
Workaround for Group Policy Restriction Problems

Novell Cool Solutions: Tip
By David Frey


Posted: 31 Aug 2005
 

"David is correct, as the TID he quotes states, this won't be fixed for ZfD4.x (because it required a rewrite of the Group Policy process). This workaround may be useful for ZfD4.x users."
--Shaun Pond, ZENworks Product Specialist

PROBLEM: The solution detailed in TID 10088881 does not work in all situations. "Restricting a user from editing a Group Policy prevents the Administrator from changing the Group Policy at a later time."

Another workaround is as follows:

  1. Create or modify the affected registry keys and their underlying values to allow MMC access and Group Policy editing.
  2. Modify the permissions on those keys to deny the System account permission to change their settings.

Note: only tested with XP-SP2, NC491, ZFD4-IR5

Example

This can, of course, be done via an app object. Email me for a copy of the AOT if you wish.

  1. Use the following reg file to create/modify the keys/values:

    REGEDIT4
    
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}]
    "Restrict_Run"=dword:00000000
    
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23}]
    "Restrict_Run"=dword:00000000


  2. Use the subinacl utility from Microsoft (www.microsoft.com/downloads) to modify permissions for the System account:

    subinacl /noverbose /output=%TEMP%\Subinacl_MMC-1.log /subkeyreg HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3} /display /deny=system=s
    subinacl /noverbose /output=%TEMP%\Subinacl_MMC-2.log /subkeyreg HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23} /display /deny=system=s


NOTE: The permission issue is important because the System account is used by ZENworks for Desktops to add GP settings to the registry. Just creating the keys and setting the "Restrict_Run" value to 0 is not enough; ZfD will set it back to 1 when you open the policy for editing, thus preventing access to the MMC GP snap-in.

Don't worry about messing up the permissions (using the above syntax). One can simply delete the HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC key and re-import the reg file above, or let GP recreate it.
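
A check for the two steps above, as an added example that is not part of the original tip: it reads Restrict_Run on both keys and looks for a Deny entry for the System account. It assumes Windows PowerShell is installed on the workstation and that the "s" in /deny=system=s corresponds to the registry Set Value right; the function and variable names are this example's own.

```powershell
# Added example (not from the original tip): verify both steps of the workaround.
# The two GUID keys are the ones in the reg file above; all other names are this example's.
$base      = 'HKCU:\Software\Policies\Microsoft\MMC'
$guids     = '{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}',
             '{E12BBB5D-D59D-4E61-947A-301D25AE8C23}'
$systemSid = 'S-1-5-18'   # well-known SID of the local System account
$sidType   = [System.Security.Principal.SecurityIdentifier]
$setValue  = [int][System.Security.AccessControl.RegistryRights]::SetValue

function Test-MmcWorkaround([string]$KeyPath) {
    $r = New-Object PSObject -Property @{
        Key = $KeyPath; Exists = $false; RestrictRun = $null; SystemDenySetValue = $false
    }
    if (-not (Test-Path -Path $KeyPath)) { return $r }
    $r.Exists = $true

    # Step 1: Restrict_Run must still be 0 (ZfD resets it to 1 if System can write).
    $p = Get-ItemProperty -Path $KeyPath -Name 'Restrict_Run' -ErrorAction SilentlyContinue
    if ($p) { $r.RestrictRun = $p.Restrict_Run }

    # Step 2: look for a Deny ACE for System that covers the Set Value right.
    # Assumption: the "s" in /deny=system=s maps to RegistryRights.SetValue.
    $rules = (Get-Acl -Path $KeyPath).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -eq $systemSid -and
            $ace.AccessControlType -eq 'Deny' -and
            ([int]$ace.RegistryRights -band $setValue) -ne 0) {
            $r.SystemDenySetValue = $true
        }
    }
    return $r
}

$report = foreach ($g in $guids) { Test-MmcWorkaround (Join-Path $base $g) }
$report | Format-Table Key, Exists, RestrictRun, SystemDenySetValue -AutoSize

# A key passes only if the value is 0 AND the deny entry is in place.
$bad = @($report | Where-Object { $_.RestrictRun -ne 0 -or -not $_.SystemDenySetValue })
if ($bad.Count) { Write-Warning "$($bad.Count) key(s) do not match the workaround." }
```

Run it in the affected user's session, since both keys live under HKEY_CURRENT_USER.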

If you have any questions you may contact David at dfreyREMOVETHIS@genesys-computer.com

