one night's power down/power up cycle.

      If anyone can explain why that is, I'd love to hear it!! Other than that, this thread is done.
      *RicklesP*
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **

      Comment


      • #4
        Re: GPO not applying to more than 50% clients

        Your right it does seem pretty strange that some would work as shutdown and others startup. I'd love to offer an explanation but i can't.

        Well done and many thanks for posting back. It is very much appreciated.

        Comment

        Working...
        X