Applying Group Policies Fails After Symantec Endpoint Protection Client Installation

Article ID: 157412

Products

Endpoint Protection

Issue/Introduction

After installing Symantec Endpoint Protection 12.1 with Network Threat Protection, or at least the Firewall feature, Windows clients fail to process group policies during startup. The associated group policy configuration applies a large number of settings, possibly including the distribution of software packages.

The Windows System Event Log may show event ID 5719 (No Domain Controller is available...). The Windows Application Event Log shows event ID 1054 (Windows cannot obtain the domain controller name...) and event ID 1000 (Could not execute the following script...) from subsequently failing logon scripts.

Cause

This behavior is not caused by Symantec Endpoint Protection blocking certain domain controller traffic. Adding another component to the network stack, such as the Symantec Endpoint Protection firewall, may cause standard timeouts to be exceeded during Windows startup, so that certain actions, such as applying group policies, fail.

Resolution

Event ID 5719 could be caused by the Netlogon service starting before the network is ready. This is typically not a problem as the connection is retried later on once the network becomes available. Microsoft's knowledge base article KB938449 lists possible causes and solutions.

To allow more time for group policy processing, a higher timeout (e.g. 60s) can be set via GpNetworkStartTimeoutPolicyValue in the registry at

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpNetworkStartTimeoutPolicyValue

on Windows XP and Windows Server 2003, or at

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\GpNetworkStartTimeoutPolicyValue

on Windows 7 and Windows Server 2008.

See Microsoft's knowledge base at KB840669 or KB2421599 for further information.
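The following script is an added example, not part of the original article or a Symantec or Microsoft tool: it lists the event IDs named above from the two logs, reports the current GpNetworkStartTimeoutPolicyValue, and raises it only when -Apply is given. The parameter names, the seven-day lookback and the report-only default are assumptions of this example; the registry key is passed in, so use the key the article lists for the client's Windows version.

```powershell
# Added example, not part of the original article. Run from an elevated prompt
# on the affected client (Get-WinEvent needs Windows Vista / Server 2008 or later).
param(
    # Registry key holding the value: pass the key the article lists for this
    # Windows version, in PowerShell form, e.g. 'HKLM:\SOFTWARE\...\Winlogon'.
    [Parameter(Mandatory = $true)][string]$WinlogonKey,
    [int]$TimeoutSeconds = 60,   # example timeout from the article
    [int]$LookbackDays   = 7,    # assumption: how far back to search the logs
    [switch]$Apply               # without -Apply the script only reports
)

$valueName = 'GpNetworkStartTimeoutPolicyValue'
$since     = (Get-Date).AddDays(-$LookbackDays)

# Event IDs named in the article. ID 1000 is also used by unrelated providers
# (for example application crash reports), so check the provider column.
$filters = @(
    @{ LogName = 'System';      Id = 5719;       StartTime = $since },
    @{ LogName = 'Application'; Id = 1054, 1000; StartTime = $since }
)
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}
$events | Sort-Object TimeCreated |
    Format-Table TimeCreated, LogName, Id, ProviderName -AutoSize

# Read the current timeout; $null means the value has not been set.
$current = (Get-ItemProperty -Path $WinlogonKey -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName
"Current ${valueName}: " + $(if ($null -eq $current) { 'not set' } else { "$current s" })

if ($Apply -and ($null -eq $current -or $current -lt $TimeoutSeconds)) {
    if (-not (Test-Path $WinlogonKey)) { New-Item -Path $WinlogonKey -Force | Out-Null }
    # REG_DWORD, in seconds; -Force overwrites an existing lower value.
    New-ItemProperty -Path $WinlogonKey -Name $valueName -PropertyType DWord `
        -Value $TimeoutSeconds -Force | Out-Null
    "Set $valueName to $TimeoutSeconds s. Restart the client to verify."
}
```

Run it once without -Apply to confirm the events match the symptoms described above before changing the registry.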