A.14 Windows Group Policy Troubleshooting

User associated Group Policy Object does not persists after logging out of the device

Source: ZENworks 2017 Update 2
Explanation: User associated Group Policy Object (GPO) does not persists after logging out of the device. The device GPO state rolls back to pre-zenworks state and workstation cache is applied.
Action: On the device create PersistPolicyatUserLogout registry key. For more information on PersistPolicyatUserLogout registry key, see the ZENworks Registry Keys Reference.

Limitations of using the PersistPolicyatUserLogout key

  • The registry key can be set only on ZENworks 2017 Update 2 managed devices.

  • The Registry key cannot be applied to a Terminal Server.

    NOTE:It is recommended that this registry key must be used only if same user logs into the device.

The Group Policy Helper tool is not backward compatible with the earlier versions of ZENworks Configuration Management releases

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Action: Install the version of the Group Policy Helper tool available with the corresponding ZENworks Configuration Management release.

Favorites configured by using the Group policy are not cleared when the group policy is unenforced

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you use the Internet Explorer Maintenance settings of the Group policy to configure favorites, the favorites are not cleared when the Group policy is unenforced.
Action: Use the Browser Bookmark policy to configure the favorites.

Internet Explorer Settings configured in the Group policy are not applied on the Internet Explorer

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: On launching the Internet Explorer browser, the runonce page is displayed instead of the home page configured in the Group policy.
Action: On the runonce page, follow the on-screen prompts to configure the settings.

Security settings of the Windows Group policy are not effective on the device

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If the security settings are not configured in the Windows Group policy, the policy uses the default security settings of the device on which it was created. When more than one Windows Group policy is applied to a device, the security settings of the last applied policy are effective on the device.
Action: If you assign multiple policies to a device, ensure that the policy whose security settings you want to be effective on the device is applied last on the device.

The Security settings configured in the Windows Group policy are not applied on a Windows XP SP1 or SP2 managed device

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Action: On the Windows XP SP1 or SP2 managed device, install Windows Hotfix KB897327 from the Microsoft Support Web site.

Unable to launch the Group Policy Helper tool on a Windows Vista or Windows 7 device

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The Group Policy Helper tool does not launch on a Windows 7/Vista device if the User Account Control (Start > Settings > Control Panel > User Accounts) is enabled and Mozilla Firefox or any other browser is used.
Action: Configure the Internet Explorer or Mozilla Firefox browser to run with administrator credentials.
  • To configure Internet Explorer or Mozilla Firefox for a session, right-click the selected browser’s shortcut icon on the desktop, then select Run as administrator.

  • To configure the Internet Explorer or Mozilla Firefox browser permanently:

    1. On the desktop, right-click the selected browser’s shortcut icon and select Properties. Click the Shortcut tab, then click the Advanced button. In the Advanced Properties dialog box, select Run as administrator.

      or

      In Windows Explorer, navigate to the Internet Explorer or Mozilla Firefox executable file, right-click the file, then select Properties. Click the Compatibility tab, then select Run this program as an administrator.

    2. Restart the browser.

For more information, see TID 7013019 in the Novell Support Knowledgebase

Policy Enforcement status is not properly displayed

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you assign more than one policy to a user or a device, the policy enforcement status is not properly displayed.The consolidated status of a Group policy is displayed in the ZENworks icon only for the last enforced policy. That is, if any of the Group policies fail, the last effective policy is displayed in the ZENworks icon as Failed and rest of the policies are displayed as Success.
Possible Cause: The consolidated settings are applied only for the last policy.
Action: None.

Unable to export Group policy content

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you use the zman command to export a policy with content, the content (.zip file) is not exported.
Action: Perform the following steps:
  1. In ZENworks Control Center, edit the policy you want to export.

  2. Click Upload to upload the policy settings to the content server.

  3. The Upload Confirm dialog box displays the name of the .zip file that stores the policy settings. Copy the .zip file to the required location, such as c:\.

  4. Run the zman petf command to export the policy to an XML file, such as export.xml.

    For example, zman petf \policies c:\export.xml.

