[gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
- From: Darren Mar-Elia <darren@xxxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Wed, 28 Nov 2007 16:03:31 -0800
Tazamal-
Now that you have the hive file loaded, you can make any changes to it as you
would a normal registry value. Once you unload that hive again, the changes are
then saved to the ntuser.dat file and subsequently created user accounts should
pick up the value change.
Darren
-----Original message-----
From: TAZAMAL HUSSAIN tazamal_hussain@xxxxxxxxxxx
Date: Wed, 28 Nov 2007 15:14:03 -0500
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
>
> Alan/Guys,
>
> Okay... I managed to load the Domain Default User Hive and yes, the registr>
> y key is in it and set....
>
> So, is it possible somehow to edit this and then replace the NTUSER.dat fil>
> e sitting in the default user profile.
>
> I;m getting out of my depth here BUT would really like to learn the interna>
> l workings here. I also dont see the .pol file in ANY of my roaming profile>
> users profile folders.... is this bad?
>
>
> From: syspro@xxxxxxxxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: >
> Problem with GPO Setting even after set to 'Not Configured'Date: Wed, 28 No>
> v 2007 13:41:22 +1100
>
>
>
>
>
>
>
>
> Hi Tazamal,
>
>
> To open the registry hive you must:-
>
> Start regedit
> Click on Hkey_Local_Machine
> Click on file/Load Hive
> Then navigate to the ntuser.dat file and select it
> Give it a new name (say aaaa) and you should be able to browse it
> When finished, click on the root of the attached hive (say aaaa) and click >
> file/Unload Hive. It gives a warning as to whether you are sure. Provided y>
> ou have clicked on the correct branch it will be OK.
> The fact that you do not see an NTUSER.pol file sort of explains your probl>
> em. It should have been copied over when the NTUser.dat file was copied ove> r
>
> To get round you current problems I would suggest a new policy with the set>
> ting set to DISABLED. This will fix your immediate problem, both for new an>
> d existing users. You can then go through and rebuild your default profile >
> at your leisure, test it and implement it. When this is done and you are co>
> nfident that all (most) of your registries sitting on machines have been fi>
> xed, remove the policy all together.
>
> Alan Cuthbertson
>
>
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On B>
> ehalf Of TAZAMAL HUSSAINSent: Wednesday, 28 November 2007 12:27 PMTo: gptal>
> k@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Problem with GPO Setting even after se>
> t to 'Not Configured'
>
> Guys After reading all the replies I think I need to take some time and mak>
> e sure this is done correctly. What Darren suggested was what I was going t>
> o do, now though i'm hestating as i;m not sure as there might be useful stu>
> ff in my default profile that i;m not aware of. As far as I remember I only>
> did desktop and start menu type clean ups, but it was a while back. I cant>
> find the document I produced :( Alan, some questions for you (please bear>
> with me if this basic stuff) from your points i'm unsure how to carry out:>
> 2) How do I open the registry hive?3) I dont see an NTUSER.pol file i only>
> see an NTUSER.dat fileI Copied the whole Default User profile folder from >
> the netlogon share to my laptop d:\ as suggested in step 1 Have I understoo>
> d what you meant correctly? In a locked down type environment do you guys h>
> ave a kind of good lockdown policy that you have previously documented and >
> have to hand when going into a new environment. A kind of standa
rd procedur> e the default profile should look like? In my case, users only
need to fire> up Microsoft Office, Internet Explorer, use certain mapped
drives, pick up> printers and run some LOB applications.. nothing else. I
would be very int> erested to see how the experienced guys deal with these
kinds of things... > might be asking for a lot. I understand this all down to
choice and situati> on that depoyment is taking place in, but any useful would
be handy to know> .... This is excellent learning for me... so thanks
>
>
>
> From: syspro@xxxxxxxxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: >
> Problem with GPO Setting even after set to 'Not Configured'Date: Wed, 28 No>
> v 2007 08:17:01 +1100
>
> Tazamal,
>
> While Darren is correct in what he suggests, I am not sure it is something >
> you want to rush in to. You may find there are a lot of useful things in yo>
> ur default profile that you are not really aware of. It really depends on h>
> ow well documented your process is for building the default profile.
