Tazamal-

Now that you have the hive file loaded, you can make any changes to it as you would a normal registry value. Once you unload that hive again, the changes are then saved to the ntuser.dat file and subsequently created user accounts should pick up the value change.

Darren

-----Original message-----
From: TAZAMAL HUSSAIN tazamal_hussain@xxxxxxxxxxx
Date: Wed, 28 Nov 2007 15:14:03 -0500
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'

> Alan/Guys,
>
> Okay... I managed to load the Domain Default User Hive and yes, the registry key is in it and set....
>
> So, is it possible somehow to edit this and then replace the NTUSER.dat file sitting in the default user profile.
>
> I'm getting out of my depth here BUT would really like to learn the internal workings here. I also don't see the .pol file in ANY of my roaming profile users profile folders.... is this bad?
>
> From: syspro@xxxxxxxxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> Date: Wed, 28 Nov 2007 13:41:22 +1100
>
> Hi Tazamal,
>
> To open the registry hive you must:-
>
> Start regedit
> Click on Hkey_Local_Machine
> Click on file/Load Hive
> Then navigate to the ntuser.dat file and select it
> Give it a new name (say aaaa) and you should be able to browse it
> When finished, click on the root of the attached hive (say aaaa) and click file/Unload Hive. It gives a warning as to whether you are sure. Provided you have clicked on the correct branch it will be OK.
>
> The fact that you do not see an NTUSER.pol file sort of explains your problem. It should have been copied over when the NTUser.dat file was copied over
>
> To get round your current problems I would suggest a new policy with the setting set to DISABLED. This will fix your immediate problem, both for new and existing users.
> You can then go through and rebuild your default profile at your leisure, test it and implement it. When this is done and you are confident that all (most) of your registries sitting on machines have been fixed, remove the policy all together.
>
> Alan Cuthbertson
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> Sent: Wednesday, 28 November 2007 12:27 PM
> To: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Guys
>
> After reading all the replies I think I need to take some time and make sure this is done correctly. What Darren suggested was what I was going to do, now though I'm hesitating as I'm not sure as there might be useful stuff in my default profile that I'm not aware of. As far as I remember I only did desktop and start menu type clean ups, but it was a while back. I can't find the document I produced :(
>
> Alan, some questions for you (please bear with me if this is basic stuff) from your points I'm unsure how to carry out:
>
> 2) How do I open the registry hive?
> 3) I don't see an NTUSER.pol file, I only see an NTUSER.dat file
>
> I copied the whole Default User profile folder from the netlogon share to my laptop d:\ as suggested in step 1. Have I understood what you meant correctly?
>
> In a locked down type environment do you guys have a kind of good lockdown policy that you have previously documented and have to hand when going into a new environment. A kind of standard procedure the default profile should look like? In my case, users only need to fire up Microsoft Office, Internet Explorer, use certain mapped drives, pick up printers and run some LOB applications.. nothing else. I would be very interested to see how the experienced guys deal with these kinds of things... might be asking for a lot.
> I understand this all down to choice and situation that deployment is taking place in, but any useful would be handy to know.... This is excellent learning for me... so thanks
>
> From: syspro@xxxxxxxxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> Date: Wed, 28 Nov 2007 08:17:01 +1100
>
> Tazamal,
>
> While Darren is correct in what he suggests, I am not sure it is something you want to rush in to. You may find there are a lot of useful things in your default profile that you are not really aware of. It really depends on how well documented your process is for building the default profile.
>
> As a short term check I would do the following:-
>
> 1. Copy the default profile to somewhere where you can play with it
> 2. Open the registry hive and see whether the offending key is present
> 3. Open the NTUSER.pol file with notepad and see if the key is present there. (The file is a bit messy, but you should be able to read it)
>
> If you find the key is present in step 2 and not present in step 3, then that explains your problem. The quick fix is then to either remove the entry from the registry hive in the default user profile or to create a policy with the entry set to DISABLED.
>
> Note: If you fix the default profile without creating the DISABLED policy, you will only fix new users, not existing users. You may be stuck with having a policy setting to disable the entry until all existing users have been fixed. Since a user can have profiles on multiple machines, it is not "fixed" until all copies have been fixed.
>
> So... it's all a bit messy. The moral of the story is either follow Darren's advice and make sure no policies are applied to your default profile, or else ensure the NTUSER.pol is always copied across as well.
>
> Alan Cuthbertson
>
> Policy Management Software:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
> ADM Template Editor:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
> Policy Log Reporter(Free)
> http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
> Sent: Wednesday, 28 November 2007 6:53 AM
> To: gptalk@freelists.org
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Here's what I would do. If you have a vanilla XP image, just copy the default profile from c:\documents and settings\default user up to the Netlogon share, over the existing one, using the System control panel applet. Then you can customize it however you want by removing shortcuts, etc.
>
> Darren
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> Sent: Tuesday, November 27, 2007 11:34 AM
> To: gptalk@freelists.org
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Darren,
>
> Okay, I'm going to look into doing this tonight hopefully. Do I take the NTUSER.dat file of a new user created while the PST setting was set to disabled? My confusion is around the fact that to create another Template User I will have to create another Domain User and if I do this, the registry setting for the ForcePST path will already have been set to the network location... Doesn't this mean this setting will then go into the template?
>
> From: darren@xxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> Date: Tue, 27 Nov 2007 09:53:53 -0800
>
> Well, you only need to recreate the ntuser.dat file as that is where the policy settings are held, but it may just be easier to do the whole thing and then manually remove what you need to.
>
> And yes, all existing users who already have profiles will not get affected - only new users creating new profiles will pick up the new defaults.
>
> Darren
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> Sent: Tuesday, November 27, 2007 9:44 AM
> To: gptalk@freelists.org
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Darren... I get you... So I'm sure new users are getting their Default profile from netlogon, as a Default User profile does exist there. Should I try and re-create this to keep troubleshooting? If I do, will all existing users still keep the settings they have today (primarily all rubbish removed from start menu and desktop etc etc)... I expect they will keep the settings (which is what I want)....
>
> From: darren@xxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> Date: Tue, 27 Nov 2007 09:32:03 -0800
>
> Tazamal-
>
> Yes, what we're saying is that wherever your default user profile is getting built from, that is likely where the setting is stuck. There are two places this can come from. If you have a default profile up in your Netlogon share on your domain controllers, then a new user logging into a workstation for the first time will have their user profile created under %userprofile%\<username> on the workstation based on that default profile.
> If you haven't put a default profile under Netlogon, then the user grabs it from c:\documents and settings\default user on the workstation that they log onto. So I suspect, depending upon your situation, it's coming from one of those two places.
>
> Darren
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> Sent: Tuesday, November 27, 2007 9:21 AM
> To: gptalk@freelists.org
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> All,
>
> I'm not sure I understand the question (a bit slow like that)... so I will attempt to answer it. These test users were created by right clicking in the OU where I placed them and creating a new account (I have also copied existing accounts and get the same results). These domain users, I guess then when they log into an xp desktop I get their profile from the domain default user profile (??) and not the local All Users profile on the desktop (??). I created this a while back by creating a new user, logging in, configuring desktop, logging out, logging in as admin and copying the profile to the domain somewhere... I can get the details if it helps, I tend to document everything.
>
> So are you saying that the domain default profile is where this stuck setting could be? Have I answered your question? Sorry have been slow to emails today...
>
> From: darren@xxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> Date: Mon, 26 Nov 2007 17:29:04 -0800
>
> Looking at the doc, it sounds like this setting is stuck in the user's profile, as Alan had suggested. How are your new user's profiles created? My guess is that they are created from a template Default User Profile that has that path stuck in it.
>
> Darren
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> Sent: Monday, November 26, 2007 5:00 PM
> To: gptalk@freelists.org
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Alan, Darren, Jamie....
>
> Your responses and guidance has been very much appreciated. I've done some screen scrapes to try and eliminate any things you guys may think I might be doing wrong... I hope these help us find a solution. I have attached a file, it's not too big, hope you don't mind...
>
> Thanks so far on the quick responses so far.
>
> Lozz
>
> From: darren@xxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> Date: Mon, 26 Nov 2007 16:23:32 -0800
>
> Alan-
>
> Just to clarify, ntuser.pol should not exist in a default profile. It is created on the fly (both per-user and per-computer) for a given user and, as you correctly point out, contains the admin template policy settings (as well as preferences by the way) for the current user. The per-user version is held in the current user's profile directory. It is responsible for the policy clean up process inasmuch as each time Admin. Template policy is processed, this "archive" file is read and any policy keys found in it are removed before the current Admin. Template policies are re-applied. So it is possible that this .pol file somehow did not get the policy in question added to it, and thus would not remove it. But this seems like a strange scenario.
>
> Darren
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret
> Sent: Monday, November 26, 2007 3:19 PM
> To: gptalk@freelists.org
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Can you try removing the registry key manually, then reapplying the policy and see if it comes back?
>
> What I suspect you may have done is got your default Profile screwed up. There are two files in the Default profile, the NTUser.dat file which contains the registry keys that are in use, plus the NTUser.Pol file that stores all of the non-tattooed policies that are to be removed. If these get out of synch, you can have the case that NTUser.dat contains a registry key but NTUser.Pol doesn't contain the key for removal. This will happen if when building the default profile, you copy across NTuser.dat but not NTUSER.POL
>
> This means that new users inherit a registry which contains the key but the NTUSER.POL does not contain the key to remove it as part of tattoo processing. However, once you manually remove it, it won't come back. While the best way to fix it for new users is to rebuild your Default profile from scratch, if this is the only error, you can simply remove the entry from the NTUSER.DAT. Existing users are somewhat harder to fix. I suspect the only way is a batch file that removes the key on a once off basis.
> The trouble is that you need to leave it running until all profiles on all machines have been fixed.
>
> Alan Cuthbertson
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
> Sent: Tuesday, 27 November 2007 4:21 AM
> To: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Then, as Darren suggested, you need to run a RSoP on that system/user and ensure you're not getting it from somewhere else. Eliminate that possibility first.
>
> Also, are you sure GP is processing correctly on the system? When you run your RSoP, check and see if any GP related events occurred.
>
> Regards,
> Jamie Nelson
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> Sent: Monday, November 26, 2007 11:12 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
>
> Hi Jamie,
>
> Yup... gave that a go.. rebooted few times etc but still that setting is coming down and shown in the user registry hive. Within the GPMC settings view of the defdompol, there is no sign that this setting (ForcePST) is now set... and the only GPO applied to this User is defdompol...
>
> Thanks for your reply
>
> Loz
>
> > Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
> > Date: Mon, 26 Nov 2007 10:58:51 -0600
> > From: Jamie.Nelson.ctr@xxxxxxxxxxxxx
> > To: gptalk@xxxxxxxxxxxxx
> >
> > Have you done a 'gpupdate /force /target:user' from the command-line?
> > Sometimes if you forcefully reapply the policy it will correct things like that.
> >
> > Regards,
> > Jamie Nelson
> >
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN
> > Sent: Sunday, November 25, 2007 5:36 PM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Problem with GPO Setting even after set to 'Not Configured'
> >
> > Hi Guys,
> >
> > I have also posted this to Group Policy Forums @ Microsoft. Trying to get some exposure to this problem... hoping someone can shed some light. I have tried to describe exactly what is going on being as descriptive as possible. If I get an answer on the Microsoft forum I'll post it over to here if anyone is interested....
> >
> > I have pasted the Thread I have started already:
> >
> > 2 posts altogether:
> >
> > Hey Guys,
> >
> > > Okay, although I have not found an answer yet, I *think* I have made some progress and am on the right lines, again if anyone has any comments please do let me know.
> > >
> > > .... after a lot of googling everything was pointing to the fact that I MUST HAVE at some point applied the Outlook ADM to the def-dom-pol with the setting for 'default path for PST Files' pointing to my network location. After applying it I must have ripped out the ADM template from the def-dom-pol and applied it specifically to the OU where I wanted the GPO to apply. Hence this *probably* caused GPMC to give the output of 'display names for some setting cannot be found....'
> > >
> > > So... in an attempt to correct this.... Within the def-dom-pol I added the Outlook ADM template back in... And set the setting for the PST path to 'not configured'...
> > > Rebooted an XP client, logged in with a new user but still outlook is pushing the path of the PST to the network store when configuring a POP3 email account.
> > >
> > > The strange thing still is even though I have configured the setting now to 'Not Configured' (and hence it does not now display in the GPMC settings tab for the def-dom-pol GPO as being set at all) AND the ONLY policy that is applied to Users (for new users created after this change as well) is the def-dom-pol ONLY, the users registry hive is still showing the network location path in the ForcePST registry key under HKCU\Software\Policies\Microsoft\Office\Outlook..... which I thought was a protected registry area that doesn't suffer from tattooing i.e.... is this tattooing?
> > >
> > > My head is kind of spinning now... as I think I am getting out of my depth... any steer would be great. All I am looking to achieve is for users (not within a specific OU) default outlook PST path to point to where it would have pointed if I didn't mess with this setting... it's as if the default PST location value is now the network path if I leave this setting to 'Not Configured'
> > >
> > > lozza
> > >
> > > 'lozza' wrote:
> > >
> > > > Hi Guys,
> > > >
> > > > I am confused by what is going on here.... looking for some help:
> > > >
> > > > In AD I have an OU with a GPO applied. This GPO, as well as other user settings, sets User Configuration\Administrative Tools\Microsoft Office Outlook 2003\Miscellaneous\PST Settings\Default location for PST files.... to a network location (I don't have any other option!). Now my understanding was that this should apply to all users within the OU that this GPO is linked to... and it does, just fine, was happy until today
> > > >
> > > > However....
> > > >
> > > > When I create a new user in AD, and place him in any other OU that does not have this GPO linked to it (and only the Default domain Policy), this setting still applies to the user when configuring outlook... it shouldn't, should it?
> > > >
> > > > So... I went into GPMC, clicked the OU the user sits in on the left hand side, clicked 'Group Policy Inheritance' tab on the right pane and see that ONLY the Default Domain Policy is being applied... which it should be... good
> > > >
> > > > So... I clicked on the Default domain policy on the left hand side pane of GPMC and on the right hand side pane clicked the settings tab which shows me all configured settings within this GPO. AND THERE IT WAS! under User Configuration, Administrative Templates, Extra Registry Settings it says:
> > > >
> > > > 'Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management'
> > > >
> > > > and directly under that it specifies:
> > > >
> > > > Setting: Software\Policies\Microsoft\Office\11.0\Outlook\ForcePSTPath
> > > > State: \\Network File server where PSTs are stored in the GPO its configured for...
> > > >
> > > > So why is this setting, that is set in another GPO specifically linked to one particular OU also in my Default Domain Policy? When I open the defdompol to configure it I don't see the template that sets this setting, in fact I don't see any of the Microsoft Office stuff in the defdompol GPO as I didn't add any additional administrative templates to the Default Domain GPO.
> > > >
> > > > Truly confused and a bit worried that I've messed my default domain policy... does anyone know what I'm talking about?
> > > >
> > > > Lozz
> >
> > ***********************
> > You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/
> > ************************
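
The NTUSER.pol half of Alan's check (is the key recorded in the .pol file?), as an added example that is not part of the original thread: a parser for the PReg record layout these files use, with hypothetical function names (`parse_pol`, `diagnose`) and a constructed sample standing in for a real file. Whether the value is present in the hive is passed in as `in_hive`, found by loading NTUSER.DAT in regedit as described in the thread.

```python
import struct

SIGNATURE, VERSION, REG_SZ = b"PReg", 1, 1   # .pol header fields and the REG_SZ type code

def wide(text):  # UTF-16LE with a terminating NUL, as names are stored in a .pol file
    return (text + "\x00").encode("utf-16-le")

def build_pol(entries):
    """Build constructed sample .pol bytes from (key, value, type, data) tuples."""
    out = SIGNATURE + struct.pack("<I", VERSION)
    for key, value, rtype, data in entries:
        fields = [wide(key), wide(value), struct.pack("<I", rtype), struct.pack("<I", len(data)), data]
        out += "[".encode("utf-16-le") + ";".encode("utf-16-le").join(fields) + "]".encode("utf-16-le")
    return out

def parse_pol(blob):
    """Return (key, value, type, data) for each [key;value;type;size;data] record."""
    if blob[:4] != SIGNATURE or len(blob) < 8 or struct.unpack_from("<I", blob, 4)[0] != VERSION:
        raise ValueError("not a PReg version 1 file")
    pos, records = 8, []

    def expect(char):
        nonlocal pos
        if blob[pos:pos + 2] != char.encode("utf-16-le"):
            raise ValueError(f"expected {char!r} at offset {pos}")
        pos += 2

    def read_name():
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\x00\x00":
            end += 2
            if end >= len(blob):
                raise ValueError("unterminated name")
        name = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        return name

    def read_dword():
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated record")
        pos += 4
        return struct.unpack_from("<I", blob, pos - 4)[0]

    while pos < len(blob):
        expect("[")
        key = read_name(); expect(";")
        value = read_name(); expect(";")
        rtype = read_dword(); expect(";")
        size = read_dword(); expect(";")
        data = blob[pos:pos + size]   # size is a byte count, so data may contain ']' or ';'
        pos += size
        expect("]")
        records.append((key, value, rtype, data))
    return records

def diagnose(in_hive, blob, key, value):
    """Combine the hive check (done by hand in regedit) with the .pol check."""
    wanted = (key.lower(), value.lower())   # registry names are case-insensitive
    in_pol = any((k.lower(), v.lower()) == wanted for k, v, _, _ in parse_pol(blob))
    if in_hive and not in_pol:
        return "stuck: in NTUSER.DAT but not recorded in the .pol"
    return "tracked" if in_pol else "absent"

# Constructed sample: key and value name are from the thread, the data is made up.
KEY = r"Software\Policies\Microsoft\Office\11.0\Outlook"
SAMPLE = build_pol([(KEY, "ForcePSTPath", REG_SZ, wide(r"\\fileserver.example\pst"))])
```

To check a real file, read it in binary mode and pass the bytes as `blob`; a "stuck" result matches the out-of-sync case described in the thread, where clean-up has no record of the value to remove.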