User Policies not applying over Checkpoint VPN

Discussion in 'Active Directory' started by Aidan, Mar 28, 2007.

  1. Aidan (Guest)


    I am having an issue with user policies failing to apply when connected over
    our Checkpoint Secure Client VPN (they apply perfectly on the LAN). So far I
    have tried the following:

    - I have ensured that I can ping the Domain Controllers
    - Ensured that the client is successfully registered in DNS
    - Verified that I can resolve the domain name in DNS
    - Verified that I can browse to the SYSVOL\Policies folder
    - Logged in as domain admin to ensure that the issue isn't rights related
    - Forced Kerberos over TCP via a registry change
    - Disabled Minimum transfer rates for GPO processing (both user and machine)

    The users log in with cached credentials and launch the Secure Client VPN
    connector. When I do a gpupdate /force, I get the following result:
    Failed to refresh User Policy. Error - The system cannot find the file
    .. Exiting...
    Computer Policy Refresh has completed.

    I have therefore tried to gain more information by enabling verbose logging
    of the userenv as no events are produced in the event log. The area of
    interest I believe is the following:
    USERENV(14c.330) 20:42:35:730 LibMain: Process Name:
    USERENV(14c.798) 20:42:35:777 RefreshPolicyEx: Entering with force refresh 1
    USERENV(14c.798) 20:42:35:777 RefreshPolicyEx: Leaving.
    USERENV(3b0.334) 20:42:35:777 ProcessGPOs:
    USERENV(14c.d34) 20:42:35:777 RefreshPolicyEx: Failed to open event with 2
    USERENV(3b0.334) 20:42:35:777 ProcessGPOs:
    USERENV(3b0.334) 20:42:35:777 ProcessGPOs: Starting computer Group Policy
    (Background) processing...

    There is no record of 'starting user group policy' anywhere in the log file,
    so I presume that this is due to "Failed to open event with 2". As a result,
    I have scoured the web looking for results. I did note the following URL:
    This seems to describe a very similar situation, although it is for Win2000
    rather than XP SP2.

    As you will probably have gathered by now, this issue is really getting to
    me! I have spent several hours investigating. I would like to know if anyone
    has any suggestions on how I should resolve this issue. To the best of my
    knowledge I cannot initiate the Checkpoint VPN prior to login. This would be
    ideal, as I would not have to log in with cached credentials. Perhaps someone
    knows a better way, as I note that my LoginServer is the local
    computer... Can I kick off a process to initiate a domain login somehow?

    Any help would be gratefully accepted!


    Aidan, Mar 28, 2007
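The checklist in the post above (DC reachable, DNS, SYSVOL readable, logon server, slow-link settings) can be re-run in one go each time the tunnel comes up. The script below is an added example for this thread, not code from the original poster or from Check Point; it uses modern cmdlets (Resolve-DnsName and Test-NetConnection need Windows 8.1 / Server 2012 R2 or later, so it would not have run on the XP SP2 client in the thread) and assumes a hypothetical AD DNS name of corp.example.com. Run it in an elevated PowerShell on the VPN client after the tunnel is connected.

```powershell
# Added example (not from the thread): client-side checks for what user Group Policy
# processing needs when the machine reaches the domain over a VPN.
# Assumptions (hypothetical): AD DNS name corp.example.com; nltest.exe and gpresult.exe
# present (both ship with Windows); run elevated after the VPN tunnel is up.
param([string]$Domain = 'corp.example.com')

$results = [ordered]@{}

# 1. DNS: Group Policy finds a DC through the _ldap._tcp.dc._msdcs SRV record, so
#    being able to ping a DC by name is not enough; the SRV lookup has to work too.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$results['SRV record for a DC resolves'] = [bool]$srv

# 2. DC locator: nltest asks the locator the same way the policy engine does; /force bypasses the cache.
$nl = & nltest.exe /dsgetdc:$Domain /force 2>&1
$results['DC locator (nltest /dsgetdc) succeeded'] = ($LASTEXITCODE -eq 0)
$dc = ($nl | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)' |
       ForEach-Object { $_.Matches[0].Groups[1].Value }) | Select-Object -First 1

# 3. A cached-credential logon leaves LOGONSERVER pointing at the local machine; the
#    user session then has no DC logon to refresh user policy against.
$results["LOGONSERVER is a DC (currently $env:LOGONSERVER)"] = ($env:LOGONSERVER -ne "\\$env:COMPUTERNAME")

# 4. Ports the policy engine needs towards the DC the locator returned.
if ($dc) {
    $ports = @{ 'Kerberos' = 88; 'RPC endpoint mapper' = 135; 'LDAP' = 389; 'SMB (SYSVOL)' = 445 }
    foreach ($p in $ports.GetEnumerator()) {
        $t = Test-NetConnection -ComputerName $dc -Port $p.Value -WarningAction SilentlyContinue
        $results["$($p.Key) TCP/$($p.Value) to $dc"] = $t.TcpTestSucceeded
    }
}

# 5. SYSVOL through the domain DNS name, which is how each GPO's gPCFileSysPath is stored.
$results["\\$Domain\SYSVOL\$Domain\Policies readable"] = Test-Path "\\$Domain\SYSVOL\$Domain\Policies"

# 6. Ask the policy engine which user GPOs it last applied (and which it filtered out).
$gp = & gpresult.exe /r /scope:user 2>&1
$results['gpresult lists applied user GPOs'] = [bool]($gp | Select-String -Pattern 'Applied Group Policy Objects')

$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}
```

Check 3 is the one that corresponds to the poster's observation that LoginServer is the local computer: when it fails, the other checks can all pass and user policy will still not refresh, because the session was never authenticated by a DC. The port list in check 4 is the minimum for policy retrieval (Kerberos, LDAP, SMB, endpoint mapper); it does not cover dynamically assigned RPC ports.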

  2. First, resolving the GPO filename needs NetBIOS :( If you know a way to do
    this without NetBIOS, post it here...
    If you look at a GP Object in AD you will find that its location looks
    like \\<your domain name>\SYSVOL\etc...

    Second, processing GPOs may (or will?) require the RPC protocol, so you need
    to bind RPC traffic to fixed ports and open them at your firewall:
    Nick Domukhovsky, Mar 28, 2007
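The fixed-port change Nick refers to is done in the registry on the domain controller. The script below is an added example for this thread, not Nick's or Microsoft's code; the value names are the documented ones (Microsoft KB 224196 for the per-service AD ports, KB 154596 for the RPC Internet port range), while the port numbers 38901, 38902 and 50000-50099 are assumptions to replace with unused ones on your network. It also reads the settings back together with the non-RPC ports policy processing needs, so the firewall rule from the VPN pool to the DC can be written against known numbers. The DC must be rebooted for the change to take effect.

```powershell
# Added example (not from the thread): pin the RPC traffic that AD services use to
# fixed ports on a domain controller, then list every port a firewall rule between
# the VPN client pool and the DC has to allow.
# Assumptions (hypothetical): ports 38901, 38902 and the range 50000-50099 are free.
# Run elevated on the DC; a reboot is required afterwards.

function Set-FixedRpcPorts {
    param(
        [int]$NtdsPort = 38901,            # AD replication (DRS) RPC interface
        [int]$NetlogonPort = 38902,        # Netlogon RPC interface (secure channel)
        [string]$RpcRange = '50000-50099'  # every other RPC server on the box
    )
    # Per-service fixed ports (KB 224196): the endpoint mapper still answers on TCP 135
    # but hands clients these ports instead of a dynamic one. -Force overwrites an
    # existing value.
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -Value $NtdsPort -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'DCTcpipPort' -Value $NetlogonPort -PropertyType DWord -Force | Out-Null

    # Range for the remaining RPC servers (KB 154596). Ports is REG_MULTI_SZ, the
    # two flags are REG_SZ "Y".
    $rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    New-ItemProperty -Path $rpcKey -Name 'Ports' -Value @($RpcRange) -PropertyType MultiString -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -Value 'Y' -PropertyType String -Force | Out-Null
}

function Get-FixedRpcPorts {
    # Reads the settings back and returns the full port list for the firewall rule.
    $ntds = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue).'TCP/IP Port'
    $nlg  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue).DCTcpipPort
    $rng  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue).Ports
    [pscustomobject]@{
        'DNS'                  = 'TCP/UDP 53'
        'Kerberos'             = 'TCP/UDP 88'
        'RPC endpoint mapper'  = 'TCP 135'
        'LDAP'                 = 'TCP/UDP 389'
        'SMB (SYSVOL)'         = 'TCP 445'
        'NTDS RPC (fixed)'     = if ($ntds) { "TCP $ntds" } else { 'dynamic' }
        'Netlogon RPC (fixed)' = if ($nlg)  { "TCP $nlg" }  else { 'dynamic' }
        'Other RPC (range)'    = if ($rng)  { "TCP $($rng -join ',')" } else { 'dynamic (49152-65535 on Vista/2008 and later, 1025-5000 before)' }
    }
}

# Set-FixedRpcPorts   # uncomment to apply, then reboot the DC
Get-FixedRpcPorts | Format-List
```

Because these values are DC-wide, the same fixed ports also have to be allowed between this DC and its replication partners, not only from the VPN pool; apply the change on every DC the VPN clients may be directed to by the locator.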
