Hi Steve,

Just noted your comment on trying to interpret the Userenv Log. I always found it very confusing so I wrote a utility that picks it apart. You can download it from http://www.sysprosoft.com/policyreporter.shtml I just ran it on your file and it shows quite clearly the process involved (it is made clearer if you click on "user Policy Processing"). Basically it is the way Darren explains it. It goes and finds all polices the user would normally get then gets all the policies that the user would get if they were in the Machine's OU.

One thing I have tried doing was to interpret the flags returned from Extension processing to try and make them meaningful, but haven't had any success. I did get the following definitions, but they don't seem to work. For instance your log reports Security Processing with flags 6x, which doesn't seem to apply. :-

'0x00000001  // Apply machine policy rather than user policy
'0x00000010  // Background refresh of policy (ok to do slow stuff)
'0x00000020  // Policy is being applied across a slow link
'0x00000040  // Verbose output to the eventlog
'0x00000080  // No changes were detected to the Group Policy Objects
'0x00000100 // A change in link speed was detected between previous policy application and current policy application '0x00000200 // A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only)
'0x00000400  // Forced Refresh is being applied. redo policies.
'0x00000800  // windows safe mode boot flag
'0x00001000  // Asynchronous foreground refresh of policy
'0x00002000 // Report all settings for one GPO rather than the resultant settings across multiple GPOs

If anyone can tell me how they work (or where I am misprocessing it), I will include it in the utility

Feel free to download the utility if only to better understand how it all works!

Alan Cuthbertson


Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml


----- Original Message ----- From: "Steve Rochford" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, January 06, 2006 4:54 AM
Subject: RE: [ActiveDir] Duplicate application of group policy


I'm glad that you say loopback shouldn't cause this - I was sure I'd
used something like this successfully before!

I've now put a copy of the complete results of gpresult /v and
userenv.log on http://195.194.12.22/data/gp.htm (they're a bit big to
email to the list!)

I've tried looking at userenv.log files before and while I can
understand some of what's going on, I can't really see what's going
wrong!

I've loaded the syspro Policy Log Viewer
(http://www.sysprosoft.com/policyreporter.shtml) which you mention on
your website. On the Performance History tab it says "Via Loopback" next
to the policies which are being duplicated.

Not sure where this gets me but it's now time for me to go home (and
brave the snow which has just started falling in London!)

Steve

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 04 January 2006 18:14
To: [email protected]
Subject: RE: [ActiveDir] Duplicate application of group policy

John-
I don't doubt this is the behavior you're seeing, but loopback *should*
not cause this. At least not given the way its *supposed* to work. So,
that is why a userenv log would be very interesting here. My guess is
that even though Gpresult is showing it as running twice, the given GPO
is really only being processed once. I will also try to test this on my
end to see if I can discover what's up.

Darren

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, January 04, 2006 9:57 AM
To: [email protected]
Subject: RE: [ActiveDir] Duplicate application of group policy

Not to doubt your expertise Darren, but  we use a worksation loopback
here for the screen saver. Not my idea, but in our situation, it is
easier to figure out machines that need to be exempt, rather than users.
They could run a certain test for weeks on one pc, but on their
administrative pc, the screen saver is OK, and required.  RSOP certainly
shows the domain policies being run twice. Might be because of "merge"
mode, never really bothered into looking into the mechanics.  I also
fool around with my local policy to test a setting here and there, and
it also shows that as being run twice in certain situations.  We even
use site policies, and they show being run twice, and that's done before
the domain.

Certainly he should turn on the logging as you say, but Steve's
situation sounds very familiar to me.

Thanks,
John









            "Darren Mar-Elia"

            <[EMAIL PROTECTED]

            uest.com>
To
            Sent by:                  <[email protected]>

            [EMAIL PROTECTED]
cc
            ail.activedir.org


Subject
                                      RE: [ActiveDir] Duplicate

            01/04/2006 11:09          application of group policy

            AM





            Please respond to

            [EMAIL PROTECTED]

               tivedir.org









Steve-
In this situation, I would enable verbose userenv logging and see if you
can track down what is actually happening during the processing cycle. I
am kinda doubting that loopback would cause things like the local GPO or
Default Domain Policy from processing twice, because these should be
processing well before you OU-based loopback policies kick in.

Darren

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, January 04, 2006 7:50 AM
To: [email protected]
Subject: RE: [ActiveDir] Duplicate application of group policy

Hi Steve...

That's about the only way to apply user settings to computers, using the
loopback.

Not sure of your OU structure, if you had your  users seperated, you
could apply the actual user policies (loginscripts etc.)  at the "user
OU" level.
As long as that was a different "scope" it would eliminate them trying
to run the scripts twice, which is where I would expect these things to
hang some.  Or even generate errors, if trying to remap an already
mapped drive.

Not sure if I"m explaining it clearly enough?

John







            "Steve Rochford"

            <[EMAIL PROTECTED]

            nwl.ac.uk>
To
            Sent by:                  <[email protected]>

            [EMAIL PROTECTED]
cc
            ail.activedir.org


Subject
                                      RE: [ActiveDir] Duplicate

            01/04/2006 09:12          application of group policy

            AM





            Please respond to

            [EMAIL PROTECTED]

               tivedir.org









Thanks; I spotted that proxy_isa was only once but John's other message
about loopback makes me start thinking that this is very relevant.

The proxy_isa just sets a particular OU to use an ISA server as proxy
(rather than Squid - we have some software which won't work with ISA so
a couple of OUs link to a GPO called ISA_Squid which points them at the
Squid proxy server).

The policy is applied to a group of machines (because it's particular
rooms which need the proxy set like this rather than particular people)
but loopback processing is set because the proxy settings themselves are
user specific rather than machine specific.

I'm sure I've used loopback processing for actually this sort of thing
before but I'd guess I'm doing something wrong! I've tried to copy the
settings screen from the proxy_isa GPO below - is this where I should be
looking or could something else be wrong?

If necessary, I can remove the GPO and just use the login script to set
proxy settings - there was just a "nice" feel to doing things with the
GPO

Steve



Computer Configuration (Enabled) Administrative Templates System/Group
Policy
Policy              Setting
            Enabled
Mode:         Merge
User Configuration (Enabled) Windows Settings Internet Explorer
Maintenance Connection/Proxy Settings Enable proxy settings
Protocol            Server            Port
HTTP          witproxy          8080
Secure              witproxy          8080
FTP           witproxy          8080
Gopher              witproxy          8080
Socks         witproxy          8080
Exceptions:         Do not use proxy server for addresses beginning with
       www.student.cnwl.ac.uk, moodle.student.cnwl.ac.uk,
learnwise.student.cnwl.ac.uk, wstud3.student.cnwl.ac.uk,
mail.student.cnwl.ac.uk, Do not use proxy server for local (intranet)
addresses Enabled


________________________________

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Wed 04/01/2006 14:16
To: [email protected]
Subject: Re: [ActiveDir] Duplicate application of group policy


Steve, it looks like, from that list that you're not applying all GPO's
twice.  Some are and some aren't.  That seems to me like it would be a
configuration issue.

allpcs
      Proxy_ISA                           <-----applied once
      Default Domain Policy          <----- applied twice
      LogonLogoffScripts
      Local Group Policy
      Default Domain Policy
      LogonLogoffScripts
      Local Group Policy

Some things to look for:

Check to see what the GPO's are linked to.
Look over recent changes to see if any of them could have affected this
behavior.
Verify that the slow logon is due to the application of group policy.
You may have something else going on.

Al



On 1/4/06, Steve Rochford <[EMAIL PROTECTED]> wrote:

            Most group policy objects are being applied twice - what do
I need to look for to fix this?

            Running gpresult /v shows that they're being picked up
twice - eg the the start of the user section is shown below.

            There is only one link for each policy object but there's
obviously something I'm missing. All the policies are working but it's
causing problems because logging on takes twice as long and the user
login script (set in the "logonlogoffscripts" group policy) runs twice.

            Steve

            USER SETTINGS
            --------------
               CN=Administrator,CN=Users,DC=student,DC=cnwl,DC=ac,DC=uk
               Last time Group Policy was applied: 04/01/2006 at
08:23:52
               Group Policy was applied from:
pstud1.student.cnwl.ac.uk
               Group Policy slow link threshold:   500 kbps
               Applied Group Policy Objects
               -----------------------------
                   allpcs
                   Proxy_ISA
                   Default Domain Policy
                   LogonLogoffScripts
                   Local Group Policy
                   Default Domain Policy
                   LogonLogoffScripts
                   Local Group Policy
            List info   : http://www.activedir.org/List.aspx
            List FAQ    : http://www.activedir.org/ListFAQ.aspx
            List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



[attachment "winmail.dat" deleted by John P
Salemi/CedarRapids/RockwellCollins]

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Reply via email to