Group Policy Troubleshooting

The following points should be taken into consideration while troubleshooting Group Policy. These are the common ones:

Group Policy settings are applied only when the user account or computer account (leaf objects) is in the same container where the GPO is applied.

Leaf objects or groups must have “Read” and “Apply Group Policy” permissions assigned to them.

Make sure you and the users have proper permissions on the SYSVOL folder.

Make sure the SYSVOL folder is shared properly (type net view \\ip_of_dc from a client machine or server).

Group Policy Objects may not be processed if Client-Side Extensions (CSEs) are missing on the client machine or the DLLs used to process GPOs are corrupted. You can find the CSEs at the following registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Make sure the NetBIOS Helper service is running on the server, using the services.msc snap-in.

Make sure you haven’t enabled the *No Override* option on parent GPOs if you’re using one. Check this in the Default Domain GPO.

For permissions, you should have the following set for each object:

Remove the *Authenticated Users* group from the list of objects on the Security tab.

Sales Dept should have “Read” and “Apply Group Policy” permissions.

Administrators, Enterprise Administrators and Domain Administrators should be set to “Deny Apply Group Policy”.

Finally, you can troubleshoot Group Policy either by using GPMC (RSoP) or by enabling User Environment Debugging on one of your client machines and then finding the culprit.

How to enable User Profile Debugging:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833
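
Three of the checks listed above (CSE DLLs present, SYSVOL share reachable, NetBIOS Helper running) can be scripted. This is an added example, not part of the original article; the function name and dc01.example.com are placeholders, the service is checked on the machine the script runs on, and a bare DLL name is assumed to live in System32.

```powershell
function Test-GpClientPrereqs {
    param([string]$DomainController = 'dc01.example.com')  # placeholder name

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Client-side extensions: every subkey of GPExtensions is one CSE, and
    #    its DllName value names the DLL that processes that part of a GPO.
    $cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
    foreach ($cse in Get-ChildItem -Path $cseKey) {
        $dll = $cse.GetValue('DllName')   # REG_EXPAND_SZ values come back expanded
        if (-not $dll) {
            $findings.Add("CSE $($cse.PSChildName): no DllName value")
            continue
        }
        # Assumption: a bare file name refers to a DLL in System32.
        if (-not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        if (-not (Test-Path -LiteralPath $dll)) {
            $findings.Add("CSE $($cse.PSChildName): DLL not found: $dll")
        }
    }

    # 2. SYSVOL share reachable from this machine with the current credentials.
    if (-not (Test-Path -LiteralPath "\\$DomainController\SYSVOL")) {
        $findings.Add("Cannot reach \\$DomainController\SYSVOL")
    }

    # 3. TCP/IP NetBIOS Helper (service name lmhosts) running on this machine.
    $svc = Get-Service -Name lmhosts -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings.Add('TCP/IP NetBIOS Helper (lmhosts) is not running')
    }

    $findings   # empty output means all three checks passed
}

Test-GpClientPrereqs -DomainController 'dc01.example.com'
```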

How to manually create Default Domain GPOs

There is a way to create the Default Domain GPO manually. Two GPOs are created when you promote a member computer or a stand-alone server to a domain controller.

These two GPOs are:

  • Default Domain Group Policy
  • Default Domain Controller Group Policy.

These GPOs are stored in the SYSVOL folder. The Netlogon service creates two permanent GUIDs for these two GPOs under the SYSVOL folder:

          \Windows\SYSVOL\sysvol\domain.com\policies\GUID

Domain Default GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}

Domain Controller Default GPO GUID {31B2F210-016D-11D2-945F-00C04FB981F1}

Windows identifies the default domain policies by their GUIDs located in the SYSVOL folder. These GUIDs are unique to the Default Domain Policy and Default Domain Controller Policy created by default.

You can use the following steps to create the Default GPOs manually:

1. Open ADUC

2. Right click on Domain_name.com > Property

3. Switch to Group Policy tab

4. Create a policy named “Default Domain Policy”, or you can rename it if you want. AD tools query the default domain policies by their GUIDs located in the SYSVOL folder, not by name.

5. Click this GPO > Property > note down the GUID of the GPO you created.

6. Go to the SYSVOL folder and change the GUID to that of the Default Domain Policy or Default Domain Controller Policy.

7. Next you need to use a small script using ADSI to set this unique GUID into the GPC of this policy in the AD database. You can also edit the Schema manually to do so.

You can also use ADSI Edit to create the GUID in the GPC.

Here are some articles that you can use to troubleshoot Group Policy:

Troubleshooting Group Policy issues in Windows
http://www.microsoft.com/technet/community/columns/profwin/pw0502.mspx
How to reset security settings in GPO
http://support.microsoft.com/?kbid=226243
Scripting GPO
http://www.windowsitpro.com/Article/ArticleID/40231/40231.html?Ad=1

Using Dcgpofix.exe:

You can also use Dcgpofix.exe to restore Default GPO.

Have a look here for Dcgpofix.exe:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/48872034-1907-4149-b6aa-9788d38209d2.mspx

The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state

http://support.microsoft.com/?KBID=833783
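
After a manual rebuild or a Dcgpofix restore, every GPC object in AD should have a SYSVOL folder named with the same GUID, and the reverse. The following read-only check is an added example, not part of the original article; it assumes a domain-joined machine, the standard \\domain\SYSVOL\domain\Policies layout, and PowerShell 5 or later.

```powershell
# Added example (read-only): compare GPC objects in AD with GPT folders in SYSVOL.
$domain     = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$policyRoot = "\\$domain\SYSVOL\$domain\Policies"

# GPC side: groupPolicyContainer objects; cn holds the GUID in braces.
$searcher = [adsisearcher]'(objectClass=groupPolicyContainer)'
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]('cn', 'displayName', 'gPCFileSysPath'))
$gpc = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        Guid = [string]($r.Properties['cn'] | Select-Object -First 1)
        Name = [string]($r.Properties['displayname'] | Select-Object -First 1)
        Path = [string]($r.Properties['gpcfilesyspath'] | Select-Object -First 1)
    }
}

# GPT side: one folder per GPO, named with the same GUID.
$gpt = Get-ChildItem -LiteralPath $policyRoot -Directory |
    Where-Object { $_.Name -like '{*}' }

# GPC objects whose SYSVOL half is missing or whose stored path names another GUID.
$report = foreach ($g in $gpc) {
    $folder = Join-Path $policyRoot $g.Guid
    [pscustomobject]@{
        Guid          = $g.Guid
        Name          = $g.Name
        GptFolder     = Test-Path -LiteralPath $folder
        GptIni        = Test-Path -LiteralPath (Join-Path $folder 'gpt.ini')
        PathMatchesCn = $g.Path -like "*\$($g.Guid)"
    }
}
$report | Where-Object { -not ($_.GptFolder -and $_.GptIni -and $_.PathMatchesCn) } |
    Format-Table -AutoSize

# SYSVOL folders with no GPC object behind them (for example, a renamed folder
# whose GUID was never written to AD).
$gpt | Where-Object { $gpc.Guid -notcontains $_.Name } |
    Select-Object @{ n = 'OrphanFolder'; e = { $_.FullName } }
```

No output from either query means the two halves agree.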

Problem with Customized MSI Files.

Title of Article

Problem with manually configured MSI files.

Description

This article explains the problem with deploying customized MSI files through the Group Policy – Software Installation snap-in.

Symptom

You may need to create a customized MSI for your configuration or application, or the vendor of an application may supply a customized MSI to deploy application updates. The MSI works correctly when you double-click and install it on the local machine, but you may get an error when you deploy it using the Group Policy – Software Installation snap-in. When you open the MSI log you will see the following errors:

MSI (s) (70:78) [08:38:54:515]: Executing op: ActionStart(Name=_341744F6_503A_48FB_AB56_E563AB3D8D89.install,,)
MSI (s) (70:78) [08:38:54:515]: Executing op: CustomActionSchedule(Action=_341744F6_503A_48FB_AB56_E563AB3D8D89.install,ActionType=1025,Source=BinaryData,Target=ManagedInstall,CustomActionData=/installtype=notransaction /action=install /LogFile= /targetdir="C:\Program Files\xxxxx\Browser\\" /sourcedir="\" "C:\Program Files\xxxxx\Browser\rowser.exe" "C:\WINNT\TEMP\CFG2.tmp")
MSI (s) (70:F0) [08:38:54:562]: Invoking remote custom action. DLL: C:\WINNT\Installer\MSI6.tmp, Entrypoint: ManagedInstall
MSI (s) (70!F4) [08:39:00:406]: Note: 1: 2262 2: Error 3: -2147287038
MSI (s) (70!F4) [08:39:00:406]: Note: 1: 2262 2: Error 3: -2147287038
MSI (s) (70!F4) [08:39:00:437]:
MSI (s) (70:F0) [08:39:00:453]: Leaked MSIHANDLE (12) of type 790531 for thread 1268
MSI (s) (70:F0) [08:39:00:453]: Note: 1: 2769 2: _341744F6_503A_48FB_AB56_E563AB3D8D89.install 3: 1
MSI (s) (70:F0) [08:39:00:453]: Note: 1: 2262 2: Error 3: -2147287038
Error 1001. Exception occurred while initializing the installation:
System.IO.FileNotFoundException: File or assembly name Browser.exe, or one of its dependencies, was not found..
DEBUG: Error 2769:  Custom Action _341744F6_503A_48FB_AB56_E563AB3D8D89.install did not close 1 MSIHANDLEs.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2769. The arguments are: _341744F6_503A_48FB_AB56_E563AB3D8D89.install, 1,
MSI (s) (70:78) [08:39:00:468]: User policy value 'DisableRollback' is 0
MSI (s) (70:78) [08:39:00:468]: Machine policy value 'DisableRollback' is 0
Action ended 08:39:00: InstallFinalize. Return value 3.
MSI (s) (70:78) [08:39:00:468]: Executing op: Header(Signature=1397708873,Version=301,Timestamp=881018074,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (70:78) [08:39:00:468]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (70:78) [08:39:00:468]: Executing op: DialogInfo(Type=1,Argument=xxxxx Browser)
MSI (s) (70:78) [08:39:00:468]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
MSI (s) (70:78) [08:39:00:468]: Executing op: ActionStart(Name=_341744F6_503A_48FB_AB56_E563AB3D8D89.install,,)
MSI (s) (70:78) [08:39:00:484]: Executing op: ProductInfo(ProductKey={B9F52B16-7040-4DA8-9D05-D6C366B468F2},ProductName= xxxxx Browser,PackageName=Browser.msi,Language=1033,Version=16842759,Assignment=1,ObsoleteArg=0,ProductIcon=_bb32ea6.exe,,PackageCode={737A9C67-474C-4C8F-BC8E-5FE44A26BACA},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0)
MSI (s) (70:78) [08:39:00:484]: Executing op: ActionStart(Name=CreateShortcuts,Description=Creating shortcuts,Template=Shortcut: [1])
MSI (s) (70:78) [08:39:00:484]: Executing op: SetTargetFolder(Folder=23\xxxxx\)
MSI (s) (70:78) [08:39:00:484]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
MSI (s) (70:78) [08:39:00:484]: Executing op: SetTargetFolder(Folder=25)
MSI (s) (70:78) [08:39:00:484]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
MSI (s) (70:78) [08:39:00:484]: Executing op: SetTargetFolder(Folder=23\xxxxx\)

The following event will also be logged:

Event Type:     Error
Event Source:     MsiInstaller
Event Category:     None
Event ID:     11001
Date:          03/04/2006
Time:          08:39:00
User:          NT AUTHORITY\SYSTEM
Computer:     WD-UKSPARE6
Description:
The description for Event ID ( 11001 ) in Source ( MsiInstaller ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: Product: xxxxx Browser — Error 1001. Exception occurred while initializing the installation:
System.IO.FileNotFoundException: File or assembly name Browser.exe, or one of its dependencies, was not found.., (NULL), (NULL), (NULL).
Data:
0000: 7b 42 39 46 35 32 42 31   {B9F52B1
0008: 36 2d 37 30 34 30 2d 34   6-7040-4
0010: 44 41 38 2d 39 44 30 35   DA8-9D05
0018: 2d 44 36 43 33 36 36 42   -D6C366B
0020: 34 36 38 46 32 7d         468F2}  

Cause

This happens for the following reasons:

1. The Winlogon service returns NULL at the time of processing the GPO and its applications (MSI). NULL is returned only when no value is returned to a variable assigned in programming or while customizing the MSI file. This variable could also be a UNC path pointing to the current machine where the MSI is being processed. MSI uses UNC and the %computername% variable to find the name of the machine where it is currently being processed.

2. It also happens when variables used in the customized MSI point to a local directory on the computer where the MSI is being processed. For example, in the error above, browser.exe couldn’t be located by the MSI Installer service because it points to a local path.

Resolution

Make sure the MSI is configured with the proper variables and settings, and when receiving a customized MSI from a vendor, make sure that it can be deployed using the Group Policy – Software Installation snap-in.
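
To triage a log like the one above before contacting the vendor, the script below pulls out the failing custom action, the exception, and every drive-letter path passed in CustomActionData. It is an added example, not part of the original article; the function name is hypothetical and the sample lines are copied, shortened, from the log shown above.

```powershell
function Get-MsiCustomActionFailure {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$LogLine)

    $paths  = [System.Collections.Generic.List[string]]::new()
    $action = $null; $exception = $null; $failedAt = $null

    foreach ($line in $LogLine) {
        if ($line -match 'CustomActionSchedule\(Action=([^,]+),') { $action = $Matches[1] }
        if ($line -match 'CustomActionData=(.*)$') {
            # Drive-letter paths are resolved on the machine running the install,
            # in the context of the installer service, not on the packaging machine.
            foreach ($m in [regex]::Matches($Matches[1], '[A-Za-z]:\\[^"]+')) {
                $paths.Add($m.Value)
            }
        }
        if ($line -match '^System\.[\w.]+Exception: .+$') { $exception = $Matches[0] }
        # "Return value 3" marks the action at which the installation failed.
        if ($line -match '^Action ended [\d:]+: (\w+)\. Return value 3\.') { $failedAt = $Matches[1] }
    }

    [pscustomobject]@{
        CustomAction = $action
        FailedAction = $failedAt
        Exception    = $exception
        LocalPaths   = $paths.ToArray()
    }
}

# Sample input: lines shortened from the log in this article.
$sample = @'
MSI (s) (70:78) [08:38:54:515]: Executing op: CustomActionSchedule(Action=_341744F6_503A_48FB_AB56_E563AB3D8D89.install,ActionType=1025,Source=BinaryData,Target=ManagedInstall,CustomActionData=/installtype=notransaction /action=install /LogFile= /targetdir="C:\Program Files\xxxxx\Browser\\" "C:\WINNT\TEMP\CFG2.tmp")
Error 1001. Exception occurred while initializing the installation:
System.IO.FileNotFoundException: File or assembly name Browser.exe, or one of its dependencies, was not found..
Action ended 08:39:00: InstallFinalize. Return value 3.
'@ -split '\r?\n'

Get-MsiCustomActionFailure -LogLine $sample | Format-List
```

For a real log, pass the output of Get-Content on the log file as -LogLine; any entry under LocalPaths is a path to confirm exists on the target computer at install time.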

More Information

Please visit

Group Policy:

http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx