[gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

  • From: TAZAMAL HUSSAIN <tazamal_hussain@xxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 28 Nov 2007 20:12:54 +0000

Alan/Guys,
 
Okay... I managed to load the Domain Default User Hive and yes, the registry 
key is in it and set....
 
So, is it possible somehow to edit this and then replace the NTUSER.dat file 
sitting in the default user profile?
 
I'm getting out of my depth here BUT would really like to learn the internal 
workings here. I also don't see the .pol file in ANY of my roaming profile users' 
profile folders.... is this bad?


From: syspro@xxxxxxxxxxxxxxxxxx
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
Date: Wed, 28 Nov 2007 13:41:22 +1100

Hi Tazamal,
 

To open the registry hive you must:-

1. Start regedit
2. Click on Hkey_Local_Machine
3. Click on file/Load Hive
4. Then navigate to the ntuser.dat file and select it
5. Give it a new name (say aaaa) and you should be able to browse it
6. When finished, click on the root of the attached hive (say aaaa) and click 
   file/Unload Hive. It gives a warning as to whether you are sure. Provided you 
   have clicked on the correct branch it will be OK.

The fact that you do not see an NTUSER.pol file sort of explains your problem. 
It should have been copied over when the NTUser.dat file was copied over.
 
To get round your current problems I would suggest a new policy with the setting 
set to DISABLED. This will fix your immediate problem, both for new and 
existing users. You can then go through and rebuild your default profile at 
your leisure, test it and implement it. When this is done and you are confident 
that all (most) of your registries sitting on machines have been fixed, remove 
the policy altogether.
 
Alan Cuthbertson
 




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of TAZAMAL HUSSAIN
Sent: Wednesday, 28 November 2007 12:27 PM
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
 
Guys

After reading all the replies I think I need to take some time and make 
sure this is done correctly. What Darren suggested was what I was going to do, 
now though I'm hesitating as I'm not sure as there might be useful stuff in my 
default profile that I'm not aware of. As far as I remember I only did desktop 
and start menu type clean ups, but it was a while back. I can't find the 
document I produced :(

Alan, some questions for you (please bear with me if this is basic stuff) from 
your points I'm unsure how to carry out:

2) How do I open the registry hive?
3) I don't see an NTUSER.pol file, I only see an NTUSER.dat file

I copied the whole Default User profile folder from the netlogon share to my 
laptop d:\ as suggested in step 1. Have I understood what you meant correctly?

In a locked down type environment do you guys have a kind of good lockdown 
policy that you have previously documented and have to hand when going into a 
new environment? A kind of standard procedure the default profile should look 
like? In my case, users only need to fire up Microsoft Office, Internet 
Explorer, use certain mapped drives, pick up printers and run some LOB 
applications.. nothing else.

I would be very interested to see how the experienced guys deal with these 
kinds of things... might be asking for a lot. I understand this is all down to 
choice and the situation that deployment is taking place in, but any useful 
would be handy to know....

This is excellent learning for me... so thanks



From: syspro@xxxxxxxxxxxxxxxxxx
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
Date: Wed, 28 Nov 2007 08:17:01 +1100

Tazamal,
 
While Darren is correct in what he suggests, I am not sure it is something you 
want to rush in to. You may find there are a lot of useful things in your 
default profile that you are not really aware of. It really depends on how well 
documented your process is for building the default profile.
 
As a short term check I would do the following:-
 

1. Copy the default profile to somewhere where you can play with it
2. Open the registry hive and see whether the offending key is present
3. Open the NTUSER.pol file with notepad and see if the key is present there. 
   (The file is a bit messy, but you should be able to read it)
 
If you find the key is present in step 2 and not present in step 3, then that 
explains your problem. The quick fix is then to either remove the entry from 
the registry hive in the default user profile or to create a policy with the 
entry set to DISABLED.
 
Note: If you fix the default profile without creating the DISABLED policy, you 
will only fix new users, not existing users. You may be stuck with having a 
policy setting to disable the entry until all existing users have been fixed. 
Since a user can have profiles on multiple machines, it is not “fixed” until 
all copies have been fixed.
 
So… it’s all a bit messy. The moral of the story is either follow Darren’s 
advice and make sure no policies are applied to your default profile, or else 
ensure the NTUSER.pol is always copied across as well.
 
Alan Cuthbertson
 
 
 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
 
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
 
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
 
 
 
 
 




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Wednesday, 28 November 2007 6:53 AM
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
 
Here’s what I would do. If you have a vanilla XP image, just copy the default 
profile from c:\documents and settings\default user up to the Netlogon share, 
over the existing one, using the System control panel applet. Then you can 
customize it however you want by removing shortcuts, etc. 
 
Darren
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of TAZAMAL HUSSAIN
Sent: Tuesday, November 27, 2007 11:34 AM
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
 
Darren,

Okay, I'm going to look into doing this tonight hopefully. Do I take 
the NTUSER.dat file of a new user created while the PST setting was set to 
disabled? My confusion is around the fact that to create another Template User 
I will have to create another Domain User and if I do this, the registry 
setting for the ForcePST path will already have been set to the network 
location... Doesn't this mean this setting will then go into the template?



From: darren@xxxxxxxxxxxx
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
Date: Tue, 27 Nov 2007 09:53:53 -0800

Well, you only need to recreate the ntuser.dat file as that is where the policy 
settings are held, but it may just be easier to do the whole thing and then 
manually remove what you need to. 
 
And yes, all existing users who already have profiles will not get 
affected—only new users creating new profiles will pick up the new defaults.
 
Darren
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of TAZAMAL HUSSAIN
Sent: Tuesday, November 27, 2007 9:44 AM
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
 
Darren... I get you... So I'm sure new users are getting their Default profile 
from netlogon, as a Default User profile does exist there.  Should I try and 
re-create this to keep troubleshooting? If I do, will all existing users still 
keep the settings they have today (primarily all rubbish removed from start 
menu and desktop etc etc)... I expect they will keep the settings (which is 
what I want)....  



From: darren@xxxxxxxxxxxx
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
Date: Tue, 27 Nov 2007 09:32:03 -0800

Tazamal-
Yes, what we’re saying is that wherever your default user profile is getting 
built from, that is likely where the setting is stuck. There are two places 
this can come from. If you have a default profile up in your Netlogon share on 
your domain controllers, then a new user logging into a workstation for the 
first time will have their user profile created under %userprofile%\<username> 
on the workstation based on that default profile. If you haven’t put a default 
profile under Netlogon, then the user grabs it from c:\documents and 
settings\default user on the workstation that they log onto.  So I suspect, 
depending upon your situation, it's coming from one of those two places.
 
Darren
 
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of TAZAMAL HUSSAIN
Sent: Tuesday, November 27, 2007 9:21 AM
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
 
All,

I'm not sure I understand the question (a bit slow like that)... so I will 
attempt to answer it. These test users were created by right clicking in the OU 
where I placed them and creating a new account (I have also copied existing 
accounts and get the same results). These domain users, I guess then when they 
log into an xp desktop I get their profile from the domain default user profile 
(??) and not the local All Users profile on the desktop (??). I created this a 
while back by creating a new user, logging in, configuring desktop, logging 
out, logging in as admin and copying the profile to the domain somewhere... I 
can get the details if it helps, I tend to document everything.

So are you saying that the domain default profile is where this stuck setting 
could be? Have I answered your question? Sorry, have been slow to emails today...



From: darren@xxxxxxxxxxxx
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
Date: Mon, 26 Nov 2007 17:29:04 -0800

Looking at the doc, it sounds like this setting is stuck in the user’s profile, 
as Alan had suggested. How are your new user’s profiles created? My guess is 
that they are created from a template Default User Profile that has that path 
stuck in it.
 
Darren
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of TAZAMAL HUSSAIN
Sent: Monday, November 26, 2007 5:00 PM
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
 
Alan, Darren, Jamie....

Your responses and guidance have been very much appreciated. I've done some 
screen scrapes to try and eliminate any things you guys may think I might be 
doing wrong... I hope these help us find a solution.

I have attached a file, it's not too big, hope you don't mind...

Thanks so far on the quick responses so far.

Lozz



From: darren@xxxxxxxxxxxx
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
Date: Mon, 26 Nov 2007 16:23:32 -0800

Alan-
Just to clarify, ntuser.pol should not exist in a default profile. It is 
created on the fly (both per-user and per-computer) for a given user and, as 
you correctly point out, contains the admin template policy settings (as well 
as preferences by the way) for the current user. The per-user version is held 
in the current user’s profile directory. It is responsible for the policy clean 
up process inasmuch as each time Admin. Template policy is processed, this 
“archive” file is read and any policy keys found in it are removed before the 
current Admin. Template policies are re-applied. So it is possible that this 
.pol file somehow did not get the policy in question added to it, and thus 
would not remove it. But this seems like a strange scenario.
 
Darren
 
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Alan & Margaret
Sent: Monday, November 26, 2007 3:19 PM
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
 
Can you try removing the registry key manually, then reapplying the policy and 
see if it comes back?
 
What I suspect you may have done is got your default Profile screwed up. There 
are two files in the Default profile, the NTUser.dat file which contains the 
registry keys that are in use, plus the NTUser.Pol file that stores all of the 
non-tattooed policies that are to be removed. If these get out of synch, you can 
have the case that NTUser.dat contains a registry key but NTUser.Pol doesn't 
contain the key for removal. This will happen if when building the default 
profile, you copy across NTuser.dat but not NTUSER.POL.
 
This means that new users inherit a registry which contains the key but the 
NTUSER.POL does not contain the key to remove it as part of tattoo processing. 
However, once you manually remove it, it won't come back. While the best way to 
fix it for new users is to rebuild your Default profile from scratch, if this 
is the only error, you can simply remove the entry from the NTUSER.DAT. 
Existing users are somewhat harder to fix. I suspect the only way is a batch 
file that removes the key on a one-off basis. The trouble is that you need to 
leave it running until all profiles on all machines have been fixed.
 
Alan Cuthbertson
 
 
 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
 
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
 
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
 
 
 
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: Tuesday, 27 November 2007 4:21 AM
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
 
Then, as Darren suggested, you need to run a RSoP on that system/user
and ensure you're not getting it from somewhere else. Eliminate that
possibility first.
 
Also, are you sure GP is processing correctly on the system? When you
run your RSoP, check and see if any GP related events occurred.
 
Regards,
Jamie Nelson
 
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of TAZAMAL HUSSAIN
Sent: Monday, November 26, 2007 11:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
 
Hi Jamie,
 
Yup... gave that a go.. rebooted few times etc but still that setting is
coming down and shown in the user registry hive. Within the GPMC
settings view of the defdompol, there is no sign that this setting
(ForcePST) is now set... and the only GPO applied to this User is
defdompol... 
 
Thanks for your reply
 
Loz  
 
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
> Configured'
> Date: Mon, 26 Nov 2007 10:58:51 -0600
> From: Jamie.Nelson.ctr@xxxxxxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> 
> Have you done a 'gpupdate /force /target:user' from the command-line?
> Sometimes if you forcefully reapply the policy it will correct things
> like that.
> 
> Regards,
> Jamie Nelson
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of TAZAMAL HUSSAIN
> Sent: Sunday, November 25, 2007 5:36 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Problem with GPO Setting even after set to 'Not
> Configured'
> 
> Hi Guys,
> 
> I have also posted this to Group Policy Forums @ Microsoft. Trying to
> get some exposure to this problem... hoping someone can shed some light.
> I have tried to describe exactly what is going on being as descriptive as
> possible. If I get an answer on the Microsoft forum I'll post it
> over to here if anyone is interested....
> 
> I have pasted the Thread I have started already:
> 
> 
> 2 posts altogether:
> 
> Hey Guys,
> > 
> > Okay, although I have not found an answer yet, I *think* I have made some
> > progress and am on the right lines, again if anyone has any comments please
> > do let me know.
> > 
> > .... after a lot of googling everything was pointing to the fact that I MUST
> > HAVE at some point applied the Outlook ADM to the def-dom-pol with the
> > setting for 'default path for PST Files' pointing to my network location.
> > After applying it I must have ripped out the ADM template from the
> > def-dom-pol and applied it specifically to the OU where I wanted the GPO to
> > apply. Hence this *probably* caused GPMC to give the output of 'display names
> > for some setting cannot be found....'
> > 
> > So... in an attempt to correct this.... Within the def-dom-pol I added the
> > Outlook ADM template back in... And set the setting for the PST path to 'not
> > configured'.. . Rebooted an XP client, logged in with a new user but still
> > outlook is pushing the path of the PST to the network store when
> > configuring a POP3 email account.
> > 
> > The strange thing still is even though I have configured the setting now to
> > 'Not Configured' (and hence it does not now display in the GPMC settings tab
> > for the def-dom-pol GPO as being set at all) AND the ONLY policy that is
> > applied to Users (for new users created after this change as well) is the
> > def-dom-pol ONLY, the users registry hive is still showing the network
> > location path in the ForcePST registry key under
> > HKCU\Software\Policies\Microsoft\Office\Outlook..... which I thought was a
> > protected registry area that doesn't suffer from tattooing i.e.... is this
> > tattooing?
> > 
> > My head is kind of spinning now... as I think I am getting out of my depth...
> > any steer would be great. All I am looking to achieve is for users
> > (not within a specific OU) default outlook PST path to point to where it
> > would have pointed if I didn't mess with this setting... it's as if the
> > default PST location value is now the network path if I leave this
> > setting to 'Not Configured'
> > 
> > lozza 
> > 
> > 
> > 'lozza' wrote:
> > 
> > > Hi Guys,
> > > 
> > > I am confused by what is going on here.... looking for some help:
> > > 
> > > In AD I have an OU with a GPO applied. This GPO, as well as other user
> > > settings, sets User Configuration\Administrative Tools\Microsoft Office
> > > Outlook 2003\Miscellaneous\PST Settings\Default location for PST files.... to
> > > a network location (I don't have any other option!). Now my understanding was
> > > that this should apply to all users within the OU that this GPO is linked to...
> > > and it does, just fine, was happy until today
> > > 
> > > However....
> > > 
> > > When I create a new user in AD, and place him in any other OU that does not
> > > have this GPO linked to it (and only the Default domain Policy), this setting
> > > still applies to the user when configuring outlook... it shouldn't,
> > > should it?
> > > 
> > > So... I went into GPMC, clicked the OU the user sits in on the left hand side,
> > > clicked 'Group Policy Inheritance' tab on the right pane and see that ONLY
> > > the Default Domain Policy is being applied... which it should be... good
> > > 
> > > So... I clicked on the Default domain policy on the left hand side pane of
> > > GPMC and on the right hand side pane clicked the settings tab which shows me
> > > all configured settings within this GPO. AND THERE IT WAS! under User
> > > Configuration, Administrative Templates, Extra Registry Settings it says:
> > > 
> > > 'Display names for some settings cannot be found. You might be able to
> > > resolve this issue by updating the .ADM files used by Group Policy
> > > Management'
> > > 
> > > and directly under that it specifies:
> > > 
> > > Setting: Software\Policies\Microsoft\Office\11.0\Outlook\ForcePSTPath
> > > State: \\Network File server where PSTs are stored in the GPO it's
> > > configured for...
> > > 
> > > So why is this setting, that is set in another GPO specifically
> > > linked to one particular OU also in my Default Domain Policy? When I
> > > open the defdompol to configure it I don't see the template that sets
> > > this setting, in fact I don't see any of the Microsoft
> > > Office stuff in the defdompol GPO as I didn't add any additional
> > > administrative templates to the Default Domain GPO.
> > > 
> > > Truly confused and a bit worried that I've messed my default domain
> > > policy... does anyone know what I'm talking about?
> > > 
> > > Lozz
> 
> 
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> by logging into the freelists.org Web interface. Archives for the list
> are available at http://www.freelists.org/archives/gptalk/
> ************************
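
The check discussed in this thread (is the policy value in the hive but missing from NTUSER.pol, so that policy clean-up never removes it?) can be done without reading the .pol file in Notepad. The following is an added example, not code from any poster on the list: it assumes the registry.pol layout (a "PReg" version 1 header followed by UTF-16LE `[key;value;type;size;data]` records), the function names are hypothetical, and both the .pol bytes and the hive listing are constructed samples.

```python
import struct

PREG_HEADER = b"PReg" + struct.pack("<I", 1)   # signature + version 1
REG_SZ = 1

def _w(text):
    return text.encode("utf-16-le")

def build_entry(key, value, rtype, data):
    """Serialise one [key;value;type;size;data] record (used for the sample)."""
    return (_w("[") + _w(key + "\0") + _w(";") + _w(value + "\0") + _w(";")
            + struct.pack("<I", rtype) + _w(";")
            + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while True:
        unit = buf[end:end + 2]
        if len(unit) < 2:
            raise ValueError("truncated string")
        if unit == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2

def _dword(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated DWORD")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_pol(buf):
    """Return [(key, value, type, data)] from the bytes of a .pol file."""
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype, pos = _dword(buf, pos)
        pos = _expect(buf, pos, ";")
        size, pos = _dword(buf, pos)
        pos = _expect(buf, pos, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data")
        pos = _expect(buf, pos + size, "]")
        entries.append((key, value, rtype, data))
    return entries

def orphaned_policy_values(hive_values, pol_entries):
    """Policy values present in the hive that the .pol archive does not list."""
    archived = {(k.lower(), v.lower()) for k, v, _, _ in pol_entries}
    return [(k, v) for k, v in hive_values
            if k.lower().startswith("software\\policies\\")
            and (k.lower(), v.lower()) not in archived]

# Constructed sample: a .pol archive that only knows about a screen-saver value.
DESKTOP = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"
OUTLOOK = r"Software\Policies\Microsoft\Office\11.0\Outlook"
SAMPLE_POL = PREG_HEADER + build_entry(DESKTOP, "ScreenSaveActive", REG_SZ, _w("1\0"))
# Constructed sample: (key, value) pairs as read from the loaded NTUSER.DAT hive.
SAMPLE_HIVE_VALUES = [(DESKTOP, "ScreenSaveActive"), (OUTLOOK, "ForcePSTPath")]

if __name__ == "__main__":
    for key, value in orphaned_policy_values(SAMPLE_HIVE_VALUES, parse_pol(SAMPLE_POL)):
        print(f"in hive but not in .pol: {key}\\{value}")
```

Against a real profile, pass `parse_pol` the bytes of the copied NTUSER.pol and supply the hive side from the values seen under Software\Policies after loading NTUSER.DAT in regedit.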
 
 
 