Announcement

Collapse
No announcement yet.

GP Client Side Extension error

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GP Client Side Extension error

    I have clean installed Windows 7 at 3 x 2008 R2 DC locations but unlucky third is giving me problems (but it may be due to the 2003 Secondary DC crapping itself 2 weeks beforehand and me not noticing).

    When I logon to the Windows 7 machine as a User I get the following.
    Click image for larger version

Name:	GPO-Client-Side-Problem.png
Views:	1
Size:	21.3 KB
ID:	469745

    Change Always wait for the network at computer startup and logon setting hoping the GPOs will get applied and I get the following.
    Click image for larger version

Name:	GPO-Error.png
Views:	1
Size:	19.4 KB
ID:	469746

    Created a Profile and I set the Profile path in the ADUC Profile tab and logon I get the following error:

    The Group Policy Client service failed the logon.
    Access is denied.

    This message displays with either a standard Profile or a Mandatory one. Remove the Profile path and the above image is displayed but NO GPOs are applied. I did an RSOP but can't find the captured image and I can't remember what the results were but the Logon Script that was applied via GPO ran and mapped drives but that I think was all. Will create another image during the next visit. Only get 3 hours per fortnight for 58 machines so it make is a tad tricky trying various solutions. Click image for larger version

Name:	bang-head-wall.gif
Views:	11
Size:	2.3 KB
ID:	469744

    I have done a L O T of Googling but nothing has worked yet.
    Tried:
    Local User rights
    Deny log on locally (not applied/enabled)
    Allow log on locally (added User Group AND even a test user)
    Checked Local Policy was not enabled (coz Domain ones not applying)
    DCGPOFix to provide a clean Default Domain Policy

    Any suggestions appreciated. Click image for larger version

Name:	yahoo.gif
Views:	16
Size:	6.2 KB
ID:	469743


    [This is probably more in the AD Forum but I think it may all be intertwined and related. Mmmmm, wish I knew Microsoft Premier Field Engineer ]
    Also removed trashed 2003 DC from Domain and did metadata cleanup. When I tried to DCPROMO it down had to use /forceremoval . Before that I tried Seizing FSMO Roles but that failed until AFTER the metadata cleanup.

    Another part of the problem is the Home Drive is set in the AD Users Profile tab and it is not appearing when the users log on but I believe it may all be related to the Secondary DC crapping itself.
    [Note to self] Haven't tried h: /home yet.
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2

  • #2
    Re: GP Client Side Extension error

    Sounds like you're enforcing Syncronous Processing in your GP enforcement, for the first issue. With syncronous, your policy objects are applied one at a time; a given policy must complete before the next one in the link list can start. It's slower, but more dependable.

    Have a read at: http://technet.microsoft.com/en-us/l.../cc978253.aspx to get more info.

    Since you've already boned the 2003 DC and done the data cleanup, have you tried divorcing the trouble PC form the domain, reset the computer object in AD and then re-join? If the client got it's policy at joining from the damaged DC, the policies could also be damaged. If you leave and then re-join the domain, you push all policies down again from scratch.

    If the PC isn't a proper member of the domain, it may have something to do with user profile issues, as the client PC won't authorise correctly for access.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

    Comment


    • #3
      Re: GP Client Side Extension error

      Originally posted by RicklesP
      have you tried divorcing the trouble PC form the domain
      The big problem here Richard is that I had just reimaged the whole site and really want to avoid doing it again.

      Thanks for the link. At the site tomorrow so hopefully I can post back with some sort solution.

      And something I am sure you will know of from a past life: Yea though I walk through the valley of the shadow of death I shall fear no evil coz I am at 80,000 feet and climbing.
      Sign above a certain Ready Room door (of some very elite aircrew) on an airbase in, I believe, Okinawa. [Apologies Richard. Forgot I had already posted that in your Wall of Frame thread.]
      Last edited by biggles77; 28th August 2013, 20:45.
      1 1 was a racehorse.
      2 2 was 1 2.
      1 1 1 1 race 1 day,
      2 2 1 1 2

      Comment


      • #4
        Re: GP Client Side Extension error

        It sounds more like NTFS/sysvol permissions issues rather than an actual policy setting. I would make sure the policy scope is Authenticated Users or if you're filtering make sure the computer objects have permission to read and apply the policy.

        I would disjoin and rejoin a machine and see if it fixes the problem. If it does then there might be something wrong with the accounts.

        I would also check to make sure ADSS is clean and configured correctly.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        Comment


        • #5
          Re: GP Client Side Extension error

          Thanks to Ian Somnia or I may not have read this in time.

          Was thinking as I left the site 2 weeks ago that DCDiag might have been good to run but staff were closing up and I was time constrained. Maybe I should remove the GPOs, clean up Sysvol, check permissions and then recreate the GPOs. I have a feeling that once the Home Drive that is set in the Users Profile tab starts mapping then all may start working again. One problem is that I cant check the trashed DC Event Logs due to all MMC snap-ins not working. Will have to see if I can manually access them for a clue or 2 as long as they werent trashed as well.

          Thanks guys. This has given me ideas of even more things I can look at and try. My thought well was more empty than normal on this but it now is a bit fuller and I am a lot more optimistic than I was yesterday and coming from a glass half empty, that is saying something.
          Last edited by biggles77; 31st August 2013, 04:00. Reason: fix typo
          1 1 was a racehorse.
          2 2 was 1 2.
          1 1 1 1 race 1 day,
          2 2 1 1 2

          Comment


          • #6
            Re: GP Client Side Extension error

            Originally posted by JeremyW
            It sounds more like NTFS/sysvol permissions issues rather than an actual policy setting
            Close; is was permissions but not on Sysvol and they were all over the place. In the end it would probably been better if I had blown the site away and rebuilt it from scratch.

            Fix one problem and another appeared. This went on for about 5 layers so I have no idea what was done over the past 5 years to get it to this state. I think when 2012R2 gets installed it shall be a NEW rebuild. This AD dates back to 2000 Server and has been upgraded with each new OS release. Hopefully I won't be there for the next one.

            Last problem today was the Printer install GPO wasn't working. That was fixed by disabling the Point and Print setting in Computer--> Policies--> Admin Templates (I think)--> Printers. Hopefully now I will have an easier time.
            1 1 was a racehorse.
            2 2 was 1 2.
            1 1 1 1 race 1 day,
            2 2 1 1 2

            Comment


            • #7
              Re: GP Client Side Extension error

              Never a dull moment, eh?
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com

              Comment

              Working...
              X