Maybe the information from Microsoft in the link below may be of help in
that it explains how some security option settings can persist in some
cases if they are changed to undefined, which amounts to meaning "no
change". I know this happens when domain password complexity is enabled
and then is set to undefined.
http://technet2.microsoft.com/Windo...3a3a-4b6a-8d65-d8643722b5421033.mspx?mfr=true
What may help is to define those settings to be enabled but blank for
the default domain policy. The policy in question is computer
configuration so the mismatch for user configuration should not matter.
Another possible resolution would be to drill into the sysvol folder
[sysvol path\domain name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit]
for that GPO to the GptTmpl.inf file to see if the registry entries
exist for those two settings, delete those lines after backing up
GptTmpl.inf file first, and then going to the gpt.ini file
[sysvol path\domain name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}]
for that GPO and bumping up the version number, saving the file, and then
doing a gpupdate on that domain controller which ideally would be the
PDC smo. --- Steve
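The check described in the reply above, as an added example that is not part of the thread: it looks in a GptTmpl.inf for the two legal notice entries under [Registry Values] and splits the gpt.ini version number into its user and machine halves. The sample file contents are constructed and the function names are illustrative.

```python
import re

# Constructed sample files, not taken from the thread.
SAMPLE_INF = r'''[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Example caption"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,Example text
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'''
SAMPLE_INI = "[General]\nVersion=65546\n"

NOTICE_VALUES = ("LegalNoticeCaption", "LegalNoticeText")


def find_registry_values(inf_text, names=NOTICE_VALUES):
    """Return {value name: 'type,data'} for matching [Registry Values] lines."""
    wanted = {n.lower() for n in names}
    found, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry values" and "=" in line:
            path, _, data = line.partition("=")
            leaf = path.rsplit("\\", 1)[-1]
            if leaf.lower() in wanted:
                found[leaf] = data
    return found


def split_gpt_version(ini_text):
    """Split gpt.ini Version: user count in the high 16 bits, machine in the low 16."""
    match = re.search(r"^\s*Version\s*=\s*(\d+)\s*$", ini_text, re.I | re.M)
    if match is None:
        raise ValueError("no Version= line in gpt.ini text")
    version = int(match.group(1))
    return {"user": version >> 16, "machine": version & 0xFFFF}


def bumped_version(ini_text):
    """Version number with the machine half raised by one, user half unchanged."""
    parts = split_gpt_version(ini_text)
    return (parts["user"] << 16) | ((parts["machine"] + 1) & 0xFFFF)


if __name__ == "__main__":
    print(find_registry_values(SAMPLE_INF))
    print(split_gpt_version(SAMPLE_INI), bumped_version(SAMPLE_INI))
```

On a real SYSVOL copy, decode the file to text first; GptTmpl.inf is typically saved as UTF-16.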
message I used regview.exe to look at the registry.pol file in
\\<dcname>\sysvol\<domain name>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine
and it has these messages enabled and the text
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System
ValueName: LegalNoticeCaption
ValueType: REG_SZ
Value: Welcome to the Dept of
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System
ValueName: LegalNoticeText
ValueType: REG_SZ
Value: Do not attempt to log on unless you are an authorized user. Use
of this equipment implies agreement to all applicable computer and
security policies. This includes, but is not limited to, blah blah blah
Yet if I edit the Default Domain controllers, these settings are not
enabled!!!!!!!
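What a tool like regview.exe is reading, as an added example that is not part of the thread: a minimal parser for the registry.pol layout (a "PReg" signature, a version of 1, then [key;value;type;size;data] records in UTF-16LE) that reports any LegalNotice values a GPO still carries. The sample bytes are constructed and the function names are illustrative.

```python
import struct

REG_SZ = 1
SYSTEM_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
u16 = lambda text: text.encode("utf-16-le")

def build_entry(key, value, text):  # one constructed REG_SZ record
    data = u16(text + "\0")
    return (u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", REG_SZ)
            + u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))

# Constructed sample file: "PReg" signature, version 1, then three records.
SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)
              + build_entry(SYSTEM_KEY, "LegalNoticeCaption", "Constructed caption")
              + build_entry(SYSTEM_KEY, "LegalNoticeText", "Constructed text")
              + build_entry(r"Software\Policies\Example", "Other", "x"))

def read_wstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, next offset)
    end = pos
    while end < len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def skip(buf, pos, char):
    if buf[pos:pos + 2] != u16(char):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Return (key, value name, type, raw data) for every record in a registry.pol."""
    if len(buf) < 8 or buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = read_wstr(buf, skip(buf, pos, "["))
        value, pos = read_wstr(buf, skip(buf, pos, ";"))
        rtype, = struct.unpack_from("<I", buf, skip(buf, pos, ";"))     # DWORD type
        size, = struct.unpack_from("<I", buf, skip(buf, pos + 6, ";"))  # DWORD size
        pos = skip(buf, pos + 12, ";")                                  # start of data
        entries.append((key, value, rtype, buf[pos:pos + size]))
        pos = skip(buf, pos + size, "]")
    return entries

def legal_notice_settings(buf):
    """Map LegalNotice* value names under the System policy key to their text."""
    return {value: data.decode("utf-16-le").rstrip("\0")
            for key, value, rtype, data in parse_pol(buf)
            if key.lower() == SYSTEM_KEY.lower() and rtype == REG_SZ
            and value.lower().startswith("legalnotice")}
```

Pointing `legal_notice_settings` at the bytes of each GPO's Machine\registry.pol shows which GPO folder still carries the text, independent of what the policy editor displays.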
message GPOTOOL shows a version mismatch on NEW GROUP POLICY OBJECT on the
user side. DS =0 and sysvol = 10
Userenv debugging shows that it appears to be related to the Default
Domain Policy REGISTRY.POL file......
USERENV(78c.9d0) 15:44:00:190 ResetPolicies: Entering.
USERENV(78c.9d0) 15:44:00:190 ParseRegistryFile: Entering with <C:\Documents and Settings\All Users\ntuser.pol>.
<non relevant entries deleted>
USERENV(78c.9d0) 15:44:00:190 DeleteRegistryValue: Deleted Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
USERENV(78c.9d0) 15:44:00:190 DeleteRegistryValue: Deleted Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
<non relevant entries deleted>
USERENV(78c.9d0) 15:44:00:268 ParseRegistryFile: Entering with <\\<domain name>\sysvol\<domain name>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol>.
<non relevant entries deleted>
USERENV(78c.9d0) 15:44:00:283 SetRegistryValue: LegalNoticeCaption => Welcome to the Dept of [OK]
USERENV(78c.9d0) 15:44:00:283 SetRegistryValue: LegalNoticeText => Do not attempt to log on unless you are an authorized user. Use of this equipment implies agreement to all applicable computer and security policies. This includes, but is not limited to blah blah blah [OK]
Interesting. Usually rsop.msc on the client computer or using the mmc
snapin for rsop on a Windows 2003 domain controller in logging/planning
mode will expose any current Group Policies. If possible try joining an
XP Pro computer to the domain that was not created from the image to see
what happens. Though a bit tedious you also could try userenv debug
logging on an XP Pro computer that displays the behavior and run the
command gpupdate /force after enabling the debugging of userenv. Then by
parsing the userenv.log you may be able to find out what is happening.
Another possible explanation is that the client computer has not
successfully refreshed its Group Policy in a while or you have
conflicting versions of the same GPO on different domain controllers.
Running gpresult on a client computer will show the last time that
computer configuration was applied and from what domain controller. The
tool Gpotool will check for problems with Group Policy replication. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 ---
userenv debug logging
http://support.microsoft.com/default.aspx?kbid=835302
message I suspect you are right and this may be an old policy that I removed
incorrectly back when I first started experimenting. HOWEVER.... (isn't
there always a "but"?)
I noticed this policy being applied even on brand new machines that were
set up from a Windows XPSP2 CD based RIS image...The Image was created
from a XPSP2 CD, and I do join the domain in the SIF file.......That
would seem to imply the policy is hiding somewhere, but I can not find it
message
What you could try doing is to configure the setting for the computers
via a domain level Group Policy that applies to those computers and then
enable those settings and leave them blank. Then at next reboot or after
the next Group Policy computer configuration refresh hopefully the user
will no longer see a message. You can find the GUID number that you see
in the registry that corresponds to a Group Policy by checking the
properties of your GPOs or running something like the RK tool Gpotool
that will display GUID and display name of your GPOs. If nothing matched
up then those are most likely old deleted GPOs. For Group Policy
settings other than administrative templates any settings that you want
changed should be done and allowed to propagate before a Group Policy is
deleted or unlinked. --- Steve
message Did that, and according to RSOP.MSC the setting is not applied.
Computer setting is "not applied" and source GPO is blank.........
Tried it on several machines with the same result.
message
If the computer is a member of an Active Directory domain then another
GPO could be enforcing the setting. Run rsop.msc on the computer to
see if it shows that it is being applied by Group Policy and from
which --- Steve
message I recently cleared the group policy Legal notice caption and legal
notice text welcome screens in Group policy > Computer configuration >
Windows settings > Security settings > security options > "Interactive
logon : Message title..." and Message text
The Group policy screen disappeared, but now I have a new legal notice
text screen showing up on boot. I searched the registry and found them at
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\<domain name>{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\<domain name>{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\neurology.swmed.org{6B93F732-AE72-4748-A422-2164D975D42D}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System]
XXXX-xxxxxx... is different in each of the above. These look like old
policies, but I can't find them in GPO, even the old policies that have
been disabled. How can I find where they come from and get rid of them?