Group Policy won't apply to Computers

[Brian Parker]

I'm looking for help in troubleshooting why our group policy won't apply to
computers in our domain. Here's what is happening:

I've created a test OU (TESTOU) and placed a PC (PCNAME) into that OU. I
created a new GPO (Deploy Outlook 2k (TEST)) and linked it to TESTOU. TESTOU
only contains the PC, and is set for block policy inheritance. The GPO is
set to install Outlook 2002 to any PC it applies to (I've set this up in the
Computers node of the policy object).

When I boot the PC, it says it's applying software installation settings,
but when I log in, nothing has been installed.

This is what I see in the userenv file (the names have been changed to
protect the innocent). There is one line that concerns me, which has to do
with GPC and GPT versions:

ApplyGroupPolicy: Entering. Flags = 7
ProcessGPOs:
ProcessGPOs:
ProcessGPOs: Starting computer Group Policy processing...
ProcessGPOs:
ProcessGPOs:
EnterCriticalPolicySection: Machine critical section has been claimed.
Handle = 0x370
ProcessGPOs: Machine role is 2.
PingComputer: PingBufferSize set as 2048
PingComputer: First time: 0
PingComputer: Fast link. Exiting.
ProcessGPOs: User name is:
CN=PCNAME,OU=computers,OU=TESTOU,DC=DOMAIN,DC=com, Domain name is: DOMAIN
ProcessGPOs: Domain controller is: \\PRIMARYDC.DOMAIN.com Domain DN is
DOMAIN.com
ProcessGPOs: Calling GetGPOInfo for normal policy mode
GetGPOInfo: ********************************
GetGPOInfo: Entering...
GetGPOInfo: Server connection established.
GetGPOInfo: Bound successfully.
SearchDSObject: Searching <OU=computers,OU=TESTOU,DC=DOMAIN,DC=com>
SearchDSObject: Found GPO(s):
<[LDAP://CN={0221DA82-7113-436B-BC7A-E8B3C9E384F3},CN=Policies,CN=System,DC=
DOMAIN,DC=com;0]>
ProcessGPO: ==============================
ProcessGPO: Deferring search for
<LDAP://CN={0221DA82-7113-436B-BC7A-E8B3C9E384F3},CN=Policies,CN=System,DC=D
OMAIN,DC=com>
SearchDSObject: <OU=computers,OU=TESTOU,DC=DOMAIN,DC=com> has the Block
From Above attribute set
SearchDSObject: Searching <OU=TESTOU,DC=DOMAIN,DC=com>
SearchDSObject: Found GPO(s): < >
SearchDSObject: Searching <DC=DOMAIN,DC=com>
SearchDSObject: Found GPO(s):
<[LDAP://CN={70267B41-4920-4BB5-97B1-DA4249B91691},CN=Policies,CN=System,DC=
DOMAIN,DC=com;0]>
ProcessGPO: ==============================
AddGPO: GPO will not be added to the list since the Block flag is set and
this GPO is not in enforce mode.
ProcessGPO: Deferring search for
<LDAP://CN={70267B41-4920-4BB5-97B1-DA4249B91691},CN=Policies,CN=System,DC=D
OMAIN,DC=com>
SearchDSObject: Searching
<CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=com>
SearchDSObject: No GPO(s) for this object.
EvaluateDeferredGPOs: Searching for GPOs in
cn=policies,cn=system,DC=DOMAIN,DC=com
ProcessGPO: ==============================
ProcessGPO: Searching
<CN={0221DA82-7113-436B-BC7A-E8B3C9E384F3},CN=Policies,CN=System,DC=DOMAIN,D
C=com>
ProcessGPO: Machine has access to this GPO.
ProcessGPO: Found functionality version of: 2
ProcessGPO: Found file system path of:
<\\DOMAIN.com\SysVol\DOMAIN.com\Policies\{0221DA82-7113-436B-BC7A-E8B3C9E384
F3}>
ProcessGPO: Found common name of: <{0221DA82-7113-436B-BC7A-E8B3C9E384F3}>
ProcessGPO: Found display name of: <Deploy Outlook 2k (TEST)>
ProcessGPO: Found machine version of: GPC is 3, GPT is 0
ProcessGPO: Found flags of: 1
ProcessGPO: Found extensions:
[{C6DC5466-785A-11D2-84D0-00C04FB169F7}{942A8E4F-A261-11D1-A760-00C04FB9603F
}]
ProcessGPO: ==============================
GetGPOInfo: Leaving with 1
GetGPOInfo: ********************************
ProcessGPOs: OpenThreadToken failed with error 1008, assuming thread is not
impersonating
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Registry
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes and no security group membership change and
extension Registry has NoGPOChanges set.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Folder Redirection
ProcessGPOs: Extension Folder Redirection skipped with flags 0x7.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Microsoft Disk Quota
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes but couldn't read extension Microsoft Disk Quota's
status or policy time.
ProcessGPOs: Extension Microsoft Disk Quota skipped because both deleted and
changed GPO lists are empty.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Scripts
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes but couldn't read extension Scripts's status or
policy time.
ProcessGPOs: Extension Scripts skipped because both deleted and changed GPO
lists are empty.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Security
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes and no security group membership change and
extension Security has NoGPOChanges set.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Internet Explorer Branding
ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension EFS recovery
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes and no security group membership change and
extension EFS recovery has NoGPOChanges set.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Application Management
CheckForGPOsToRemove: GPO <New Group Policy Object> needs to be removed
GetDeletedGPOList: Finished.
ProcessGPOList: Entering for extension Application Management
MachinePolicyCallback: Setting status UI to Applying Application Management
policy...
MachinePolicyCallback: Setting status UI to Applying software installation
settings...
MachinePolicyCallback: Setting status UI to Applying computer settings...
ProcessGPOList: Extension Application Management returned 0x5.
ProcessGPOs: Extension Application Management ProcessGroupPolicy failed,
status 0x5.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension IP Security
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes but couldn't read extension IP Security's status
or policy time.
ProcessGPOs: Extension IP Security skipped because both deleted and changed
GPO lists are empty.
LeaveCriticalPolicySection: Critical section 0x370 has been released.
ProcessGPOs: Computer Group Policy has been applied.
ProcessGPOs: Leaving with 1.
ApplyGroupPolicy: Leaving successfully.

