Trouble Assigning Group Policies

[Buratti]

Hello all. I am in the beginning stages of learning Server 2008 R2. Everything I have learned already is just from internet tutorials and youtube videos, so bear with me a little here. I have set up Server 2008 R2 on a virtual machine and also created 2 virtual XP pro machines to simulate my small office where I plan on actually using Server for real (once I learn enough). I have already installed and set up the following roles and features: AD DS, DNS, DHCP, Remote Desktop, IIS, and Application Server. I have created one OU and added all my users to that OU. So what I am having trouble with is assigning group policies well several different types of group policies...

 

The first, really simple policy I am having trouble with is setting a default desktop background. I created the GPO and set it to display the gone fishing.bmp background (doesn't matter which one, i just used that one to test). I linked it to my domain, and added all domain users to the policy. Upon logging on to an XP machine, the selected background does NOT display. If I try to change the background manually, the properties box says the gone fishing background is already selected, and I am locked from changing it, as the policy controls, but it just isn't displaying. I get the same results with other standard .bmp or .jpg backgrounds.

 

The second more important problem is as follows. I gave up on the background policy and moved onto something more complicated. I am trying to deploy an application using RemoteApp. Using the RemoteApp manager I used the RemoteApp wizard to add the Paint app (again just a random easy testing app). I then created a Windows Installer Package for that app selecting the options to create shortcut on desktop AND start menu. I then proceeded to create a new group policy. I edited the policy and under User Config->Policies->Software settings, I added the package created in last step using the network location (not local) and set it to Assigned. I assigned all domain users to the policy, did a gpupdate /force and then logged on to an XP machine. The way the policy was set up, it should have installed the package opon login, adding a shortcut to the desktop and start menu, but did not! I tried logging on as several different users including Admin, but all with the same results. If I go into the Add Remove Programs, the app is listed as installed, but there is no way of opening it (ie. not on the desktop, start menu, and cannot find a shortcut for it anywhere on the computer.

To go one step further, if I physically copy the installer package over to the XP machine and double click it to run locally, it does install, creating the correct shortcuts, etc., but whenever I try to open it, it asks for a user/password (as is should I think) but no matter what user/pass i give (even admin) it says incorrect. And I cannot get around this problem.

 

Now, not to ramble on and make this too long, but I was playing around trying to get it to work and noticed the following. In Group Policy management, under Group Policy Modeling, I created a new model based on the OU all my users are in. When opened, under the User Config Summary->Group Policy Objects->Denied GPO's, all of my Group policies that I created are listed here. Under "Reason Denied" they all say "Access Denied (Security Filtering), and none are displayed under the Applied GPO's heading.

So any suggestions on what I can be doing wrong and how to get these policies working correctly? Thank you for any help you may give.

[ICTCity]

Hi there,

 

Before reading the last sentence I had many ideas, but now you must solve the biggest problem: ACCESS DENIED.

 

First of all under GROUP POLICY MANAGEMENT (from domain controller), create a "NEW RESULTANT POLICY" from GROUP POLICY RESULTS. You must select a computer (a remote computer) and a user. After a while you have a result which tells you which policy has been applied and which has not been applied (denied policy).

 

Here you can see if there are any other policy which are not applied correctly.

 

The next step is:

 

Open Group Policy management mmc, select the OU where the policy is applied, select the policy. On the right side, there are 4 tabs, select the last one (I think is DELEGATION), on the right corner (bottom), click ADVANCED. On the next windows, click ADVANCED again and add a new user (the user or group you want to allow), now check the box "APPLY GROUP POLICY" and everything related to "READ" (it should be already ok).

[Buratti]

Thank you for your prompt response. Unfortunatelly trouble already...

"First of all under GROUP POLICY MANAGEMENT (from domain controller), create a "NEW RESULTANT POLICY" from GROUP POLICY RESULTS. You must select a computer (a remote computer) and a user. After a while you have a result which tells you which policy has been applied and which has not been applied (denied policy).

