| Title: | Windows NT |
| Notice: | See note 15.0 for HCL location |
| Moderator: | TARKIN::LIN�.com::FOLEY |
| Created: | Thu Oct 31 1991 |
| Last Modified: | Fri Jun 06 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 6086 |
| Total number of notes: | 31449 |
Hello,
A customer has the following query, Can anybody help?
Regards,
John Kilroy.
The situation is this :
He has installed 3 servers running NT 4.0.
There is a Primary Domain Caontoller & 2 Backup Domain Controllers.
He has 45 NT 4.0 workstations. Both the Servers and workstations
are running service Pack 2. He put a roaming profile on the PDC so
that everyone who logs on to the servers will get the same desktop
icons. This works fine.
His main problem is that the policies do not seem to work.
He wants to stop the user editing the registry on the local workstation
among other things. He set the files system on workstations (NTFS) to
read only.
This causes many problems.
1. The users cannot save a default printer, so they cannot print.
2. The 32 bit applications need to write to the registry and because
the file system is set to read only they can't write any info in the
registry. Therefore some applications won't work.
3. This is all controlled by the policy which is pulled from the PDC.
He can't find any way to remove a policy once it has been implemented.
Is there a way of removing an active policy ?
He feels he may have set the registry to read only in the original
policy and cannot deactivate it.
He needs to be able to set the registry so that applications can write
to it but users cannot edit it, How is this possible ?
| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 5741.1 | Prepare to Reinstall | CSC32::K_MEADOWS | Tue Feb 25 1997 06:52 | 24 | |
The v4.0 policy stuff is not as straight forward as the readings might
have you believe.
Prepare your customer for reinstalling if they have made too many
willy-nilly changes - especially editing registry permissions!
The way policies are supposed to work - ntconfig.pol is merged with the
users profile into hkey_current_user at logon. ntconfig.pol comes from
the domain where the account is. removing the restrictive one should
restore back to "default" of none - but it also may write the changes
to the profile.
The local administrator and domain admin users should still be able to
access the registry on the clients if they did indeed edit the registry
permissions but if there were major changes made I'd reinstall.
>He needs to be able to set the registry so that applications can write
> to it but users cannot edit it, How is this possible ?
There is a setting to disable registry edits in the Policy
- its is usually better to restrict the use of the .exe than change
permissions on the data.
Have your customer set up a TEST environment and play there - it won't
be so painful.
| |||||
| 5741.2 | exit | SIOG::KILROY | Thu Feb 27 1997 04:59 | 27 | |
Hello again,
Thanks for your help.
I passed on your advise to the customer and he tried
the following:
He removed the NTCONFIG.POL file from the server and
workstation and the policy appears to remain active.
He installed a Back Domain Controller and promoted it
to be the Primary Domain Controller. This should overwrite
an existing policy with a valid untouched policy but this
does not appear to have happened.
Does he need to reinstall the workstations & servers ?
Is there any information on the policy editor, particularly
the registry editing section I would appreciate a copy if you
have any.
Regards,
John Kilroy.
| |||||
| 5741.3 | CSC32::K_MEADOWS | Thu Feb 27 1997 05:27 | 18 | ||
Check the resource kit for information on policies. If your
customer continues to have problems (and they have a support
contract or a credit card) have them call the CSC - we have the machines
to test this and with a call logged, the time AND the people
that can call Microsoft for a clarification if needed.
Now, if the policy is "still in effect" then it was merged
with the profile and written when the user logged out.
So, with your current config (no ntconfig.pol) logon a new user to
verify that a new user does not have the restrictions.
If so, you may be "saved" by deleting profiles.
but there is that little matter of registry permissions that
were changed so depending on the state of the domain
(production vs. test) reinstalling might be the best idea so you
start at a known place.
karen
| |||||