From the above log and from my description, does anything obvious stand out
that I've overlooked? If not, where should I start? Thanks,

Brian

 

[Steve Dodson [MSFT]]

I would approach this by the following:

1. Look at the application event log on the client
2. See if you can make another policy change (remove run, control panel,
etc.)
3. See if the package you are trying to depoly is bad
4. Enable winlogon logging

245422 How to Enable Logging for Security Configuration Client Processing in
http://support.microsoft.com/?id=245422

5. Turn up windows installer logging:

223300 How to Enable Windows Installer Logging
http://support.microsoft.com/?id=223300

Hope that helps get you started/

Steve Dodson [MSFT]
Directory Services

--------------------

From: "Brian Parker" <[email protected]>
Newsgroups: microsoft.public.win2000.group_policy
Subject: Group Policy won't apply to Computers
Lines: 155
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[email protected]>
Date: Wed, 01 Oct 2003 17:45:06 GMT
NNTP-Posting-Host: 24.160.224.134
X-Complaints-To: (e-mail address removed)
X-Trace: twister.rdc-kc.rr.com 1065030306 24.160.224.134 (Wed, 01 Oct 2003 12:45:06 CDT)
NNTP-Posting-Date: Wed, 01 Oct 2003 12:45:06 CDT
Organization: RoadRunner
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onlin
e.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!xmission!news-out.spamk
iller.net!propagator2-maxim!news-in.superfeed.net!news-west.rr.com!news.rr.c
om!cyclone.kc.rr.com!cyclone2.kc.rr.com!news2.kc.rr.com!twister.rdc-kc.rr.co
m.POSTED!53ab2750!not-for-mail
Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.group_policy:14548
X-Tomcat-NG: microsoft.public.win2000.group_policy

I'm looking for help in troubleshooting why our group policy won't apply to
computers in our domain. Here's what is happening:

I've created a test OU (TESTOU) and placed a PC (PCNAME) into that OU. I
created a new GPO (Deploy Outlook 2k (TEST)) and linked it to TESTOU. TESTOU
only contains the PC, and is set for block policy inheritance. The GPO is
set to install Outlook 2002 to any PC it applies to (I've set this up in the
Computers node of the policy object).

