Solved

Problems with NT4 Domain Group Policy Applied to Win2k Pro machines

Posted on 2003-11-07
Last Modified: 2007-12-19
On my NT4 domain, I've just put a group policy created with Poledit on the domain controller.  Now I'm finding seemingly random users have lost all of their start menu icons.  It appears that any icons in the all users directory don't show up anymore.  Also, when you right click on Start Menu, you no longer have the option to 'Open All Users'

The policy defined contained the following:

Default User - Nothing defined
Default Computer - Nothing defined
SomeSpecificUser - Horribly restricted

The restrictions for SomeSpecificUser worked properly, but I can't determine why these seemingly unrelated changes are taking place on a random selection of users.
Question by:benhanson

Expert Comment

by:Netman66
ID: 9705419
If SomeSpecificUser logs on to any other workstation he, in fact, is "tattooing" the registry on those machines.

Does he log on to other machines?

Accepted Solution

by:
oBdA earned 500 total points
ID: 9706634
It's not the "fault" of SomeSpecificUser. User settings influence only the HKCU registry part.
I suspect a corrupt ntconfig.pol file or some leftovers of testing while developing the policy.
I'd recommend to recreate the ntconfig.pol from scratch. Instead of applying it to a specific user, create a global group (for example "GPolRestricted"), apply the policy to this group, make the Horribly Restricted Account(s) member of this group.
In addition, create a second group "GAntiPolRestricted" and apply an "Anti" set of policies to it, where you do the opposite of the restriction enabled for the other group (so when a box is checked for "GPolRestricted", uncheck (!) it in "GAntiPolRestricted", and vice versa). Make sure that in the "Group Priority", the "Anti" policy group has priority over the "Restricted" policy group.
That way, if you want to cancel the policy for a user (for testing purposes or whatever), all you have to do is add him to the "Anti" group (I guess you are aware that, unlike the W2k group policies, setting an NT4 policy from "checked" to "grey" does not disable the policy).
As for the users who were unlucky enough to be unintentionally hit by the restriction, there are some possibilities:
Either find out all of the settings that apply to them, create an anti-policy for this, make them member and have them log back on. Once their profile is fixed, remove them from the anti policy group.
The easier way might be to save whatever might be important in their profile (are they using local or roaming profiles?), then delete it. A registry that's been messed up with a policy is pretty hard to fix.
A third way might be to go through the affected users' registries, namely HKCU\Software\Microsoft\Windows\CurrentVersion\Policies and HKCU\Software\Policies and fix the settings directly. You can do this remotely by using regedt32 and loading the user.dat hive from the user's ntuser.dat (preferably while he's not logged on ...).
With this method, it's likely you won't be able to fix all settings, since some of the NT4 policies are not restricted to those hives.
I guess you are still using the NT4 .adm templates?

Author Comment

by:benhanson
ID: 9707947
I'm accepting oBdA's answer as a well put explanation.  There really is no solution to this one.  Problem stemmed from 'Default User' and 'Default Computer' being left in the policy by the admin who set it up.  Someone had 'unchecked' all settings in 'Default Computer' which ended up deleting quite a few registry keys, 4 of them being the common folder locations, %AllUserProfile%/Start Menu/ .../Programs .../Startup and one other I can't remember right now.

Key lesson learned:

NT4 Policy application overwrites registry entries and, unless you have a backup of original keys and values, there is NO WAY to undo an applied policy to get back to the original state.  You can go back to defaults if you know them, but you can't get back any custom settings unless they were documented beforehand.

I guess this is why GP's didn't get popular til Active Directory.
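
The third method in the accepted answer (loading a user's ntuser.dat and inspecting the two Policies keys) and the backup of original keys that the lesson above calls for can be scripted for the per-user part. The following is an added example, not part of the original posts; it assumes reg.exe is available on the admin machine, and the script name, the mount point PolHive and the output file names are made up for illustration:

```batch
@echo off
rem Added example: save the per-user policy keys from an offline ntuser.dat.
rem Usage: SavePol.cmd path-to-ntuser.dat output-directory
rem The script name, the mount point PolHive and the output file names are
rem made up for this example. Assumes reg.exe is installed and you are an admin.
setlocal
if "%~2"=="" goto usage
set Hive=%~1
set OutDir=%~2
set Mount=HKU\PolHive
if not exist "%Hive%" goto nohive
if not exist "%OutDir%" md "%OutDir%"

rem reg load fails while the user is logged on, because the hive is in use.
reg load %Mount% "%Hive%" >NUL
if errorlevel 1 goto noload

rem The two keys named in the answer; each is exported only if it exists.
call :export "Software\Microsoft\Windows\CurrentVersion\Policies" "%OutDir%\CurrentVersion-Policies.reg"
call :export "Software\Policies" "%OutDir%\Software-Policies.reg"

rem Always unload again, otherwise the profile stays locked.
reg unload %Mount% >NUL
echo Done. The exports are in "%OutDir%".
goto :eof

:export
reg query "%Mount%\%~1" >NUL 2>&1
if errorlevel 1 (
  echo Key %~1 not present, skipped.
  goto :eof
)
if exist "%~2" del "%~2"
reg export "%Mount%\%~1" "%~2" >NUL
echo Saved %~1 to "%~2".
goto :eof

:usage
echo Usage: %~n0 path-to-ntuser.dat output-directory
goto :eof
:nohive
echo Hive file "%Hive%" not found.
goto :eof
:noload
echo Could not load "%Hive%". Is the user still logged on?
goto :eof
```

Run once before a policy change and once after, the two sets of .reg files can be compared to see exactly which per-user values the policy wrote.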

Expert Comment

by:oBdA
ID: 9708081
Well, if you know what you (and the policies ...) are doing, and are careful about it, they're pretty useful. Just don't use the Default User or the Default Computer unless there's no other way or it's a safe setting. Most bothering about the NT4 system policies is that you can't group computers, so if you need computer settings, you either have to use the Default Computer or have all the machines listed ...
Anyway, the best way to get the hang of system/group policies is to create your own .adm template (which should of course be tested with a separate policy file ...)
Search for "remote update" on how to change the setting on a test machine to point to another file than ntconfig.pol:
Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winntas/maintain/prof_pol.asp
A good topic to start is to disable (set to monthly) Acrobat Reader's "Automatic Update" function, which for whatever reason is set to "monthly" for each user logging on to a machine ...
Oh, and while I'm at it: if you want to look further into creating your own templates, I have something you could use to make the W2k system.adm available in your NT4 poledit; if you still have NT4 clients, you could, as described above, create separate policies for each computer type.
If you want to use the W2k system.adm in NT4 poledit (maybe you've tried it before), there are some problems involved; the new .adm files are Unicode, which might make the NT4 poledit crash. Saving them as ANSI isn't enough either, you'd find that you don't have access to the policies, as Microsoft introduced some new features like "explain" and "clientext", so the W2k part is disabled.
You can use the batch below to clean the adm files from the "explain" entries (this involves heavy file handling/copying, so better don't run it over the network ...). Give it the (path and) name of the .adm file to be cleaned as argument; it will create a file in the same directory as the original with the same name and "-nt" added.
Once those entries are removed, you have to get rid of the poledit version check (the "#if version" ... "#endif" business) and all policies containing "clientext". Remove any other policies poledit might complain about.
As usual: No warranties included, use it at your own risk, test it before you apply it in earnest ...

====8<----[CleanAdm.cmd]----
@echo off
rem Removes the "explain" entries from a W2k .adm file and writes the result
rem next to the original, with "-nt" added to the name.
setlocal
set AdmEditor=notepad
rem Without an argument there is nothing to clean.
if %1.==. goto :eof
set AdmFile=%~1
set OutFile=%~dpn1-nt.adm
set ExpFile=%~dpn0.exp
set TmpFile=%~dpn0.tmp

set Explain=
copy "%AdmFile%" "%TmpFile%" >NUL
rem The loop below appends to the list file, so start without an old one.
if exist "%ExpFile%" del "%ExpFile%"
rem Collect the string names referenced by the "explain !!Name" lines.
for /f "tokens=2 eol= delims=!" %%a in ('type "%AdmFile%" ^| find /i "explain !!"') do (echo %%a)>>"%ExpFile%"
sort "%ExpFile%" /o "%ExpFile%"
for /f %%a in ('type "%ExpFile%"') do call :process %%a
goto leave

:process
rem The list is sorted, so a repeated name matches the one handled last.
if .%1.==.%Explain%. goto :eof
set Explain=%1
echo Removing "%Explain%" entries ...
rem Drop every line that mentions this explain string.
type "%TmpFile%" | find /i /v "%Explain%" >"%OutFile%"
copy "%OutFile%" "%TmpFile%" >NUL
goto :eof

:leave
del "%TmpFile%"
del "%ExpFile%"
echo Done.
echo The generated file is %OutFile%.
echo Steps remaining:
echo At the beginning of the file, remove the complete section beginning with
echo (and including) "#if version ^<= 2" until "#if version ^>= 3".
echo In the line above the [strings] section, remove the "#endif" line that
echo closed the "#if version ^>= 3" if-bracket.
echo.
echo Remove or comment out any policies that contain "CLIENTEXT".
echo.
echo Press any key to edit the file now, or ^<Ctrl-C^> to finish.
pause >NUL
%AdmEditor% "%OutFile%"
====8<----[CleanAdm.cmd]----