I'm an IT Support Engineer for a company with around 60,000 workstations on our domain. We use AD for most things, but have just begun migrating to VMware's Workspace One.
Recently, we've had a bunch of reports from users that when they manually lock their workstations, it instead logs them out. All apps they had opened close and they need to reopen and login to all of them all over again.
We've checked the GPO and see no issues there, even tried deleting the .pol file and running gpupdate /force but cmd returned an error of unable to update group policy. The bizarre part is that if the machine auto-locks instead of manually locks, it behaves as it should; users log back in and their apps are all still opened.
Anyone have any clue what's going on?
I have noticed that on all these workstations running dsregcmd /status returns that WorkplaceJoined:NO DefaultWamSet:Error (0x80070520) and no details for any connected work accounts despite settings saying they are connected. Not sure if that could be the problem and why it can't get a GP update or if its entirely unrelated.
Attempted fixes:
Deleting .pol and running GPupdate /force to have it recreate the gpo. Update failed in cmd with no error code.
Unenrolling/renrolling in Workspace One.
Proposed next step:
Disconnecting work accounts from settings, clearing the tpm and reinitializing it, reconnecting work accounts and retrying gpupdate /force
Related
In our Active Directory we have a group policy to allow users to manage the server via Remote Desktop.
I have to apply this to my user EVERYDAY because it seemingly removes itself overnight on it's on. 5:30 pm yesterday it was working properly. Today (no reboot) I login and the remote connection says the permission is missing.
Has anyone experienced this and can anyone help?
Are you sure you are applying it to the correct user group?
I’ve had trouble in the past with this, being a novice. I would suggest doing running the following from command prompt Gpresult /h report.html /f
This will generate a HTML document that you can see what has been applied to this machine. If it’s not on there then it’s probably a wrong target from the GPO end. If it’s there but fails you should have a reason why.
One more thing to check too is what your GPOs are on your computer itself. there might be something that is overwriting/blocking what the AD is sending?
I downloaded the latest version of Appium from the GitHub. I have installed it on two Windows PCs,
On first one it works fine.
But on the second one, just by clicking "Start server v1.7.2" a window appear showing "The server is stopped".
What is wrong with the configuration?
I found the solution for above error.
It was due to firewall modified by an antivirus, it disables all open ports on this PC.
There can be around three solutions:
Format the PC will help us to get open ports, but it is not a recommended solution.
Uninstalling Antivirus can open blocked ports, by recovering firewall to its original state.
If the 2nd solution does not help then Uninstalling Antivirus and create a new User Account on PC, helps me to run Server successfully.
I’m going to try to be as thorough as I can, but if you have questions or would like additional tests. I will provide more detail as I can. I have a small number of computers exhibiting intermittent issues when waking from sleep.
Some details:
Bound to Active Directory (although the bind is likely broken when the issue occurs)
OSX - 10.12.3
Machine is Encrypted
Symptoms:
When a user sleeps their machine which enables a locked screen saver, and then attempts to wake the machine, they are unable to log in using their credentials.
If they click on "Switch User" they are then able to log into their account, however, they are not recognized as an admin and can not run sudo commands or unlock system preferences.
It seems, at least with the computer I was able to get hands on with, that they can not authenticate in terminal or system prefs UNLESS they change their network connection to reflect the connection that allowed them to log in. So if they switch user, then connect to wifi, they can not authenticate in sysprefs, but if they turn off wifi, then they are able to authenticate.
When clicking "Switch User" the wi-fi appears to drop, and thus, lets them log in.
Restarting resolves the issue for some users but not others (unverified, going off user input, the machine I restarted did resolve the issue, at least temporarily.)
Generally when I see this issue, the computer seems to have become unbound from Active Directory. Re-binding it appears to resolve the issue temporarily (until AD drops the keychain item again).
The issue was present prior to upgrading to OSX 10.12.
It seems to me like the computer knows to check with AD if the internet is available, but if AD is unreachable or the credentials are not accepted, then it does not know to default to the local cache, unless the internet is turned off completely. I'm not sure what file or files may be involved in that, but I would like to change that file to default to the local cache when internet is connected but AD is unreachable as well as when no internet is present.
This is an issue with the opendirectoryd daemon which bugs when trying to bind with AD.
The raw solution is basically to kill the daemon which will restart and rebind somehow.
There are many ways to automate the kill, a cronjob would work but will require to have the killall command run every minute, which is very dirty.
I am using sleepwatcher (available with homebrew) and set it to launch the kill command everytime the laptop is going out of sleep, which works like a charm.
It's a workaround, but seems Apple doesn't really work on a fix for that issue which is ongoing for years.
The kit started hanging for twenty minutes while testing an app, and I clicked cancel but it continued to hang. So I fired up task manager and killed it. Now it won't start at all due to error cleaning .etl file from the last session - no permission. It's in AppData/Local/Microsoft/AppCert/ftlog. Any suggestions?
No luck on Google search, and I've tried just deleting that file/folder. It's read only, and won't even show who owns it. The kit runs fine on the other accounts on my pc which have no ftlog folder since I haven't ran any sessions on those accounts. So I think getting rid of it would fix the problem. That's easier said than done however...
Also tried uninstalling/reinstalling Windows 10 sdk, but that didn't delete the AppData evidently.
Rebooted this morning and problem solved! Hopefully this post can save someone an hour or two of your life.
We've successfully set-up WDS (Windows Deployment Services) and had it all working (it's serving an unattended Windows 7 x64 installation, the user only has to F12 then wait for the install to finish) but it no longer works the way it did before.
We're trying to F12 the exact same machine where it used to work. The WDS part of the installation is still automatic (unattended) but ImageUnattend.xml does not seem to run on the client at all now, it gets stuck at the language selection (everything after that is manual as well which is supposed to be automatic).
Inspecting C:\windows\panther on the client machine shows that WDS pops up with an error: WDS CallBack_WdsClient_CopyPrivatesDone: Failed to process client unattend variables.
Changing "%MACHINENAME%" to "*" in the ImageUnattend.xml file makes it all automatic again, however it then renames the computer incorrectly.
The variable %MACHINENAME% worked before, so why does it not work now? Has anyone else met this issue before?
Using a different user (domain administrator) in the ImageUnattend.xml file does not seem to change anything.
After countless of attempts with at least 15 new ImageUnattend.xml files, I decided to restart the server and use the original files I knew worked before.
This fixed it.