Local Computer Policies apply, then change back

Gabe Knuth

Hello,

I hope this is the right place to post this question. My apologies if
it is not.

My system: 2 Win2k/Citrix MetaFrame Terminal Servers, Novell Client32
4.90, Win2k SP4, NT4 domain.

I'm trying to work around the addition of the "Do not check for user
ownership of Roaming Profile Folders" policy in Win2k SP4 by enabling
this new policy in the Local Computer Policy. It has caused quite a
bit of grief among the users of this server. My problem is that, at
some random (as far as I can tell) time after setting the policy, the
changes are wiped clean. It does this on both of the servers.

The only events that I can see in the log are fairly typical:

Source: Userenv
Type: Error
EventID: 1000
Description: The Group Policy client-side extension Scripts was passed
flags (16) and returned a failure status code of (3).

Sometimes, the flags number is 17 and the status code is 2.

Also, if I make a change to the policy again I also get another entry
in the System Log:

Source: SceCli
Type: Information
EventID: 1704
Description: Security policy in the Group policy objects are applied
successfully.

If anyone can help, I'd really appreciate it. I've seen a few threads
like this, but nobody has posted an actual fix.

Thanks in advance,
Gabe
 
David Everett [MSFT]

Hi Gabe,

If I understand correctly the "Do not check for user ownership of Roaming
Profile Folders" policy does not remain Enabled in gpedit.msc, is this
correct?

Do you find that this policy is set to Disabled or Not Configured in
gpedit.msc when this happens? If it shows as Enabled in gpedit.msc do you
find that it is still applied in the CompatibleRUPSecurity registry value
under HKLM\Software\Policies\Microsoft\Windows\System? This value should be
set to 1.

If you expand HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon do
you have a REG_DWORD value called CompatibleRUPSecurity set to anything
other than 1? If you do then delete this value and reboot and allow the
policy to manage this.

NOTE: You could use this setting instead of the policy if you wish.

I understand this was supposed to be fixed in Novell Client 32 4.83 SP3 but
have you verified this problem continues to occur once Novell 4.90 is
removed from the server?

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10074402.htm

Are you using ZEN Works 3.2 in the environment?

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10086908.htm

Is it possible a registry change is being deployed with ZEN Works?

If you open gpedit.msc is there a Startup or Logon script defined in the
local policy that might have an incorrect registry value being applied to
the server?

Have you tried Enabling Object and Policy Auditing for Success against the
HKLM\Software\Policies\Microsoft\Windows\System key?
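
An added example, not part of the thread: a Python check of the two CompatibleRUPSecurity locations named in the reply above, run over registry exports so that a snapshot taken after the setting is wiped can be compared with a good one. The sample exports are constructed, and the function names `read_dword` and `check` are hypothetical.

```python
import re

# Key paths and value name as given in the reply above.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUE = "CompatibleRUPSecurity"

# Constructed sample exports (.reg text format), not taken from a real server.
GOOD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001
'''
WIPED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CompatibleRUPSecurity"=dword:00000000
'''

def read_dword(reg_text, key, value):
    # Return the DWORD stored under the given key and value name, or None
    # when it is absent. Registry key and value names are case-insensitive.
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).lower()
            continue
        entry = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if entry and current == key.lower() and entry.group(1).lower() == value.lower():
            return int(entry.group(2), 16)
    return None

def check(reg_text):
    # Apply the two checks from the reply; an empty list means both pass.
    findings = []
    policy = read_dword(reg_text, POLICY_KEY, VALUE)
    winlogon = read_dword(reg_text, WINLOGON_KEY, VALUE)
    if policy != 1:
        findings.append(f"policy value is {policy!r}, expected 1")
    if winlogon is not None and winlogon != 1:
        findings.append(f"Winlogon value is {winlogon}, delete it and let the policy manage the setting")
    return findings

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("wiped", WIPED)):
        print(name, check(text) or "OK")
```

A file written by regedit in the Version 5.00 format is UTF-16, so open it with `encoding="utf-16"` before passing its text to `check()`.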
 