When I boot the PC, it says it's applying software installation settings,
but when I log in, nothing has been installed.

This is what I see in the userenv file (the names have been changed to
protect the innocent). There is one line that concerns me, which has to do
with GPC and GPT versions:

ApplyGroupPolicy: Entering. Flags = 7
ProcessGPOs:
ProcessGPOs:
ProcessGPOs: Starting computer Group Policy processing...
ProcessGPOs:
ProcessGPOs:
EnterCriticalPolicySection: Machine critical section has been claimed.
Handle = 0x370
ProcessGPOs: Machine role is 2.
PingComputer: PingBufferSize set as 2048
PingComputer: First time: 0
PingComputer: Fast link. Exiting.
ProcessGPOs: User name is:
CN=PCNAME,OU=computers,OU=TESTOU,DC=DOMAIN,DC=com, Domain name is: DOMAIN
ProcessGPOs: Domain controller is: \\PRIMARYDC.DOMAIN.com Domain DN is
DOMAIN.com
ProcessGPOs: Calling GetGPOInfo for normal policy mode
GetGPOInfo: ********************************
GetGPOInfo: Entering...
GetGPOInfo: Server connection established.
GetGPOInfo: Bound successfully.
SearchDSObject: Searching <OU=computers,OU=TESTOU,DC=DOMAIN,DC=com>
SearchDSObject: Found GPO(s):
<[LDAP://CN={0221DA82-7113-436B-BC7A-E8B3C9E384F3},CN=Policies,CN=System,DC =
DOMAIN,DC=com;0]>
ProcessGPO: ==============================
ProcessGPO: Deferring search for
<LDAP://CN={0221DA82-7113-436B-BC7A-E8B3C9E384F3},CN=Policies,CN=System,DC= D
OMAIN,DC=com>
SearchDSObject: <OU=computers,OU=TESTOU,DC=DOMAIN,DC=com> has the Block
From Above attribute set
SearchDSObject: Searching <OU=TESTOU,DC=DOMAIN,DC=com>
SearchDSObject: Found GPO(s): < >
SearchDSObject: Searching <DC=DOMAIN,DC=com>
SearchDSObject: Found GPO(s):
<[LDAP://CN={70267B41-4920-4BB5-97B1-DA4249B91691},CN=Policies,CN=System,DC =
DOMAIN,DC=com;0]>
ProcessGPO: ==============================
AddGPO: GPO will not be added to the list since the Block flag is set and
this GPO is not in enforce mode.
ProcessGPO: Deferring search for
<LDAP://CN={70267B41-4920-4BB5-97B1-DA4249B91691},CN=Policies,CN=System,DC= D
OMAIN,DC=com>
SearchDSObject: Searching
<CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=com>
SearchDSObject: No GPO(s) for this object.
EvaluateDeferredGPOs: Searching for GPOs in
cn=policies,cn=system,DC=DOMAIN,DC=com
ProcessGPO: ==============================
ProcessGPO: Searching
<CN={0221DA82-7113-436B-BC7A-E8B3C9E384F3},CN=Policies,CN=System,DC=DOMAIN, D
C=com>
ProcessGPO: Machine has access to this GPO.
ProcessGPO: Found functionality version of: 2
ProcessGPO: Found file system path of:
<\\DOMAIN.com\SysVol\DOMAIN.com\Policies\{0221DA82-7113-436B-BC7A-E8B3C9E38 4
F3}>
ProcessGPO: Found common name of:

ProcessGPO: Found display name of: <Deploy Outlook 2k (TEST)>
ProcessGPO: Found machine version of: GPC is 3, GPT is 0
ProcessGPO: Found flags of: 1
ProcessGPO: Found extensions:
[{C6DC5466-785A-11D2-84D0-00C04FB169F7}{942A8E4F-A261-11D1-A760-00C04FB9603 F
}]
ProcessGPO: ==============================
GetGPOInfo: Leaving with 1
GetGPOInfo: ********************************
ProcessGPOs: OpenThreadToken failed with error 1008, assuming thread is not
impersonating
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Registry
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes and no security group membership change and
extension Registry has NoGPOChanges set.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Folder Redirection
ProcessGPOs: Extension Folder Redirection skipped with flags 0x7.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Microsoft Disk Quota
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes but couldn't read extension Microsoft Disk Quota's
status or policy time.
ProcessGPOs: Extension Microsoft Disk Quota skipped because both deleted and
changed GPO lists are empty.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Scripts
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes but couldn't read extension Scripts's status or
policy time.
ProcessGPOs: Extension Scripts skipped because both deleted and changed GPO
lists are empty.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Security
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes and no security group membership change and
extension Security has NoGPOChanges set.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Internet Explorer Branding
ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension EFS recovery
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes and no security group membership change and
extension EFS recovery has NoGPOChanges set.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Application Management
CheckForGPOsToRemove: GPO <New Group Policy Object> needs to be removed
GetDeletedGPOList: Finished.
ProcessGPOList: Entering for extension Application Management
MachinePolicyCallback: Setting status UI to Applying Application Management
policy...
MachinePolicyCallback: Setting status UI to Applying software installation
settings...
MachinePolicyCallback: Setting status UI to Applying computer settings...
ProcessGPOList: Extension Application Management returned 0x5.
ProcessGPOs: Extension Application Management ProcessGroupPolicy failed,
status 0x5.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension IP Security
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes but couldn't read extension IP Security's status
or policy time.
ProcessGPOs: Extension IP Security skipped because both deleted and changed
GPO lists are empty.
LeaveCriticalPolicySection: Critical section 0x370 has been released.
ProcessGPOs: Computer Group Policy has been applied.
ProcessGPOs: Leaving with 1.
ApplyGroupPolicy: Leaving successfully.

From the above log and from my description, does anything obvious stand out
that I've overlooked? If not, where should I start? Thanks,

Brian

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

 

[Brian Parker]

Thank's for the tips! Here's what I've found so far:

Application log seems very consistant: Events 1000, 101, 103, 108 and 1000.
The first is: Windows cannot access the registry information at
\\twcmil.com\SysVol\twcmil.com\Policies\{2EDEAF22-EB2E-4EFF-AAB7-935A92BAFA7
9}\Machine\registry.pol with (5). Next I get: The assignment of application
Microsoft Outlook 2002 from policy Deploy 02002 to PC (TEST) failed. The
error was Access is denied. The third error is: The removal of the
assignment of application Microsoft Outlook 2002 from policy Deploy 02002 to
PC (TEST) failed. The error was The system cannot find the file specified.
The forth error is: Failed to apply changes to software installation
settings. Software changes could not be applied. A previous log entry with
details should exist. The error was Access is denied. The final error is:
The Group Policy client-side extension Application Management was passed
flags (1) and returned a failure status code of (5).

I am able to apply policy to users. Anything applied to the computers node
doesn't seem to work. The package seems to be fine.

The appmgmt log file in the WINNT\Debug\UserMode directory shows:

Assigning application Microsoft Outlook 2002 from policy Deploy 02002 to PC
(TEST).
The script file for application Microsoft Outlook 2002 from policy Deploy
02002 to PC (TEST) cannot be copied. Copy from
\\domain.tld\SysVol\domain.tld\Policies\{FBEF42D7-46C0-4E50-9C0B-5CDDA8756B6
5}\Machine\Applications\{D209514D-F7D1-48B8-B8B7-C97A15D52DB2}.aas to
C:\WINNT\system32\appmgmt\MACHINE\{6b0704fe-caaa-4a41-a013-06364330783c}.aas
failed, error 5.
The assignment of application Microsoft Outlook 2002 from policy Deploy
02002 to PC (TEST) failed. The error was %5.
Removing application Microsoft Outlook 2002 from the software installation
database.
Calling Windows Installer to remove application advertisement for
application Microsoft Outlook 2002 from script
C:\WINNT\system32\appmgmt\MACHINE\{6b0704fe-caaa-4a41-a013-06364330783c}.aas
..
Windows Installer cannot remove application advertisement for application
Microsoft Outlook 2002 from script
C:\WINNT\system32\appmgmt\MACHINE\{6b0704fe-caaa-4a41-a013-06364330783c}.aas
, error 2.
The removal of the assignment of application Microsoft Outlook 2002 from
policy Deploy 02002 to PC (TEST) failed. The error was %2.
Failed to apply changes to software installation settings. Software changes
could not be applied. A previous log entry with details should exist. The
error was %5.
Software installation extension returning with final error code 5.

The MSI log didn't show me much:

=== Verbose logging started: 10/3/2003 19:17:08 Build type: SHIP UNICODE
2.00.2600.1183 Calling process: \??\C:\WINNT\system32\winlogon.exe ===
=== Verbose logging stopped: 10/3/2003 19:17:08 ===

And I'm not sure if there is anything valuable in winlogon.log:

-------------------------------------------
10/03/2003 19:31:52
Administrative privileged user logged on.
Invoke Registry Value Delay Filter.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\securitylevel.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\setcommand.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatecdroms.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatedasd.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatefloppies.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\scremoveoption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
ylastusername.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
ecaption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
etext.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\shutdownwi
thoutlogon.
Analyze machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Analyze machine\system\currentcontrolset\control\lsa\crashonauditfail.
Analyze machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Analyze machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Analyze machine\system\currentcontrolset\control\lsa\restrictanonymous.
Analyze machine\system\currentcontrolset\control\print\providers\lanman
print services\servers\addprinterdrivers.
Analyze machine\system\currentcontrolset\control\session manager\memory
management\clearpagefileatshutdown.
Analyze machine\system\currentcontrolset\control\session
manager\protectionmode.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon
nect.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforc
edlogoff.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecu
ritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresec
uritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
eplaintextpassword.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
esecuritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requi
resecuritysignature.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswor
dchange.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requiresignors
eal.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongk
ey.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechan
nel.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechan
nel.
Analyze MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl.
Analyze
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
..
Analyze MACHINE\Software\Microsoft\Non-Driver Signing\Policy.
Analyze MACHINE\Software\Microsoft\Driver Signing\Policy.
Copy local policy.
----Configuration engine is initialized successfully.----
----Reading Configuration template info...
----Configure User Rights...
Configure S-1-5-32-544.
Configure S-1-5-32-551.
Configure S-1-5-32-547.
Configure S-1-5-32-545.
Configure S-1-1-0.
Configure S-1-5-6.
Configure S-1-5-21-515967899-152049171-854245398-501.
User Rights configuration completed successfully.
----Configure Security Policy...
Configure password information.
System Access configuration completed successfully.
Configure event audit settings.
Audit/Log configuration completed successfully.
Configure machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\securitylevel.
Configure machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\setcommand.
Configure machine\software\microsoft\windows
nt\currentversion\winlogon\allocatecdroms.
Configure machine\software\microsoft\windows
nt\currentversion\winlogon\allocatedasd.
Configure machine\software\microsoft\windows
nt\currentversion\winlogon\allocatefloppies.
Configure machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount.
Configure machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning.
Configure machine\software\microsoft\windows
nt\currentversion\winlogon\scremoveoption.
Configure
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
ylastusername.
Configure
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
ecaption.
Configure
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
etext.
Configure
machine\software\microsoft\windows\currentversion\policies\system\shutdownwi
thoutlogon.
Configure machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Configure machine\system\currentcontrolset\control\lsa\crashonauditfail.
Configure
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Configure
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Configure machine\system\currentcontrolset\control\lsa\restrictanonymous.
Configure machine\system\currentcontrolset\control\print\providers\lanman
print services\servers\addprinterdrivers.
Configure machine\system\currentcontrolset\control\session manager\memory
management\clearpagefileatshutdown.
Configure machine\system\currentcontrolset\control\session
manager\protectionmode.
Configure
machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon
nect.
Configure
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforc
edlogoff.
Configure
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecu
ritysignature.
Configure
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresec
uritysignature.
Configure
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
eplaintextpassword.
Configure
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
esecuritysignature.
Configure
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requi
resecuritysignature.
Configure
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswor
dchange.
Configure
machine\system\currentcontrolset\services\netlogon\parameters\requiresignors
eal.
Configure
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongk
ey.
Configure
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechan
nel.
Configure
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechan
nel.
Registry values configuration completed successfully.
----Configure available attachment engines...
Attachment engines configuration completed successfully.
----Un-initialize configuration engine...

I haven't given up yet (I'm quite determined to get this working) but I
could still use some help in analyzing all of this. My first guess, based on
the error received in the appmgmt file, is it's something to do with file
permissions. But I can't seem to figure out what needs changing. Any ideas?

Thanks,
Brian

I would approach this by the following:

1. Look at the application event log on the client
2. See if you can make another policy change (remove run, control panel,
etc.)
3. See if the package you are trying to depoly is bad
4. Enable winlogon logging

245422 How to Enable Logging for Security Configuration Client Processing in
http://support.microsoft.com/?id=245422

5. Turn up windows installer logging:

223300 How to Enable Windows Installer Logging
http://support.microsoft.com/?id=223300

Hope that helps get you started/

Steve Dodson [MSFT]
Directory Services

--------------------

From: "Brian Parker" <[email protected]>
Newsgroups: microsoft.public.win2000.group_policy
Subject: Group Policy won't apply to Computers
Lines: 155
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[email protected]>
Date: Wed, 01 Oct 2003 17:45:06 GMT
NNTP-Posting-Host: 24.160.224.134
X-Complaints-To: (e-mail address removed)
X-Trace: twister.rdc-kc.rr.com 1065030306 24.160.224.134 (Wed, 01 Oct

2003
12:45:06 CDT)

NNTP-Posting-Date: Wed, 01 Oct 2003 12:45:06 CDT
Organization: RoadRunner
Path:

cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!xmission!news-out.spamkiller.net!propagator2-maxim!news-in.superfeed.net!news-west.rr.com!news.rr.com!cyclone.kc.rr.com!cyclone2.kc.rr.com!news2.kc.rr.com!twister.rdc-kc.rr.co

m.POSTED!53ab2750!not-for-mail
Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.group_policy:14548
X-Tomcat-NG: microsoft.public.win2000.group_policy

I'm looking for help in troubleshooting why our group policy won't apply to
computers in our domain. Here's what is happening:

I've created a test OU (TESTOU) and placed a PC (PCNAME) into that OU. I
created a new GPO (Deploy Outlook 2k (TEST)) and linked it to TESTOU. TESTOU
only contains the PC, and is set for block policy inheritance. The GPO is
set to install Outlook 2002 to any PC it applies to (I've set this up in the
Computers node of the policy object).

When I boot the PC, it says it's applying software installation settings,
but when I log in, nothing has been installed.

This is what I see in the userenv file (the names have been changed to
protect the innocent). There is one line that concerns me, which has to do
with GPC and GPT versions:

ApplyGroupPolicy: Entering. Flags = 7
ProcessGPOs:
ProcessGPOs:
ProcessGPOs: Starting computer Group Policy processing...
ProcessGPOs:
ProcessGPOs:
EnterCriticalPolicySection: Machine critical section has been claimed.
Handle = 0x370
ProcessGPOs: Machine role is 2.
PingComputer: PingBufferSize set as 2048
PingComputer: First time: 0
PingComputer: Fast link. Exiting.
ProcessGPOs: User name is:
CN=PCNAME,OU=computers,OU=TESTOU,DC=DOMAIN,DC=com, Domain name is: DOMAIN
ProcessGPOs: Domain controller is: \\PRIMARYDC.DOMAIN.com Domain DN is
DOMAIN.com
ProcessGPOs: Calling GetGPOInfo for normal policy mode
GetGPOInfo: ********************************
GetGPOInfo: Entering...
GetGPOInfo: Server connection established.
GetGPOInfo: Bound successfully.
SearchDSObject: Searching <OU=computers,OU=TESTOU,DC=DOMAIN,DC=com>
SearchDSObject: Found GPO(s):
<[LDAP://CN={0221DA82-7113-436B-BC7A-E8B3C9E384F3},CN=Policies,CN=System,DC

=
DOMAIN,DC=com;0]>
ProcessGPO: ==============================
ProcessGPO: Deferring search for
<LDAP://CN={0221DA82-7113-436B-BC7A-E8B3C9E384F3},CN=Policies,CN=System,DC=
D
OMAIN,DC=com>
SearchDSObject: <OU=computers,OU=TESTOU,DC=DOMAIN,DC=com> has the Block
From Above attribute set
SearchDSObject: Searching <OU=TESTOU,DC=DOMAIN,DC=com>
SearchDSObject: Found GPO(s): < >
SearchDSObject: Searching <DC=DOMAIN,DC=com>
SearchDSObject: Found GPO(s):
<[LDAP://CN={70267B41-4920-4BB5-97B1-DA4249B91691},CN=Policies,CN=System,DC
=
DOMAIN,DC=com;0]>
ProcessGPO: ==============================
AddGPO: GPO will not be added to the list since the Block flag is set and
this GPO is not in enforce mode.
ProcessGPO: Deferring search for
<LDAP://CN={70267B41-4920-4BB5-97B1-DA4249B91691},CN=Policies,CN=System,DC=
D
OMAIN,DC=com>
SearchDSObject: Searching
<CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=com>
SearchDSObject: No GPO(s) for this object.
EvaluateDeferredGPOs: Searching for GPOs in
cn=policies,cn=system,DC=DOMAIN,DC=com
ProcessGPO: ==============================
ProcessGPO: Searching
<CN={0221DA82-7113-436B-BC7A-E8B3C9E384F3},CN=Policies,CN=System,DC=DOMAIN,
D
C=com>
ProcessGPO: Machine has access to this GPO.
ProcessGPO: Found functionality version of: 2
ProcessGPO: Found file system path of:
<\\DOMAIN.com\SysVol\DOMAIN.com\Policies\{0221DA82-7113-436B-BC7A-E8B3C9E38
4
F3}>
ProcessGPO: Found common name of:

ProcessGPO: Found display name of: <Deploy Outlook 2k (TEST)>
ProcessGPO: Found machine version of: GPC is 3, GPT is 0
ProcessGPO: Found flags of: 1
ProcessGPO: Found extensions:
[{C6DC5466-785A-11D2-84D0-00C04FB169F7}{942A8E4F-A261-11D1-A760-00C04FB9603
F
}]
ProcessGPO: ==============================
GetGPOInfo: Leaving with 1
GetGPOInfo: ********************************
ProcessGPOs: OpenThreadToken failed with error 1008, assuming thread is not
impersonating
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Registry
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes and no security group membership change and
extension Registry has NoGPOChanges set.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Folder Redirection
ProcessGPOs: Extension Folder Redirection skipped with flags 0x7.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Microsoft Disk Quota
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes but couldn't read extension Microsoft Disk Quota's
status or policy time.
ProcessGPOs: Extension Microsoft Disk Quota skipped because both deleted and
changed GPO lists are empty.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Scripts
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes but couldn't read extension Scripts's status or
policy time.
ProcessGPOs: Extension Scripts skipped because both deleted and changed GPO
lists are empty.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Security
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes and no security group membership change and
extension Security has NoGPOChanges set.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Internet Explorer Branding
ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7.
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension EFS recovery
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes and no security group membership change and
extension EFS recovery has NoGPOChanges set.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension Application Management
CheckForGPOsToRemove: GPO <New Group Policy Object> needs to be removed
GetDeletedGPOList: Finished.
ProcessGPOList: Entering for extension Application Management
MachinePolicyCallback: Setting status UI to Applying Application Management
policy...
MachinePolicyCallback: Setting status UI to Applying software installation
settings...
MachinePolicyCallback: Setting status UI to Applying computer settings...
ProcessGPOList: Extension Application Management returned 0x5.
ProcessGPOs: Extension Application Management ProcessGroupPolicy failed,
status 0x5.
ProcessGPOs: -----------------------
ProcessGPOs: -----------------------
ProcessGPOs: Processing extension IP Security
CompareGPOLists: The lists are the same.
CheckGPOs: No GPO changes but couldn't read extension IP Security's status
or policy time.
ProcessGPOs: Extension IP Security skipped because both deleted and changed
GPO lists are empty.
LeaveCriticalPolicySection: Critical section 0x370 has been released.
ProcessGPOs: Computer Group Policy has been applied.
ProcessGPOs: Leaving with 1.
ApplyGroupPolicy: Leaving successfully.

From the above log and from my description, does anything obvious stand out
that I've overlooked? If not, where should I start? Thanks,

Brian

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

 

[Guest]

You need to move go into the computers group of your domain and move the computer name you created and place this into your OU before the computer settings will apply as only User settings will be applied with the user account in your OU

hope this helps