Despite what the name may imply, this is not a Microsoft hate site! Microsoft does some really good things. My purpose here is to shame Microsoft into fixing the absurd things they let go unaddressed. Broken links in help files, fixed-size windows too small to read the information they contain, and any other quality control failure they could've gotten right if they just had a little bit more money.
Wednesday, February 18, 2015
The "fix" for group policy actually completely breaks it
Microsoft recently published a set of patches to fix a 15 year vulnerability in the way clients update group policy. I was glad to read how they had taken the time they needed to get the fix right. Now it just so happened the week after this patch was automatically installed on my computers that I needed to make a group policy change. When I ran gpupdate on the client to get the changes, the update failed. Network access denied. So I tried a few more computers and discovered that the 2012 servers were OK, one of five of the 2008 servers was OK, and only one of 3 windows 7 machines would still work and it was the one that hadn't been patched yet. SYSVOL and NETLOGON shares were completely unreachable on the affected machines.  I spent several hours troubleshooting with the guidance of the error messages -- checked DFS clients, ran AD diagnostics, tested network access, firewalls, demoted a secondary DC, and so on... Finally when nothing made any difference I figured I'd just have to roll everything back. For science though, I just uninstalled patch 3000483. As soon as the computer restarted group policy started updating again. Naturally the computers all automatically installed the patch again, but this time it worked. My best guess is that there was some race condition that affected those machines. 
So there I was just trying to get something done and wouldn't you know, the group policy "fix" broke group policy on half my machines. They point out in the article that they had time to do this patch right and it still cost me hours of troubleshooting. Can you imagine how bad it would've been if they hadn't "done it right"? This is why I hate Microsoft today. If only they had a few more resources to throw at quality control, a few more dollars to pay some people to test these things out, I might not have had to lose all that time. Have you had any issues with the Jasbug patches? Commiserate in the comments. 
Subscribe to:
Comments (Atom)
