Problems with NT4 Domain Group Policy Applied to Win2k Pro machines

On my NT4 domain, I've just put a group policy created with Poledit on the domain controller.  Now I'm finding seemingly random users have lost all of their start menu icons.  It appears that any icons in the all users directory don't show up anymore.  Also, when you right click on Start Menu, you no longer have the option to 'Open All Users'

The policy defined contained the following:

Default User - Nothing defined
Default Computer - Nothing defined
SomeSpecificUser - Horribly restricted

The restrictions for SomeSpecificUser worked properly, but I can't determine why these seemingly unrelated changes are taking place on a random selection of users.

If SomeSpecificUser logs on to any other workstation he, in fact, is "tattooing" the registry on those machines.

Does he log on to other machines?
It's not the "fault" of SomeSpecificUser. User settings influence only the HKCU registry part.
I suspect a corrupt ntconfig.pol file or some leftovers of testing while developing the policy.
I'd recommend recreating the ntconfig.pol from scratch. Instead of applying it to a specific user, create a global group (for example "GPolRestricted"), apply the policy to this group, and make the Horribly Restricted Account(s) members of this group.
In addition, create a second group "GAntiPolRestricted" and apply an "Anti" set of policies to it, where you do the opposite of the restriction enabled for the other group (so when a box is checked for "GPolRestricted", uncheck (!) it in "GAntiPolRestricted", and vice versa). Make sure that in the "Group Priority", the "Anti" policy group has priority over the "Restricted" policy group.
That way, if you want to cancel the policy for a user (for testing purposes or whatever), all you have to do is add him to the "Anti" group (I guess you are aware that, unlike the W2k group policies, setting an NT4 policy from "checked" to "grey" does not disable the policy).
As for the users who were unlucky enough to be unintentionally hit by the restriction, there are some possibilities:
Either find out all of the settings that apply to them, create an anti-policy for this, make them members and have them log back on. Once their profile is fixed, remove them from the anti-policy group.
The easier way might be to save whatever might be important in their profile (are they using local or roaming profiles?), then delete it. A registry that's been messed up with a policy is pretty hard to fix.
A third way might be to go through the affected users' registries, namely HKCU\Software\Microsoft\Windows\CurrentVersion\Policies and HKCU\Software\Policies, and fix the settings directly. You can do this remotely by using regedt32 and loading the user.dat hive from the user's ntuser.dat (preferably while he's not logged on ...).
With this method, it's likely you won't be able to fix all settings, since some of the NT4 policies are not restricted to those hives.
I guess you are still using the NT4 .adm templates?

benhanson (Author) commented:
I'm accepting oBdA's answer as a well put explanation.  There really is no solution to this one.  Problem stemmed from 'Default User' and 'Default Computer' being left in the policy by the admin who set it up.  Someone had 'unchecked' all settings in 'Default Computer' which ended up deleting quite a few registry keys, 4 of them being the common folder locations, %AllUserProfile%/Start Menu/ .../Programs .../Startup and one other I can't remember right now.

Key lesson learned:

NT4 Policy application overwrites registry entries and, unless you have a backup of original keys and values, there is NO WAY to undo an applied policy to get back to the original state.  You can go back to defaults if you know them, but you can't get back any custom settings unless they were documented beforehand.

I guess this is why GPs didn't get popular until Active Directory.
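As an added example (not from the thread, and not oBdA's or benhanson's code), a batch file that snapshots the registry branches named in oBdA's third method plus the machine-side policy keys before a policy lands, and restores them afterwards, so the "no way to undo" lesson above does not bite. It uses regedit /e and regedit /s, which exist on NT4 and W2k; the Explorer key it saves is where the Shell Folders values for the common Start Menu live, which is my assumption about the "common folder locations" mentioned above rather than something the thread states. Script name and folder are placeholders.

```batch
@echo off
rem Added example, not from the thread: snapshot the registry branches that NT4
rem system policies tattoo, so an applied policy can be rolled back later.
rem Uses regedit /e (export) and regedit /s (silent import), present on NT4/W2k.
rem Run as the affected user for the HKCU part and as an administrator for HKLM.
rem   polbackup save    D:\polsnap\%COMPUTERNAME%   (before the policy arrives)
rem   polbackup restore D:\polsnap\%COMPUTERNAME%   (after an unwanted policy hit)
if "%~2"=="" goto usage
set BackupDir=%~2
set Undo=%BackupDir%\undo.reg
if /i "%~1"=="save" goto save
if /i "%~1"=="restore" goto restore
:usage
echo Usage: %~n0 save^|restore ^<folder^>
goto :eof

:save
if not exist "%BackupDir%" md "%BackupDir%"
rem User-side branches: the ones oBdA's third method edits by hand
regedit /e "%BackupDir%\hkcu-policies.reg" "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /e "%BackupDir%\hkcu-swpolicies.reg" "HKEY_CURRENT_USER\Software\Policies"
rem Machine-side branches, plus the Explorer key holding the Shell Folders values
rem (Common Start Menu, Common Programs, Common Startup) that went missing here
regedit /e "%BackupDir%\hklm-policies.reg" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /e "%BackupDir%\hklm-swpolicies.reg" "HKEY_LOCAL_MACHINE\Software\Policies"
regedit /e "%BackupDir%\hklm-explorer.reg" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer"
echo Snapshot written to "%BackupDir%".
goto :eof

:restore
if not exist "%BackupDir%\hkcu-policies.reg" goto usage
rem A .reg import only overwrites values present in the file, so values the
rem policy ADDED would survive. Delete the four policy branches first ([-key]
rem syntax), then import the snapshot. The Explorer key is re-imported, not deleted.
rem Redirection goes first because "echo REGEDIT4>file" would be read as handle 4.
> "%Undo%" echo REGEDIT4
>>"%Undo%" echo.
>>"%Undo%" echo [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
>>"%Undo%" echo [-HKEY_CURRENT_USER\Software\Policies]
>>"%Undo%" echo [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]
>>"%Undo%" echo [-HKEY_LOCAL_MACHINE\Software\Policies]
regedit /s "%Undo%"
for %%f in (hkcu-policies hkcu-swpolicies hklm-policies hklm-swpolicies hklm-explorer) do regedit /s "%BackupDir%\%%f.reg"
echo Restored. Fix or remove ntconfig.pol before the next logon, or it will re-apply.
goto :eof
```

The snapshot is only useful if taken before the policy hits, so run "save" as part of rollout testing, not after users complain.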
Well, if you know what you (and the policies ...) are doing, and are careful about it, they're pretty useful. Just don't use the Default User or the Default Computer unless there's no other way or it's a safe setting. The most bothersome thing about the NT4 system policies is that you can't group computers, so if you need computer settings, you either have to use the Default Computer or have all the machines listed ...
Anyway, the best way to get the hang of system/group policies is to create your own .adm template (which should of course be tested with a separate policy file ...)
Search for "remote update" on how to change the setting on a test machine to point to another file than ntconfig.pol:
Guide to MS Windows NT 4.0 Profiles and Policies
A good topic to start is to disable (set to monthly) Acrobat Reader's "Automatic Update" function, which for whatever reason is set to "monthly" for each user logging on to a machine ...
Oh, and while I'm at it: if you want to look further into creating your own templates, I have something you could use to make the W2k system.adm available in your NT4 poledit; if you still have NT4 clients, you could, as described above, create separate policies for each computer type.
If you want to use the W2k system.adm in NT4 poledit (maybe you've tried it before), there are some problems involved; the new .adm files are unicode, which might make the NT4 poledit crash. Saving them as ANSI isn't enough either; you'd find that you don't have access to the policies, as Microsoft introduced some new features like "explain" and "clientext", so the W2k part is disabled.
You can use the batch below to clean the adm files of the "explain" entries (this involves heavy file handling/copying, so better not run it over the network ...). Give it the (path and) name of the .adm file to be cleaned as argument; it will create a file in the same directory as the original with the same name and "-nt" added.
Once those entries are removed, you have to get rid of the poledit version check (the "#if version" ... "#endif" business) and all policies containing "clientext". Remove any other policies poledit might complain about.
As usual: No warranties included, use it at your own risk, test it before you apply it in earnest ...

@echo off
set AdmEditor=notepad
if %1.==. goto leave
set AdmFile=%~1
set OutFile=%~dpn1-nt.adm
set ExpFile=%~dpn0.exp
set TmpFile=%~dpn0.tmp

set Explain=
copy "%AdmFile%" "%TmpFile%" >NUL
rem Start with a fresh list of EXPLAIN names; the list is appended to below
if exist "%ExpFile%" del "%ExpFile%"
rem Collect the string names used in "EXPLAIN !!name" lines
for /f "tokens=2 eol= delims=!" %%a in ('type "%AdmFile%" ^| find /i "explain !!"') do (echo %%a)>>"%ExpFile%"
rem Sort so duplicates are adjacent; :process skips a name it has just handled
sort "%ExpFile%" /o "%ExpFile%"
for /f %%a in ('type "%ExpFile%"') do call :process %%a
goto leave

:process
if .%1.==.%Explain%. goto :eof
set Explain=%1
echo Removing "%Explain%" entries ...
rem Drop every line mentioning the name: the EXPLAIN line and its [strings] entry
type "%TmpFile%" | find /i /v "%Explain%" >"%OutFile%"
copy "%OutFile%" "%TmpFile%" >NUL
goto :eof

:leave
if exist "%TmpFile%" del "%TmpFile%"
if exist "%ExpFile%" del "%ExpFile%"
echo Done.
echo The generated file is %OutFile%.
echo Steps remaining:
echo At the beginning of the file, remove the complete section beginning with
echo (and including) "#if version ^<= 2" until "#if version ^>= 3".
echo In the line above the [strings] section, remove the "#endif" line that
echo closed the "#if version ^>= 3" if-bracket.
echo Remove or comment out any policies that contain "CLIENTEXT".
echo Press any key to edit the file now, or ^<Ctrl-C^> to finish.
pause >NUL
%AdmEditor% "%OutFile%"