GPO Issue, "Run these programs at user logon" - Weird issue.

[xendrome]

Ok weird issue here, have a GPO applied to group of computers and "Authenticated Users". GPO is working fine for the most part, except the contents of the GPO.

Computer Config>Policies>Administrative Templates>System>Logon is there "Run these programs at user logon" resides. I have 1 program already there, it basically launches a 3rd party app with a disclaimer with an "I accept" and "I decline" button. That works fine, I can edit that line in the GPO at the server, do a GPUPDATE /FORCE on server and client and see the changes. It is entry: 1

Entry 2: is a second app. I can add it to GPO, do a GPUPDATE /FORCE on server and client. It never shows in the registry at HKLM>Software>Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run in the list with "1" above

It was previously in there, we took it out because of some issues, fixed the issues, added it back.

Now the weird part, if I add it twice to the GPO list, it will show up in the registry area above once I go the GPUPDATE /FORCE. But it is entry "3". It totally skips over entry "2". See this pic: https://dl.dropboxusercontent.com/u/111413/gpo-issue.jpg

Any ideas anyone?

[xendrome]

Created a new GPO with a new name, added both entries to it, made it the first in the list to apply. It applies the first entry not the second.

[Daedroth]

Try running RSOP against the client machine/user to see what's going on with the policies that are being applied.

[xendrome]

  On 19/11/2015 at 15:44, Daedroth said:

Try running RSOP against the client machine/user to see what's going on with the policies that are being applied.

Yeah RSOP looks good. see: https://dl.dropboxusercontent.com/u/111413/gpo-issue-rsop.jpg

[xendrome]

Interesting, so I change a filename to make the entry different then the previously used one

From: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt.spc /quiet

To: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt1.spc /quiet

And it took  that's really weird....

[Daedroth]

  On 19/11/2015 at 16:12, xendrome said:

Interesting, so I change a filename to make the entry different then the previously used one

From: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt.spc /quiet

To: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt1.spc /quiet

And it took  that's really weird....

I noticed that you are using the Computer Configuration side of the GPO for this. Is there a reason you're using that instead of the User Configuration? From my (limited/brief) experience with GP, Computer Configuration is applied when the computer starts up, using system credentials. If I want something to apply to a user account, or start something when the user logs on, I use the User Configuration side of the GPO.

Out of curiosity, what happens if you stick it in the User Configuration?

[xendrome]

  On 20/11/2015 at 08:17, Daedroth said:

I noticed that you are using the Computer Configuration side of the GPO for this. Is there a reason you're using that instead of the User Configuration? From my (limited/brief) experience with GP, Computer Configuration is applied when the computer starts up, using system credentials. If I want something to apply to a user account, or start something when the user logs on, I use the User Configuration side of the GPO.

Out of curiosity, what happens if you stick it in the User Configuration?

Well according to Microsoft the different is, Computer Config applies to Computers and User Config appies to users, so HKLM (All users) vs (HKCU). The danger for a setting like this in using it under the User Config is, there will be an entry in every users registry hive, so if you remove something via GPO and it fails, you'll have to automate a script to clean up that reg entry for every user at logon or run on demand. By running it under Computer Config it puts it in HKLM and is 1 settings for all/any user.

[binaryzero]

Loopback processing