[gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

  • From: TAZAMAL HUSSAIN <tazamal_hussain@xxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 28 Nov 2007 01:32:51 +0000

This is an even better discussion for me, as someone who wasn't on the
scene in the pre-GP days. I guess I don't appreciate the value of Group Policy
and what it does, and take applying GPs for granted (without fully understanding
what's going on in the background), and when things go wrong I don't know where to
start looking. I am slowly learning the lesson of creating relatively small
amounts of Group Policies and not tinkering with a lot.

> From: darren@xxxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> Date: Tue, 27 Nov 2007 16:06:54 -0800
>
> This is a good discussion. In the past, working in very large environments,
> I customized the crap out of the default profile. This was pre-GP days
> however but the value of creating those customizations was still useful,
> esp. in the pre-GP days. The reality is that GP does not expose all that can
> be customized in the user profile and so if you want to do that, you almost
> need to create a custom default profile. However, for the un-initiated, the
> process is not very well defined. I've seen things like embedding the wrong
> ntuser.dat hive permissions into a default profile cause 5000 people to not
> be able to logon (that was a fun day). Profiles cause a lot of problems for
> folks, esp. when things like the purpose of ntuser.pol are not clear to
> them. My feeling is that the less tinkering you do with the default profile,
> the better, but there are valid reasons for it.
>
> Darren
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret
> Sent: Tuesday, November 27, 2007 3:07 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Hi Jamie,
>
> You don't really have any argument with me. I have always tended to have a
> fairly robust VB program to run at logon to do all the special tailoring and
> to fix up old "mistakes" etc. This is especially important when you also
> want to change existing users, rather than just new users.
>
> However there are some things that can be done much more easily via the GUI
> than using a program/script, especially if you do not have a really
> experienced programmer. Small things like increasing the width of the quick
> launch area, changing a default setting in explorer can take quite a while
> to work out.
>
> Another advantage of the default profile is that it behaves as a preference.
> You get the setting first up, but you can then change it. Group Policy
> doesn't usually support this. Of course your script can be clever enough to
> set it if it isn't already set, but that gets more complex again.
>
> I would still say that for small sites, the ability to quickly change things
> by logging on as a "standard user", make changes to the profile, then save it
> all back to the default profile has a lot of appeal. You just need to be
> careful...
>
> Also, there are a lot of managers that think we should run it "out of the
> Box". They argue that changing the Default Profile is the way Microsoft
> intended you to do it, writing Programs/scripts is creating a support
> headache.
>
> Alan Cuthbertson
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
> Sent: Wednesday, 28 November 2007 8:52 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Alan,
>
> I understand where you are coming from, but if you can't customize
> something with a Group Policy setting, wouldn't it make more sense to
> write a script that makes your custom changes (i.e. registry settings,
> desktop shortcuts, etc.) at logon? That way the default profile is not
> even an issue.
>
> It's just my opinion, but with the multitude of Group Policy admin
> template settings, there shouldn't be much of a need to customize the
> default profile in the first place. Not to mention that it limits your
> flexibility in larger, more diverse enterprises.
>
> Regards,
> Jamie Nelson
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret
> Sent: Tuesday, November 27, 2007 2:57 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Jamie/ Darren
>
> I would agree with you that it would be better to have a default profile
> without any policies applied. However, most people tend to build a "Clean"
> user, logon with that account, tailor it the way they want (add registry
> keys, shortcuts etc) then save that profile away. Since they have logged on,
> they get all of the default policies applied, which is fine provided they
> copy across the ntuser.pol file as well.
>
> I take your point Darren that if at some time in the future you remove a
> policy that is Tattooed, you must remember to remove it from the default
> policy as well, but that is life. Since you probably have got to go and
> remove it from all existing users as well, getting it off the default
> profile is not that big a job.
>
> I suppose it is an issue that people need to be aware of.
>
> Alan Cuthbertson
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
> Sent: Wednesday, 28 November 2007 1:59 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Alan,
>
> I would have to agree with Darren on this one. Not to gang up on you or
> anything but I've never been too high on customizing the default profile
> in the first place. Seems to always create more problems than it solves.
>
> Regards,
> Jamie Nelson
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
> Sent: Tuesday, November 27, 2007 8:45 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Alan-
>
> While I agree with what you're saying, I would say that it's bad form to
> create a default profile that already has policies applied to it.
> Typically default profiles hang around for a while, while GPOs and
> settings come and go. Having to drag around those settings and then
> requiring the ntuser.pol file as well to be able to remove them seems
> like a bad idea. Also note that any preferences applied in that profile
> would get stuck there if the GPO that applied them goes away over time.
> I just think it's fraught with peril.
>
> My .02
>
> Darren
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret
> Sent: Monday, November 26, 2007 9:40 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Darren,
>
> It depends on how you build your default profile. If you are copying the
> NTUser.dat file from a user that has never had a policy applied, then
> you are correct, you don't need the ntuser.pol file (obviously, since it
> would not exist). If you apply a policy, that creates an entry under
> software\policy, then an entry is created in the ntuser.pol file and you
> must copy it to the default policy. If you don't, and the policy is not
> applied to the new user, then Tattoo processing doesn't know that it
> needs to remove it from the user's copy of the default policy.
>
> Tazamal,
>
> Looking at your file, it would seem that the entry is already in the
> registry but is not in the NTUSER.POL, so tattoo processing doesn't
> know that it has to remove it. This will happen if the default profile
> has been incorrectly built. It also agrees with the fact that if you
> deactivate the policy, the key is deleted and won't come back. Try
> deleting it manually and it won't come back either.
>
> Alan Cuthbertson
>
> Policy Management Software:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
>
> ADM Template Editor:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
>
> Policy Log Reporter(Free)
> http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
>
> ________________________________
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> Sent: Tuesday, 27 November 2007 12:00 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Alan, Darren, Jamie....
>
> Your responses and guidance has been very much appreciated. I've done
> some screen scrapes to try and eliminate any things you guys may think I
> might be doing wrong... I hope these help us find a solution.
>
> I have attached a file, it's not too big, hope you don't mind...
>
> Thanks so far on the quick responses so far.
>
> Lozz
>
> ________________________________
>
> From: darren@xxxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> Date: Mon, 26 Nov 2007 16:23:32 -0800
>
> Alan-
>
> Just to clarify, ntuser.pol should not exist in a default profile. It is
> created on the fly (both per-user and per-computer) for a given user
> and, as you correctly point out, contains the admin template policy
> settings (as well as preferences by the way) for the current user. The
> per-user version is held in the current user's profile directory. It is
> responsible for the policy clean up process inasmuch as each time Admin.
> Template policy is processed, this "archive" file is read and any policy
> keys found in it are removed before the current Admin. Template policies
> are re-applied. So it is possible that this .pol file somehow did not
> get the policy in question added to it, and thus would not remove it.
> But this seems like a strange scenario.
>
> Darren
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret
> Sent: Monday, November 26, 2007 3:19 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Can you try removing the registry key manually, then reapplying the
> policy and see if it comes back?
>
> What I suspect you may have done is got your default Profile screwed up.
> There are two files in the Default profile, the NTUser.dat file which
> contains the registry keys that are in use, plus the NTUser.Pol file
> that stores all of the non-tattooed policies that are to be removed. If
> these get out of synch, you can have the case that NTUser.dat contains a
> registry key but NTUser.Pol doesn't contain the key for removal. This
> will happen if when building the default profile, you copy across
> NTuser.dat but not NTUSER.POL.
>
> This means that new users inherit a registry which contains the key but
> the NTUSER.POL does not contain the key to remove it as part of tattoo
> processing. However, once you manually remove it, it won't come back.
> While the best way to fix it for new users is to rebuild your Default
> profile from scratch, if this is the only error, you can simply remove
> the entry from the NTUSER.DAT. Existing users are somewhat harder to
> fix. I suspect the only way is a batch file that removes the key on a
> once-off basis. The trouble is that you need to leave it running until
> all profiles on all machines have been fixed.
>
> Alan Cuthbertson
>
> Policy Management Software:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
>
> ADM Template Editor:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
>
> Policy Log Reporter(Free)
> http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
> Sent: Tuesday, 27 November 2007 4:21 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> > Then, as Darren suggested, you need to run a RSoP on that system/user
> > and ensure you're not getting it from somewhere else. Eliminate that
> > possibility first.
> >
> > Also, are you sure GP is processing correctly on the system? When you
> > run your RSoP, check and see if any GP related events occurred.
> >
> > Regards,
> > Jamie Nelson
> >
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> > Sent: Monday, November 26, 2007 11:12 AM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> >
> > Hi Jamie,
> >
> > Yup... gave that a go.. rebooted few times etc but still that setting is
> > coming down and shown in the user registry hive. Within the GPMC
> > settings view of the defdompol, there is no sign that this setting
> > (ForcePST) is now set... and the only GPO applied to this User is
> > defdompol...
> >
> > Thanks for your reply
> >
> > Loz
> >
> > > Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> > > Date: Mon, 26 Nov 2007 10:58:51 -0600
> > > From: Jamie.Nelson.ctr@xxxxxxxxxxxxx
> > > To: gptalk@xxxxxxxxxxxxx
> > >
> > > Have you done a 'gpupdate /force /target:user' from the command-line?
> > > Sometimes if you forcefully reapply the policy it will correct things
> > > like that.
> > >
> > > Regards,
> > > Jamie Nelson
> > >
> > > -----Original Message-----
> > > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> > > Sent: Sunday, November 25, 2007 5:36 PM
> > > To: gptalk@xxxxxxxxxxxxx
> > > Subject: [gptalk] Problem with GPO Setting even after set to 'Not Configured'
> > >
> > > Hi Guys,
> > >
> > > I have also posted this to Group Policy Forums @ Microsoft. Trying to
> > > get some exposure to this problem... hoping someone can shed some light.
> > > I have tried to describe exactly what is going on, being as descriptive as
> > > possible. If I get an answer on the Microsoft forum I'll post it
> > > over to here if anyone is interested....
> > >
> > > I have pasted the Thread I have started already:
> > >
> > > 2 posts altogether:
> > >
> > > Hey Guys,
> > >
> > > > Okay, although I have not found an answer yet, I *think* I have made some
> > > > progress and am on the right lines, again if anyone has any comments please
> > > > do let me know.
> > > >
> > > > .... after a lot of googling everything was pointing to the fact that
> > > > I MUST HAVE at some point applied the Outlook ADM to the def-dom-pol with
> > > > the setting for 'default path for PST Files' pointing to my network
> > > > location. After applying it I must have ripped out the ADM template from
> > > > the def-dom-pol and applied it specifically to the OU where I wanted the
> > > > GPO to apply. Hence this *probably* caused GPMC to give the output of
> > > > 'display names for some setting cannot be found....'
> > > >
> > > > So... in an attempt to correct this.... Within the def-dom-pol I added
> > > > the Outlook ADM template back in... And set the setting for the PST path
> > > > to 'not configured'... Rebooted an XP client, logged in with a new user
> > > > but still outlook is pushing the path of the PST to the network store when
> > > > configuring a POP3 email account.
> > > >
> > > > The strange thing still is even though I have configured the setting now
> > > > to 'Not Configured' (and hence it does not now display in the GPMC
> > > > settings tab for the def-dom-pol GPO as being set at all) AND the ONLY
> > > > policy that is applied to Users (for new users created after this change
> > > > as well) is the def-dom-pol ONLY, the user's registry hive is still
> > > > showing the network location path in the ForcePST registry key under
> > > > HKCU\Software\Policies\Microsoft\Office\Outlook..... which I thought was a
> > > > protected registry area that doesn't suffer from tattooing i.e.... is
> > > > this tattooing?
> > > >
> > > > My head is kind of spinning now... as I think I am getting out of my
> > > > depth... any steer would be great. All I am looking to achieve is for
> > > > users (not within a specific OU) default outlook PST path to point to
> > > > where it would have pointed if I didn't mess with this setting... it's as
> > > > if the default PST location value is now the network path if I leave this
> > > > setting to 'Not Configured'
> > > >
> > > > lozza
> > > >
> > > > 'lozza' wrote:
> > > >
> > > > > Hi Guys,
> > > > >
> > > > > I am confused by what is going on here.... looking for some help:
> > > > >
> > > > > In AD I have an OU with a GPO applied. This GPO, as well as other user
> > > > > settings, sets User Configuration\Administrative Tools\Microsoft Office
> > > > > Outlook 2003\Miscellaneous\PST Settings\Default location for PST
> > > > > files.... to a network location (I don't have any other option!). Now my
> > > > > understanding was that this should apply to all users within the OU that
> > > > > this GPO is linked to... and it does, just fine, was happy until today
> > > > >
> > > > > However....
> > > > >
> > > > > When I create a new user in AD, and place him in any other OU that does
> > > > > not have this GPO linked to it (and only the Default domain Policy), this
> > > > > setting still applies to the user when configuring outlook... it
> > > > > shouldn't, should it?
> > > > >
> > > > > So... I went into GPMC, clicked the OU the user sits in on the left
> > > > > hand side, clicked 'Group Policy Inheritance' tab on the right pane and
> > > > > see that ONLY the Default Domain Policy is being applied... which it
> > > > > should be... good
> > > > >
> > > > > So... I clicked on the Default domain policy on the left hand side pane
> > > > > of GPMC and on the right hand side pane clicked the settings tab which
> > > > > shows me all configured settings within this GPO. AND THERE IT WAS! under
> > > > > User Configuration, Administrative Templates, Extra Registry Settings it
> > > > > says:
> > > > >
> > > > > 'Display names for some settings cannot be found. You might be able to
> > > > > resolve this issue by updating the .ADM files used by Group Policy
> > > > > Management'
> > > > >
> > > > > and directly under that it specifies:
> > > > >
> > > > > Setting: Software\Policies\Microsoft\Office\11.0\Outlook\ForcePSTPath
> > > > > State: \\Network File server where PSTs are stored in the GPO it's
> > > > > configured for...
> > > > >
> > > > > So why is this setting, that is set in another GPO specifically linked
> > > > > to one particular OU also in my Default Domain Policy? When I open the
> > > > > defdompol to configure it I don't see the template that sets this
> > > > > setting, in fact I don't see any of the Microsoft Office stuff in the
> > > > > defdompol GPO as I didn't add any additional administrative templates to
> > > > > the Default Domain GPO.
> > > > >
> > > > > Truly confused and a bit worried that I've messed my default domain
> > > > > policy... does anyone know what I'm talking about?
> > > > >
> > > > > Lozz
> > > ***********************
> > > You can unsubscribe from gptalk by sending email to
> > > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> > > by logging into the freelists.org Web interface. Archives for the list
> > > are available at //www.freelists.org/archives/gptalk/
> > > ************************
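An added illustration, not part of the thread and not code from any of its participants: the mismatch Alan describes, found by listing values under Software\Policies that exist in a user's hive but have no record in ntuser.pol. It assumes the documented Registry.pol ("PReg") record layout, takes the hive contents as a plain list instead of reading a live registry, and runs on constructed sample data; all function names are hypothetical.

```python
import struct

PREG_HEADER = b"PReg" + struct.pack("<I", 1)   # signature, then version 1
POLICY_ROOT = "software\\policies\\"           # policy area named in the thread
REG_SZ = 1

def u16(text):
    return text.encode("utf-16-le")

def read_cstr(blob, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string in .pol data")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def expect(blob, pos, char):
    if blob[pos:pos + 2] != u16(char):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2

def parse_pol(blob):
    """Map (key, value name), lower-cased, to (type, data) per [key;value;type;size;data] record."""
    if blob[:8] != PREG_HEADER:
        raise ValueError("not a PReg version 1 file")
    entries, pos = {}, 8
    while pos < len(blob):
        pos = expect(blob, pos, "[")
        key, pos = read_cstr(blob, pos)
        pos = expect(blob, pos, ";")
        name, pos = read_cstr(blob, pos)
        pos = expect(blob, pos, ";")
        (reg_type,) = struct.unpack_from("<I", blob, pos)
        pos = expect(blob, pos + 4, ";")
        (size,) = struct.unpack_from("<I", blob, pos)
        pos = expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        pos = expect(blob, pos + size, "]")  # also fails if the data was truncated
        entries[(key.lower(), name.lower())] = (reg_type, data)
    return entries

def make_entry(key, name, text):
    """Build one REG_SZ record; used only for the constructed sample below."""
    data = u16(text + "\0")
    return (u16("[" + key + "\0;" + name + "\0;") + struct.pack("<I", REG_SZ)
            + u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))

def find_orphans(hive_values, pol_entries):
    """Return policy-area values in the hive that the .pol archive does not list."""
    # Names starting with "**" (e.g. **del.<name>) are directives, not stored values.
    tracked = {k for k in pol_entries if not k[1].startswith("**")}
    return sorted((key, name) for key, name in hive_values
                  if key.lower().startswith(POLICY_ROOT)
                  and (key.lower(), name.lower()) not in tracked)

# Constructed sample: the archive lists one policy value; the hive also carries ForcePSTPath.
DESKTOP_KEY = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"
OUTLOOK_KEY = r"Software\Policies\Microsoft\Office\11.0\Outlook"  # key quoted in the thread
SAMPLE_POL = PREG_HEADER + make_entry(DESKTOP_KEY, "ScreenSaveActive", "1")
SAMPLE_HIVE = [
    (DESKTOP_KEY, "ScreenSaveActive"),
    (OUTLOOK_KEY, "ForcePSTPath"),
    (r"Software\Microsoft\Office\11.0\Outlook\Options", "ExamplePreference"),
]

if __name__ == "__main__":
    print(find_orphans(SAMPLE_HIVE, parse_pol(SAMPLE_POL)))
```

Run against a default profile, the same comparison would flag every policy value baked into NTUSER.DAT that policy processing has no record of and therefore will not remove.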
