Hi,
I'm activating the logging with verbose... do you think it's
enough?
Here is a part of whats in there.
USERENV(210.214) 11:22:59:390 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(210.1a0) 01:34:18:174 ProcessGPOs: GetGPOInfo failed.
USERENV(208.608) 10:15:07:406 ReadMembershipList: Group
S-1-5-21-1785794336-1158417043-4547331-2117 not in current list of token
groups
USERENV(208.144) 10:15:09:937 PolicyChangedThread: UpdateUser failed
with 0.
USERENV(208.b6c) 13:52:56:848 PolicyChangedThread: UpdateUser failed
with 6.
Here is the complete configuration of the policy that I'm testing with:
ScreenSaver_User
General
Details
Domain Domain
Owner Domain\Domain Admins
Created 15/09/2005 9:07:24 AM
Modified 19/09/2005 3:28:06 PM
User Revisions 10 (AD), 10 (sysvol)
Computer Revisions 1 (AD), 1 (sysvol)
Unique ID {356D9C9D-53A3-49CD-ABB5-************}
GPO Status Enabled
Links
Location Enforced Link Status
Technique No Enabled
Usagers_direction No Enabled
Usagers_inventoriees No Enabled
Usagers_portables No Enabled
Usagers_portables_valides No Enabled
Usagers_validees No Enabled
This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users,
and computers:
NT AUTHORITY\Authenticated Users
Domain\Domain Users
WMI Filtering
WMI Filter Name None
Description Not applicable
Delegation
These groups and users have the specified permission for this GPOName
Allowed Permissions
Inherited
Everyone Read (from Security Filtering) No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
DOMAIN\Domain Admins Edit settings, delete, modify security No
DOMAIN\Domain Users Read (from Security Filtering) No
DOMAIN\Enterprise Admins Edit settings, delete, modify security No
Computer Configuration (Enabled)
Administrative Templates
System/Logon
Policy Setting
Always wait for the network at computer startup and logon Enabled
User Configuration (Enabled)
Administrative Templates
Control Panel/Display
Policy Setting
Hide Screen Saver tab Enabled
Password protect the screen saver Enabled
Screen Saver Enabled
Screen Saver executable name Enabled
Screen Saver executable name %systemroot%\system32\ssmarque.scr
Policy Setting
Screen Saver timeout Enabled
Number of seconds to wait to enable the Screen Saver
Seconds: 600
Thanks for your help!
Darren: I can send you the result file for the userenv log. It's about
200KB.
You can contact me offlist at mbruyere at gmail dot com.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: September 19, 2005 4:45 PM
To: [email protected]
Subject: RE: [ActiveDir] only 1 GPO not applying...
Ok, so in the RSOP report, does it show the setting being applied to the
user? If not, then the next step is to enable userenv logging and see
what it shows when it enumerates the GPOs to process for the user. These
kinds of problems typically break down into:
--infrastructure problems (e.g. DNS, FRS, etc. which usually means no
GPOs apply)
--Configuration problems (e.g. GPO linked wrong, filtered wrong or
blocked by some config. error)
--Client problems (e.g. Required client services not running, issues
with client communicating with DC, etc.)
In your case it sounds like either a config. problem or a client
problem--probably the latter. One thing to double-check--sometimes a
setting gets applied but the client doesn't behave as expected. Look in
the system.adm file and determine what registry value should be set for
that screen saver policy then confirm on the client that it indeed is
not being set. That way you know that it's a problem of not processing
the GPO correctly rather than a problem of the policy not responding the
way you expect.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, September 19, 2005 1:20 PM
To: [email protected]
Subject: RE: [ActiveDir] only 1 GPO not applying...
Hi,
I thought that this could be a problem... I added domain users
and everyone in the permissions to test things out... still no go.
The gpresult message does not report any filtering (except for the
computers GPOs that have the users section disabled, but the reason
listed is "disabled" which is normal).
Still in the dark ...
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: September 19, 2005 4:00 PM
To: [email protected]
Subject: RE: [ActiveDir] only 1 GPO not applying...
The filtering message you got from RSOP indicates that either security
group filtering or WMI filtering may be getting in the way of this. How
have you configured security on that GPO? By default, Authenticated
Users (meaning all users and computers in the domain) will process a
GPO. So if you removed the Authenticated Users ACE you need to replace
that with a user group that contains all the users you wish to receive
that GPO.
Darren
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, September 19, 2005 12:46 PM
To: [email protected]
Subject: RE: [ActiveDir] only 1 GPO not applying...
Hi,
I found that only computer policies applies ;/ The user only policy
do not apply, still searching but will appreciate any inputs.
It may be permissions issue, I' looking this way.
Thanks!
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: September 19, 2005 2:04 PM
To: [email protected]
Subject: [ActiveDir] only 1 GPO not applying...
Hi,
I have a little problem applying a GPO.
SETUP: windows 2k native domain with XPsp2 ADM files. All stations are
WinXP sp2.
I had a GPO the pushed a screen saver configuration and some other
restrictions. I had to split the GPO in 2 because I needed to deploy the
Screensaver without the other restrictions. There is a problem woth this
new GPO because it just do not apply to any machine/user.
I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the
GPOs.
Note: all other Policies are applied correctly and the one that do not
apply isn't listed in the " The following GPOs were not applied because
they were filtered out" section...
Any ideas?
Thanks for your time!
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
