-
Título
Rules are not applied after system starts -
Descrição
After every reboot or system start, the rules are not applied and the agent icon is not seen in System Tray. Executing a gpupdate / force command reads the rules and apply them and if the icon is set to be shown then it is available.
-
Causa
Windows 8.1 introduced the Group Policy Caching Policy. It keeps a cached copy of the policies in below folder on the workstation:
C:\Windows\System32\GroupPolicy\datastore
The workstation updates location with changes through Group Policy background refresh, while the device is active. The workstation applies them when there are no changes to the policies, if there is a connection to a Domain Controller, and under circumstances below:
- If during a Group Policy background refresh changes were detected in policies or preferences.
- The computer starts.
- At logon event for any user.
Since the workstation will not retrieve the policies and preferences from the Domain Controllers, this process will speed up the computer startup and the user logon event, especially in environments with slow or remote connections to Domain Controllers.
However if for any reason the computer is not able to retrieve updated policies, it will apply the available ones, not necessarily those available on domain controllers making the applied rules will not be current.
To confirm that the policies are being cached from the local folder, the below log file can be checked:
%PROGRAMDATA%\Privilege Authority\Logs\GPECommonCSE.log
This file contains the source for the policies, if the policies are cached, the file will read:
loading user data from: C:\Users\(username)\AppData\Local\GroupPolicy\DataStore\0\SysVol\(domain FQDN)\Policies\{2D56CBC3-66AC-4595-86B9-34BE9C88372B}\
If the policies are not cached, but read from the domain, then the file will read:
loading user data from: \\(domain name)\SysVol\(Domain FQDN)\Policies\{C70F05FD-27CC-4423-B58E-B84B507A9EA6}\
If the content of the group policy caching location is not synchronized then the rules will not be properly applied when the workstation starts.
-
Resolução
When the Group Policy Caching location is corrupted or de-synchronized, one of actions below must be followed:
1. Disable the Group Policy Caching Policy: The Group Policy Caching feature is enabled by default in Windows 8.1 and higher. However,it may be disabled through a Group Policy.
On the Group Policy Editor (it may be opened by typing gpedit.msc in the Start Screen) and in the left pane, navigate to Computer Configuration | Administrative Templates | System | Group Policy, and double-click the Configure Group Policy Caching setting in the main pane, then click "Disabled" radio button and click "OK". It will force the policies to be read always from the domain.
Note:
Group Policy Caching is disabled by default on Windows Server 2012 R2-based member servers. It may be enabled through the Enable Group Policy Caching for Servers group policy setting, located just below the Configure Group Policy Caching group policy setting.Or
2. The Windows local Group Policy cache is located at: %PROGRAMDATA%\Microsoft\Group Policy\History. Notice that this is a hidden folder. Delete out the contents of the History folder; do not delete the folder itself. Also delete the content of these folders %LOCALAPPDATA%\GroupPolicy\DataStore, %WinDir%\System32\GroupPolicyUsers and %WinDir%\System32\GroupPolicy.
After that, a GPUpdate /force from a command prompt must be executed to rebuild the cache, rebooting the system is also recommended.
Note: Privilege Manager relies on Microsoft procedures to read and apply the group policies and it does not configure or modify the way that Microsoft Windows is designed to function.