I was of the understanding that you have to use 802.1x machine based authentication for application deployment (and some other group policy settings) with wireless connected computers, due to the network not being available until after logon. Oddly, this option is not available if I use the Win7 RSAT to connect to my Win2K3 DC.
-- Mike Gill From: John Hornbuckle [mailto:[email protected]] Sent: Wednesday, October 13, 2010 11:24 AM To: NT System Admin Issues Subject: RE: Group Policy Problems Over Wireless I'm 99.9% sure this is a wireless issue, but will get that additional .01% assurance shortly. I have a technician plugging one of the lab machines in to see if the problem goes away. I'd bet money it does. From: Carl Houseman [mailto:[email protected]] Sent: Wednesday, October 13, 2010 2:20 PM To: NT System Admin Issues Subject: RE: Group Policy Problems Over Wireless All things considered, you appear to have a group policy problem unrelated to the wireless, something easily proven by taking a problem machine and connecting it wired. The info you've posted about the event ID's was insufficient for me to research them further. Googling the event ID description text may also be useful. Good luck. Carl From: John Hornbuckle [mailto:[email protected]] Sent: Wednesday, October 13, 2010 1:47 PM To: NT System Admin Issues Subject: RE: Group Policy Problems Over Wireless Yeah, I've done the force. Half a dozen times. Been to that website, too, but have come up empty in terms of resolving this specific issue. I'm just stumped. Oddly, the deployment worked fine on one of the machines in the lab-and they're all ostensibly the same. I say ostensibly because clearly there's something different between the one that worked and the ones that didn't, but I have no clue what. From: Carl Houseman [mailto:[email protected]] Sent: Wednesday, October 13, 2010 1:02 PM To: NT System Admin Issues Subject: RE: Group Policy Problems Over Wireless gpupdate /force Also eventid.net is your friend. Carl From: John Hornbuckle [mailto:[email protected]] Sent: Wednesday, October 13, 2010 12:38 PM To: NT System Admin Issues Subject: RE: Group Policy Problems Over Wireless Gpresult /v shows something odd. Below is an edited version of the results. The "TCHS SMART Sync 2010 Student Computer Assignment Policy" is the policy that pushes down the app. But it only does so to machines that are members of a group called "TCHS SMART Sync 2010 Student Computers." Now, the computer in question (TCHS-115-S02) *is* a member of that group, as confirmed by looking in ADUC. Yet gpresult says it's not. So if the machine doesn't know it's a member of the group, why is it trying to apply the software assignment policy at all? I don't get that. And the assignment is failing with event IDs 101, 102, and 108. Applied Group Policy Objects ----------------------------- TCHS SMART Sync 2010 Student Computer Assignment Policy The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- The computer is a part of the following security groups ------------------------------------------------------- BUILTIN\Administrators Everyone BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users This Organization TCHS-115-S02$ FCS Computers TCHS Admin Policy Computers Domain Computers System Mandatory Level From: Carl Houseman [mailto:[email protected]] Sent: Wednesday, October 13, 2010 11:50 AM To: NT System Admin Issues Subject: RE: Group Policy Problems Over Wireless What are you using for a wireless supplicant (program that configures the SSID etc.)? Windows WZC or something specific to the wireless? Whichever one you are using, turn it off and try the other. Also download and install the latest wireless NIC drivers. All else being OK, generally the "trick" is to use WZC, but as some have indicated, sometimes the vendor utility, assuming it runs as a service, might be OK. I would also disable any wired adapter that may be present. Also make sure your group policies are in effect using gpresult /v - especially the one about always waiting for network. Carl From: John Hornbuckle [mailto:[email protected]] Sent: Wednesday, October 13, 2010 10:26 AM To: NT System Admin Issues Subject: Group Policy Problems Over Wireless Short version: Is there a trick to improving group policy processing when accessing the network wirelessly? Long version: We have a lab with machines that have Broadcom wireless NICs in them. Vista OS, connecting to Server 2008 R2 DC. I'm trying to deploy a piece of software to these machines via Group Policy. I have things setup so that if the machine is a member of a certain group, the software is deployed. Unfortunately, it only worked correctly on one of the machines-on all the rest, the software isn't being deployed. So I connect to any of the machines that didn't get the software, and run gpresult. It doesn't show me that those machines are members of the group that gets the software. But I know they are; I've confirmed in ADUC on the DC. They're just not picking up group membership. Looking at the event log for events that happen around startup, I see things that make me think group policy processing is trying to happen prior to the wireless network being initialized. Things like: Event ID 5719 (There are currently no logon servers available to service the logon request.) Event ID 129 (NtpClient was unable to set a domain peer to use as a time source because of discovery error.) Event ID 1129 (The processing of Group Policy failed because of lack of network connectivity to a domain controller.) Connectivity to the DC is fine once you get the [Ctrl] + [Alt] + [Del] window. You can log in (including as someone who has never logged into the machine before), ping the DC, browse to \\domain\syvol <file:///\\domain\syvol> , and so on. It's just that at that point, group policy processing seems to have given up. My machines aren't figuring out that they've been added to a new group. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
