Solved

Problems with NT4 Domain Group Policy Applied to Win2k Pro machines

Posted on 2003-11-07
Last Modified: 2007-12-19
On my NT4 domain, I've just put a group policy created with Poledit on the domain controller.  Now I'm finding seemingly random users have lost all of their start menu icons.  It appears that any icons in the all users directory don't show up anymore.  Also, when you right click on Start Menu, you no longer have the option to 'Open All Users'

The policy defined contained the following:

Default User - Nothing defined
Default Computer - Nothing defined
SomeSpecificUser - Horribly restricted

The restrictions for SomeSpecificUser worked properly, but I can't determine why these seemingly unrelated changes are taking place on a random selection of users.
Question by:benhanson

Expert Comment

by:Netman66
If SomeSpecificUser logs on to any other workstation he, in fact, is "tattooing" the registry on those machines.

Does he log on to other machines?

Accepted Solution

by:oBdA (earned 500 total points)
It's not the "fault" of SomeSpecificUser. User settings influence only the HKCU registry part.
I suspect a corrupt ntconfig.pol file or some leftovers of testing while developing the policy.
I'd recommend recreating the ntconfig.pol from scratch. Instead of applying it to a specific user, create a global group (for example "GPolRestricted"), apply the policy to this group, make the Horribly Restricted Account(s) members of this group.
In addition, create a second group "GAntiPolRestricted" and apply an "Anti" set of policies to it, where you do the opposite of the restriction enabled for the other group (so when a box is checked for "GPolRestricted", uncheck (!) it in "GAntiPolRestricted", and vice versa). Make sure that in the "Group Priority", the "Anti" policy group has priority over the "Restricted" policy group.
That way, if you want to cancel the policy for a user (for testing purposes or whatever), all you have to do is add him to the "Anti" group (I guess you are aware that, unlike the W2k group policies, setting an NT4 policy from "checked" to "grey" does not disable the policy).
As for the users who were unlucky enough to be unintentionally hit by the restriction, there are some possibilities:
Either find out all of the settings that apply to them, create an anti-policy for this, make them members and have them log back on. Once their profile is fixed, remove them from the anti policy group.
The easier way might be to save whatever might be important in their profile (are they using local or roaming profiles?), then delete it. A registry that's been messed up with a policy is pretty hard to fix.
A third way might be to go through the affected users' registries, namely HKCU\Software\Microsoft\Windows\CurrentVersion\Policies and HKCU\Software\Policies and fix the settings directly. You can do this remotely by using regedt32 and loading the user.dat hive from the user's ntuser.dat (preferably while he's not logged on ...).
With this method, it's likely you won't be able to fix all settings, since some of the NT4 policies are not restricted to those hives.
I guess you are still using the NT4 .adm templates?

Author Comment

by:benhanson
I'm accepting oBdA's answer as a well put explanation.  There really is no solution to this one.  Problem stemmed from 'Default User' and 'Default Computer' being left in the policy by the admin who set it up.  Someone had 'unchecked' all settings in 'Default Computer' which ended up deleting quite a few registry keys, 4 of them being the common folder locations, %AllUserProfile%/Start Menu/ .../Programs .../Startup and one other I can't remember right now.

Key lesson learned:

NT4 Policy application overwrites registry entries and, unless you have a backup of original keys and values, there is NO WAY to undo an applied policy to get back to the original state.  You can go back to defaults if you know them, but you can't get back any custom settings unless they were documented beforehand.

I guess this is why GPs didn't get popular until Active Directory.

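The two per-user policy keys named in the accepted answer can be inspected and backed up from an offline profile before anything is changed, which is the backup the "key lesson" above says was missing. This is an added example, not code from either poster; it assumes reg.exe is available (built in from Windows XP on, Support Tools on W2k), that the user is logged off, and the mount name `PolCheck` and the output file names are arbitrary choices.

```bat
@echo off
rem Added example (not from the thread).
rem Usage: BackupPolicyKeys.cmd <path\ntuser.dat> <output-dir>
setlocal
if "%~1"=="" goto usage
if "%~2"=="" goto usage
set Hive=%~1
set OutDir=%~2
rem Temporary mount point under HKEY_USERS; the name is an arbitrary choice.
set Mount=HKU\PolCheck

if not exist "%Hive%" (
  echo Hive "%Hive%" not found.
  goto :eof
)
if not exist "%OutDir%" md "%OutDir%"

reg load %Mount% "%Hive%" >NUL
if errorlevel 1 (
  echo Could not load "%Hive%" - is the user still logged on?
  goto :eof
)

rem The two per-user policy locations named in the accepted answer.
call :backup "Software\Microsoft\Windows\CurrentVersion\Policies" WinPolicies
call :backup "Software\Policies" Policies

rem Always unload, otherwise the profile stays locked.
reg unload %Mount% >NUL
echo Backups written to "%OutDir%".
goto :eof

:backup
rem %1 = subkey below the loaded hive, %2 = base name of the .reg file
reg query "%Mount%\%~1" >NUL 2>&1
if errorlevel 1 (
  echo [absent] %~1
  goto :eof
)
echo [found]  %~1
rem Delete a stale export first so reg export never stops to ask about overwriting.
if exist "%OutDir%\%2.reg" del "%OutDir%\%2.reg"
reg export "%Mount%\%~1" "%OutDir%\%2.reg" >NUL
goto :eof

:usage
echo Usage: %~n0 ^<path to ntuser.dat^> ^<output directory^>
```

The exported .reg files record the key path under the temporary mount name, so re-importing them requires the hive to be loaded under that same name again.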
Expert Comment

by:oBdA
Well, if you know what you (and the policies ...) are doing, and are careful about it, they're pretty useful. Just don't use the Default User or the Default Computer unless there's no other way or it's a safe setting. Most bothering about the NT4 system policies is that you can't group computers, so if you need computer settings, you either have to use the Default Computer or have all the machines listed ...
Anyway, the best way to get the hang of system/group policies is to create your own .adm template (which should of course be tested with a separate policy file ...)
Search for "remote update" on how to change the setting on a test machine to point to another file than ntconfig.pol:
Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winntas/maintain/prof_pol.asp
A good topic to start is to disable (set to monthly) Acrobat Reader's "Automatic Update" function, which for whatever reason is set to "monthly" for each user logging on to a machine ...
Oh, and while I'm at it: if you want to look further into creating your own templates, I have something you could use to make the W2k system.adm available in your NT4 poledit; if you still have NT4 clients, you could, as described above, create separate policies for each computer type.
If you want to use the W2k system.adm in NT4 poledit (maybe you've tried it before), there are some problems involved; the new .adm files are Unicode, which might make the NT4 poledit crash. Saving them as ANSI isn't enough either, you'd find that you don't have access to the policies, as Microsoft introduced some new features like "explain" and "clientext", so the W2k part is disabled.
You can use the batch below to clean the adm files from the "explain" entries (this involves heavy file handling/copying, so better don't run it over the network ...). Give it the (path and) name of the .adm file to be cleaned as argument; it will create a file in the same directory as the original with the same name and "-nt" added.
Once those entries are removed, you have to get rid of the poledit version check (the "#if version" ... "#endif" business) and all policies containing "clientext". Remove any other policies poledit might complain about.
As usual: No warranties included, use it at your own risk, test it before you apply it in earnest ...

====8<----[CleanAdm.cmd]----
@echo off
setlocal
set AdmEditor=notepad
rem No argument given: nothing to do, skip to the end of the script.
if "%~1"=="" goto leave
set AdmFile=%~1
set OutFile=%~dpn1-nt.adm
set ExpFile=%~dpn0.exp
set TmpFile=%~dpn0.tmp

set Explain=
copy "%AdmFile%" "%TmpFile%" >NUL
rem Start with an empty list of "explain" string names.
if exist "%ExpFile%" del "%ExpFile%"
rem Collect the string name that follows each "explain !!" reference.
for /f "tokens=2 eol= delims=!" %%a in ('type "%AdmFile%" ^| find /i "explain !!"') do (echo %%a)>>"%ExpFile%"
rem Sorting lets :process skip consecutive duplicates.
sort "%ExpFile%" /o "%ExpFile%"
for /f %%a in ('type "%ExpFile%"') do call :process %%a
goto finish

:process
rem Same name as in the previous call: already removed.
if .%1.==.%Explain%. goto :eof
set Explain=%1
echo Removing "%Explain%" entries ...
rem Drop every line that mentions this string name, then feed the result back in.
type "%TmpFile%" | find /i /v "%Explain%" >"%OutFile%"
copy "%OutFile%" "%TmpFile%" >NUL
goto :eof

:finish
del "%TmpFile%"
del "%ExpFile%"
echo Done.
echo The generated file is %OutFile%.
echo Steps remaining:
echo At the beginning of the file, remove the complete section beginning with
echo (and including) "#if version ^<= 2" until "#if version ^>= 3".
echo In the line above the [strings] section, remove the "#endif" line that
echo closed the "#if version ^>= 3" if-bracket.
echo.
echo Remove or comment out any policies that contain "CLIENTEXT".
echo.
echo Press any key to edit the file now, or ^<Ctrl-C^> to finish.
pause >NUL
%AdmEditor% "%OutFile%"
:leave
====8<----[CleanAdm.cmd]----