1

So I'm setting up LAPS on my DC to take care of all the local admin passwords in the domain, I've tested the configuration installing the client package by hand in one PC and it works perfectly.

I created a GPO to install the package in the rest of the computers but it's not working.

  • Packages are on a shared drive that can be accessed by all the machines.
  • All the users have access to the packages and the permissions are correct.
  • I have windows 10 and 7 in the domain, all of them are 64 bits.

Is there any way to troubleshoot this or anything that I'm missing? I'm fairly new to Windows administration.

Thanks in advance for any tips.

Plaguna
  • 31
  • 2
  • 8
  • What is the value of policy: `Computer > System > Logon > Always wait for the network at computer startup and logon`? (`HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon!SyncForegroundPolicy`) – Greg Askew Sep 20 '17 at 16:01
  • @GregAskew It's not configured – Plaguna Sep 20 '17 at 16:12
  • That would be my first recommendation. – Greg Askew Sep 20 '17 at 16:25
  • @GregAskew Tried that, didn't work, is there a way to debug it? – Plaguna Sep 21 '17 at 09:23
  • Enable User Environment Debug Logging: https://blogs.technet.microsoft.com/mempson/2010/01/10/userenvlog-for-windows-vista2008win7/ . You should also check gpresult /h to confirm the group policy is in scope for the computer. – Greg Askew Sep 21 '17 at 12:16

2 Answers2

0

When you deploy software in the computer policy, the computer account is used to access the share. Make sure “Domain Computers” (or a more restricted group containing the computer accounts) has read access in the share permissions and NTFS permissions where you’re hosting the installer package.

MDMarra
  • 100,183
  • 32
  • 195
  • 326
  • That's done already, all the users that need to reach the files have read and NTFS permissions – Plaguna Sep 21 '17 at 10:49
  • @Plaguna you keep saying “users” but the users don’t need any access. The *computer accounts* need access. Can you post a screenshot of your ACLs. – MDMarra Sep 21 '17 at 13:10
  • Yes, the group Domain Computers have permissions as well. – Plaguna Sep 21 '17 at 14:17
  • In the GPO report I get the next message: **Software Installation did not complete policy processing because a system restart is required for the settings to be applied. Group Policy will attempt to apply the settings the next time the computer is restarted.** I have rebooted the PC several times, but still the same message. – Plaguna Sep 21 '17 at 14:24
0

Managed to solve it with the following:

Computer Configuration > Policies > Administrative Templates > System > Group Policy

Enable the Specify startup policy processing wait time. Set Amount of time to wait (in seconds): = 120

Got the solution from Group Policy installation failed error 1274

Thanks everyone for your help

Plaguna
  • 31
  • 2
  • 8