"

I have a problem from the start trying this. I went to Group Policy Management, right clicked "Group Policy Results" selected "Group Policy Results Wizard" (assuming that is what you meant by "New Resulant Policy"). in the wizard, I selected "another Computer" then Browse. I selected one of the 2 VM's on the domain and clicked next, but then recieved the error: "Failed to connect to MyDomain/JoeXP1 due to the error listed below. Ensure that the Windows Management Instrumentation (WMI) service is enabled an the target computer, and consult the event log of the target computer for further details. Details: The RPC server is unavailable." I procedded to the target PC and started the WMI service and anything related to RPC and tried again, but still the same error.

 

After that error I tried step 2 of your suggestion. I got to the part where I selected the policy->Deligation->Advanced->Advnaced->Add, then selected a specific user. I could not originally find the check box "APPLY GROUP POLICY", but then found it at the very bottom of the list. I checked it and everything related to "read" as you suggested, applied and closed all, ran GPupdate again, tried logging on with the specific user selected in last step but still no progress. Anything you see that I am doing worng?

[ICTCity]

Check the DC's LOG AND client's LOG to see any error / warning regarding policies. It looks like there's a compatibility issue...

 

those events are triggered at user logon.

[Buratti]

Ok, I must be doing something really wrong or missing something big here, because I checked the client log (BTW by log you mean event viewer right?), and I had no warnings or errors, but several informational events. Those information events are quite interesting though. A few to note are: "Type: Information, Source Application Management, Description: The assignment of application WordPad from policy Install Software succeeded." and "Type: information, Source: Application Manager, Description: Changes to software installation settings were applied successfully".

Now my own interpretation of those logs says that the package I am trying to install succeeded successfully, however, I still do not have any links, shortcuts, or other means of opening those applications. i checked the event viewer on the server and although I did not know exactly where to look for errors, i did browse through and didn't find many errors/warnings. Of the few I did, they had nothing to do with the problem i am having.

 

After modifying the policy like you stated in step 2 of your first post, i deleted and created a new Group Policy Model and finally, a little good news, The policy in question here is no longer listed under the Denied GPO's and is now listed in the Applied GPO's (although all my other policies are still under the denied section).

 

Now I am just totally lost. According to the event viewer on the client and Model on the server everything "should" be working just fine, but it isn't! any other suggestions?

[Buratti]

Ok, so a quick update. I got one step closer to it working. What I originally did was when i created the policy, when adding the application there was an option for assigned, published, or advanced. I chose assigned. After troubleshooting I found if I selected advanced (or right click the already set up app and select properties and the deployment tab) there is an option to install at logon. After modifying this policy to include the "install at logon" checkmark, upon logon on the client, the application installed correctly. YAY!!!

 

I am still having problems though. Upon opening the app, it asks for my password, but rejects (well not rejects but says incorect) the username/password every time. No matter what user/pass I provide, even admin credentials. Now what is the next step to fix this?

 

Also just out of curiosity, from what I understand, the purpose of assigning an app in a group policy is to install it automatically, and publish is to let the user install at their own will. So if I assigned it, why would I still need to check the "install at logon" box? Isn't that really the purpose of this policy in the first place? Just confused on that one.

[ICTCity]

You have to provide password for every application installed via GP?

 

Regarding your last question it should be like this: "install at next logon" can create shortcuts because the GPO know WHICH user need the application and can actually put the link. If not, the software will be installed for computer not for a specific user. It's quite confusing... but it's microsoft :P

[Buratti]

"You have to provide password for every application installed via GP?"

 

Yeah its asking me for a password to open the software. In case you misuderstood, I am not deploying the full software to be installed on the client computer, but rather using the the RemoteApp service (formerly Terminal Service) to run the app from the server. I got the app "installed" (in quotes because its not really fully installing the app but rather installing links or whaterver client side files that are needed to run that app remotely) correctly, but when opening it asks for my credentials to connect to the remote computer (the server is this case). I enter them, but it says the username or password is incorrect.[ATTACH]113.IPB[/ATTACH] I click Ok and I see a window that looks like a computer login screen: [ATTACH]112.IPB[/ATTACH]

 

I did not set up any certificates for the user/app because this is just testing purposes and security is not a factor right now, plus I have never worked with them to even know how to make one, etc. So I dont know maybe this could be the problem. Another quick thought is that maybe the actual location on the server where the app resides has to be shared??? But then I wouldn't I just get an access denied response rather that incorrect user/password.

