User Config \ Windows Settings Missing Extensions

Al

I'm running XP Pro SP1.
I installed the 2003 Server Adminpak.
I installed GPMC.
Under User Config \ Windows Settings I only see Remote
Installation Services.
I am missing Folder Redirection, Security Settings and
Scripts.
I can see the missing extensions from a coworker's
workstation but not mine.

Can anyone help with this? How can I correct this?
 
David Everett [MSFT]

If your co-worker logs onto your machine can he see everything on the same
policy?

If you uninstall GPMC from your workstation and view the Group Policy using
dsa.msc from your workstation can you see everything?
 
Al

Okay, my co-worker logged in and he also cannot see the
missing extensions.
I uninstalled GPMC and used DSA with the same results
(extensions missing).

Any ideas? Thanks David!
 
David Everett [MSFT]

Open GPMC.msc on your co-worker's machine and right click the domain, select
Change Domain Controller and verify the "Current domain controller" listed
is the PDC Emulator. If it is a different DC, reinstall GPMC on your
workstation and focus GPMC on the same DC. Verify the extensions are
present. If they are all there then check the FRS event log on the PDC
Emulator and its inbound replication partner and see if it is getting
errors.
 
Al

Okay, I verified the DC via my co-worker's GPMC and it is
the PDC Emulator.
I reinstalled GPMC on my box and verified that it is
using the same DC.
I still cannot see the Extensions.
I only have delegated rights to our OU and not the DC so
I don't have direct access to the FRS event log. If you
think that is my next step, I can try requesting an
export of the log. Hopefully our domain admins will help.
Should I ask for it or focus on something else?

Thanks again.
 
David Everett [MSFT]

So far it sounds like it is isolated to your workstation.

You stated you can see the extensions from your co-worker's machine. When
you do this I'm under the assumption you are logging him off and then
logging on with your own credentials.

If you go to any other machine do you have this problem? I was able to hide
these by adding a Restrict_Run value to some extensions in my registry.
Open the registry on your machine and go to
HKEY_CURRENT_USER\Software\Policies\Microsoft. See if you have a "mmc" key
defined with the following subkeys:

{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}
{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}
{FC715823-C5FB-11D1-9EEF-00A0C90347FF}
{40B66650-4972-11D1-A7CA-0000F87571E3}

If these CLSIDs are listed and a Restrict_Run REG_DWORD value is set to 1
then these have been disabled in your profile.

If this restriction does not follow your user account to other machines, and
users who are not restricted on their machine get restricted on your machine
you might check gpresult output to see if this is being applied to your
computer. Otherwise, see if these entries were placed into the ntuser.dat
of the Default User profile.
 
David Everett [MSFT]

Here is an article discussing what CLSID belongs to which extension.

271135 Windows 2000 Microsoft Management Console and Snap-in Restrictions
http://support.microsoft.com/?id=271135
--
David Everett
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Al

The problem is on my machine and yes, I logged on to my
co-worker's machine and was able to view the extensions.
Under: HKEY_CURRENT_USER\Software\Policies\Microsoft
I do not see a key for MMC (neither does co-worker box).
I searched the whole registry for "restrict_run" with no
hits.
I also searched the extension strings that I am missing
and do get hits but none have restrict values set.
I ran gpresult from mine and my co-worker's machines,
compared the results and they all match up.
I don't know how to view the contents of the default
user-ntuser.dat file, but in searching the registry I didn't
see any restrictions.
If there is a way I can view the contents of the Dat file
I'd be willing to try it. Anything else I can try?
Thanks
 
David Everett [MSFT]

Hi Al,

Before trying to load ntuser.dat from the default user profile you might
want to check permissions on the following registry keys. Let's see if there
is a system-wide setting that might be causing this.

If you are a member of a particular Global Group in the domain that has
Delegated rights, find out if that group is listed in the Administrators
group (or some other local admin type group) of your co-worker's machine but
not listed on yours.

I altered Permissions on the
HKLM\SOFTWARE\Classes\CLSID\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B} (Security
Settings) key and it did not display in the snap-in.

If your delegated group is listed in the correct local group, verify
permissions on both keys for each extension are the same and that you have
Full Control to these:

NOTE: The keys under HKEY_LOCAL_MACHINE (HKLM) should have the "Allow
inheritable permissions from parent to propagate to this object" checked and
the following permissions assigned. HKEY_CLASSES_ROOT (HKCR) will inherit
its permissions from HKLM as long as HKEY_CLASSES_ROOT has "Allow
inheritable permissions from parent to propagate to this object" checked.

Administrators = Full
Authenticated Users = Read
Creator Owner = Not Defined
Everyone = Read
Server Operators = Read
System = Full

Verify HKEY_CLASSES_ROOT has "Allow inheritable permissions from parent to
propagate to this object" checked.

Scripts (Logon/Logoff)
HKCR\CLSID\{40B66650-4972-11D1-A7CA-0000F87571E3}
HKLM\SOFTWARE\Classes\CLSID\{40B66650-4972-11D1-A7CA-0000F87571E3}

Security Settings
HKLM\SOFTWARE\Classes\CLSID\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}
HKCR\CLSID\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}

Folder Redirection
HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}
HKLM\SOFTWARE\Classes\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}

Software Installation (User)
HKLM\SOFTWARE\Classes\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}
HKCR\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}
 
David Everett [MSFT]

If permissions are incorrect on the HKLM keys and you make a change to them,
make sure to select the Advanced Security option of "Replace permission
entries on all child objects with entries shown here that apply to child
objects".
--
David Everett
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Al

Hi David,

My registry didn't match yours in that I didn't see the
CLSID key under either of the paths you mentioned. I
built myself a new workstation and it's working there, so
I gave up and re-imaged the "bad" workstation.

I do appreciate your efforts though! I just couldn't
spend more time on it.

Thanks again.
 
David Everett [MSFT]

Glad to help.

A rebuild is probably the best thing. If you did not have a CLSID then
these errors were probably just the beginning of things to come.

Just as a test I deleted
HKLM\SOFTWARE\Classes\CLSID\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B} and
Security Settings were not present in group policies. This would apply to
all users logging onto the system.
--
David Everett
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

 
Jetro

It happened recently with my systems and the quick fix was to re-register
the .dlls responsible for those extensions, i.e.

regsvr32 wsecedit.dll gptext.dll fde.dll appmgr.dll

BTW, re-registering appmgr.dll removed the huge hole in the
Add/RemovePrograms list.
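
The checks suggested across this thread (a Restrict_Run value under the MMC policy key, whether the extension's CLSID key exists under HKLM\SOFTWARE\Classes\CLSID, and that key's ACL and inheritance) can be collected in one pass. The PowerShell below is an added example, not part of any post in the thread; the function name, the `DefUser` mount name and the InprocServer32 lookup are assumptions.

```powershell
# Added example, not from the thread. CLSIDs and names are the ones quoted in
# the posts; the last CLSID appears only in the Restrict_Run list, unnamed.
$Extensions = [ordered]@{
    '{40B66650-4972-11D1-A7CA-0000F87571E3}' = 'Scripts (Logon/Logoff)'
    '{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}' = 'Security Settings'
    '{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}' = 'Folder Redirection'
    '{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}' = 'Software Installation (User)'
    '{FC715823-C5FB-11D1-9EEF-00A0C90347FF}' = '(not named in the thread)'
}

function Test-GpoEditorExtension {
    param(
        # Hive that holds the MMC policy. For the Default User profile, mount its
        # ntuser.dat first with "reg load HKU\DefUser <path to ntuser.dat>"
        # (DefUser is a hypothetical mount name) and pass 'HKEY_USERS\DefUser'.
        [string]$UserRoot = 'HKEY_CURRENT_USER'
    )
    foreach ($clsid in $Extensions.Keys) {
        $policyKey = "Registry::$UserRoot\Software\Policies\Microsoft\MMC\$clsid"
        $classKey  = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid"
        # Check 1: Restrict_Run = 1 hides the extension for this profile.
        $restrict = $null
        $p = Get-ItemProperty -LiteralPath $policyKey -Name Restrict_Run -ErrorAction SilentlyContinue
        if ($p) { $restrict = $p.Restrict_Run }
        # Check 2: the machine-wide COM registration; if it is missing, the
        # extension is hidden for every user who logs on to this machine.
        $registered = Test-Path -LiteralPath $classKey
        $server = $null; $inherits = $null; $acl = $null
        if ($registered) {
            # Assumption: the snap-in DLL is recorded under InprocServer32.
            $s = Get-ItemProperty -LiteralPath "$classKey\InprocServer32" -ErrorAction SilentlyContinue
            if ($s) { $server = $s.'(default)' }
            # Check 3: ACL entries and whether inheritance from the parent is on.
            try {
                $sd = Get-Acl -LiteralPath $classKey -ErrorAction Stop
                $inherits = -not $sd.AreAccessRulesProtected
                $acl = ($sd.Access | ForEach-Object {
                    "$($_.AccessControlType) $($_.IdentityReference)=$($_.RegistryRights)"
                }) -join '; '
            } catch {
                $acl = "unreadable: $($_.Exception.Message)"
            }
        }

        $finding = if (-not $registered) {
            'CLSID key missing or not visible to this account'
        } elseif ($restrict -eq 1) {
            'Hidden by Restrict_Run policy'
        } elseif ($inherits -eq $false) {
            'Inheritance disabled; compare ACL with a working machine'
        } else {
            'No problem found by these checks'
        }
        [pscustomobject]@{
            Extension = $Extensions[$clsid]; Clsid = $clsid; Finding = $finding
            Restrict_Run = $restrict; Registered = $registered; Server = $server
            InheritsAcl = $inherits; Acl = $acl
        }
    }
}

Test-GpoEditorExtension | Format-List
```

Running it on both the affected and a working workstation and comparing the output shows which of the three conditions differs; a missing CLSID key is the case that re-registering the DLLs addresses.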
 
