August 8, 2018 at 12:22 pm #14044
I have run the free tool GPHealthReporter1.9 against our Sysvol on a selected DC and found (10) critical errors re: Client side processing for CSE but the link for logging errors and resolving is a dead one.
Can this forum help me track down the solve? I did see an article about enabling the following:
Always wait for the network at computer startup and logon – Enabled
..but wanted to ask here first since this is the source of the tool that presumably knows what these are.
thanks
August 8, 2018 at 2:15 pm #14046
I think the error message you’re getting was truncated in the forum post. What error does the tool show you exactly?
August 8, 2018 at 2:36 pm #14047
Sorry about that, the full error is:
Last Extension Status Security Processing Failed for Computer with error: The group policy framework should call the extension even if there are no changes.
then the advice:
Client Side Extension returned errors
If Client Side Extension status did not return zero, this can mean the CSE failed. In that case, use CSE-specific logging to trackdown the error. A custom ADM (and ADMX) file is available for download at http://www.gpoguy.com/tools/gpolog.htm
August 8, 2018 at 2:51 pm #14048
OK. In that case, what it means is not an actual failure, but instead a warning. It just means that the security CSE has been configured to run every time policy is processed. The normal behavior for any CSE is to only run if the GPO has changed, but in this case, someone has configured the policy on your machine to process security policy every single time GP refreshes. This is *somewhat* common and makes sure that, if someone tampers with security configuration on a given endpoint, that GP will “fix it up” during the processing cycle. But in any case, it’s a benign message in this case. The Health Reporter looks for any non-zero codes returned by either core processing or cse processing and in this case, that flag is non-zero :).
August 8, 2018 at 3:03 pm #14049
re: “…the security CSE has been configured to run every time policy is processed”
How does it extract that information if I am simply polling a DC’s sysvol? I get the same “warnings” on two different DCs in the domain so has to be on the GPO itself, not the server *receiving* the GPO, correct? In other words, how can sysvol or the GPO itself get a “client side” extension (dll) to process? I’d like to view this and then decide if I want to turn it off or not, on a GPO by GPO basis.
We don’t see it on so many other GPOs in sysvol but just these 10 (which are mostly in the Domain Controllers OU).
August 8, 2018 at 4:09 pm #14050
I think you misunderstand how the Health Reporter works. When you select a computer, the Health Reporter is looking at that computer’s GP processing health. So, the information related to how it has processed GP during the last cycle.
That said, there are settings related to GP processing under Computer Configuration\Admin Templates\System\Group Policy. What’s likely is that one of your GPOs has implemented the security policy processing setting that is altering GP processing behavior on your receiving systems. So what Health Reporter is showing you, is the effect of the computer you’ve targeted, processing one of those GPOs to deliver that setting, that changes GP processing behavior. A bit confusing, but the point is, that Health Reporter is not reporting on settings within GPOs per-se. It’s reporting on how a given endpoint has processed GPOs.
August 9, 2018 at 10:53 am #14052
Ah ok I see now Darren. Got it, thanks.
So, when I dig into one of the GPOs that generates this “warning” and navigate to Computer Configuration\Admin Templates\System\Group Policy I see nothing configured there. None of the “* Extension policy processing” has been configured, nor anything in Logging and Tracing.
I then checked 3 other of the 10 alerted GPOs and saw the same thing. Is there any other setting on a GPO that is creating this flag on the endpoints processing? How about on the endpoint itself? Is there a registry setting perhaps that I could view that could ascertain this?
Thank you
August 9, 2018 at 5:02 pm #14054
The best thing to do here Jeff, is to run RSOP (Group Policy Results) against that same computer that you’re collecting against in Health Reporter. That will tell you where that setting may be coming from, if it is coming from Group Policy. If it’s not coming from Group Policy, then it could be baked into the image. I don’t have the registry path off the top of my head but you should be able to find it from the underlying GroupPolicy.admx file or if you look online at Microsoft’s Group Policy Settings Spreadsheet (download.microsoft.com)
Darren
August 10, 2018 at 10:10 am #14055
Here are the results from the RSOP targeted against the server(s) with the warnings:
“Security Warning 8/10/2018 4:48:14 PM
Security has requested to process its policy settings again. This can be due to non-critical errors occurring during the previous processing of policy.
Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 8/10/2018 4:47:53 PM and 8/10/2018 4:48:14 PM.”
which yielded this: “Security policies were propagated with warning.
0x4b8 : An extended error has occurred.
Advanced help for this problem is available on http://support.microsoft.com. Query for “troubleshooting 1202 events”.
and this particular error: 0x4b8: An extended error has occurred.
I’ll be enabling debugging logging to dig further.
Thanks Darren
August 10, 2018 at 10:38 am #14056
OK Here’s what I did per Microsoft troubleshooting:
Ran gpupdate /force
The system generated new secedit.sdb and winlogon.log
See a lot of registry Access Denied:
----Configure 64-bit Registry Keys...
Warning 5: Access is denied.
Error setting security on machine\software\microsoft.
----Configure File Security...
Warning 5: Access is denied.
Error setting security on c:\.
----Configure General Service Settings...
Error 1060 querying undo value for group policy setting <tlntsvr>.
Error 1060: The specified service does not exist as an installed service.
Error opening tlntsvr.
August 10, 2018 at 2:26 pm #14057
Yea, this is somewhat different than what I was suggesting but what it’s showing is that the security policy applying to this system is having some issues. That’s separate from the policy I mentioned that is telling security policy to run at every refresh, but clearly there’s some work that needs to be done around security policy processing itself. You’re trying to configure file and registry permissions at levels of the tree that don’t have permissions to do so. Trying to configure service parameters for a service that doesn’t exist on that box, etc. Not all of these are breaking issues but clearly warnings of what policy can’t do.
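The winlogon.log excerpt discussed in this thread can be triaged mechanically by pairing each Win32 error code with the object the security CSE could not configure. The following is an added example, not code from the thread or from the Health Reporter tool; the sample log is constructed from the lines quoted above, and the function names and hint wording are assumptions.

```python
import re

# Constructed sample, laid out like the winlogon.log excerpt quoted in the thread.
SAMPLE_LOG = r"""
----Configure 64-bit Registry Keys...
Warning 5: Access is denied.
    Error setting security on machine\software\microsoft.
----Configure File Security...
Warning 5: Access is denied.
    Error setting security on c:\.
----Configure General Service Settings...
Error 1060 querying undo value for group policy setting <tlntsvr>.
Error 1060: The specified service does not exist as an installed service.
    Error opening tlntsvr.
"""

SECTION = re.compile(r"^-{2,}\s*(.+?)\.*$")            # "----Configure File Security..."
CODED = re.compile(r"^(Warning|Error) (\d+): (.+)$")   # "Warning 5: Access is denied."
TARGET = re.compile(r"^Error (?:setting security on|opening) (.+?)\.?$")

# Triage hints for the two Win32 codes seen in the thread (wording is an assumption).
HINTS = {
    5: "policy sets permissions on an object it is denied access to",
    1060: "policy configures a service that is not installed here",
}

def parse_findings(text):
    """Return one dict per failed object: section, severity, code, target, hint."""
    findings, section, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            section, pending = m.group(1), None
        elif m := CODED.match(line):
            pending = (m.group(1), int(m.group(2)))
        elif (m := TARGET.match(line)) and pending:
            severity, code = pending
            findings.append({"section": section, "severity": severity,
                             "code": code, "target": m.group(1),
                             "hint": HINTS.get(code, "look up the Win32 error code")})
    return findings

def targets_by_code(findings):
    """Group failing targets by Win32 error code for a quick overview."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["code"], []).append(f["target"])
    return grouped
```

Running `targets_by_code(parse_findings(...))` over the real log shows at a glance which security settings in the applied GPOs need to be scoped or removed for this machine.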