Showing posts with label Group Policy. Show all posts

Machine domain group policy failed to apply

In this case, a domain-joined workstation running Windows 7 was failing to register itself with a new WSUS server. The settings for the new WSUS server had been entered into a domain GPO. I tried to refresh the settings with gpupdate /force, but the command failed to apply the computer settings from the domain GPO, with the following error message:
Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
The output from gpresult /h gpresult.html showed a failed status for Registry under component status.

 

An error event with ID 1096 and the same description was logged in the System event log:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

So, all errors were pointing to local policy corruption.
I navigated to the c:\windows\system32\GroupPolicy\Machine folder, renamed the registry.pol file to registry-pol.bakup (for example), and ran gpupdate /force again. This time the command completed successfully and applied the computer and user policy settings. The workstation received the new settings for the WSUS server and successfully registered itself on the new WSUS server.

I used the same method in my article The processing of Group Policy failed. Event ID 1096, and the reason the domain GPOs were not applying was again local policy corruption.
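The following script is an added example, not part of the original post. It checks the local Registry.pol for the documented file framing (a "PReg" signature, version 1, then bracketed UTF-16LE records) before applying the rename-and-refresh fix described above. The function name and the timestamped backup name are assumptions made for the example, and a file that passes this quick check can still be damaged elsewhere.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$pol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'

function Test-RegistryPolFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8) { return 'TruncatedHeader' }
    # Bytes 0-3 are the ASCII signature "PReg"; bytes 4-7 are the version (1), little-endian.
    if ([System.Text.Encoding]::ASCII.GetString($b, 0, 4) -cne 'PReg') { return 'BadSignature' }
    if ([System.BitConverter]::ToUInt32($b, 4) -ne 1) { return 'BadVersion' }
    if ($b.Length -eq 8) { return 'Ok' }   # header only: a valid, empty policy file
    # The body is a run of records, each a UTF-16LE '[' ... ']' block.
    if ($b.Length -lt 12) { return 'TruncatedBody' }
    $n = $b.Length
    $startsOk = ($b[8] -eq 0x5B -and $b[9] -eq 0)
    $endsOk   = ($b[$n - 2] -eq 0x5D -and $b[$n - 1] -eq 0)
    if (-not ($startsOk -and $endsOk)) { return 'BadRecordFraming' }
    return 'Ok'
}

# Recent occurrences of the event quoted above.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1096 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

$status = Test-RegistryPolFile -Path $pol
"Registry.pol status: $status"
if (@('Ok', 'Missing') -notcontains $status) {
    # Same fix as in the post: set the file aside (kept as a backup), then refresh policy.
    $backupName = 'registry-pol.{0:yyyyMMdd-HHmmss}.bakup' -f (Get-Date)
    Rename-Item -LiteralPath $pol -NewName $backupName
    gpupdate /force
}
```

Settings that were configured in the local computer policy live in this file, so they are gone after the rename until they are configured again.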
 

Windows 8.1 Logon Script Delay

When you join Windows 8.1 or Windows Server 2012 R2 to your domain environment, you will experience delayed execution of logon scripts. By default, these Microsoft operating systems have a preconfigured 5-minute delay before logon scripts execute. With this behavior, Microsoft wanted to keep poorly written logon scripts from affecting the overall logon experience and the responsiveness of the user's desktop.
This behavior can be changed using the following GPO setting: Computer Configuration > Administrative Templates > System > Group Policy > Configure Logon Script Delay.




The Logon Script Delay can be changed in increments of one minute, or set to zero, which disables this feature so that logon scripts execute as they did in previous operating system versions.
 

Internet Explorer Branding failed

On all Windows 8 and Windows 8.1 clients, Resultant Set of Policy (rsop.msc) was returning an error for the Internet Explorer Branding component.


In the Group Policy event log, the following event with Event ID 7016 is logged:
  • CSEElaspedTimeInMilliSeconds 0
  • ErrorCode 127
  • CSEExtensionName Internet Explorer Branding
  • CSEExtensionId {A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B} 
The reason for this behavior is that Internet Explorer Maintenance (Internet Explorer Branding) has been removed from Windows 8 and Windows Server 2012. One way to resolve this error is to remove the Internet Explorer Branding Group Policy client-side extension by following Microsoft KB 2813272.
Another way to prevent this error is to stop all GPOs that have any Internet Explorer Maintenance setting configured from applying to Windows 8 computers. But there is another catch: if you reset the Internet Explorer Maintenance settings in a GPO, the extensions are not removed from the GPO! Microsoft has also published an article about this bug: http://support.microsoft.com/kb/2722241/EN-US . So, there might be GPOs with no Internet Explorer Branding settings that still have the client extension in place. To find all the GPOs with the Internet Explorer Maintenance extension configured, dsquery can be used with the following syntax:
dsquery * -filter "(&(gPCUserExtensionNames=*{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}*))"
dsquery will return the GUIDs of all affected GPOs with the Internet Explorer Branding extension. To remove the extension information from the GPOs, the Active Directory Users and Computers snap-in on Windows Server 2008 or later can be used to edit the attributes. Navigate to Domain Name -> System -> Policies, locate and select the GUID of the GPO that was returned by the dsquery command, and open the Attribute Editor tab in the properties of the GPO. Find the gPCUserExtensionNames entry and edit the field. Locate [{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}] and delete that entry, including the "[" and "]" brackets. Save the properties, and that GPO will no longer qualify for running the Internet Explorer Branding client extension.
After the "orphaned" extensions were removed from the GPOs, Event ID 7016 with error code 127 was no longer logged, and rsop.msc no longer returned a failed status for Internet Explorer Branding, since this extension is not in use anymore.
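The dsquery search and the Attribute Editor steps above can also be done in one pass with the ActiveDirectory PowerShell module. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, the backup file path is hypothetical, and -WhatIf is left on so nothing is written until you remove it.

```powershell
# Added example (not from the original post).
Import-Module ActiveDirectory   # assumption: RSAT ActiveDirectory module is available

$cse      = '{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}'   # Internet Explorer Branding CSE (from Event ID 7016)
$policies = "CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$backup   = Join-Path $env:TEMP 'gPCUserExtensionNames-backup.csv'   # hypothetical backup path

# Same search as the dsquery filter, limited to GPO containers.
$gpos = @(Get-ADObject -SearchBase $policies -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=groupPolicyContainer)(gPCUserExtensionNames=*$cse*))" `
    -Properties displayName, gPCUserExtensionNames)

# Keep the original attribute values so any change can be reverted.
$gpos | Select-Object DistinguishedName, displayName, gPCUserExtensionNames |
    Export-Csv -Path $backup -NoTypeInformation

# One bracketed block: "[{CSE GUID}{tool GUID}...]". -replace is case-insensitive,
# which matters because the GUID is stored with mixed case (11d2 / 11D2).
$pattern = '\[' + [regex]::Escape($cse) + '[^\]]*\]'

foreach ($gpo in $gpos) {
    $old = $gpo.gPCUserExtensionNames
    $new = $old -replace $pattern, ''
    if ($new -eq $old) {
        Write-Warning "No leading-CSE block found in $($gpo.displayName); review manually."
        continue
    }
    "{0} ({1})" -f $gpo.displayName, $gpo.Name
    if ($new) {
        Set-ADObject -Identity $gpo -Replace @{ gPCUserExtensionNames = $new } -WhatIf
    } else {
        # The IE Branding block was the only entry: clear the attribute instead of writing ''.
        Set-ADObject -Identity $gpo -Clear gPCUserExtensionNames -WhatIf
    }
}
```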

Note: If you're using Internet Explorer Maintenance to push Internet Explorer settings to clients, you should consider migrating to Group Policy Preferences for Internet Explorer to configure those settings. Also, you can't use Internet Explorer Maintenance to configure Internet Explorer 10 or 11: http://technet.microsoft.com/en-us/library/jj890998.aspx .
 

Group Policy Internet Settings Event ID 4098

In this post I'll explain how I managed to fix the warning Event ID 4098 from the Group Policy Internet Settings source in the Application log. The following event was logged in the Application event log on affected machines:

The user 'Internet Explorer 10' preference item in the 'Policy Name and ID' Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

The reason for this access denied error was that the Internet Settings preference item 'Internet Explorer 10' was running in the user's context.

Removing the check mark on the Common tab for Run in logged-on user's security context (user policy option) resolved the warning event. Preference items created under either the computer or the user part of the GPO are processed under the System security context. For more information about configuring common options, see http://technet.microsoft.com/en-us/library/cc772371.aspx .

 

Adding additional keyboard layout for domain users

This is a quick one, where I wanted to add an additional keyboard layout for some users using GPO preferences. Using GPO preferences, I added the following registry value for the targeted domain users:

HKEY_CURRENT_USER\Keyboard Layout\Preload\
  • Value name: 2
  • Value type: REG_SZ
  • Value data: 0000042f
42F is the keyboard layout for the Macedonian language, and the value name 2 is the keyboard preference. Additional language codes can be found in the following part of the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts
 

Where is Group Policy Preference for Internet Explorer 11?

After joining Windows 8.1 Enterprise to the domain environment, I was expecting that GPMC would introduce a new GPP template for Internet Explorer 11, but the latest version was still Internet Explorer 10.
So, how do you apply settings to Internet Explorer 11 via GPP?
Fortunately, GPP for Internet Explorer 10 also works with Internet Explorer 11. Why?
I opened the GPP for IE10 XML file and saw that the file version filter for iexplore is between 10 and 99.
Here is the filtering part from the XML file:
path="%ProgramFilesDir%\Internet Explorer\iexplore.exe" type="VERSION" gte="1" min="10.0.0.0" max="99.0.0.0"
My opinion is that, with this kind of file version filter for iexplore, the GPP template should be named Internet Explorer 10 and higher, not just Internet Explorer 10.

Unable to deploy Adobe Flash Player using GPO

I was trying to deploy Adobe Flash Player 11 using the Group Policy Object Software Installation feature. The MSI package of Adobe Flash Player was assigned in the computer part of the GPO. The GPO was applying successfully, and Adobe Flash Player was installing successfully at startup on most of the computers in the scope of the GPO. On some workstations, the GPO was failing to apply, with the following events in the Application log:

Log Name:      Application
Source:        MsiInstaller
Event ID:      10005
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Description:
....

Product: Adobe Flash Player 10 ActiveX -- Error 2753.The File 'InstallAX.exe' is not marked for installation.

And in the System event log there were a couple of messages from the source Application Management Group Policy with Event IDs 108, 303 and 102, followed by:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Event ID:      1085
Task Category: None
Level:         Warning
Keywords:     
User:          SYSTEM
Description:
....

Fatal error during installation.

I tried to run the MSI package with an administrative account, and the setup failed with an error message.


In Control Panel, under Programs and Features, there were no signs of any Adobe Flash Player installation. But in the registry, under HKEY_CLASSES_ROOT\Installer\Products\, there was information for an Adobe Flash Player 10 ActiveX component.

 
After I deleted the key from the registry, Adobe Flash Player installed successfully.
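The check described above (nothing in Programs and Features, but a leftover entry under HKEY_CLASSES_ROOT\Installer\Products) can be scripted as follows. This is an added example, not part of the original post; the name pattern and the backup folder are assumptions, each key is exported before removal, and -WhatIf is left on so the removal is only previewed.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$namePattern  = 'Adobe Flash Player*'      # assumption: product name as shown in the MsiInstaller event
$productsRoot = 'Registry::HKEY_CLASSES_ROOT\Installer\Products'
$uninstall    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$backupDir    = Join-Path $env:TEMP 'msi-product-backup'   # hypothetical backup location

# What Programs and Features would list under that name (32-bit and 64-bit views).
$listed = @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $namePattern })

# Windows Installer product registrations carrying the same name.
$registered = @(Get-ChildItem -LiteralPath $productsRoot | Where-Object {
    (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ProductName -like $namePattern
})

"Listed in Programs and Features: $($listed.Count)"
"Registered under Installer\Products: $($registered.Count)"

# Only act on the situation from the post: registered, but not listed as installed.
if ($listed.Count -eq 0 -and $registered.Count -gt 0) {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    foreach ($key in $registered) {
        $file = Join-Path $backupDir "$($key.PSChildName).reg"
        # Export the key first so it can be re-imported if needed.
        reg.exe export "HKCR\Installer\Products\$($key.PSChildName)" $file /y | Out-Null
        Remove-Item -LiteralPath $key.PSPath -Recurse -WhatIf
    }
}
```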
 


Group Policy Error Events 1085 & 8194

In my case, a few client XP machines were having problems applying Group Policy settings. The following events were logged in the Application event log from source Userenv with Event ID 1085:

The Group Policy client-side extension Group Policy Local Users and Groups failed to execute. Please look for any errors reported earlier by that extension.
 
Earlier events related to applying the Group Policy client-side extension, from source Group Policy Local Users and Groups with Event ID 8194, were:

The client-side extension could not remove computer policy settings for 'GPO name and ID' because it failed with error code '0x8007000d The data is invalid.' See trace file for more details.
The easiest way to fix this behavior is to delete the client's Group Policy cache. Because the client is XP, delete all folders from %ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History and run gpupdate /force to refresh the policy settings. The error events in the Application log with Event IDs 1085 and 8194 should then be resolved.

How to check EMBG (Unique Master Citizen Number) using regex

In this post, I will share my implementation of how to check if some number looks like EMBG or Unique Master Citizen Number. For those of yo...