[gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
- From: "Nelson, Jamie R Contr 72 CS/SCBAF" <Jamie.Nelson.ctr@xxxxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 28 Nov 2007 09:16:35 -0600
Indeed, it is a great discussion. In pre-GP days it was extremely
beneficial to do this. Of course, back in those days it was also
somewhat of a common practice to give users local admin rights on their
PC, so we could also do a lot of things through logon scripts.
Since GP has matured, I haven't found much of a need to customize the
default profile anymore. If the changes are purely aesthetic and not
functional in nature, it is my opinion that messing with it is just not
worth the time. Not saying that the usefulness of doing so is gone, but
I just haven't come across very many instances where I couldn't change
something through GP or very easily with a script. However, I also
understand that not everyone can or wants to learn how to write code, so
I can see how customizing the default profile is a much more attractive
option to them.
My main argument with doing so is that in larger, more diverse
enterprises (like those I've been a part of for the better part of my
career) you can't always use the same default profile across the board.
In this situation you have to resort to making the changes to the local
default profile which can become a mess if you are dealing with more
than a couple of different configurations. In situations where you're
lucky enough to be able to centrally manage one profile from NETLOGON,
then it is not too much of an administrative headache, but I would still
tend to shy away from doing so unless it is an absolute necessity.
Regards,
Jamie Nelson
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 27, 2007 6:07 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
This is a good discussion. In the past, working in very large
environments,
I customized the crap out of the default profile. This was pre-GP days
however but the value of creating those customizations was still useful,
esp. in the pre-GP days. The reality is that GP does not expose all that
can
be customized in the user profile and so if you want to do that, you
almost
need to create a custom default profile. However, for the un-initiated,
the
process is not very well defined. I've seen things like embedding the
wrong
ntuser.dat hive permissions into a default profile cause 5000 people to
not
be able to logon (that was a fun day). Profiles cause a lot of problems
for
folks, esp. when things like the purpose of ntuser.pol are not clear to
them. My feeling is that the less tinkering you do with the default
profile,
the better, but there are valid reasons for it.
Darren
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On
Behalf Of Alan & Margaret
Sent: Tuesday, November 27, 2007 3:07 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Hi Jamie,
You don't really have any argument with me. I have always tended to have
a
fairly robust VB program to run at logon to do all the special tailoring
and
to fix up old "mistakes" etc. This is especially important when you also
want to change existing users, rather than just new users.
However there are some things that can be done much more easily via the
GUI
than using a program/script, especially if you do not have a really
experienced programmer. Small things like increasing the width of the
quick
launch area, changing a default setting in explorer can take quite a
while
to work out.
Another advantage of the default profile is that it behaves as a
preference.
You get the setting first up, but you can then change it. Group Policy
doesn't usually support this. Of course your script can be clever enough
to
set it if it isn't already set, but that gets more complex again
I would still say that for small sites, the ability to quickly change
things
by logging on as a "standard user" make changes to the profile then save
it
all back to the default profile has a lot of appeal. You just need to be
careful...
Also, there are a lot of managers that think we should run it "out of
the
Box". They argue that changing the Default Profile is the way Microsoft
intended you to do it, writing Programs/scripts is creating a support
headache.
Alan Cuthbertson
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On
Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: Wednesday, 28 November 2007 8:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Alan,
I understand where you are coming from, but if you can't customize
something with a Group Policy setting, wouldn't it make more sense to
write a script that makes your custom changes (i.e. registry settings,
desktop shortcuts, etc.) at logon? That way the default profile is not
even an issue.
It's just my opinion, but with the multitude of Group Policy admin
template settings, there shouldn't be much of need to customize the
default profile in the first place. Not to mention that it limits your
flexibility in larger, more diverse enterprises.
Regards,
Jamie Nelson
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Alan & Margaret
Sent: Tuesday, November 27, 2007 2:57 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Jamie/ Darren
I would agree with you that it would be better to have a default profile
without any policies applied. However, most people tend to build a
"Clean"
user, logon with that account, tailor it the way they want (add registry
keys, shortcuts etc) then save that profile away. Since they have logged
on,
they get all of the default policies applied, which is fine provided
they
copy across the ntuser.pol file as well.
I take your point Darren that if at some time in the future you remove a
policy that is Tattooed, you must remember to remove it from the default
policy as well, but that is life. Since you probably have got to go and
remove it from all existing users as well, getting it off the default
profile is not that big a job.
I suppose it is an issue that people need to be aware of.
Alan Cuthbertson
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On
Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: Wednesday, 28 November 2007 1:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Alan,
I would have to agree with Darren on this one. Not to gang up on you or
anything but I've never been too high on customizing the default profile
in the first place. Seems to always create more problems than it solves.
Regards,
Jamie Nelson
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 27, 2007 8:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Alan-
While I agree with what you're saying, I would say that its bad form to
create a default profile that already has policies applied to it.
Typically default profiles hang around for a while, while GPOs and
settings come and go. Having to drag around those settings and then
requiring the ntuser.pol file as well to be able to remove them seems
like a bad idea. Also note that any preferences applied in that profile
would get stuck there if the GPO that applied them goes away over time.
I just think its fraught with peril.
My .02
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Alan & Margaret
Sent: Monday, November 26, 2007 9:40 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Darren,
It depends on how you build your default profile. If you are copying the
NTUser.dat file from a user that has never had a policy applied, then
you are correct, you don't need the ntuser.pol file (obviously, since it
would not exist). If you apply a policy, that creates an entry under
software\policy, then an entry is created in the ntuser.pol file and you
must copy it to the default policy. If you don't, and the policy is not
applied to the new user, then Tattoo processing doesn't know that it
needs to remove it from the user's copy of the default policy.
Tazamal,
Looking at your file, it would seem that the entry is already in the
registry but is not in the NTUSER.POL , so tattoo processing doesn't
know that it has to remove it. This will happen if the default profile
has been incorrectly built. It also agrees with the fact that if you
deactivate the policy, the key is deleted and won't come back. Try
deleting it manually and it won't come back either.
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of TAZAMAL HUSSAIN
Sent: Tuesday, 27 November 2007 12:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Alan, Darren, Jamie....
Your responses and guidance has been very much appreciated. I've done
some screen scrapes to try and eliminate any things you guys may think i
might be doing wrong... I hope these help us find a solution.
I have attached a file, its not too big, hope you dont mind...
Thanks so far on the quick responses so far.
Lozz
________________________________
From: darren@xxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Date: Mon, 26 Nov 2007 16:23:32 -0800
Alan-
Just to clarify, ntuser.pol should not exist in a default profile. It is
created on the fly (both per-user and per-computer) for a given user
and, as you correctly point out, contains the admin template policy
settings (as well as preferences by the way) for the current user. The
per-user version is held in the current user's profile directory. It is
responsible for the policy clean up process inasmuch as each time Admin.
Template policy is processed, this "archive" file is read and any policy
keys found in it are removed before the current Admin. Template policies
are re-applied. So it is possible that this .pol file somehow did not
get the policy in question added to it, and thus would not remove it.
But this seems like a strange scenario.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Alan & Margaret
Sent: Monday, November 26, 2007 3:19 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Can you try removing the registry key manually, then reapplying the
policy and see if it comes back?
What I suspect you may have done is got your default Profile screwed up.
There are two files in the Default profile, the NTUser.dat file which
contains the registry keys that are in use, plus the NTUser.Pol file
that stores all of the non-tattooed polices that are to be removed. If
these get out of synch, you can have the case that NTUser.dat contains a
registry key but NTUser.Pol doesn't contain the key for removal. This
will happen if when building the default profile, you copy across
NTuser.dat but not NTUSER.POL
This means that new users inherit a registry which contains the key but
the NTUSER.POL does not contain the key to remove it as part of tattoo
processing. However, once you manually remove it, it wont come back.
While the best way to fix it for new users is to rebuild your Default
profile from scratch, if this is the only error, you can simply remove
the entry from the NTUSER.DAT. Existing users are somewhat harder to
fix. I suspect the only way is a batch file that removes the key on a
once of basis. The trouble is that you need to leave it running until
all profiles on all machines have been fixed.,
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: Tuesday, 27 November 2007 4:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Then, as Darren suggested, you need to run a RSoP on that system/user
and ensure you're not getting it from somewhere else. Eliminate that
possibility first.
Also, are you sure GP is processing correctly on the system? When you
run your RSoP, check and see if any GP related events occurred.
Regards,
Jamie Nelson
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of TAZAMAL HUSSAIN
Sent: Monday, November 26, 2007 11:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Hi Jamie,
Yup... gave that a go.. rebooted few times etc but still that setting is
coming down and shown in the user registry hive. Within the GPMC
settings view of the defdompol, there is no sign that this setting
(ForcePST) is now set... and the only GPO applied to this User is
defdompol...
Thanks for you reply
Loz
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
> Date: Mon, 26 Nov 2007 10:58:51 -0600
> From: Jamie.Nelson.ctr@xxxxxxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
>
> Have you done a 'gpupdate /force /target:user' from the command-line?
> Sometimes if you forcefully reapply the policy it will correct things
> like that.
>
> Regards,
> Jamie Nelson
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of TAZAMAL HUSSAIN
> Sent: Sunday, November 25, 2007 5:36 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Problem with GPO Setting even after set to 'Not
> Configured'
>
> Hi Guys,
>
> I have also posted this to Group Policy Forums @ Microsoft. Trying to
> get some exposure to this problem... hoping someone can shed some
light.
> I have tried to describe exactly what is going on being a descriptive
as
> possible. If I get an answer on the on the Microsoft forum i'll post
it
> over to here if anyone is interested....
>
> I have pasted the Thread I have started already:
>
>
> 2 posts altogether:
>
> Hey Guys,
> >
> > Okay, although I have not found an answer yet, I *think* I have made
> some
> > progress and am on the right lines, again if anyone has any comments
> please
> > do let me know.
> >
> > .... after a lot of googling everything was pointing to the fact
that
> I MUST
> > HAVE at some point applied the Outlook ADM to the def-dom-pol with
the
>
> > setting for 'default path for PST Files' pointing to my network
> location.
> > After applying it I must have ripped out the ADM template from the
> > def-dom-pol and applied it specifically to the OU where I wanted the
> GPO to
> > apply. Hence this *probably* caused GPMC to give the output of
> 'display names
> > for some setting cannot be found....'
> >
> > So... in an attempt to correct this.... Within the def-dom-pol I
added
> the
> > Outlook ADM template back in... And set the setting for the PST path
> to 'not
> > configured'.. . Rebooted an XP client, logged in with a new user but
> still
> > outlook is pushing the path of the PST to the network store when
> configuring a POP3 email account.
> >
> > The strange thing still is even though I have configured the setting
> now to
> > 'Not Configured' (and hence it does not now display in the GPMC
> settings tab
> > for the def-dom-pol GPO as being set at all) AND the ONLY policy
that
> is
> > applied to Users (for new users created after this change as well)
is
> the
> > def-dom-pol ONLY, the users registry hive is still showing the
network
> location path in the
> > ForcePST registry key under
> > HKCU\Software\Policies\Microsoft\Office\Outlook..... which I thought
> was a
> > protected registry area that doesn;t suffer from tatooing i.e.... is
> this
> > tatooing?
> >
> > My head is kind of spinning now... as i think i am getting out of my
> depth...
> > any steer would be great. All i am looking to achieve is for users
> (not within a specific OU) default outlook PST path to point to where
it
> would have pointed if I didn;t mess with this setting... its as if the
> default PST location value is now the network path if I leave this
> setting to 'Not Configured'
> >
> > lozza
> >
> >
> > 'lozza' wrote:
> >
> > > Hi Guys,
> > >
> > > I am confused by what is going on here.... looking for some help:
> > >
> > > In AD i have an OU with a GPO applied. This GPO, as well as other
> user
> > > settings, sets User Configuration\Administrative Tools\Microsoft
> Office
> > > Outlook 2003\Miscellaneous\PST Settings\Default location for PST
> files.... to
> > > a network location (I dont have any other option!). Now my
> understanding was
> > > that this should apply to all users within the OU that is GPO is
> linked to...
> > > and it does, just fine, was happy until today
> > >
> > > However....
> > >
> > > When I create a new user in AD, and place him in any other OU that
> does not
> > > have this GPO linked to it (and only the Default domain Policy),
> this setting
> > > still applies to the user when configuring outlook... it
shouldn't,
> should it?
> > >
> > > So... I went into GPMC, clicked the OU the user sits in on the
left
> hand side,
> > > clicked 'Group Policy Inheritance' tab on the right pane and see
> that ONLY
> > > the Default Domain Policy is being applied... which it should
be...
> good
> > >
> > > So... I clicked on the Default domain policy on the left hand side
> pane of
> > > GPMC and on the right hand side pane clicked the settings tab
which
> shows me
> > > all configured settings within this GPO. AND THERE IT WAS! under
> User
> > > Configuration, Administrative Templates, Extra Registry Settings
it
> says:
> > >
> > > 'Display names for some settings cannot be found. You might be
able
> to
> > > resolve this issue by updating the .ADM files used by Group Policy
> > > Management'
> > >
> > > and directly under that it specifies:
> > >
> > > Setting:
> Software\Policies\Microsoft\Office\11.0\Outlook\ForcePSTPath
> > > State: \\Network File server where PSTs are stored in the GPO its
> configured
> > > for...
> > >
> > > So why is this setting, that is set in another GPO specifically
> linked to one particular OU also in my Default Domain Policy? When I
> > > open the defdompol to configure it I dont see the template that
sets
> this setting, in fact I dont see any of the Microsoft
> > > Office stuff in the defdompol GPO as I didn't add any additional
> administrative templates to the Default Domain GPO.
> > >
> > > Truly confused and a bit worried that I've messed my default
domain
> > > policy... does anyone know what i;m talking about?
> > >
> > > Lozz
>
>
> ________________________________
>
> The next generation of MSN Hotmail has arrived - Windows Live Hotmail
> <http://www.newhotmail.co.uk>
> ***********************
> You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at //www.freelists.org/archives/gptalk/
> ************************
________________________________
Get free emoticon packs and customisation from Windows Live. Pimp My
Live! <http://www.pimpmylive.co.uk>
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at //www.freelists.org/archives/gptalk/
************************
________________________________
Are you the Quizmaster? Play BrainBattle with a friend now!
<http://specials.uk.msn.com/brainbattle>
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at //www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at //www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
Other related posts:
