Local GPO not applied

Jan Israelsson

Hi,
I'm trying to change the ScreenSaveTimeOut value by replacing
"%SYSTEMROOT%\System32\GroupPolicy\User\Registry.pol" with a new file
and after this I use gpupdate (have tried /force as well) to apply the
change. However the change does not apply to all users, it only
applies to the local administrator account. When opening gpedit it
looks just fine, but somehow the policy change seems to be ignored for
all other users. The only way to apply the change is to open gpedit
and open some parameter (it does not matter which) and clicking OK
(without making any change!) and this does the trick! However this is
no option since I would like to deploy this change to a large number
of computers. Does anyone know why this happens and how I can make it
work? All computers are running WinXP.

Please advise.
Regards Jan Israelsson.
 
Mike Aubert

Hi Jan,

The reason it works after you open the local policy object and edit one of
the policies (even if you change the setting and then change it back to the
way it was before clicking OK) is the Version number in
%SYSTEMROOT%\System32\GroupPolicy\gpt.ini is incremented.

When you run gpupdate /force I'm assuming you only run it when logged on as
the administrator? Running gpupdate updates the policy for the local
computer and the currently logged on user - but no other users. The /force
switch indicates that all the group policy objects should be applied - even
if the version number has not changed.

In any event, editing the local GPO like that is not recommended (I'm
assuming you're not running Active Directory). A much better solution is to
use System Policy - or at least a .reg file with the necessary changes - if
you don't have Active Directory. What type of network operating system are
you running? NT 4.0? Novell?



------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Jan Israelsson

Hi Mike,
Yes, I'm running gpupdate when logged on as administrator (I have a
kix script that performs a number of things and the new registry.pol
is one of them). No, we do not have AD yet, still running NT4 as
network OS (All clients WinXP however). The reason for doing this is
that we have deployed a client (WinXP based, DriveImage) to all
computers and the only thing controlled by GPO is the screen saver and
now we would like to change the timeout value in a simple way. The way
I understand it I now have 3 options (if I understand this correctly),
and they are:
1. Increment the version number in gpt.ini (by script of course, if it
would work?).
2. Loop through user hives and change the
"\Software\Policies\Microsoft\Windows\Control Panel\ScreenSaveTimeOut"
value to the same as in the new registry.pol (unless this causes other
problems?) This would be easy as this loop exists in the script
already for some other registry changes and I would only have to add
this one.
3. System Policy, but I'm not sure how to go about it (policy
beginner), but the system policies however "tattoo" the registry I
think and that makes this alternative less attractive.

Maybe another option would be to add a "gpupdate /force" to RunOnce
for the users of the computers?

Am I on the wrong track here or could any of these options work?

Please advise.
Regards Jan Israelsson.
 
Mike Aubert

All three options should work, but the second or third are the way to go.
Either option is going to "tattoo" the registry - so using a script or
system policies is up to you.

Here is some more info on system policies:
http://www.jsiinc.com/SUBF/TIP2700/rh2786.htm
http://www.jsiinc.com/SUBE/tip2200/rh2296.htm

Mike

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.
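
Added example, not part of the thread and not code from either poster: option 1 above (incrementing the version number in gpt.ini by script) sketched in Python. It relies on the gpt.ini layout in which the upper 16 bits of Version count user-policy revisions and the lower 16 bits computer-policy revisions; the sample file contents and all function names are constructed for illustration.

```python
import re

# Constructed sample of a local GPO gpt.ini; values are illustrative only.
SAMPLE_GPT_INI = (
    "[General]\r\n"
    "gPCFunctionalityVersion=2\r\n"
    "Version=196610\r\n"
)

# Match only the "Version=" line, not "gPCFunctionalityVersion=".
_VERSION_RE = re.compile(r"^(Version[ \t]*=[ \t]*)(\d+)(?=[ \t]*\r?$)",
                         re.IGNORECASE | re.MULTILINE)


def split_version(version):
    """Return (user_revision, computer_revision) from a gpt.ini Version value."""
    return version >> 16, version & 0xFFFF


def bump_user_version(ini_text):
    """Return ini_text with the user half of Version incremented by one."""
    match = _VERSION_RE.search(ini_text)
    if match is None:
        raise ValueError("no Version= line found in gpt.ini text")
    user, computer = split_version(int(match.group(2)))
    if user >= 0xFFFF:
        raise ValueError("user revision would overflow 16 bits")
    # A user-side change adds 65536, not 1; adding 1 would mark the
    # computer half as changed and leave the user half untouched.
    new_value = ((user + 1) << 16) | computer
    return ini_text[:match.start(2)] + str(new_value) + ini_text[match.end(2):]


def bump_file(path):
    """Rewrite a gpt.ini in place; newline='' preserves the CRLF line endings."""
    with open(path, "r", newline="") as fh:
        text = fh.read()
    with open(path, "w", newline="") as fh:
        fh.write(bump_user_version(text))


if __name__ == "__main__":
    print(split_version(196610))
    print(bump_user_version(SAMPLE_GPT_INI))
```
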
 