>
> As a short term check I would do the following:-
>
>
> Copy the default profile to somewhere where you can play with it
> Open the registry hive and see whether the offending key is present
> Open the NTUSER.pol file with notepad and see if the key is present there. >
> (The file is a bit messy, but you should be able to read it )
>
> If you find the key is present in step 2 and not present in step 3, then th>
> at explains your problem. The quick fix is then to either remove the entry >
> from the registry hive in the default user profile or to create a policy wi>
> th the entry set to DISABLED.
>
> Note: If you fix the default profile without creating the DISABLED policy, >
> you will only fix new users, not existing users. You may be stuck with havi>
> ng a policy setting to disable the entry until all existing users have been>
> fixed. Since a user can have profiles on multiple machines, it is not ?f>
> ixed? until all copies have been fixed.
>
> So? it?s all a bit messy. The moral of the story is either follow Darre> n?s
> advice and make sure no policies are applied to your default profile,> or
> else ensure the NTUSER.pol is always copied across as well.
>
> Alan Cuthbertson
>
>
> Policy Management Software:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
>
> ADM Template Editor:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
>
> Policy Log Reporter(Free)
> http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtm> l
>
>
>
>
>
>
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On B>
> ehalf Of Darren Mar-EliaSent: Wednesday, 28 November 2007 6:53 AMTo: gptalk>
> @freelists.orgSubject: [gptalk] Re: Problem with GPO Setting even after set>
> to 'Not Configured'
>
> Here?s what I would do. If you have a vanilla XP image, just copy the def>
> ault profile from c:\documents and settings\default user up to the Netlogon>
> share, over the existing one, using the System control panel applet. Then >
> you can customize it however you want by removing shortcuts, etc.
>
> Darren
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On B>
> ehalf Of TAZAMAL HUSSAINSent: Tuesday, November 27, 2007 11:34 AMTo: gptalk>
> @freelists.orgSubject: [gptalk] Re: Problem with GPO Setting even after set>
> to 'Not Configured'
>
> Darren, Okay, i'm going to look into doing this tonight hopefully. Do i tak>
> e the NTUSER.dat file of a new user created while the PST setting was set t>
> o disabled? My confusion is around the fact that to create another Template>
> User I will have to create another Domain User and if I do this, the regis>
> try setting for the ForcePST path will already have been set to the network>
> location... Doesn;t this mean this setting will then go into the template?
>
>
>
> From: darren@xxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Proble>
> m with GPO Setting even after set to 'Not Configured'Date: Tue, 27 Nov 2007>
> 09:53:53 -0800
>
> Well, you only need to recreate the ntuser.dat file as that is where the po>
> licy settings are held, but it may just be easier to do the whole thing and>
> then manually remove what you need to.
>
> And yes, all existing users who already have profiles will not get affected>
> ?only new users creating new profiles will pick up the new defaults.
>
> Darren
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On B>
> ehalf Of TAZAMAL HUSSAINSent: Tuesday, November 27, 2007 9:44 AMTo: gptalk@>
> freelists.orgSubject: [gptalk] Re: Problem with GPO Setting even after set >
> to 'Not Configured'
>
> Darren... I get you... So i;m sure new users are getting there Default prof>
> ile from netlogon, as a Default User profile does exist there. Should I tr>
> y and re-create this to keep troubleshooting? If I do, will all existing us>
> ers still keep the settings they have today (primarily all rubbish removed >
> from start menu and desktop etc etc)... I expect they will keep the setting>
> s (which is what I want)....
>
>
>
> From: darren@xxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Proble>
> m with GPO Setting even after set to 'Not Configured'Date: Tue, 27 Nov 2007>
> 09:32:03 -0800
>
> Tazamal-
> Yes, what we?re saying is that wherever your default user profile is gett>
> ing built from, that is likely where the setting is stuck. There are two pl>
> aces this can come from. If you have a default profile up in your Netlogon >
> share on your domain controllers, then a new user logging into a workstatio>
> n for the first time will have their user profile created under %userprofil>
> e%\<username> on the workstation based on that default profile. If you have>
> n?t put a default profile under Netlogon, then the user grabs it from c:\>
> documents and settings\default user on the workstation that they log onto. >
> So I suspect, depending upon your situation, its coming from one of those >
> two places.
>
> Darren
>
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On B>
> ehalf Of TAZAMAL HUSSAINSent: Tuesday, November 27, 2007 9:21 AMTo: gptalk@>
> freelists.orgSubject: [gptalk] Re: Problem with GPO Setting even after set >
> to 'Not Configured'
>
> All, I'm not sure i understand the question (a bit slow like that)... so I >
> will atempt to answer it. These test users where created by right clicking >
> in the OU where I placed them and creating a new account (i have also copie>
> d existin accounts and the get same results). These domain users, i guess t>
> hen when they log into an xp desktop I get their profile from the domain de>
> fault user profile (??) and not the local All Users profile on the desktop >
> (??). I created this a while back by creating a new user, logging in, confi>
> guring desktop, logging out, logging in as admin and copying the profile to>
> the domain somewhere... I can get the details if it helps, i tend to docum>
> ent everything. So are you saying that the domain default profile is where >
> this stuck setting could be? Have i answered your question? Sorry have been>
> slow to emails today...
>
>
>
> From: darren@xxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Proble>
> m with GPO Setting even after set to 'Not Configured'Date: Mon, 26 Nov 2007>
> 17:29:04 -0800
>
> Looking at the doc, it sounds like this setting is stuck in the user?s pr>
> ofile, as Alan had suggested. How are your new user?s profiles created? M> y
> guess is that they are created from a template Default User Profile that >
> has that path stuck in it.
>
> Darren
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On B>
> ehalf Of TAZAMAL HUSSAINSent: Monday, November 26, 2007 5:00 PMTo: gptalk@f>
> reelists.orgSubject: [gptalk] Re: Problem with GPO Setting even after set t>
> o 'Not Configured'
>
> Alan, Darren, Jamie.... Your responses and guidance has been very much appr>
> eciated. I've done some screen scrapes to try and eliminate any things you >
> guys may think i might be doing wrong... I hope these help us find a soluti>
> on. I have attached a file, its not too big, hope you dont mind... Thanks >
> so far on the quick responses so far. Lozz
>
>
>
> From: darren@xxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Proble>
> m with GPO Setting even after set to 'Not Configured'Date: Mon, 26 Nov 2007>
> 16:23:32 -0800
>
> Alan-
> Just to clarify, ntuser.pol should not exist in a default profile. It is cr>
> eated on the fly (both per-user and per-computer) for a given user and, as >
> you correctly point out, contains the admin template policy settings (as we>
> ll as preferences by the way) for the current user. The per-user version is>
> held in the current user?s profile directory. It is responsible for the >
> policy clean up process inasmuch as each time Admin. Template policy is pro>
> cessed, this ?archive? file is read and any policy keys found in it are>
> removed before the current Admin. Template policies are re-applied. So it >
> is possible that this .pol file somehow did not get the policy in question >
> added to it, and thus would not remove it. But this seems like a strange sc>
> enario.
>
> Darren
>
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On B>
> ehalf Of Alan & MargaretSent: Monday, November 26, 2007 3:19 PMTo: gptalk@f>
> reelists.orgSubject: [gptalk] Re: Problem with GPO Setting even after set t>
> o 'Not Configured'
>
> Can you try removing the registry key manually, then reapplying the policy >
> and see if it comes back?
>
> What I suspect you may have done is got your default Profile screwed up. Th>
> ere are two files in the Default profile, the NTUser.dat file which contain>
> s the registry keys that are in use, plus the NTUser.Pol file that stores a>
> ll of the non-tattooed polices that are to be removed. If these get out of >
> synch, you can have the case that NTUser.dat contains a registry key but NT>
> User.Pol doesn't contain the key for removal. This will happen if when buil>
> ding the default profile, you copy across NTuser.dat but not NTUSER.POL
>
> This means that new users inherit a registry which contains the key but the>
> NTUSER.POL does not contain the key to remove it as part of tattoo process>
> ing. However, once you manually remove it, it wont come back. While the bes>
> t way to fix it for new users is to rebuild your Default profile from scrat>
> ch, if this is the only error, you can simply remove the entry from the NTU>
> SER.DAT. Existing users are somewhat harder to fix. I suspect the only way >
> is a batch file that removes the key on a once of basis. The trouble is tha>
> t you need to leave it running until all profiles on all machines have been>
> fixed.,
>
> Alan Cuthbertson
>
>
> Policy Management Software:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
>
> ADM Template Editor:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
>
> Policy Log Reporter(Free)
> http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtm> l
>
>
>
> -----Original Message-----From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk->
> bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAFSent: T>
> uesday, 27 November 2007 4:21 AMTo: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] R>
> e: Problem with GPO Setting even after set to 'Not Configured'
>
> Then, as Darren suggested, you need to run a RSoP on that system/user
> and ensure you're not getting it from somewhere else. Eliminate that
> possibility first.
>
> Also, are you sure GP is processing correctly on the system? When you
> run your RSoP, check and see if any GP related events occurred.
>
> Regards,
> Jamie Nelson
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of TAZAMAL HUSSAIN
> Sent: Monday, November 26, 2007 11:12 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
> Configured'
>
> Hi Jamie,
>
> Yup... gave that a go.. rebooted few times etc but still that setting is
> coming down and shown in the user registry hive. Within the GPMC
> settings view of the defdompol, there is no sign that this setting
> (ForcePST) is now set... and the only GPO applied to this User is
> defdompol...
>
> Thanks for you reply
>
> Loz
>
> > Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
> Configured'
> > Date: Mon, 26 Nov 2007 10:58:51 -0600
> > From: Jamie.Nelson.ctr@xxxxxxxxxxxxx
> > To: gptalk@xxxxxxxxxxxxx
> >
> > Have you done a 'gpupdate /force /target:user' from the command-line?
> > Sometimes if you forcefully reapply the policy it will correct things
> > like that.
> >
> > Regards,
> > Jamie Nelson
> >
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > On Behalf Of TAZAMAL HUSSAIN
> > Sent: Sunday, November 25, 2007 5:36 PM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Problem with GPO Setting even after set to 'Not
> > Configured'
> >
> > Hi Guys,
> >
> > I have also posted this to Group Policy Forums @ Microsoft. Trying to
> > get some exposure to this problem... hoping someone can shed some
> light.
> > I have tried to describe exactly what is going on being a descriptive
> as
> > possible. If I get an answer on the on the Microsoft forum i'll post
> it
> > over to here if anyone is interested....
> >
> > I have pasted the Thread I have started already:
> >
> >
> > 2 posts altogether:
> >
> > Hey Guys,
> > >
> > > Okay, although I have not found an answer yet, I *think* I have made
> > some
> > > progress and am on the right lines, again if anyone has any comments
> > please
> > > do let me know.
> > >
> > > .... after a lot of googling everything was pointing to the fact
> that
> > I MUST
> > > HAVE at some point applied the Outlook ADM to the def-dom-pol with
> the
> >
> > > setting for 'default path for PST Files' pointing to my network
> > location.
> > > After applying it I must have ripped out the ADM template from the
> > > def-dom-pol and applied it specifically to the OU where I wanted the
> > GPO to
> > > apply. Hence this *probably* caused GPMC to give the output of
> > 'display names
> > > for some setting cannot be found....'
> > >
> > > So... in an attempt to correct this.... Within the def-dom-pol I
> added
> > the
> > > Outlook ADM template back in... And set the setting for the PST path
> > to 'not
> > > configured'.. . Rebooted an XP client, logged in with a new user but
> > still
> > > outlook is pushing the path of the PST to the network store when
> > configuring a POP3 email account.
> > >
> > > The strange thing still is even though I have configured the setting
> > now to
> > > 'Not Configured' (and hence it does not now display in the GPMC
> > settings tab
> > > for the def-dom-pol GPO as being set at all) AND the ONLY policy
> that
> > is
> > > applied to Users (for new users created after this change as well)
> is
> > the
> > > def-dom-pol ONLY, the users registry hive is still showing the
> network
> > location path in the
> > > ForcePST registry key under
> > > HKCU\Software\Policies\Microsoft\Office\Outlook..... which I thought
> > was a
> > > protected registry area that doesn;t suffer from tatooing i.e.... is
> > this
> > > tatooing?
> > >
> > > My head is kind of spinning now... as i think i am getting out of my
> > depth...
> > > any steer would be great. All i am looking to achieve is for users
> > (not within a specific OU) default outlook PST path to point to where
> it
> > would have pointed if I didn;t mess with this setting... its as if the
> > default PST location value is now the network path if I leave this
> > setting to 'Not Configured'
> > >
> > > lozza
> > >
> > >
> > > 'lozza' wrote:
> > >
> > > > Hi Guys,
> > > >
> > > > I am confused by what is going on here.... looking for some help:
> > > >
> > > > In AD i have an OU with a GPO applied. This GPO, as well as other
> > user
> > > > settings, sets User Configuration\Administrative Tools\Microsoft
> > Office
> > > > Outlook 2003\Miscellaneous\PST Settings\Default location for PST
> > files.... to
> > > > a network location (I dont have any other option!). Now my
> > understanding was
> > > > that this should apply to all users within the OU that is GPO is
> > linked to...
> > > > and it does, just fine, was happy until today
> > > >
> > > > However....
> > > >
> > > > When I create a new user in AD, and place him in any other OU that
> > does not
> > > > have this GPO linked to it (and only the Default domain Policy),
> > this setting
> > > > still applies to the user when configuring outlook... it
> shouldn't,
> > should it?
> > > >
> > > > So... I went into GPMC, clicked the OU the user sits in on the
> left
> > hand side,
> > > > clicked 'Group Policy Inheritance' tab on the right pane and see
> > that ONLY
> > > > the Default Domain Policy is being applied... which it should
> be...
> > good
> > > >
> > > > So... I clicked on the Default domain policy on the left hand side
> > pane of
> > > > GPMC and on the right hand side pane clicked the settings tab
> which
> > shows me
> > > > all configured settings within this GPO. AND THERE IT WAS! under
> > User
> > > > Configuration, Administrative Templates, Extra Registry Settings
> it
> > says:
> > > >
> > > > 'Display names for some settings cannot be found. You might be
> able
> > to
> > > > resolve this issue by updating the .ADM files used by Group Policy
>
> > > > Management'
> > > >
> > > > and directly under that it specifies:
> > > >
> > > > Setting:
> > Software\Policies\Microsoft\Office\11.0\Outlook\ForcePSTPath
> > > > State: \\Network File server where PSTs are stored in the GPO its
> > configured
> > > > for...
> > > >
> > > > So why is this setting, that is set in another GPO specifically
> > linked to one particular OU also in my Default Domain Policy? When I
> > > > open the defdompol to configure it I dont see the template that
> sets
> > this setting, in fact I dont see any of the Microsoft
> > > > Office stuff in the defdompol GPO as I didn't add any additional
> > administrative templates to the Default Domain GPO.
> > > >
> > > > Truly confused and a bit worried that I've messed my default
> domain
> > > > policy... does anyone know what i;m talking about?
> > > >
> > > > Lozz
> >
> >
> > ________________________________
> >
> > The next generation of MSN Hotmail has arrived - Windows Live Hotmail
> > <http://www.newhotmail.co.uk>
> > ***********************
> > You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> by logging into the freelists.org Web interface. Archives for the list
> are available at //www.freelists.org/archives/gptalk/
>
> > ************************
>
>
>
> ________________________________
>
> Get free emoticon packs and customisation from Windows Live. Pimp My
> Live! <http://www.pimpmylive.co.uk>
> ***********************
> You can unsubscribe from gptalk by sending email to gptalk-request@freelist>
> s.org with 'unsubscribe' in the Subject field OR by logging into the freeli>
> sts.org Web interface. Archives for the list are available at http://www.fr>
> eelists.org/archives/gptalk/
> ************************
>
>
>
>
> Are you the Quizmaster? Play BrainBattle with a friend now!
>
>
>
>
> Do you know a place like the back of your hand? Share local knowledge with >
> BackOfMyHand.com
>
>
>
>
> The next generation of MSN Hotmail has arrived - Windows Live Hotmail
>
>
>
>
> Do you know a place like the back of your hand? Share local knowledge with >
> BackOfMyHand.com
>
>
>
>
> Do you know a place like the back of your hand? Share local knowledge with >
> BackOfMyHand.com
> _________________________________________________________________
> Celeb spotting ? Play CelebMashup and win cool prizes
> https://www.celebmashup.com>
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
Other related posts:
