Group Policy issue


flipper
06-10-2009, 01:02 PM
Watching the 60-640 Server 2008 AD course and one of the group policies is not working.

Now it may be the fact that I am doing this through Virtual PC 2007 and viewing the VM using LogMeIn at my work place, but the desktop screen wallpaper is not coming up correctly.

I applied the policies for the hide appearance, prevent wallpaper, control panel access, etc., but the policy for using our own wallpaper is not showing up.

All the other policies work just fine. I double and triple checked to make sure the share was correct and the names were correct but the dumb policy just won't work.

Is this because I am logging in using VPC 2007 and LogMeIn Free? I will find out tonight but seems odd.

flipper
06-10-2009, 07:00 PM
Ok, here is an update. I am home now and found out that again all the policies work EXCEPT the wallpaper policy. What is interesting is that if I log in under the default administrator acct the new wallpaper shows up. Any other profile it does not.

COACH HELP!!!! This makes no sense. I even went so far in the GP to remove all the rights and mark the admin as full control but remove the check box from apply policy and also added authenticated users but only checked read and apply.

Coach
06-11-2009, 05:27 PM
Well, sounds like a permissions problem, and without standing over your shoulder, it'll be a little difficult for me to see what's missing. Virtualization can cause a little weirdness, but shouldn't be an issue here. Check the following:

1. Make sure that Authorized Users or any User Groups that you may have created have access to the Share that contains the wallpaper. If need be, add Everyone to the Share permissions as a test.
2. Ensure that your GPO that contains the Wallpaper GPO is linked to the OU that contains the users you're using to test with. If you've created a separate folder that contains your Users, you'll need to link the wallpaper GPO to that container.
3. Use the Filter and Filter Options from the View Menu on the All Settings inside of your User-->Administrative Templates to find all settings that have to do with Wallpaper. Make sure that you have all necessary settings turned on.


Try this first, see if there's anything missing.

Your friendly neighborhood instructor,
Coach Culbertson

flipper
06-14-2009, 10:20 PM
I fixed the first issue. I don't know what the issue was; I decided to delete the entire policy and re-apply it, and an hour later it finally took.

HOWEVER, yes there always is a however, I have a new problem. This one I must be doing something wrong.

Ok, so I am installing software via group policy and I even tried Firefox just to make sure it is not the MSI file itself. If I set up a computer policy and set it on the OU for "NYComputers", when starting it says installing FoxIt. It says a little more but goes by way too fast.

Anyhow, it does not install. If I set up a User Policy for the same software or a different MSI file it does not install it. What happens is it puts it in Add/Remove Programs. No, I choose assign, not publish. Here is the kicker. Let's say fine, I want to install manually: it won't let me install it. Says don't have the rights.

I checked the GP again that I had setup earlier and there is nothing that says I can't install. It must be related to the local policy.

FYI I have to use XP not Vista as a Vista OS takes way too much RAM for my laptop.

Oh, not sure if this helps, but this came from the event viewer:

1) Failed to apply changes to software installation settings. Software installation policy application has been delayed until the next logon because an administrator has enabled logon optimization for group policy. The error was : The group policy framework should call the extension in the synchronous foreground policy refresh.

2) The removal of the assignment of application Foxit Reader from policy FoxItInstall failed. The error was : The group policy framework should call the extension in the synchronous foreground policy refresh.

Ed
06-15-2009, 11:31 AM
Hi Flipper,

At first it sounded to me like you may have access and/or permission issues. When deploying software through Group Policy you need to make sure that the clients have both physical access and appropriate permissions to the source files used to install the software.

I'm not sure if that would cause the event log entries that you mentioned. Take a look at the event IDs on those log entries and try to search the Internet for common problems associated with them. Go ahead and post the IDs here if you want me to try to find additional solutions.

Ed

flipper
06-15-2009, 01:35 PM
I seemed to resolve the issue to some degree although it is still puzzling.

1) Turns out there was a permission issue. On my File Server I created a Share called Software. I gave it read only rights to Everyone. This worked. BUT...

2) If I provide authenticated users read or domain users read it does not go through. Very strange. Tonight I am going to publish the programs and see if they can be installed. I created two categories, one called PDF and one called Web Browsers. They may not go through as domain rights may prevent install but they should show up at least and install locally.

3) So again Software now has read only share

4) Created the GP on the computer side and works. I am still confused on why everyone is the only one that works. At least this is a non-production environment. I would rather use authenticated users as it is more secure.

*** One thing to note and hopefully someone has an answer. While the software did install this time, I needed to reboot the computer for the user twice. Not once but twice. This is after I ran a gpupdate and a gpupdate /force

Any clue as to why? Other than that I'm good as I have a pretty good understanding of this stuff

Ed
06-15-2009, 02:28 PM
Hi Flipper,

Glad to hear that you are making progress with this. It sounds like you still have permission issues related to your domain. I would need to look into this further, but I think part of the problem is that you are assigning the software to the computer and the computer is not a member of authenticated users or domain users. I use those groups all the time, but have not run into this problem. Keep playing with it. I am sure you will be able to figure it all out.

As far as why you had to reboot...when you assign software to the computer a reboot is always necessary. Gpupdate will not work in this situation. There are only 2 reasons I can think of why you had to reboot twice:

1. The Group Policy may not have propagated to all domain controllers and the computer may have authenticated with one which had not received the update on the first reboot.

2. The software itself may require a reboot in order to complete the installation.

There could be another reason, but that is all I got right now.

Ed
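
A check for the two things discussed in the posts above, the logon-optimization message from the event log and read access to the package share, written as an added example that is not part of the original thread. `FS1` is a placeholder server name; the English group names and PowerShell 2.0 on the client are assumptions.

```powershell
# Added example, run on the XP client (PowerShell 2.0 or later).
# $Server is a placeholder; the thread names only the share ("Software").
param([string]$Server = 'FS1', [string]$Share = 'Software')

# 1. Is synchronous foreground processing enforced ("Always wait for the
#    network at computer startup and logon")? If not, logon optimization can
#    defer software installation to a later startup or logon.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sync = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SyncForegroundPolicy
if ($sync -eq 1) { 'Foreground policy processing: synchronous' }
else             { 'Foreground policy processing: optimized (install may be deferred)' }

# 2. Share-level permissions, read over WMI from the file server.
$rights = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }
# Trustees that include computer accounts (English group names assumed).
# Computer-assigned packages are read at startup with the computer's account.
$coversComputers = 'Everyone', 'Authenticated Users', 'Domain Computers'

$sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                     -ComputerName $Server -Filter "Name='$Share'"
if (-not $sec) { throw "No security descriptor returned for share $Share on $Server" }

$shareAces = foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
    $mask  = [int]$ace.AccessMask           # WMI returns UInt32; table keys are Int32
    $right = $rights[$mask]
    if (-not $right) { $right = '0x{0:X}' -f $mask }
    $type  = 'Allow'
    if ($ace.AceType -eq 1) { $type = 'Deny' }
    New-Object PSObject -Property @{
        Trustee         = $ace.Trustee.Name
        Right           = $right
        Type            = $type
        CoversComputers = $coversComputers -contains $ace.Trustee.Name
    }
}

# 3. NTFS permissions on the share root (both layers must allow read).
$ntfsAces = (Get-Acl -Path "\\$Server\$Share").Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

'--- Share permissions ---'; $shareAces | Format-Table Trustee, Right, Type, CoversComputers -AutoSize
'--- NTFS permissions ---';  $ntfsAces  | Format-Table -AutoSize
if (-not ($shareAces | Where-Object { $_.CoversComputers -and $_.Type -eq 'Allow' })) {
    'No share ACE grants access to computer accounts.'
}
```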

flipper
06-16-2009, 11:35 AM
Ed:

I double checked and the accts for the GP do have auth user rights so not sure what the issue is. No big deal I guess since it is not in production but would be nice to find out what is what.

One thing I am finding is this. If I set up the Software GP to be published on the user side, unless I am logged in locally the programs are not showing up in the add/remove section. Is there a policy that I need to turn on or off for this to work? Even if my fake users can't install the software due to local admin rights, how can I make them see it so someone with rights can do a run as and install the apps?

If logged in locally the programs show up. This is on the user side of the policy b/c under the computer policy I can only assign not publish.

Ed
06-16-2009, 12:05 PM
Hi Flipper,

I have to be honest here and say that I am not completely following what you are doing. When you say that you are logging on locally do you mean that you are logging in with a local user account or that you are physically logging in locally at the client computer? It really doesn't make any sense at all to find software published in add/remove programs if you are logged in as a local user because that user shouldn't be affected by group policy.

Overall, it sounds to me like you probably have been playing around quite a bit with this network (very good thing) and there is a good chance that you have something else (somewhat unrelated) affecting the outcome. I have experienced this personally while working in many test environments. The best thing to do if you really want to know how software deployment works with group policy would be to start over with a clean install of the network and see if anything changes. I know that can be a lot of work, but you would be surprised what else could be skewing your results. Once you have more experience with the system you will be able to troubleshoot problems without having to rebuild networks, but many rebuilds are common during the learning process.

Sorry I can't give you a more detailed answer, but without seeing your network it is very difficult to figure out the problem you are having.

Ed

flipper
06-16-2009, 01:29 PM
I'll see if I can be clearer. Essentially the deployment of the software works using group policy and the other policies work. The policies either take forever to propagate even after running the update or other junk like that. Although it seems to eventually kick in after several restarts; typically two or more.

Regarding what I was referring to locally, yes, as a local user on say an XP client station. So for example, if I set up GP on DC1 to deploy say Firefox to all clients’ computers on say CL1-XP, I would set up a Computer GP and do an assign; this is on DC1; this works. If I do the exact same thing but instead of doing a computer GP I do a User GP, yet instead of doing an assign I perform a publish, what should happen is the software should be listed under add/remove programs under CL1-XP. If I log into CL1-XP under a domain acct no software shows up. Again this is for publish under the user GP. Now if I log in locally, meaning not on a domain acct but on a local acct, then the software shows up which I set the policy for.

If this does not make sense don't worry about it. I think I beat this topic like a dead horse and you have been more than helpful. In general I understand how the policies work, and how to deploy them. What I don't understand is why these weird quirks happen when using VM. I generally don't have issues when working with physical computers such as auth users vs. everyone. Just weird things.

Oh well.....thanks again.

Ed
06-16-2009, 01:45 PM
I will completely agree with you on the VM thing. There are many issues which seem to appear in the virtual world that seem to work fine when using real computers.

I completely follow what you are doing, but something out of the ordinary is definitely happening. It could be a VM thing, but I'm not sure.

The only other suggestion I have for you is to become very close friends with the Group Policy Results wizard and the Group Policy Modeling wizard. That is where I would start if I was over there with you trying to figure this out.

Ed

flipper
06-17-2009, 10:15 AM
I'll give that a shot. Thanks again. If I ever take the 70-640 test (and pass it in the next 6 months), your course is next. Actually I already set up DHCP on my test network as I could not stand setting static IPs to each machine. Working good so far...lol