0

So I decided to add users to the Backup Operators group to all computers in the Domain by editing the default domain policy and adding a restricted group. I also set the Volume Shadow copy to start as part of the default domain policy as well.

One of these two changes seems to have made it so Volume shadow copy will no longer start on any computers in the domain.

I tried undoing both these changes, force pushing the changes with gpupdate, and then restarting the computer. But the service still won't start, I get error:

Windows Could not Start the Volume Shadow Copy Service ... 
refer to service specific error code -2147467243

All I get in the event log is:

Volume Shadow Copy Service initialization error: the COM classes cannot be registered [0x80004015]
sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
Kyle Brandt
  • 82,107
  • 71
  • 302
  • 444
  • http://connect.microsoft.com/SQLServer/feedback/ViewFeedback.aspx?FeedbackID=126569 Seems to fix it by deleting a registry value. Can I delete a registry entry on the entire domain? – Kyle Brandt Aug 27 '09 at 19:57
  • Actually, reverting the changes looks like it might have fixed it, just took a little while to replicate. Does anyone know if those to changes are only applied after a restart? If that is the case, if a computer was never restarted before the change, what happens? – Kyle Brandt Aug 27 '09 at 20:03

2 Answers2

1

I always assume that my GP changes won't take effect until I gpupdate/force or reboot. Or reboot twice. I think in the worst case, the policy doesn't get updated till the first reboot, and then can't apply til the second. Yet some machines/policies will update at the set interval (90 min default, Computer Configuration\Administrative Templates\System\Group Policy\Group Policy refresh interval for computers).

I know it's not really random, but it feels like it.

Kara Marfia
  • 7,892
  • 5
  • 32
  • 56
1

The changes do seem to have propagated without the reboot. So I a had to do was revert the changes, I think it was telling the Volume Shadow Copy service to start at boot that broke it, but I am not sure. A reboot doesn't seem to be required, I will edit this if over time some of the machiens did need to be rebooted.

This has changed my philosophy for how I am going to handle my Window's administration. My new approach is going to be that unless I find an article that says doing exactly what I am going to do will work, I am not going to touch it. I just find that this stuff sucks to much to expect things that logically should work have a decent chance of working. Either that or my knowledge of AD is just not good enough, I do have to leave room for that possibility..

I generally avoid rants, but this frustrated me, and it was my own question ;-).

Kyle Brandt
  • 82,107
  • 71
  • 302
  • 444
  • 1
    Nothing wrong with posting (and even accepting) an answer to your own question. And I agree with your philosophy - I'll sometimes create a test setup (hooray VMs) to get an idea of how things will pan out. – Kara Marfia Aug 28 '09 at 17:36
  • Guess that's how things work on Windows... *avoids going on pro-debian tirade* – marcusw Jan 20 '11 at 00:58
  • 1 - Don't edit the default policy. No, really - it may or may not be an official "best practice" these days, but no matter how well thought out you think it is, you always end up with exceptions that you have to track down, forget where it is, etc. Trust me on this, it's not worth the pain. 2 - This didn't show up in testing? (I mean, you did test this on your test VM, then your larger test OU/Group, right? Right.) 3-Tag says Server 2003, is this correct?!? Many things are much better (and of course, a few new gotchas) in newer AD versions. – Orangutech Oct 15 '15 at 06:27