Sunday, 31 May 2009

Vista Service Pack 2 Not Applying Group Policy Preferences

We are collaborating on an SBS 2008 and Windows Server 2008 Core Hyper-V fresh installation.

The Hyper-V server will host 8 Windows Vista desktops for an organization whose users are out of the office more than 85% of the time.

This solution keeps their data organized and protected as well as enables them to run a Line of Business application that is not Terminal Services friendly.

The Vista software is provided by a base retail OS purchase with Open Value Vista Upgrade + SA added.

The media that was downloaded for the VMs:


A fresh Windows Vista Service Pack 2 OS.

Well, we have discovered that the slipstreamed version of the OS does not have the Client Side Extensions functioning properly.

After troubleshooting our User and Computer based GPOs that contain Preferences, the following page came up in a search:

Ouch … this is not a happy scene because we had to burn critical time today troubleshooting this problem instead of placing the new SBS domain into production.

Jake Paternoster in the above TechArena page gave us a good lead towards the solution, but for some reason we could not come up with quite the right process to get the CSEs to install.

But almost every combination that we could come up with would fail with:

[image: error message screenshot]

Or it would at least prompt us with UAC but still fail ... with nothing in the Event Logs to even give us a clue as to what we were running up against.

But then, wait! It gets better! After leaving the first Vista SP2 VM alone for a while, then coming back to work through the processes and see if we missed anything, the GPPrefs were applied! 8O

So, was it the RSAT and GPMC that were enabled that made things work? Or, was it running the GP wizards in the GPMC that got things going?

Since we have 8 VMs to play with, we started with the next one and worked our way backwards through the process to figure out which step actually worked.

Gotta love these in the middle of everything too:


Windows 7 TS Client. They have not been very frequent, but they seem to hit when they are the least welcome!

Here is the methodology for getting things working:

  1. Download the CSEs (Microsoft KB site).
  2. Copy the KB file to C:\KB943729
  3. Open an elevated command prompt.
    • It is absolutely necessary that the command prompt be elevated with the domain admin credentials.
  4. Navigate to C:\KB943729
  5. expand Windows6.0-KB943729-x86.msu -F:* \KB943729 [Enter]
    • Note the space between the -F:* and the destination path.
  6. Delete the original Windows6.0-KB943729-x86.MSU
  7. start /w pkgmgr.exe /ip /m:C:\KB943729\Windows6.0-kb943729-x86.cab [Enter]
    • No quotes around the path.
    • Make sure the full path including the CAB is there.
    • A bunch of files and folders will show up in the directory. This indicates that the CSEs are seemingly installed.
  8. GPUpdate /Force [Enter] 
  9. shutdown -r -t 0 [Enter]
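
Steps 3 through 9 above as a single batch file, with checks for the two things that most often stop the install: a prompt that is not elevated and a folder that is not writable. This is an added example, not the author's own script; the variable names KBDIR and PKG and the gpprefcl.dll check are assumptions, and the .msu from step 1 is assumed to already be in C:\KB943729.

```batch
@echo off
rem Added example, not the author's script: steps 3-9 as one batch file.
rem Assumes the x86 .msu from step 1 is already in C:\KB943729 (step 2).
setlocal
set "KBDIR=C:\KB943729"
set "PKG=Windows6.0-KB943729-x86"

rem Step 3: require an elevated prompt (High Mandatory Level group SID).
whoami /groups | find "S-1-16-12288" >nul
if errorlevel 1 (
    echo ERROR: this prompt is not elevated.
    exit /b 1
)

rem A read-only folder makes pkgmgr fail (see Jens Jensen's comment).
(echo test > "%KBDIR%\write.tst") 2>nul
if not exist "%KBDIR%\write.tst" (
    echo ERROR: cannot write to %KBDIR%.
    exit /b 1
)
del "%KBDIR%\write.tst"

rem Steps 4-6: unpack the .msu, confirm the .cab exists, delete the .msu.
cd /d "%KBDIR%"
if not exist "%PKG%.msu" (
    echo ERROR: %PKG%.msu not found in %KBDIR%.
    exit /b 1
)
expand "%PKG%.msu" -F:* "%KBDIR%"
if not exist "%PKG%.cab" (
    echo ERROR: expand did not produce %PKG%.cab.
    exit /b 1
)
del "%PKG%.msu"

rem Step 7: full path to the CAB, no quotes around it.
start /w pkgmgr.exe /ip /m:%KBDIR%\%PKG%.cab
echo pkgmgr exit code: %ERRORLEVEL%

rem Sanity check (assumption: gpprefcl.dll is the Preferences client DLL;
rem it may not be in place until after the restart).
if not exist "%SystemRoot%\System32\gpprefcl.dll" (
    echo WARNING: gpprefcl.dll not present yet; recheck after the reboot.
)

rem Steps 8-9: refresh policy, then restart.
gpupdate /force
shutdown -r -t 0
```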

Note that the syntax of the PkgMgr.exe command is extremely important ...

The actual command line format is to be found in this link:

Lesson:

  • Question:
    • What is the definition of insanity?
  • Answer:
    • Doing the same thing over and over and over again and expecting a different result! ;)

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)


14 comments:

Chris Knight said...

Another definition: expecting Microsoft to provide software that just works.

thomas.rhoads said...

Awesome. Thanks for posting this. I just set up an image deploying Windows Vista Enterprise w/ SP2 using WDS and was wondering why my WSUS server wasn't installing the CSE on it.

SB said...

I must be insane according to your definition. I have performed the procedure you outlined over and over and over... without success.

The registry keys get setup but group policy does not get applied.

Any suggestions?

Philip Elder SBS MVP said...

SB,

Verify that the last step caused all of the contents of the CAB file to extract into the directory the files were in. If the content shows up, then the CSEs did indeed install themselves.

Verify that the GPOs are applying themselves correctly. Check the GP log on the workstation for errors.

Believe me, the forehead was feeling the pain after trying to get this one working!

Jeremy Moskowitz pointed out that the CSEs are never included with the OS. So, I sit corrected on that note as far as my expectation for them to be included with a factory imaged OS like Vista SP2.

Thanks for the comments folks!

Philip

SB said...

Thanks for the fast response, Philip!

The problem I'm experiencing is with the logon script (just a simple file to map some drives). The client RSOP shows the logon script file, the client GP log indicates that the logon script was completed in 0 seconds but no drives are mapped. The file executes perfectly if it is run at the client from the sysvol\...\...\...\ folder.

On a side note, I tried using a login script in the user's profile but it doesn't execute either. This suggests that the client isn't actually forwarding the logon request to the server and is using cached credentials. I know the network connection is good because I can browse to the server after logon. To make matters worse, there are no errors in Event Viewer.

If I could find an error, I could track down the problem but I can't seem to find any errors anywhere.

Any other suggestions would be welcome.

Philip Elder SBS MVP said...

SB,

Use the Group Policy Preferences setting in the Users portion of a GPO that can be scoped to the necessary users via Security Group membership.

The GPPrefs allow you to deploy any number of mapped drives to your users.

I have seen it mentioned, though not had time to research yet, that batch files will not be processed due to security structures in the OS.

We use GPPrefs to map drives to shared folders.

Philip

SB said...

Thank you again for the info, Philip. I tried using GPPrefs but no success with them either.

However, I finally solved it. It might be a "rookie" mistake but I've burned a lot of time chasing this problem.

Some more background - I usually disable UAC but for the user that's getting this machine, I would much prefer to leave it on. I stumbled across an MS technote that describes the symptoms I was seeing and it indicated that UAC being on was the culprit. Sure enough, with UAC off, everything worked perfectly - both the script and the GPPrefs.

The technote provided a registry modification to make things work with UAC still enabled. I changed the registry, turned UAC back on, and voila! Logon scripts and GPPrefs worked as expected.

For your reference, here is the technote:
http://support.microsoft.com/kb/937624

Thanks again for your help with this. I appreciate both your fast response and your extensive knowledge.

Jens Jensen said...

We use Vista 64-bit SP2, and can't get the registry items set up using the instructions. Are there different instructions required for 64-bit Vista?

Jens Jensen said...

Solved my problem. It was permissions on the folder that we ran the PKGMGR command from. We only had Read Only on the folder which is, obviously, not enough.

Also got an error from the Expand command stated above, which should read:

expand Windows6.0-KB943729-x86.msu -F:* \KB943729 [Enter]

Thanks for posting this, have searched for several days to solve our drive maps problem.

thomas.rhoads said...

They just released the updated executable to include SP2 today.

Microsoft Download Center - KB943729

It's still giving me the "The update does not apply to your system" error message, though and I'm using Vista Enterprise w/ SP2.

Philip Elder SBS MVP said...

Thomas,

That link is to Vista RTM's CSEs.

Philip

thomas.rhoads said...

Right, but if you follow the link you posted in the article, select Vista 32-bit edition, it takes you to that exact same page. Also, the published date has changed to reflect 6/23/2009 and the supported operating systems list Windows Vista Service Pack 2 among Vista Business, Enterprise, Service Pack 1, and Ultimate.

On a side note, I downloaded it and attempted to install using the same steps listed in the article due to the error message I still received, and it caused some issues with updating. Uninstalled it via Control Panel and it started receiving GPOs properly again, but still no CSE benefits.

salon software said...

Hi, I had slightly different issues and wanted to refresh by reinstalling Vista SP2. None of the above worked for me, but I searched the registry for VistaSP2, removed about 10 or so and retried the install from the big Vista SP2 .exe download, and it finally stopped saying it was already installed. Good luck! (PS: the registry keys had to be set to either everyone and then deleted or taking ownership as administrator)

Anonymous said...

Registry-Hack described in http://support.microsoft.com/kb/937624 worked for me... Thanx!