This is a good discussion. In the past, working in very large environments, I customized the crap out of the default profile. This was pre-GP days, however, but the value of creating those customizations was still useful, esp. in the pre-GP days. The reality is that GP does not expose all that can be customized in the user profile and so if you want to do that, you almost need to create a custom default profile. However, for the uninitiated, the process is not very well defined. I've seen things like embedding the wrong ntuser.dat hive permissions into a default profile cause 5000 people to not be able to log on (that was a fun day). Profiles cause a lot of problems for folks, esp. when things like the purpose of ntuser.pol are not clear to them. My feeling is that the less tinkering you do with the default profile, the better, but there are valid reasons for it.

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret
Sent: Tuesday, November 27, 2007 3:07 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

Hi Jamie,

You don't really have any argument with me. I have always tended to have a fairly robust VB program to run at logon to do all the special tailoring and to fix up old "mistakes" etc. This is especially important when you also want to change existing users, rather than just new users.

However, there are some things that can be done much more easily via the GUI than using a program/script, especially if you do not have a really experienced programmer. Small things like increasing the width of the quick launch area or changing a default setting in Explorer can take quite a while to work out.

Another advantage of the default profile is that it behaves as a preference. You get the setting first up, but you can then change it. Group Policy doesn't usually support this.
Of course your script can be clever enough to set it if it isn't already set, but that gets more complex again.

I would still say that for small sites, the ability to quickly change things by logging on as a "standard user", make changes to the profile, then save it all back to the default profile has a lot of appeal. You just need to be careful...

Also, there are a lot of managers that think we should run it "out of the Box". They argue that changing the Default Profile is the way Microsoft intended you to do it, writing Programs/scripts is creating a support headache.

Alan Cuthbertson

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: Wednesday, 28 November 2007 8:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

Alan,

I understand where you are coming from, but if you can't customize something with a Group Policy setting, wouldn't it make more sense to write a script that makes your custom changes (i.e. registry settings, desktop shortcuts, etc.) at logon? That way the default profile is not even an issue.

It's just my opinion, but with the multitude of Group Policy admin template settings, there shouldn't be much of a need to customize the default profile in the first place. Not to mention that it limits your flexibility in larger, more diverse enterprises.

Regards,
Jamie Nelson

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret
Sent: Tuesday, November 27, 2007 2:57 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

Jamie/Darren

I would agree with you that it would be better to have a default profile without any policies applied.
However, most people tend to build a "Clean" user, log on with that account, tailor it the way they want (add registry keys, shortcuts etc.), then save that profile away. Since they have logged on, they get all of the default policies applied, which is fine provided they copy across the ntuser.pol file as well.

I take your point, Darren, that if at some time in the future you remove a policy that is Tattooed, you must remember to remove it from the default policy as well, but that is life. Since you probably have got to go and remove it from all existing users as well, getting it off the default profile is not that big a job.

I suppose it is an issue that people need to be aware of.

Alan Cuthbertson

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: Wednesday, 28 November 2007 1:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

Alan,

I would have to agree with Darren on this one. Not to gang up on you or anything, but I've never been too high on customizing the default profile in the first place. Seems to always create more problems than it solves.

Regards,
Jamie Nelson

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 27, 2007 8:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

Alan-

While I agree with what you're saying, I would say that it's bad form to create a default profile that already has policies applied to it. Typically default profiles hang around for a while, while GPOs and settings come and go. Having to drag around those settings and then requiring the ntuser.pol file as well to be able to remove them seems like a bad idea.
Also note that any preferences applied in that profile would get stuck there if the GPO that applied them goes away over time. I just think it's fraught with peril.

My .02

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret
Sent: Monday, November 26, 2007 9:40 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

Darren,

It depends on how you build your default profile. If you are copying the NTUser.dat file from a user that has never had a policy applied, then you are correct, you don't need the ntuser.pol file (obviously, since it would not exist). If you apply a policy that creates an entry under software\policy, then an entry is created in the ntuser.pol file and you must copy it to the default policy. If you don't, and the policy is not applied to the new user, then Tattoo processing doesn't know that it needs to remove it from the user's copy of the default policy.

Tazamal,

Looking at your file, it would seem that the entry is already in the registry but is not in the NTUSER.POL, so tattoo processing doesn't know that it has to remove it. This will happen if the default profile has been incorrectly built. It also agrees with the fact that if you deactivate the policy, the key is deleted and won't come back. Try deleting it manually and it won't come back either.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
Sent: Tuesday, 27 November 2007 12:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

Alan, Darren, Jamie....

Your responses and guidance have been very much appreciated. I've done some screen scrapes to try and eliminate any things you guys may think I might be doing wrong... I hope these help us find a solution.

I have attached a file, it's not too big, hope you don't mind...

Thanks so far on the quick responses so far.

Lozz

________________________________

From: darren@xxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
Date: Mon, 26 Nov 2007 16:23:32 -0800

Alan-

Just to clarify, ntuser.pol should not exist in a default profile. It is created on the fly (both per-user and per-computer) for a given user and, as you correctly point out, contains the admin template policy settings (as well as preferences, by the way) for the current user. The per-user version is held in the current user's profile directory. It is responsible for the policy clean-up process inasmuch as each time Admin. Template policy is processed, this "archive" file is read and any policy keys found in it are removed before the current Admin. Template policies are re-applied. So it is possible that this .pol file somehow did not get the policy in question added to it, and thus would not remove it. But this seems like a strange scenario.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret
Sent: Monday, November 26, 2007 3:19 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

Can you try removing the registry key manually, then reapplying the policy and see if it comes back?

What I suspect you may have done is got your default Profile screwed up. There are two files in the Default profile, the NTUser.dat file which contains the registry keys that are in use, plus the NTUser.Pol file that stores all of the non-tattooed policies that are to be removed. If these get out of synch, you can have the case that NTUser.dat contains a registry key but NTUser.Pol doesn't contain the key for removal. This will happen if, when building the default profile, you copy across NTuser.dat but not NTUSER.POL. This means that new users inherit a registry which contains the key but the NTUSER.POL does not contain the key to remove it as part of tattoo processing. However, once you manually remove it, it won't come back.

While the best way to fix it for new users is to rebuild your Default profile from scratch, if this is the only error, you can simply remove the entry from the NTUSER.DAT.

Existing users are somewhat harder to fix. I suspect the only way is a batch file that removes the key on a once-off basis.
The trouble is that you need to leave it running until all profiles on all machines have been fixed.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: Tuesday, 27 November 2007 4:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

Then, as Darren suggested, you need to run a RSoP on that system/user and ensure you're not getting it from somewhere else. Eliminate that possibility first.

Also, are you sure GP is processing correctly on the system? When you run your RSoP, check and see if any GP related events occurred.

Regards,
Jamie Nelson

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
Sent: Monday, November 26, 2007 11:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

Hi Jamie,

Yup... gave that a go.. rebooted few times etc. but still that setting is coming down and shown in the user registry hive. Within the GPMC settings view of the defdompol, there is no sign that this setting (ForcePST) is now set... and the only GPO applied to this User is defdompol...

Thanks for your reply

Loz

> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> Date: Mon, 26 Nov 2007 10:58:51 -0600
> From: Jamie.Nelson.ctr@xxxxxxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
>
> Have you done a 'gpupdate /force /target:user' from the command-line? Sometimes if you forcefully reapply the policy it will correct things like that.
>
> Regards,
> Jamie Nelson
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> Sent: Sunday, November 25, 2007 5:36 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Problem with GPO Setting even after set to 'Not Configured'
>
> Hi Guys,
>
> I have also posted this to Group Policy Forums @ Microsoft. Trying to get some exposure to this problem... hoping someone can shed some light. I have tried to describe exactly what is going on, being as descriptive as possible. If I get an answer on the Microsoft forum I'll post it over to here if anyone is interested....
>
> I have pasted the Thread I have started already:
>
> 2 posts altogether:
>
> > Hey Guys,
> >
> > Okay, although I have not found an answer yet, I *think* I have made some progress and am on the right lines, again if anyone has any comments please do let me know.
> >
> > .... after a lot of googling everything was pointing to the fact that I MUST HAVE at some point applied the Outlook ADM to the def-dom-pol with the setting for 'default path for PST Files' pointing to my network location. After applying it I must have ripped out the ADM template from the def-dom-pol and applied it specifically to the OU where I wanted the GPO to apply. Hence this *probably* caused GPMC to give the output of 'display names for some setting cannot be found....'
> >
> > So... in an attempt to correct this.... Within the def-dom-pol I added the Outlook ADM template back in... And set the setting for the PST path to 'not configured'... Rebooted an XP client, logged in with a new user but still outlook is pushing the path of the PST to the network store when configuring a POP3 email account.
> >
> > The strange thing still is even though I have configured the setting now to 'Not Configured' (and hence it does not now display in the GPMC settings tab for the def-dom-pol GPO as being set at all) AND the ONLY policy that is applied to Users (for new users created after this change as well) is the def-dom-pol ONLY, the user's registry hive is still showing the network location path in the ForcePST registry key under HKCU\Software\Policies\Microsoft\Office\Outlook..... which I thought was a protected registry area that doesn't suffer from tattooing i.e.... is this tattooing?
> >
> > My head is kind of spinning now... as I think I am getting out of my depth... any steer would be great. All I am looking to achieve is for users (not within a specific OU) default outlook PST path to point to where it would have pointed if I didn't mess with this setting... it's as if the default PST location value is now the network path if I leave this setting to 'Not Configured'
> >
> > lozza
> >
> > 'lozza' wrote:
> >
> > > Hi Guys,
> > >
> > > I am confused by what is going on here.... looking for some help:
> > >
> > > In AD I have an OU with a GPO applied. This GPO, as well as other user settings, sets User Configuration\Administrative Tools\Microsoft Office Outlook 2003\Miscellaneous\PST Settings\Default location for PST files.... to a network location (I don't have any other option!). Now my understanding was that this should apply to all users within the OU that this GPO is linked to... and it does, just fine, was happy until today
> > >
> > > However....
> > >
> > > When I create a new user in AD, and place him in any other OU that does not have this GPO linked to it (and only the Default domain Policy), this setting still applies to the user when configuring outlook... it shouldn't, should it?
> > >
> > > So... I went into GPMC, clicked the OU the user sits in on the left hand side, clicked 'Group Policy Inheritance' tab on the right pane and see that ONLY the Default Domain Policy is being applied... which it should be... good
> > >
> > > So... I clicked on the Default domain policy on the left hand side pane of GPMC and on the right hand side pane clicked the settings tab which shows me all configured settings within this GPO. AND THERE IT WAS! under User Configuration, Administrative Templates, Extra Registry Settings it says:
> > >
> > > 'Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management'
> > >
> > > and directly under that it specifies:
> > >
> > > Setting: Software\Policies\Microsoft\Office\11.0\Outlook\ForcePSTPath
> > > State: \\Network File server where PSTs are stored in the GPO it's configured for...
> > >
> > > So why is this setting, that is set in another GPO specifically linked to one particular OU, also in my Default Domain Policy? When I open the defdompol to configure it I don't see the template that sets this setting, in fact I don't see any of the Microsoft Office stuff in the defdompol GPO as I didn't add any additional administrative templates to the Default Domain GPO.
> > >
> > > Truly confused and a bit worried that I've messed my default domain policy... does anyone know what I'm talking about?
> > >
> > > Lozz
>
> ***********************
> You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface.
> Archives for the list are available at //www.freelists.org/archives/gptalk/
> ************************
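
The NTUSER.DAT / NTUSER.POL mismatch discussed in this thread can be checked offline. The Python below is an added example, not code from any list member: it parses the Registry.pol ("PReg") layout that ntuser.pol uses and reports values under Software\Policies that the archive does not track. The hive contents, the `\\fileserver\pst` path and all function names are constructed for illustration.

```python
import struct
PREG_HEADER = b"PReg" + struct.pack("<I", 1)  # signature + format version 1

def u16(text):
    return text.encode("utf-16-le")

def build_pol(entries):
    """Build a constructed .pol blob from (key, value, type, data) tuples."""
    out = bytearray(PREG_HEADER)
    for key, value, rtype, data in entries:
        out += u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype)
        out += u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]")
    return bytes(out)

def parse_pol(blob):
    """Return {(key, value): (type, data)} with lower-cased names."""
    if blob[:8] != PREG_HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, found = 8, {}
    def take(n):  # consume exactly n bytes or fail
        nonlocal pos
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated .pol file")
        pos += n
        return chunk
    def expect(ch):  # delimiters are UTF-16LE characters
        if take(2) != u16(ch):
            raise ValueError(f"expected {ch!r} before offset {pos}")
    def read_str():  # NUL-terminated UTF-16LE string followed by ';'
        chars = []
        while (ch := take(2)) != b"\0\0":
            chars.append(ch)
        expect(";")
        return b"".join(chars).decode("utf-16-le")
    def read_dword():  # little-endian DWORD followed by ';'
        number = struct.unpack("<I", take(4))[0]
        expect(";")
        return number
    while pos < len(blob):
        expect("[")
        key, value = read_str(), read_str()
        rtype, size = read_dword(), read_dword()
        data = take(size)  # read by length: data may itself contain ';' or ']'
        expect("]")
        found[(key.lower(), value.lower())] = (rtype, data)
    return found

def orphaned_policy_values(hive_values, pol_blob):
    """Hive values under Software\\Policies that the .pol archive does not list."""
    tracked = parse_pol(pol_blob)
    return sorted((k, v) for k, v in hive_values
                  if k.lower().startswith("software\\policies\\")
                  and (k.lower(), v.lower()) not in tracked)

OUTLOOK = r"Software\Policies\Microsoft\Office\11.0\Outlook"
DESKTOP = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"
# Constructed samples: policy values in a profile's NTUSER.DAT, and an
# ntuser.pol (type 1 = REG_SZ) that only tracks the screen saver value.
HIVE = {(OUTLOOK, "ForcePSTPath"): r"\\fileserver\pst", (DESKTOP, "ScreenSaveActive"): "1"}
POL = build_pol([(DESKTOP, "ScreenSaveActive", 1, u16("1\0"))])
```

`orphaned_policy_values(HIVE, POL)` returns the ForcePSTPath entry, the value that is present in the hive but absent from the archive.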