Group Policy Madness
I consider Group Policy to be one of the more accessible administration tools to date. It is quite useful and fairly easy to maneuver, but none of that came into play with my latest GP task.
With the recent expiration of the SP2 download block from Windows Update, it is necessary to know the effects SP2 could have on your user environment. Obviously each user environment differs, but most users will be affected by the default option of turning the Windows Firewall to the On position upon installation of Service Pack 2 for Windows XP. When you have a decent number of users this will push down to, the best option is to block the Firewall with Group Policy.
It is an easy block to administer, but for some reason, still unknown to me, it would not push in my test environment. I would continually receive an Inaccessible error as the Reason Denied when running the Group Policy Results Wizard on the test machines. I checked permissions, recreated the Policy and did an amazing amount of research on the topic. Maybe because SP2 is a fairly new package to distribute Group Policies on, my search results were thin. All the same, after a week of struggling with Inaccessible errors and pounding my head against my monitor, I found a workaround. I say workaround because I do not know the reason behind the fix, so it can't very well be called a solution. Sometimes a workaround is good enough, and you won't always be able to explain why it works. I've found in my line of work that it is perfectly acceptable to say "It works. I don't know why it didn't work to begin with, or why it works now." As long as you have a user working, that is all that matters in the end.
I created a standalone Policy, meaning I didn't tie it to an existing GP. I checked and rechecked the permissions on each Policy User and even the Policy folders on the Domain Controllers. I updated the ADM files to the XP SP2 release and created the Policy on multiple machines. When creating a GP for Windows XP SP2, you must create it from a computer with that exact OS (so the editor picks up the SP2 ADM templates), so I did that as well. None of these produced successful results. An SP2 Windows Update block is also in place, so I checked that Policy to see if it was interfering with the push down of my Firewall block. This is the best explanation I could come up with. I'm not sure if the Windows Update GP was the cause, but after attaching the Firewall block to the existing Windows Update block GP and adding the latest system ADM file, all was working as it should. Hmmmm... well, I couldn't complain as everything was working properly, but I still wonder... why wasn't it working as a standalone GP?
I guess I may never know... but as I said before, sometimes a workaround is all you have.
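As an added illustration (this is not code from the original post, and the author did not use it), here is the client-side check I would run on a test machine while chasing the problem above. The "Windows Firewall: Protect all network connections" setting from the XP SP2 system.adm writes `EnableFirewall` under the `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall` profile keys, and the firewall service keeps its effective state under `SharedAccess\Parameters\FirewallPolicy`. When a GPO is denied, nothing lands under the Policies key at all, which is quicker to see in the registry than in the Results Wizard. The script assumes PowerShell 2.0 is installed on the XP SP2 client (an assumption; it was not available in 2005) and that it runs with local admin rights; the verdict strings are the script's own naming.

```powershell
# Added example, not code from the original post. Reads the registry keys that
# the XP SP2 system.adm "Windows Firewall: Protect all network connections"
# setting writes, and compares them with the firewall service's effective state.
# Assumes PowerShell 2.0 on the XP SP2 client (assumption) and local admin
# rights; the verdict strings below are this script's own convention.

function Get-FirewallPolicyState {
    param(
        [ValidateSet('DomainProfile', 'StandardProfile')]
        [string]$Profile = 'DomainProfile'
    )

    # Group Policy writes the setting under HKLM\SOFTWARE\Policies ...
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$Profile"
    # ... and the firewall service keeps its effective configuration here.
    $stateKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$Profile"

    $policy = Get-ItemProperty -Path $policyKey -Name EnableFirewall -ErrorAction SilentlyContinue
    $state  = Get-ItemProperty -Path $stateKey  -Name EnableFirewall -ErrorAction SilentlyContinue

    $policyValue    = if ($policy -ne $null) { [int]$policy.EnableFirewall } else { $null }
    $effectiveValue = if ($state  -ne $null) { [int]$state.EnableFirewall  } else { $null }

    # Classify what was found so the verdict reads cleanly in a console or a log.
    $verdict = if ($policyValue -eq $null) {
        'NoPolicy'             # no GPO value on this machine: the GPO never applied
    } elseif ($policyValue -eq 0 -and $effectiveValue -eq 0) {
        'DisabledByPolicy'     # the firewall block applied and took effect
    } elseif ($policyValue -eq 1 -and $effectiveValue -eq 1) {
        'EnabledByPolicy'
    } else {
        'PolicyNotYetApplied'  # policy key present but service state differs; refresh needed
    }

    New-Object PSObject -Property @{
        Profile        = $Profile
        PolicyValue    = $policyValue
        EffectiveValue = $effectiveValue
        Verdict        = $verdict
    }
}

# Usage: check both profiles, then pull the evidence the Results Wizard hides.
foreach ($p in 'DomainProfile', 'StandardProfile') {
    Get-FirewallPolicyState -Profile $p | Format-List
}

# Which GPOs the computer actually received, and which were denied and why.
gpresult /scope computer /v

# Userenv is the event source that logs GPO processing failures on XP/2003.
Get-EventLog -LogName Application -Source Userenv -Newest 20 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message | Format-Table -AutoSize -Wrap
```

A `NoPolicy` verdict on a machine that should be in scope points back at the GPO itself (permissions, SYSVOL access, or the template problem the comments discuss); `PolicyNotYetApplied` usually just means the client has not refreshed yet, so run `gpupdate /force` and check again before touching the GPO.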
Comments
Forcing SP2 firewall settings requires the newest system.adm. If the group policy blocking SP2 installs was still in place, my money says it was still using the old system.adm and so when the domain controller was building the aggregate policy to push, it didn't have all the fields in the new ADM file. Net result: unrecognized policies got dropped. The domain controller should have messages about the unrecognized policy keys in its event log.
Posted by: Mr. Red Cape | March 20, 2005 7:58 PM
What the hell are you both talking about?
Actually, on second thoughts, I don't want to know.
Posted by: steve | March 21, 2005 8:36 PM
Yes, it does require the latest system.adm file, as I stated in my post. ;) Once you create a GP from a machine with the latest adm files, it grabs from those files and not off the DC, as they are not typically stored there. That fact confused me during all of this.
The thing about the SP2 WU block is that it didn't have any adm files attached to it aside from the block adm provided by Microsoft for that exact purpose. I agree with you...no system.adm in that GP might have very well contributed to why it blocked the SP2 Firewall block because once I attached it and added my Firewall rules, it worked properly. I think I will test that theory out...leave the system.adm in the SP2 WU block then create a Firewall block GP separately. It would rock to finally get the solution to this.
That's a good tip to check the logs in the DC as the GP Results Wizard was entirely too vague for my tastes. I did learn a tremendous amount about GP Management and hope to not run into this issue again :)
On a side note, technically only one person has had an official Red Cape presented to them, so unless you're him, I don't know if you can call yourself Mr. Red Cape. That title is taken. Haw haw...
Fuckin Capers always out to get an official shiny red cape. ;)
Posted by: Princess | March 21, 2005 8:36 PM
Capeless :(
Posted by: Mr. Red Cape | March 22, 2005 12:40 AM
There is no cape, grasshopper!
Posted by: groby | March 22, 2005 9:11 AM
Well, don't worry Capeless...keep this up and I'm sure we could wrestle one up for ya ;)
Posted by: Princess | March 31, 2005 5:54 PM