User Reg Keys and User Policy "interval"


Gerry Hickman

Hi,

I've had group policies set up for some time and in general it all works as
expected with the built-in policies, however I set up a policy to change an
HKCU registry setting today and it's not working as expected! It works the
first ever time they log in after the policy has been changed, but not after
that.

As I understand it, the "interval" should not be an issue here, because
policies are supposed to be refreshed EVERY time they log in?

The setting I'm working with is the one that defaults the logoff dialog "Log
Off", "Restart", "Shutdown" and I can see the GP editor has correctly
created a Registry.pol file on the DC. The first ever time I logged in as
the test user, I notice the setting had been correctly changed, I logged
off, then on, and it doesn't work. I then changed the Group Policy, and it
worked straight away, but only once!

The DCs are Win2k3 and the clients are Win2k.
 

See tip 10101 » Internet Explorer Maintenance Group Policies do NOT apply during subsequent logons to Windows 2000 client computers? 30-Jan-06
in the 'Tips & Tricks' at http://www.jsifaq.com

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
 
Hi Jerold,

Thanks for the tip. I'm sure the problem is related to the GP version
number, but this raises more questions than it answers:

1. I'm not having trouble with the Internet Explorer settings as such, so
there's not much point setting the machine policy that tells them to apply
even if they haven't changed (although it might be worth trying that
anyway).

2. Your tips imply that group policies will never be applied a second time
unless the Administrator keeps editing them (thereby forcing the version
number to update). The whole idea of Group Policy is that it's supposed to
"enforce" settings, so if the user changes something, the policy is supposed
to revert at next logon. If this doesn't work, it doesn't make any sense to
me?

If I ask the question in a different way, can anyone tell me how to do this
simple task:-

I want to set up my user environments so the user will see "Log Off" as the
default on their screens every time they choose "Start : Shutdown". I have
an ADM file that achieves this the first ever time I apply the group policy,
but the policy is ignored on subsequent user logons.

Thanks again for all the help!

--
Gerry Hickman


 
Hi,

I think I found the answer, there's a machine policy defined in SYSTEM.ADM
just above the IE maintenance policy that has an option to apply registry
policy even if it hasn't changed. I don't want to actually set machine
policies on my network, but I guess I can create the registry key at

HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
ValueName: NoGPOListChanges
Value 0

on all machines. Grr, what a hassle.

--
Gerry Hickman
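
To confirm whether a GPO really carries the value named in the post above, the machine-side Registry.pol can be parsed directly. This is an added example, not part of the original thread: the function names and the sample bytes are constructed for illustration, and the layout assumed is the PReg version 1 format (`[key;value;type;size;data]` records in UTF-16LE after an 8-byte header).

```python
import struct

# Key and value name exactly as quoted in the thread.
CSE_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
VALUE, REG_DWORD = "NoGPOListChanges", 4

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while buf[end:end + 2] != b"\0\0":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _skip(buf, pos, ch):
    """Consume one UTF-16LE delimiter character or fail."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_registry_pol(buf):
    """Return [(key, value, type, data)] from a PReg version 1 file."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _wstr(buf, _skip(buf, pos, "["))
        value, pos = _wstr(buf, _skip(buf, pos, ";"))
        pos = _skip(buf, pos, ";")
        rtype, = struct.unpack_from("<I", buf, pos)
        pos = _skip(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _skip(buf, pos + 4, ";")
        entries.append((key, value, rtype, buf[pos:pos + size]))
        pos = _skip(buf, pos + size, "]")
    return entries

def forces_reprocessing(buf):
    """True if the file sets NoGPOListChanges to DWORD 0 for the registry extension."""
    for key, value, rtype, data in parse_registry_pol(buf):
        if (key.lower(), value.lower()) == (CSE_KEY.lower(), VALUE.lower()):
            return rtype == REG_DWORD and data == struct.pack("<I", 0)
    return False

def sample_pol(dword):
    """Constructed sample: PReg header plus one REG_DWORD entry for the key above."""
    text = ("[" + CSE_KEY + "\0;" + VALUE + "\0;").encode("utf-16-le")
    tail = struct.pack("<I2sI2sI2s", REG_DWORD, b";\0", 4, b";\0", dword, b"]\0")
    return b"PReg" + struct.pack("<I", 1) + text + tail
```

On a real file, pass the bytes of the GPO's machine Registry.pol to `forces_reprocessing`; a `False` result means clients will skip registry policy when the GPO version is unchanged.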

 
Gerry-
First off, it's not clear to me why your setting is being "ignored". Once a
setting is made, it isn't un-made unless the user unmakes or unless it no
longer applies (or is explicitly removed in the case of preferences). It is
true that policy will not process unless a GPO has changed, but this should
not prevent the previously applied policy from being in effect. I suspect
that something else is going wrong here.

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
And, the Windows Group Policy Guide is out from Microsoft Press!!! Check it
out at http://www.microsoft.com/mspress/books/8763.asp
GPOGUY Blog: http://blogs.dirteam.com/blogs/gpoguy



 
Hi Darren,

I think Jerold was on the right track (see above).

The problem stems from setting things that the user can change. Here are
two contrasting examples:

1. If you set a policy to prevent a user changing their home page, it
will work perfectly for months/years, even if it's not actually
"applied" at each logon - it's locked down, so once the policy is set,
it only needs applied once.

2. If you set a user's "shutdown" dialog to default to "logoff" it will
work the first ever time they log in, but if they change it back to
"shutdown" then go home and log in the next day, the policy _won't_ be
re-applied!!

It's a bit like the "Maintenance" vs "Preferences" modes of IE; the
maintenance is locked down, but the preferences are merely defaults that
they can change.

My understanding is therefore that Group Policy is not well suited to
forcing default preferences that are enforced at each logon?

To answer your question, my setting is not being "ignored", it's being
applied perfectly, but ONLY the first time they log in. Next time they
log in, it's ignored because the policy version number has not been
incremented!

Maybe there's an easy answer or a better way to achieve what I want to do?
 
Gerry-
What exactly is the policy that you are setting? Is it a MS policy or one
that you've created a custom .ADM for? You could certainly use the option
under Computer Config.\Admin Templates\System\Group Policy\Registry Policy
Processing to always process even if the GPO has not changed, but I'm
curious what the setting actually is that the user can override it each
time. That doesn't sound like a policy but rather a "preference" (in the
registry policy sense, not the IE maintenance sense).

Darren

--
Darren Mar-Elia
 
Have you considered using the following:

Computer Configuration\Admin Templates\System\Group Policy

"Registry policy processing key" which has the option "Process even if the
Group Policy objects have not changed"

This may help achieve the result you are looking for
 
Hi Dave,

Yes, this looks like the official solution.

I used to think User policies were applied every time the user logged on,
even if the GPO had not been updated, it seems this is not the case.
 
Hi,

In the end, I decided to change the strategy.

Instead of changing machine policy defaults to force user policies to be
applied at logon even if they haven't changed, I decided to use logon
scripts to manage HKCU instead, which seems much better as it now does
it at every logon, but I don't need (or want) an "interval". It also
means I don't need ADM files or have to "reverse" HKCU policies when I
decide they're no longer needed (to get rid of Registry.pol)
 