benhanson


Problems with NT4 Domain Group Policy Applied to Win2k Pro machines

On my NT4 domain, I've just put a group policy created with Poledit on the domain controller.  Now I'm finding seemingly random users have lost all of their start menu icons.  It appears that any icons in the all users directory don't show up anymore.  Also, when you right click on Start Menu, you no longer have the option to 'Open All Users'

The policy defined contained the following:

Default User - Nothing defined
Default Computer - Nothing defined
SomeSpecificUser - Horribly restricted

The restrictions for SomeSpecificUser worked properly, but I can't determine why these seemingly unrelated changes are taking place on a random selection of users.
Netman66

If SomeSpecificUser logs on to any other workstation he, in fact, is "tattooing" the registry on those machines.

Does he log on to other machines?
ASKER CERTIFIED SOLUTION
oBdA

benhanson

ASKER

I'm accepting oBdA's answer as a well put explanation.  There really is no solution to this one.  Problem stemmed from 'Default User' and 'Default Computer' being left in the policy by the admin who set it up.  Someone had 'unchecked' all settings in 'Default Computer' which ended up deleting quite a few registry keys, 4 of them being the common folder locations, %AllUserProfile%/Start Menu/ .../Programs .../Startup and one other I can't remember right now.

Key lesson learned:

NT4 Policy application overwrites registry entries and, unless you have a backup of original keys and values, there is NO WAY to undo an applied policy to get back to the original state.  You can go back to defaults if you know them, but you can't get back any custom settings unless they were documented beforehand.

I guess this is why GP's didn't get popular til Active Directory.
Well, if you know what you (and the policies ...) are doing, and are careful about it, they're pretty useful. Just don't use the Default User or the Default Computer unless there's no other way or it's a safe setting. The most bothersome thing about the NT4 system policies is that you can't group computers, so if you need computer settings, you either have to use the Default Computer or have all the machines listed ...
Anyway, the best way to get the hang of system/group policies is to create your own .adm template (which should of course be tested with a separate policy file ...)
Search for "remote update" on how to change the setting on a test machine to point to another file than ntconfig.pol:
Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winntas/maintain/prof_pol.asp
A good topic to start is to disable (set to monthly) Acrobat Reader's "Automatic Update" function, which for whatever reason is set to "monthly" for each user logging on to a machine ...
Oh, and while I'm at it: if you want to look further into creating your own templates, I have something you could use to make the W2k system.adm available in your NT4 poledit; if you still have NT4 clients, you could, as described above, create separate policies for each computer type.
If you want to use the W2k system.adm in NT4 poledit (maybe you've tried it before), there are some problems involved; the new .adm files are Unicode, which might make the NT4 poledit crash. Saving them as ANSI isn't enough either, you'd find that you don't have access to the policies, as Microsoft introduced some new features like "explain" and "clientext", so the W2k part is disabled.
You can use the batch below to clean the adm files from the "explain" entries (this involves heavy file handling/copying, so better don't run it over the network ...). Give it the (path and) name of the .adm file to be cleaned as argument; it will create a file in the same directory as the original with the same name and "-nt" added.
Once those entries are removed, you have to get rid of the poledit version check (the "#if version" ... "#endif" business) and all policies containing "clientext". Remove any other policies poledit might complain about.
As usual: No warranties included, use it at your own risk, test it before you apply it in earnest ...

====8<----[CleanAdm.cmd]----
@echo off
setlocal
set AdmEditor=notepad
rem Without an argument there is nothing to do.
if %1.==. goto leave
set AdmFile=%~1
set OutFile=%~dpn1-nt.adm
set ExpFile=%~dpn0.exp
set TmpFile=%~dpn0.tmp

set Explain=
copy "%AdmFile%" "%TmpFile%" >NUL
rem Start with an empty list; the for loop below appends to it.
if exist "%ExpFile%" del "%ExpFile%"
rem Collect the string names referenced by "EXPLAIN !!name" lines.
for /f "tokens=2 eol= delims=!" %%a in ('type "%AdmFile%" ^| find /i "explain !!"') do (echo %%a)>>"%ExpFile%"
sort "%ExpFile%" /o "%ExpFile%"
for /f %%a in ('type "%ExpFile%"') do call :process %%a
goto finish

:process
rem The list is sorted, so a repeated name can be skipped.
if .%1.==.%Explain%. goto :eof
set Explain=%1
echo Removing "%Explain%" entries ...
rem Drop every line that mentions the name (the EXPLAIN line and its string).
type "%TmpFile%" | find /i /v "%Explain%" >"%OutFile%"
copy "%OutFile%" "%TmpFile%" >NUL
goto :eof

:finish
del "%TmpFile%"
del "%ExpFile%"
echo Done.
echo The generated file is %OutFile%.
echo Steps remaining:
echo At the beginning of the file, remove the complete section beginning with
echo (and including) "#if version ^<= 2" until "#if version ^>= 3".
echo In the line above the [strings] section, remove the "#endif" line that
echo closed the "#if version ^>= 3" if-bracket.
echo.
echo Remove or comment out any policies that contain "CLIENTEXT".
echo.
echo Press any key to edit the file now, or ^<Ctrl-C^> to finish.
pause >NUL
%AdmEditor% "%OutFile%"
:leave
====8<----[CleanAdm.cmd]----
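
The manual steps the batch lists at the end (removing the version check and every policy that contains CLIENTEXT), as an added Python example that is not part of oBdA's post. It assumes the file layout the post describes, treats the "#if version >= 3" line itself as part of the section to remove, and expects the "-nt" file to be saved as ANSI and read into a string; `strip_w2k_features` and the sample text are constructed for illustration.

```python
import re

def strip_w2k_features(text):  # hypothetical helper, not from the post
    """Return (cleaned text, names of POLICY blocks dropped for CLIENTEXT)."""
    lines = text.splitlines()
    cut = next((i for i, l in enumerate(lines) if l.strip().lower() == '[strings]'), len(lines))
    out, dropped, policy, skip_old, bracket = [], [], None, False, False
    for line in lines[:cut]:                 # the [strings] table is kept as is
        s = line.strip()
        skip_old = skip_old or bool(re.match(r'#if\s+version\s*<=\s*2', s, re.I))
        if skip_old:                         # section meant for old poledit versions
            if re.match(r'#if\s+version\s*>=\s*3', s, re.I):
                skip_old, bracket = False, True
            continue
        if policy is None and re.match(r'POLICY\b', s, re.I):
            policy = []                      # start buffering one POLICY block
        if policy is None:
            out.append(line)
            continue
        policy.append(line)
        if re.match(r'END\s+POLICY\b', s, re.I):
            if any(re.match(r'\s*CLIENTEXT\b', p, re.I) for p in policy):
                dropped.append(policy[0].split(None, 1)[1])
            else:
                out.extend(policy)
            policy = None
    out.extend(policy or [])                 # keep an unterminated block visible
    ends = [i for i, l in enumerate(out) if l.strip().lower() == '#endif']
    if bracket and ends:                     # the #endif just above [strings]
        del out[ends[-1]]
    return '\n'.join(out + lines[cut:]) + '\n', dropped

# Constructed sample in the layout the post describes, not a real system.adm.
SAMPLE = """#if version <= 2
CLASS USER
#endif
#if version >= 3
CLASS MACHINE
CATEGORY !!Demo
  POLICY !!KeepMe
    VALUENAME "Keep"
  END POLICY
  POLICY !!DropMe
    CLIENTEXT {00000000-0000-0000-0000-000000000000}
  END POLICY
END CATEGORY
#endif
[strings]
Demo="Demo"
"""
```

Check the returned list of dropped policy names before loading the result in poledit, so that a setting you rely on does not disappear unnoticed.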