 

Thanks for your help up to here by the way, but any other suggestions?

[ICTCity]

So, here we go :)

 

RemoteApp is a role of server 2008 and is completely different from installing a software via GP :)

 

I suggest you to read this article:

 

http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx

 

Specially from the middle.

 

In our environment we had this scenario, but after months we moved to terminal services, users log on via RDP to the application server and they can access what they want. Of course you can manage this and the most interesting thing is that you can easily update programs, you must do it in just one server and not deploy an update to the clients.

[Buratti]

So, here we go :)

 

RemoteApp is a role of server 2008 and is completely different from installing a software via GP :)

 

Yes. In the beginning I was having a problem deploying my .msi package using a GP, but we got around that and the GP has done its job. Not I am having a problem the RemoteApp.

 

I suggest you to read this article:

 

http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx

 

Specially from the middle.

 

In our environment we had this scenario, but after months we moved to terminal services, users log on via RDP to the application server and they can access what they want. Of course you can manage this and the most interesting thing is that you can easily update programs, you must do it in just one server and not deploy an update to the clients.

I have already done mostly everything that article states but still no progress. I did not read word for word though, I just skimmed through it as I was remembering already doing the step I was reading. Here is some more information that may or may not help in figuring a solution to my problem:

 

1. My remote Desktop service (role) ( formerly Terminal Services) is running on the same server as my Active Directory. As a matter of fact I only have 1 server in my testing environment. From the Youtube video I watched to learn how to originally set up Remote Desktop, they set up and recommended installing RD on a different server, however they did say it can work on the same one. Maybe there is an issue here???

2. I can connect to the RD web access via Internet Explorer, it asks for my credentials, accepts them, and displays all of the available remote apps to use. Which ever one I select though, it opens the RemoteApp window and tries to connect asking for User/Password again, but then says Incorrect User/Pass just like before.

3. I can SUCESSFULLY access the remote desktop of the server or any other machine from a client machine. I can accomplish this both through Start->Programs...Remote Desktop Connection, and also through RD web access like stated above. I just click the Remote Desktop link, it asks me what computer to connect to, then it displays the remote desktop at the logon screen of that computer. I enter my, or any user credentials and it connects just fine.

4. Just to try it out, In Active Directory Users and Computers, in the Built In folder, I right clicked->properties for the Remote Desktop users. In the Members tab I added each user individually as well as each computer in the domain. i haven't heard anything about doing so in my own research, but I figured it would seem logical to do so since I have followed everything else step by step with no success.

 

Not to be repetitive, but Anything Else???

[Buratti]

GOT IT!!! I knew it had to be something simple that I overlooked from the begining. When it was asking for my username and password, I was assuming that I did NOT need to specify the domain due to it already stating the domain I am trying to connect to (ie. it asked "please enter the username and password for RGB.net") so I just entered the username and password and got an invalid user/pass response. If I entered the username in the domain\username format, low and behold IT WORKS!!! The proformance is slow though, even for such a simple app like wordpad. It could be due to my physical computer running 3 VM's at the same time though. at least it's working

 

I thank you for all your help in trying to fix my issue.

 

I dont want to continue on with different questions in the same post once the previous question is solved, but one last question... To go back on a completely different issue, remember in my first original post I mentioned that i set a GP to set a default desktop background and it wasn't displaying correctly? All the client settings were applied as they should, and according the the display properties the desktop background was set for what the GP said, but the desktop just wasn't actually displaying what it should be, instead it was just the default blue background. Any suggestions on this or do you think i should start a new post for this issue?

[ICTCity]

I didn't tell you to specify the domain because from your picture there was the word "SERVER\UserName" so I tought that SERVER was your domain...

 

Anyway, take a look here:

http://support.microsoft.com/kb/977944/en-us

[Buratti]

Well "server" is the name of my server that is running Active directory. My Domain is RGB.net. I just quickly saw the format .../username and wrongly assumed it was correct.

 

Thanks for the link again, but I already saw that one. It seems like that applies to windows 7 client and I am running xp Pro clients. It's no big deal though. Its not like I will be using that GP in my real network anyway. I was just testing/learning how to user Server 2008 and I'm the type of person that if something isn't working the way it should be, I go crazy until i figure out why its not, and I cant rest till its fixed.

 

If you feel like helping further thats great, but if you need to move on to help other people go ahead and do so.

[ICTCity]

Assuming you are not trying to connect via RDP (TS), check this:

 

http://www.grouppolicy.biz/2011/03/best-practice-using-group-policy-to-configure-desktop-wallpaper-background/

 

The only thing is that you are trying to connect via terminal server, and this policy cannot be applied correctly.

[Buratti]

Thats probably the problem with asking several different questions in the same post. I am fininshed working with RDP and Terminal Server for the momnet and this problem. This is just a simple GP that is applied to a client computer and its not working correctly. I checked out that link and learned a few simple things from it, but unfortunatelly its still not working.

First off, I thought maybe the entire GP was not being applied for whatever reason, so I added a random setting to restrict Control Panel access and tried again, and that setting applied correctly. So now I know the GP IS being applied to the user(s)correctly.

2.After setting the Desktop Background GP setting, I logged on to a client computer and checked the Registry. According to your link, all this GP setting does is change the registry. The setting was present and correct for the desktop to be displayed, however it just displayed a solid blue background (the .bmp file I amm trying to set it to DOES exist by the way). I go to control panel->background, and the preview is displaying the background and I am locked from changing it as the GP controls.

3. If I use method 2 in your link and use Group Policy Preferences Registry Key Wallpaper Configuration, it just doesn't set any of the values into the registry that I select.

4. If I manually edit the registry on the client machine I get "some" results... If I edit the HKCU\Control Panel\Desktop\Wallpaper key, I can see the correct background at next login. If I edit the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper key, I get the same results as when I try to appply the desktop background policy as stated above.

 

If I could just get the GP registry editor to correctly enter a key in in HKCU\Control Panel\Desktop\Wallpaper it should work, but then again the simple GP desktop Background I tried in the begining "should work" also.

[ICTCity]

Ohhhh that's lovely!

 

This is a... known bug... since 2009.

 

But luckly this has been fixed with the hotfix that you can find in here: http://support.microsoft.com/kb/977944/en-us (already posted before). THE SADDEST part is that there's no fix for XP machines.

 

You MUST create this key: HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper and set the current path.

 

You can do this with a script:

 

Windows Registry Editor Version 5.00 

[HKEY_CURRENT_USER\Control Panel\Desktop] 
"Wallpaper"=path

[Buratti]

I only have XP machines so the hotfix will not work for me. I have played around with the script and pretty much got it working. I have not yet tested/played around with applying scripts to users via GP or any other means, and I understand there are manny different ways to apply scripts. So which method would you suggest to do so? Just to test this one I entered the script into the User Configuration->Policies->Window Settings->Scripts(Logon) GP. It works, but upon logon it asks if I want to apply the setting to the registry... click yes, says sucessfully entered..., then I have to logoff and back in to see the settings take effect. Which method do you suggest to apply it only once, and have settings take effect before logon?

[ICTCity]

I don't know why setting the registry via GP is not working... that's odd.

 

Now, if you run a script to add registry key, by default it ask for confirmation. To avoid this you can change a key in regedit:

 

HKEY_CLASSES_ROOT\regfile\shell\open\command

 

change the value of DEFAULT to: regedit.exe /s %1?

 

This is really unsecure because each .reg file can be executed silently.

 

To troubleshoot the registry key not applied, take a look here:

http://technet.microsoft.com/en-us/library/cc940322.aspx

 

It's quite easy, from client run gpresult /V and check if there're any "REGISTRY KEY" received.