The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy.  The Archives for this list can be found on this page.

 

List Posts

Subject: [gptalk] Userenv 1054 Error
Darragh O'Shaughnessy
11/22/2010 6:20 PM  
Hmm, since U: is mapped outside of group policy preferences/group
policy, I would disable all drive mapping settings in gpp/gpo on a test
lab machine and see if you can reproduce a logon where U: doesn't get
mapped. This will eliminate a CSE as being the problem. U: is mapped by
the userinit process as far as I remember (as that is the process that
looks at the user account's properties). If you can reproduce under this
scenario then eliminate group policy for the time being and continue to
look at other factors. Again, a net trace should reveal if the user's
account is successfully being looked up for such properties.





Darragh O'Shaughnessy



From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Adam C Juelich
Sent: 20 November 2010 04:04
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Userenv 1054 Error



U: is only mapped in the AD User Account. The path is variable based on
User(grade, building, etc.). The 'sun1' one is for a generic student
account.



________________________________

From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On
Behalf Of Darragh O'Shaughnessy [xxxxxxxxxxxxxxxx]
Sent: Friday, November 19, 2010 4:16 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Userenv 1054 Error

Yep, GPP are environment variable aware so they expand them. That's why
they show up in the log but my question remains ;)

You map U: to \\student\students\%username%.

* Why is homepath set to "\SS\KG1\sun1"???



Replication latencies look fine.



Darragh O'Shaughnessy





From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Adam C Juelich
Sent: 19 November 2010 22:12
To: 'xxxxxxxxxxxxxxxx'
Subject: RE: [gptalk] Userenv 1054 Error



We are only using the Default Site.







We aren't setting the U: anywhere but the AD Account. The log must be
picking that up.





From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh
O'Shaughnessy
Sent: Friday, November 19, 2010 3:54 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Userenv 1054 Error



Well, if these DC's are in different subnet they may be in different AD
sites and have site links between them which means there is most likely
some replication delay between them (in the order of minutes).



Replmon might show that there are no errors but to get the latencies run



* repadmin /replsummary



And paste the output. Also, one thing:

2010-11-16 14:11:32.884 [pid=0x2e0,tid=0x88c] Variable %HOMEPATH% = "\SS\KG1\sun1"

2010-11-16 14:11:32.884 [pid=0x2e0,tid=0x88c] Variable %HOMESHARE% = "\\student\students"

2010-11-16 14:11:32.884 [pid=0x2e0,tid=0x88c] Variable %LOGONSERVER% = \\SERVICES3

You map U: to \\student\students\%username%. Why is homepath set?



From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Adam C Juelich
Sent: 19 November 2010 21:31
To: 'xxxxxxxxxxxxxxxx'
Subject: RE: [gptalk] Userenv 1054 Error



I'm not sure how to answer those questions. I've checked Replmon and
there are no errors. How can I answer your question correctly?





From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh
O'Shaughnessy
Sent: Friday, November 19, 2010 3:15 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Userenv 1054 Error



And are the replication latencies ok? Is urgent replication enabled?
Sorry for all the questions but just trying to get ur topology in my
head.



Darragh O'Shaughnessy







From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Adam C Juelich
Sent: 19 November 2010 21:10
To: 'xxxxxxxxxxxxxxxx'
Subject: RE: [gptalk] Userenv 1054 Error



Services3 is the strict 2003 one. Don't ask me why. I need to usurp
some of that power. It's 2003 Standard, whereas the others are 2003
Enterprise R2.



Domain/Forest Level is 2003. Schema has been extended for 802.3 Wired
and 802.11 Wireless Policies.



Just cleared up some Netdiag issues on Services3. It was pointing to a
false secondary WINS server. Services2 also had a WINS Replication
Partner that is no longer a DC. Don't ask me why we're still using
WINS. No other issues found.







From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh
O'Shaughnessy
Sent: Friday, November 19, 2010 2:55 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Userenv 1054 Error



Which one is the 2003 one? SERVICES3? PS: what is the Domain/Forest
level?



Darragh O'Shaughnessy



From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Adam C Juelich
Sent: 19 November 2010 20:39
To: 'xxxxxxxxxxxxxxxx'
Subject: RE: [gptalk] Userenv 1054 Error



I just noticed one juicy piece of information....



2 of our DCs are Server 2003 R2 and 1 is Server 2003. If a user
authenticates to the Server 2003 DC, would drives with Access-Based
Enumeration get fubar?





From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh
O'Shaughnessy
Sent: Friday, November 19, 2010 2:06 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Userenv 1054 Error



Adam,

Could it be that some of the drives are being hidden in the gui?



611638F8FEEE}" bypassErrors="1">
  <Properties action="U" thisDrive="HIDE" allDrives="NOCHANGE"
    userName="" path="\\apps\nwappsSS" label="Test Taker" persistent="0"
    useLetter="1" letter="J" />
  <Filters>
    <FilterGroup bool="AND" not="0" name="PCS.K12\SS Staff"
      sid="S-1-5-21-834434087-1672823513-1849977318-38577" userContext="1"
      primaryGroup="0" localGroup="0" />
    <FilterGroup bool="OR" not="0" name="PCS.K12\SS Students"
      sid="S-1-5-21-834434087-1672823513-1849977318-38535" userContext="1"
      primaryGroup="0" localGroup="0" />
  </Filters>
</Drive>



This takes precedence over the Hide/Show all drives setting. I presume
you've checked if the drives are mapped from the command line? I did see
an "accessed denied" message in the gptrace logs on one of the J drive
attempts.



Also, ur domain is pulaski.k12.wi.local, domain down-level name is
PCS.K12?





Darragh O'Shaughnessy





From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Adam C Juelich
Sent: 19 November 2010 19:45
To: 'xxxxxxxxxxxxxxxx'
Subject: RE: [gptalk] Userenv 1054 Error



I'm attaching one of the UserEnv.logs and the XML Settings. They should
be receiving J,P,T,V,X and Y.......in addition to their Home Drive.
Like I said, sometimes they don't even get their home drive. The
machine accounts disappearing only seems to happen 3-4 times a
year.....still weird, though.





From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh
O'Shaughnessy
Sent: Friday, November 19, 2010 12:27 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Userenv 1054 Error



Hi, I can't really interpret your stats from the switch (router/wap ???)
unless I knew your topology. Just because the port on the switch is
fine doesn't mean that somewhere along the path there are other issues.

Do you have userenv debug logging enabled and can you post a sample?
Also, it would help, when looking at the logs, if we knew what the
drives for a given user should be when they log on. Also, what drive
preference options are set for the drives. Could you post the .xml
config for the preference (excluding any passwords of course)?



Darragh O'Shaughnessy



From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Adam C Juelich
Sent: 19 November 2010 18:09
To: 'xxxxxxxxxxxxxxxx'
Subject: [gptalk] Userenv 1054 Error





Thank you! See responses below!



From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh
O'Shaughnessy
Sent: Friday, November 19, 2010 11:54 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Userenv 1054 Error



Ok, we have to get to the bottom of this one! :)



What we know:

* Single forest/single domain

* Windows XP

* PCs are plugged directly into network switches (i.e. no ip
phones in the way)

* Not using cached credentials to log in



Questions:

* What service pack is being used?

XP SP3



* Does this happen on the same machines or various random
machines?

Happens on various machines but we ESPECIALLY see the results in this
lab (Missing mapped drives, missing Home Drive....)



* Does it only happen on the first logon after the machine
boots or various logons?

Various



* Have you any security posture software that could affect logon
such as Cisco NAC?

I don't believe so. I know the network team controls a lot of stuff
with ACLs.



* Does a "gpupdate /force" solve the problem once the user is
logged on?

Sometimes. One of my co-workers has to sometimes remove that user's
local profile, or re-add the machine to the domain. Interestingly,
sometimes machine accounts just vanish from AD.





* Do some of the gpp settings get applied on logon?

It looks like Registry ones and such get applied fine. It's only the
Drive Mappings which aren't reliable.



* Are there any gp settings relating to DNS, firewall etc being
applied?

Not yet. We are planning on doing a Firewall one soon.



* Is there a firewall in place?

Not on the client-side. Just hardware ones for the DMZ.



* Has the AD site info been verified? Have you got a global
catalogue in each site?

We have three DCs. They are all GCs. Two are virtualized at our
central office, another one is at another building and that isn't
virtualized. The two virtualized ones hold all FSMO roles.



* How many DC in the local site and does the client subnet match
that site?

See above. Each building has its own subnet, wireless also has its own
subnet. The DCs are not on the same subnet as this building having the
issue.



Networking:

* "Tracing on the network side looks fine. DNS looks fine". How
was this quantified? Has dcdiag/netdiag been run at both sides of the
connection? Have you checked WINS/DNS for leftover dc/gc entries? I
can't ever remember a time I asked a network guy to check on the network
and him saying "oh yeah, it's not configured the way it should be!" :)
They always seem to say "there are no errors on the network". Can't
remember the last time I saw an error on the network either :). Maybe
misconfigs though ..... ;)

I haven't done dcdiag/netdiag yet. I have looked through DNS to make
sure there aren't leftover dc/gc entries.......I cleaned that up about a
year ago. I have enabled verbose userenv logging.



* Are there odd packets going to an unknown host or any strange
dns/wins lookups?



I'm attaching one of the Userenv.logs and details from one of the ports
they are plugged into.





I know it seems like a lot but check them off one by one ;)



Darragh O'Shaughnessy



-----Original Message-----
From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Gustin Johnson
Sent: 19 November 2010 17:08
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Userenv 1054 Error



Is the DC on the same subnet as the lab? Could there be a router
dropping traffic or filtering ports, or perhaps a firewall on the DC
itself?

hping or ncat combined with either tcpdump (windump) or wireshark can
be your friend here.

Are the configured DNS servers of the lab computers AD DNS servers?


On Fri, Nov 19, 2010 at 6:55 AM, Adam C Juelich <xxxxxxxxxxxxxxxx> wrote:

> Tracing on the network side looks fine. DNS looks fine. I'm running out of
> options.
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Thursday, November 18, 2010 1:54 PM
> To: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] Userenv 1054 Error
>
> If you are truly logging in with cached creds, you should see an event log
> entry to that effect-specifically that 5719 entry. If not, then it could be
> a different issue. But the sniffer trace should help.
>
> Darren
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Adam C Juelich
> Sent: Thursday, November 18, 2010 11:42 AM
> To: 'xxxxxxxxxxxxxxxx'
> Subject: RE: [gptalk] Userenv 1054 Error
>
> Well, I'm getting the errors stating that it cannot find the name of the DC,
> so I would then think it is logging in with cached credentials thus
> bypassing GP Processing. What I'm trying to find out is why it can't find
> the DC....
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Thursday, November 18, 2010 1:22 PM
> To: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] Userenv 1054 Error
>
> If they are using cached credentials then that would explain user policy not
> processing. But the question I would have is, why are they using cached
> credentials, which typically only occurs if the DC is not available at user
> logon.
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Adam C Juelich
> Sent: Thursday, November 18, 2010 9:53 AM
> To: 'xxxxxxxxxxxxxxxx'
> Subject: RE: [gptalk] Userenv 1054 Error
>
> I'm sure they are using cached credentials. We do have 'wait for network'
> applied to all machines. I did not see any 5719 events. In this particular
> lab we have elementary students logging in using a single generic account,
> usually at the same time.
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Thursday, November 18, 2010 11:36 AM
> To: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] Userenv 1054 Error
>
> It seems strange that you would get this during user-side processing, since,
> the assumption is that if the user is logging in, they are already getting
> to the DC. I wonder if these users are logging in with cached credentials.
> Do you see any system log events of 5719 on these systems?
>
> Darren
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Adam C Juelich
> Sent: Thursday, November 18, 2010 7:25 AM
> To: 'xxxxxxxxxxxxxxxx'
> Subject: RE: [gptalk] Userenv 1054 Error
>
> These machines aren't plugged into IP Phones. My hunch was that it was
> something on the network-side. I'll have my network admin start some
> traces. In the meantime, I've enabled Verbose UserEnv Logging on several
> machines and I'll start picking through those logs.
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Darragh O'Shaughnessy
> Sent: Thursday, November 18, 2010 9:07 AM
> To: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] Userenv 1054 Error
>
> I'd consider grabbing a network trace from a spanned port on the switch
> Adam. Are these PC's plugged into IP phones by any chance?
>
> Darragh O'Shaughnessy
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Adam C Juelich
> Sent: 18 November 2010 14:24
> To: 'xxxxxxxxxxxxxxxx'
> Subject: [gptalk] Userenv 1054 Error
>
> Hi Everyone,
>
> I'm still getting this error on many machines, even after modifying the
> GpNetworkStartTimeoutPolicyValue setting to 60. Usually when this error
> pops up, the user is missing some drive mappings and sometimes their Home
> Drive. Any other explanation for this? Thanks.
>
> ------------------------------------------------------------------
> Adam C. Juelich
> A+, Network+, MCTS:Vista, MCSE: Server 2003, MCSA: Messaging
> Application and Hardware Specialist/Technician
> Pulaski Community School District
> 920-822-6075
>
> "If you never venture outside the box, you will probably not be creative.
> But if you never get inside the box, you will certainly be stupid"
> - Christopher Peterson
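
Added example, not part of the original thread and not code from any participant: it reads a GPP Drives.xml shaped like the fragment quoted in the thread and reports which drive items target a user holding a given set of group SIDs, whether each one is hidden (thisDrive="HIDE"), and whether the item carries a stored credential (the cpassword attribute), which is why passwords were to be excluded before posting. The sample XML, names, SIDs and paths are constructed; combining FilterGroup entries left to right is an assumption, and only FilterGroup filters are handled.

```python
import xml.etree.ElementTree as ET
# Constructed sample modelled on the fragment in the thread; names, SIDs,
# paths and the cpassword value are placeholders, not data from the list.
SAMPLE = r'''<Drives>
  <Drive name="J:" bypassErrors="1">
    <Properties action="U" thisDrive="HIDE" allDrives="NOCHANGE" userName=""
                path="\\apps\share1" label="Test Taker" letter="J"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Staff" sid="S-1-5-21-1-2-3-1001"/>
      <FilterGroup bool="OR" not="0" name="EXAMPLE\Students" sid="S-1-5-21-1-2-3-1002"/>
    </Filters>
  </Drive>
  <Drive name="P:">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE"
                userName="EXAMPLE\svc" cpassword="PLACEHOLDER"
                path="\\apps\share2" letter="P"/>
  </Drive>
</Drives>'''

def filters_match(drive, user_sids):
    """Assumption: FilterGroup entries combine left to right via bool/not."""
    result = True  # an item with no filters applies to everyone
    for i, f in enumerate(drive.findall("./Filters/FilterGroup")):
        hit = (f.get("sid") in user_sids) != (f.get("not") == "1")
        if i == 0:
            result = hit
        elif f.get("bool") == "OR":
            result = result or hit
        else:
            result = result and hit
    return result

def expected_drives(xml_text, user_sids):
    """List the drive items that target a user holding user_sids."""
    rows = []
    for drive in ET.fromstring(xml_text).iter("Drive"):
        if not filters_match(drive, user_sids):
            continue
        p = drive.find("Properties")
        rows.append({"letter": p.get("letter"), "path": p.get("path"),
                     "action": p.get("action"),
                     "hidden": p.get("thisDrive") == "HIDE",
                     # a stored credential in SYSVOL is readable by domain users
                     "stored_credential": bool(p.get("cpassword"))})
    return rows

if __name__ == "__main__":
    for row in expected_drives(SAMPLE, {"S-1-5-21-1-2-3-1002"}):
        print(row)
```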

