[gptalk] Re: Problem with GPO Setting even after set to 'Not Configured'
- From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Tue, 27 Nov 2007 16:40:17 +1100
Darren,
It depends on how you build your default profile. If you are copying the
NTUser.dat file from a user that has never had a policy applied, then you
are correct, you don't need the ntuser.pol file (obviously, since it would
not exist). If you apply a policy, that creates an entry under
software\policy, then an entry is created in the ntuser.pol file and you
must copy it to the default policy. If you don't, and the policy is not
applied to the new user, then Tattoo processing doesn't know that it needs
to remove it from the user's copy of the default policy.
Tazamal,
Looking at your file, it would seem that the entry is already in the
registry but is not in the NTUSER.POL , so tattoo processing doesn't know
that it has to remove it. This will happen if the default profile has been
incorrectly built. It also agrees with the fact that if you deactivate the
policy, the key is deleted and won't come back. Try deleting it manually and
it won't come back either.
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of TAZAMAL HUSSAIN
Sent: Tuesday, 27 November 2007 12:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Alan, Darren, Jamie....
Your responses and guidance has been very much appreciated. I've done some
screen scrapes to try and eliminate any things you guys may think i might be
doing wrong... I hope these help us find a solution.
I have attached a file, its not too big, hope you dont mind...
Thanks so far on the quick responses so far.
Lozz
_____
From: darren@xxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Date: Mon, 26 Nov 2007 16:23:32 -0800
Alan-
Just to clarify, ntuser.pol should not exist in a default profile. It is
created on the fly (both per-user and per-computer) for a given user and, as
you correctly point out, contains the admin template policy settings (as
well as preferences by the way) for the current user. The per-user version
is held in the current user's profile directory. It is responsible for the
policy clean up process inasmuch as each time Admin. Template policy is
processed, this "archive" file is read and any policy keys found in it are
removed before the current Admin. Template policies are re-applied. So it is
possible that this .pol file somehow did not get the policy in question
added to it, and thus would not remove it. But this seems like a strange
scenario.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: Monday, November 26, 2007 3:19 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Can you try removing the registry key manually, then reapplying the policy
and see if it comes back?
What I suspect you may have done is got your default Profile screwed up.
There are two files in the Default profile, the NTUser.dat file which
contains the registry keys that are in use, plus the NTUser.Pol file that
stores all of the non-tattooed polices that are to be removed. If these get
out of synch, you can have the case that NTUser.dat contains a registry key
but NTUser.Pol doesn't contain the key for removal. This will happen if when
building the default profile, you copy across NTuser.dat but not NTUSER.POL
This means that new users inherit a registry which contains the key but the
NTUSER.POL does not contain the key to remove it as part of tattoo
processing. However, once you manually remove it, it wont come back. While
the best way to fix it for new users is to rebuild your Default profile from
scratch, if this is the only error, you can simply remove the entry from the
NTUSER.DAT. Existing users are somewhat harder to fix. I suspect the only
way is a batch file that removes the key on a once of basis. The trouble is
that you need to leave it running until all profiles on all machines have
been fixed.,
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: Tuesday, 27 November 2007 4:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Then, as Darren suggested, you need to run a RSoP on that system/user
and ensure you're not getting it from somewhere else. Eliminate that
possibility first.
Also, are you sure GP is processing correctly on the system? When you
run your RSoP, check and see if any GP related events occurred.
Regards,
Jamie Nelson
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of TAZAMAL HUSSAIN
Sent: Monday, November 26, 2007 11:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
Hi Jamie,
Yup... gave that a go.. rebooted few times etc but still that setting is
coming down and shown in the user registry hive. Within the GPMC
settings view of the defdompol, there is no sign that this setting
(ForcePST) is now set... and the only GPO applied to this User is
defdompol...
Thanks for you reply
Loz
> Subject: [gptalk] Re: Problem with GPO Setting even after set to 'Not
Configured'
> Date: Mon, 26 Nov 2007 10:58:51 -0600
> From: Jamie.Nelson.ctr@xxxxxxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
>
> Have you done a 'gpupdate /force /target:user' from the command-line?
> Sometimes if you forcefully reapply the policy it will correct things
> like that.
>
> Regards,
> Jamie Nelson
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of TAZAMAL HUSSAIN
> Sent: Sunday, November 25, 2007 5:36 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Problem with GPO Setting even after set to 'Not
> Configured'
>
> Hi Guys,
>
> I have also posted this to Group Policy Forums @ Microsoft. Trying to
> get some exposure to this problem... hoping someone can shed some
light.
> I have tried to describe exactly what is going on being a descriptive
as
> possible. If I get an answer on the on the Microsoft forum i'll post
it
> over to here if anyone is interested....
>
> I have pasted the Thread I have started already:
>
>
> 2 posts altogether:
>
> Hey Guys,
> >
> > Okay, although I have not found an answer yet, I *think* I have made
> some
> > progress and am on the right lines, again if anyone has any comments
> please
> > do let me know.
> >
> > .... after a lot of googling everything was pointing to the fact
that
> I MUST
> > HAVE at some point applied the Outlook ADM to the def-dom-pol with
the
>
> > setting for 'default path for PST Files' pointing to my network
> location.
> > After applying it I must have ripped out the ADM template from the
> > def-dom-pol and applied it specifically to the OU where I wanted the
> GPO to
> > apply. Hence this *probably* caused GPMC to give the output of
> 'display names
> > for some setting cannot be found....'
> >
> > So... in an attempt to correct this.... Within the def-dom-pol I
added
> the
> > Outlook ADM template back in... And set the setting for the PST path
> to 'not
> > configured'.. . Rebooted an XP client, logged in with a new user but
> still
> > outlook is pushing the path of the PST to the network store when
> configuring a POP3 email account.
> >
> > The strange thing still is even though I have configured the setting
> now to
> > 'Not Configured' (and hence it does not now display in the GPMC
> settings tab
> > for the def-dom-pol GPO as being set at all) AND the ONLY policy
that
> is
> > applied to Users (for new users created after this change as well)
is
> the
> > def-dom-pol ONLY, the users registry hive is still showing the
network
> location path in the
> > ForcePST registry key under
> > HKCU\Software\Policies\Microsoft\Office\Outlook..... which I thought
> was a
> > protected registry area that doesn;t suffer from tatooing i.e.... is
> this
> > tatooing?
> >
> > My head is kind of spinning now... as i think i am getting out of my
> depth...
> > any steer would be great. All i am looking to achieve is for users
> (not within a specific OU) default outlook PST path to point to where
it
> would have pointed if I didn;t mess with this setting... its as if the
> default PST location value is now the network path if I leave this
> setting to 'Not Configured'
> >
> > lozza
> >
> >
> > 'lozza' wrote:
> >
> > > Hi Guys,
> > >
> > > I am confused by what is going on here.... looking for some help:
> > >
> > > In AD i have an OU with a GPO applied. This GPO, as well as other
> user
> > > settings, sets User Configuration\Administrative Tools\Microsoft
> Office
> > > Outlook 2003\Miscellaneous\PST Settings\Default location for PST
> files.... to
> > > a network location (I dont have any other option!). Now my
> understanding was
> > > that this should apply to all users within the OU that is GPO is
> linked to...
> > > and it does, just fine, was happy until today
> > >
> > > However....
> > >
> > > When I create a new user in AD, and place him in any other OU that
> does not
> > > have this GPO linked to it (and only the Default domain Policy),
> this setting
> > > still applies to the user when configuring outlook... it
shouldn't,
> should it?
> > >
> > > So... I went into GPMC, clicked the OU the user sits in on the
left
> hand side,
> > > clicked 'Group Policy Inheritance' tab on the right pane and see
> that ONLY
> > > the Default Domain Policy is being applied... which it should
be...
> good
> > >
> > > So... I clicked on the Default domain policy on the left hand side
> pane of
> > > GPMC and on the right hand side pane clicked the settings tab
which
> shows me
> > > all configured settings within this GPO. AND THERE IT WAS! under
> User
> > > Configuration, Administrative Templates, Extra Registry Settings
it
> says:
> > >
> > > 'Display names for some settings cannot be found. You might be
able
> to
> > > resolve this issue by updating the .ADM files used by Group Policy
> > > Management'
> > >
> > > and directly under that it specifies:
> > >
> > > Setting:
> Software\Policies\Microsoft\Office\11.0\Outlook\ForcePSTPath
> > > State: \\Network File server where PSTs are stored in the GPO its
> configured
> > > for...
> > >
> > > So why is this setting, that is set in another GPO specifically
> linked to one particular OU also in my Default Domain Policy? When I
> > > open the defdompol to configure it I dont see the template that
sets
> this setting, in fact I dont see any of the Microsoft
> > > Office stuff in the defdompol GPO as I didn't add any additional
> administrative templates to the Default Domain GPO.
> > >
> > > Truly confused and a bit worried that I've messed my default
domain
> > > policy... does anyone know what i;m talking about?
> > >
> > > Lozz
>
>
> ________________________________
>
> The next generation of MSN Hotmail has arrived - Windows Live Hotmail
> <http://www.newhotmail.co.uk>
> ***********************
> You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at //www.freelists.org/archives/gptalk/
> ************************
________________________________
Get free emoticon packs and customisation from Windows Live. Pimp My
Live! <http://www.pimpmylive.co.uk>
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
_____
Are you the Quizmaster? Play BrainBattle
<http://specials.uk.msn.com/brainbattle> with a friend now!
Other related posts:
