User GPOs not processing for specific users, but did work previously.

edavid3001

I have a 550 machine network. On this network I have some users whose
user settings (GPOs) are not *running*. My guess is maybe 20 of the
~600 users.

What I mean is that the settings have been set in the registry, but
they simply don't run. This includes user login scripts, logoff
scripts, and various settings such as run login scripts invisible=yes
but they don't run invisible.

I have a VMware PC for testing. Whenever I log in, it works fine.
I took a user in question, and made a copy of this user's profile.
Gave this new user its own home drive and mapped it to that home
drive & roaming profile.

I logged into the VM machine as this new test user numerous times.
The problem followed this test user onto my VM machine. The user
login scripts do not run. The domain logon script is visible.

The machine settings are there.

Another thing worth mentioning is that these GPOs apply at the root.
This user is in a department OU with other users, of which they are
running the user GPOs. Their computer is in another OU for computers/
department and same thing - the computer GPOs are processing.

So the problem is following the user. It was working for this user
per the log files I generate during the user login script. It just
quit and hasn't worked for 3 1/2 months.

This is the userenv.log:

USERENV(37c.380) 09:46:01:885 ReconcileFile: Unable to open temporary
file
USERENV(37c.380) 09:47:31:375 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(37c.380) 09:47:31:406 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(37c.380) 09:47:31:406 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(37c.75c) 09:47:38:046 ProcessGPOs: The DC for domain PRIME is
not available at startup. retrying
USERENV(37c.75c) 09:47:44:125 ProcessGPOs: DC for domain PRIME is
reachable after retries.
USERENV(b08.b0c) 09:47:50:687 RefreshPolicyEx: Failed to open event
with 2
USERENV(b08.b0c) 09:47:50:921 RefreshPolicyEx: Failed to open event
with 2
USERENV(37c.75c) 09:47:58:015 GetGPOInfo: Local GPO's gpt.ini is not
accessible, assuming default state.
USERENV(37c.d64) 09:48:11:698 GetWbemServices: CoCreateInstance
returned 0x800401f0
USERENV(37c.d9c) 09:48:58:744 GetGPOInfo: Local GPO's gpt.ini is not
accessible, assuming default state.
USERENV(37c.d9c) 09:50:08:566 ProcessGPOs: Forced option changed
policy mode.

The local GPOs GPT.ini error is normal I believe, since I have no
"local" GPO set. It's all domain.

Rsop.msc shows everything as normal. The user shows the policies and
user login scripts. They just don't run for this particular user.

DNS resolves for the domain. WINS had an issue, but that is fixed.

If I recreate the GPO making an exact copy of it, and copying the
scripts from the old GPOs directories into the new GPOs directories,
then the new GPO will run on these users but the old one doesn't.
The rights are the same on these. The user has access to these
scripts when I navigate in explorer to them.

Any ideas on this? It really strikes me odd that the login scripts
are in HKCU, and the old one doesn't run but the new one does.
 
Ace Fekay [MVP]

It appears something changed a few months ago or you wouldn't be having this
problem.

Let's take a closer methodical look at the messages you posted above. These
two jump out at me and are screaming for attention:
USERENV(37c.75c) 09:47:38:046 ProcessGPOs: The DC for domain PRIME is
not available at startup. retrying
USERENV(37c.75c) 09:47:44:125 ProcessGPOs: DC for domain PRIME is
reachable after retries.

They are telling me it cannot find a DC for your domain called "PRIME". Was
a DC lost or removed? Did it possibly fail and a metadata cleanup wasn't
performed?

Do me a favor, please post the following information. Please try and NOT
edit any of the results, otherwise it may get difficult to assist you.

1. Unedited ipconfig /all from two of your DCs, and one of your clients.
2. The exact zone name spelling in DNS and whether updates are allowed on the
zone.
3. The AD DNS domain name as it shows up in ADUC.
4. If the SRV records exist under the zone.
5. Any errors in the Event logs on the DC under System, Replication Service
and Directory Services (post the Event ID# and source please)
6. Dcdiag /v /fix > c:\dcdiag.txt (post the dcdiag.txt as an attachment)
7. Netdiag /v /fix > c:\netdiag.txt (post the dcdiag.txt as an attachment)
8. More than one subnet?
9. Forwarder(s) configured?
10. How many DCs are there?
11. How many AD Sites?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express or
any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or
password required nor do you need a Newsgroup Usenet account with your
ISP. It connects directly to the Microsoft Public Newsgroups. OEx
allows you to easily find, track threads, cross-post, sort by date,
poster's name, watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Life isn't like a box of chocolates or a bowl of cherries or
peaches... Life is more like a jar of jalapenos. What you do today
may burn your butt tomorrow." - Garfield

"Quitting smoking is easy. I've done it a thousand times."
- Mark Twain
 
edavid3001

Regarding the domain being unavailable at startup. That is related
to the Cisco PortFast issue on our switches.

http://www.edugeek.net/index.php?name=Forums&file=viewtopic&p=82400

So the Ethernet port is not available until after about 45 seconds
after boot. Then DHCP has to happen, et al. That's why we have
"Wait for network at startup" set to 90 seconds.

The computer GPOs are applying. These apply at startup. Our
machines generally are rebooted at end of shift. Then user logs in
the next day after about 16 hours of uptime. And it is the user login
GPOs not applying. By this time, the secured channel to the AD
controllers is well established.

Nothing's changed on our AD in many months. No failed servers, no
replacements. We have 3 controllers at one site, with many remote
sites but no remote ADs.
 
Randy Reimers

Please check for a file in the root of the user's profile, called ntuser.pol
Not sure if you rename, or delete it - notepad can open it - compare the
"bad" user ntuser.pol with someone who works. You may be able to copy a
good one over the one that doesn't work. We had to do that with mandatory
profiles - these ntuser.pol files have something to do with GPO and how it
works.

Let us know what you find

Randy Reimers
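One way to do the comparison Randy suggests without eyeballing the binary in Notepad, as an added example that is not code from this thread: a small Python script that parses both ntuser.pol files and lists the entries that differ. It assumes ntuser.pol uses the same "PReg" layout as registry.pol (a 'PReg' header and version DWORD, then UTF-16LE records of the form [key;name;type;size;data]); the sample blobs and the policy key paths in them are constructed for illustration.

```python
import struct, sys

REG_SZ, REG_DWORD = 1, 4            # registry value type codes

def _read_wstr(blob, pos):
    """NUL-terminated UTF-16LE string at pos; returns (text, offset past the NUL and the ';')."""
    end = next(i for i in range(pos, len(blob), 2) if blob[i:i + 2] == b"\x00\x00")
    return blob[pos:end].decode("utf-16-le"), end + 4

def parse_preg(blob):
    """Return {(key, value_name): (type, raw_data)} for each [key;name;type;size;data] entry."""
    if blob[:4] != b"PReg" or struct.unpack("<I", blob[4:8])[0] != 1:
        raise ValueError("not a PReg (registry.pol / ntuser.pol) file")
    entries, pos = {}, 8
    while pos < len(blob):
        if blob[pos:pos + 2] != b"[\x00": raise ValueError(f"bad entry at offset {pos}")
        key, pos = _read_wstr(blob, pos + 2)
        name, pos = _read_wstr(blob, pos)
        vtype, size = struct.unpack_from("<I2xI2x", blob, pos)   # type ';' size ';'
        entries[(key, name)] = (vtype, blob[pos + 12:pos + 12 + size])
        pos += 12 + size + 2                                      # data, then ']'
    return entries

def decode_data(vtype, data):       # REG_DWORD -> int, REG_SZ -> str, anything else -> hex
    if vtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    return data.decode("utf-16-le").rstrip("\x00") if vtype == REG_SZ else data.hex()

def diff_pol(good, bad):
    """(key, name, good_value, bad_value) for every entry that differs; None = absent."""
    g, b = parse_preg(good), parse_preg(bad)
    val = lambda d, k: decode_data(*d[k]) if k in d else None
    return [(k[0], k[1], val(g, k), val(b, k))
            for k in sorted(set(g) | set(b)) if val(g, k) != val(b, k)]

def build_preg(entries):
    """Serialise (key, name, type, data) tuples to PReg; only used to build the sample."""
    w = lambda s: s.encode("utf-16-le")
    return b"PReg" + struct.pack("<I", 1) + b"".join(
        w("[") + w(k) + b"\0\0" + w(";") + w(n) + b"\0\0" + w(";") + struct.pack("<I", t)
        + w(";") + struct.pack("<I", len(d)) + w(";") + d + w("]") for k, n, t, d in entries)

# Constructed sample; key paths modelled on the HKCU logon-script policy keys (assumption).
_SYS = r"Software\Policies\Microsoft\Windows\System"
_SCRIPT = (_SYS + r"\Scripts\Logon\0\0", "Script", REG_SZ, "logon.bat\0".encode("utf-16-le"))
GOOD_POL = build_preg([_SCRIPT, (_SYS, "HideLogonScripts", REG_DWORD, struct.pack("<I", 1))])
BAD_POL = build_preg([_SCRIPT])     # same script entry, but the hide-scripts DWORD is missing

if __name__ == "__main__":          # usage: preg_diff.py good\ntuser.pol bad\ntuser.pol
    print(*diff_pol(*([open(p, "rb").read() for p in sys.argv[1:3]] or [GOOD_POL, BAD_POL])), sep="\n")
```

Run with no arguments it diffs the two constructed samples; an entry present in the good profile and absent from the bad one shows up with None on the right.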
 
Ace Fekay [MVP]

Hmm, an additional variable. Apparently your users experience long logon
times due to the GPO 'wait' setting. What happens if you turn off spanning
tree and eliminate the 'wait' setting?

I actually would have welcomed the additional info I asked for to eliminate
some of the 'obvious', and believe me, I've seen some simple overlooked
settings that make a difference. But I understand your privacy.

As for the GPOs, you say the user section is not running. You said you
determined that thru an RSOP? How about running a gpresult at the
workstation while the user is logged on? Go thru the results to see if the
user is getting the user section please.

Also, you said the logon script is not running. Is the logon script a batch
file that is stored in the Netlogon folder and specified under the
profile tab of the user account AD properties, or is it specified in the
user section of the GPO logon script?

Ace