Hi Steve,
Just noted your comment on trying to interpret the Userenv Log. I always
found it very confusing so I wrote a utility that picks it apart. You can
download it from http://www.sysprosoft.com/policyreporter.shtml I just ran
it on your file and it shows quite clearly the process involved (it is made
clearer if you click on "user Policy Processing"). Basically it is the way
Darren explains it. It goes and finds all polices the user would normally
get then gets all the policies that the user would get if they were in the
Machine's OU.
One thing I have tried doing was to interpret the flags returned from
Extension processing to try and make them meaningful, but haven't had any
success. I did get the following definitions, but they don't seem to work.
For instance your log reports Security Processing with flags 6x, which
doesn't seem to apply. :-
'0x00000001 // Apply machine policy rather than user policy
'0x00000010 // Background refresh of policy (ok to do slow stuff)
'0x00000020 // Policy is being applied across a slow link
'0x00000040 // Verbose output to the eventlog
'0x00000080 // No changes were detected to the Group Policy Objects
'0x00000100 // A change in link speed was detected between previous policy
application and current policy application
'0x00000200 // A Change in Rsop Logging was detected between previous
policy application and current policy application, (new intf only)
'0x00000400 // Forced Refresh is being applied. redo policies.
'0x00000800 // windows safe mode boot flag
'0x00001000 // Asynchronous foreground refresh of policy
'0x00002000 // Report all settings for one GPO rather than the resultant
settings across multiple GPOs
If anyone can tell me how they work (or where I am misprocessing it), I will
include it in the utility
Feel free to download the utility if only to better understand how it all
works!
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
----- Original Message -----
From: "Steve Rochford" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, January 06, 2006 4:54 AM
Subject: RE: [ActiveDir] Duplicate application of group policy
I'm glad that you say loopback shouldn't cause this - I was sure I'd
used something like this successfully before!
I've now put a copy of the complete results of gpresult /v and
userenv.log on http://195.194.12.22/data/gp.htm (they're a bit big to
email to the list!)
I've tried looking at userenv.log files before and while I can
understand some of what's going on, I can't really see what's going
wrong!
I've loaded the syspro Policy Log Viewer
(http://www.sysprosoft.com/policyreporter.shtml) which you mention on
your website. On the Performance History tab it says "Via Loopback" next
to the policies which are being duplicated.
Not sure where this gets me but it's now time for me to go home (and
brave the snow which has just started falling in London!)
Steve
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 04 January 2006 18:14
To: [email protected]
Subject: RE: [ActiveDir] Duplicate application of group policy
John-
I don't doubt this is the behavior you're seeing, but loopback *should*
not cause this. At least not given the way its *supposed* to work. So,
that is why a userenv log would be very interesting here. My guess is
that even though Gpresult is showing it as running twice, the given GPO
is really only being processed once. I will also try to test this on my
end to see if I can discover what's up.
Darren
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, January 04, 2006 9:57 AM
To: [email protected]
Subject: RE: [ActiveDir] Duplicate application of group policy
Not to doubt your expertise Darren, but we use a worksation loopback
here for the screen saver. Not my idea, but in our situation, it is
easier to figure out machines that need to be exempt, rather than users.
They could run a certain test for weeks on one pc, but on their
administrative pc, the screen saver is OK, and required. RSOP certainly
shows the domain policies being run twice. Might be because of "merge"
mode, never really bothered into looking into the mechanics. I also
fool around with my local policy to test a setting here and there, and
it also shows that as being run twice in certain situations. We even
use site policies, and they show being run twice, and that's done before
the domain.
Certainly he should turn on the logging as you say, but Steve's
situation sounds very familiar to me.
Thanks,
John
"Darren Mar-Elia"
<[EMAIL PROTECTED]
uest.com>
To
Sent by: <[email protected]>
[EMAIL PROTECTED]
cc
ail.activedir.org
Subject
RE: [ActiveDir] Duplicate
01/04/2006 11:09 application of group policy
AM
Please respond to
[EMAIL PROTECTED]
tivedir.org
Steve-
In this situation, I would enable verbose userenv logging and see if you
can track down what is actually happening during the processing cycle. I
am kinda doubting that loopback would cause things like the local GPO or
Default Domain Policy from processing twice, because these should be
processing well before you OU-based loopback policies kick in.
Darren
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, January 04, 2006 7:50 AM
To: [email protected]
Subject: RE: [ActiveDir] Duplicate application of group policy
Hi Steve...
That's about the only way to apply user settings to computers, using the
loopback.
Not sure of your OU structure, if you had your users seperated, you
could apply the actual user policies (loginscripts etc.) at the "user
OU" level.
As long as that was a different "scope" it would eliminate them trying
to run the scripts twice, which is where I would expect these things to
hang some. Or even generate errors, if trying to remap an already
mapped drive.
Not sure if I"m explaining it clearly enough?
John
"Steve Rochford"
<[EMAIL PROTECTED]
nwl.ac.uk>
To
Sent by: <[email protected]>
[EMAIL PROTECTED]
cc
ail.activedir.org
Subject
RE: [ActiveDir] Duplicate
01/04/2006 09:12 application of group policy
AM
Please respond to
[EMAIL PROTECTED]
tivedir.org
Thanks; I spotted that proxy_isa was only once but John's other message
about loopback makes me start thinking that this is very relevant.
The proxy_isa just sets a particular OU to use an ISA server as proxy
(rather than Squid - we have some software which won't work with ISA so
a couple of OUs link to a GPO called ISA_Squid which points them at the
Squid proxy server).
The policy is applied to a group of machines (because it's particular
rooms which need the proxy set like this rather than particular people)
but loopback processing is set because the proxy settings themselves are
user specific rather than machine specific.
I'm sure I've used loopback processing for actually this sort of thing
before but I'd guess I'm doing something wrong! I've tried to copy the
settings screen from the proxy_isa GPO below - is this where I should be
looking or could something else be wrong?
If necessary, I can remove the GPO and just use the login script to set
proxy settings - there was just a "nice" feel to doing things with the
GPO
Steve
Computer Configuration (Enabled) Administrative Templates System/Group
Policy
Policy Setting
Enabled
Mode: Merge
User Configuration (Enabled) Windows Settings Internet Explorer
Maintenance Connection/Proxy Settings Enable proxy settings
Protocol Server Port
HTTP witproxy 8080
Secure witproxy 8080
FTP witproxy 8080
Gopher witproxy 8080
Socks witproxy 8080
Exceptions: Do not use proxy server for addresses beginning with
www.student.cnwl.ac.uk, moodle.student.cnwl.ac.uk,
learnwise.student.cnwl.ac.uk, wstud3.student.cnwl.ac.uk,
mail.student.cnwl.ac.uk, Do not use proxy server for local (intranet)
addresses Enabled
________________________________
From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Wed 04/01/2006 14:16
To: [email protected]
Subject: Re: [ActiveDir] Duplicate application of group policy
Steve, it looks like, from that list that you're not applying all GPO's
twice. Some are and some aren't. That seems to me like it would be a
configuration issue.
allpcs
Proxy_ISA <-----applied once
Default Domain Policy <----- applied twice
LogonLogoffScripts
Local Group Policy
Default Domain Policy
LogonLogoffScripts
Local Group Policy
Some things to look for:
Check to see what the GPO's are linked to.
Look over recent changes to see if any of them could have affected this
behavior.
Verify that the slow logon is due to the application of group policy.
You may have something else going on.
Al
On 1/4/06, Steve Rochford <[EMAIL PROTECTED]> wrote:
Most group policy objects are being applied twice - what do
I need to look for to fix this?
Running gpresult /v shows that they're being picked up
twice - eg the the start of the user section is shown below.
There is only one link for each policy object but there's
obviously something I'm missing. All the policies are working but it's
causing problems because logging on takes twice as long and the user
login script (set in the "logonlogoffscripts" group policy) runs twice.
Steve
USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=student,DC=cnwl,DC=ac,DC=uk
Last time Group Policy was applied: 04/01/2006 at
08:23:52
Group Policy was applied from:
pstud1.student.cnwl.ac.uk
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
allpcs
Proxy_ISA
Default Domain Policy
LogonLogoffScripts
Local Group Policy
Default Domain Policy
LogonLogoffScripts
Local Group Policy
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
[attachment "winmail.dat" deleted by John P
Salemi/CedarRapids/RockwellCollins]
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