  5. Edit the export_actioncontentinfo.xml file to update the path of the .zip file.

Log-on and Log-off scripts that launch GUI applications do not functional properly on terminal server and Windows Vista devices

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: On the terminal server and Windows Vista devices, the log-on and log-off scripts launching GUI applications do not functional properly because the Graphical User Interface is not launched on the desktop.
Action: Use Directive bundles to launch the GUI applications:
  1. Create a Directive bundle.

  2. Add a Launch Windows Executable action to launch a GUI application, such as mspaint.

  3. Assign the bundle to a device.

  4. Select Launch Schedule, then select the schedule type as Event.

  5. Select the User Login or User Logout event to trigger the schedule.

Assigning an Active Directory Group policy to a user or a device might generate some application event logs on the device

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you configure an Active Directory Group policy and assign the policy to a user or a device, some application event logs might be generated on the device even if the policy is successfully enforced on the device.
Action: Ignore the application event logs.

Group policy created on a device with a specific operating system is not enforced on a device with a different operating system

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The Windows Group policy containing the local group policy settings is not applied on a device if the operating system of the device where the policy is applied is different from the operating system of the device where the policy is created.
Action: Remove the Operating System specific System Requirement from the Windows Group policy and then apply the policy.

However, the security settings are applied only if the operating system version of the device where the policy is applied is later than the operating system version of the device where the policy is created.

Scripts configured through Active Directory Group policy are not enforced on a device

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The scripts configured through Active Directory group policy are not enforced on a device even though the policy displays success in the ZENworks Agent Policies page. However, the other settings if any configured in the policy are enforced on the device.
Action: Configure scripts through Local Group policy.

Security settings that have not been configured in a ZENworks Group Policy are also enforced on a managed device when the ZENworks Group Policy is enforced on the managed device

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you create a Windows Group policy through the ZENworks Control Center of a device that already has some security settings configured and assign this policy to a managed device, the security settings that were configured on the device, on which you created the group policy, are also applied on the managed device.
Action: To remove all the previously configured security settings on a device, run the following command before you launch the ZENworks Control Center on the device to create the Group policy:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

The screen remains blank after logging into a terminal server

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: Relaunching of Windows Explorer may have failed.
Action: To manually launch the explorer perform the following steps:
  1. Press Ctrl+Shift+Esc to launch the Windows Task Manager.

  2. Select File > New Task (Run)

  3. In the Create New Task pane, enter explorer.

  4. Click OK, to launch the Windows Explorer.

Partial failure of Group Policy unenforcement settings

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: When Group Policy settings are unenforced on a device, URLs added in Favorites and Links do not get removed.
Action: To unenforce the Group Policy settings and restore the system to a clean state, make sure you select the option Delete Existing Favorites and Links, if present, when the system is in the default state prior to applying any policies.

Users need to log in again on a managed device, even though the setting for a forced login is not selected

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: After applying an updated Windows Group Policy on a managed device, logged-in users are forced to log out even though the After enforcement, force a re-login on the managed device, if necessary setting is not selected.
Action: To ensure that a user does not need to log in again to the managed device, deselect the After enforcement, force a re-login on the managed device, if necessary option on any Roaming Profile Policy that is associated with the same user or device.

For more information, see TID 7007600 in the Novell Support Knowledgebase.

Security settings are not applied randomly for Group policies at device startup

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: Security settings are not applied randomly for Group policies at device startup if Haspolicychanged flag is false.
Action: Even if there is no change in the Group policy, you can apply Group policy again at device start up:
  1. On a Windows managed device, open the Registry Editor.

  2. Go to HKLM\Software\Novell\ZCM\GroupPolicy.

  3. Configure the ReApplyPolicyatDeviceStartup registry key, with any string value other than Null.

    If configured, the device assigned Group policy gets processed, even if the value of the Haspolicychanged parameter is False.

Group policy user settings are not always enforced for a user if there is no change in the user-assigned group policy from a previous login

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you have assigned Group policy settings to a user, and there is no change in the policy from the previous enforcement, the settings might not apply on a logged-in user.
Action: To configure the Group policy settings:
  1. On a Windows managed device, open the Registry Editor.

  2. Go to HKLM\Software\Novell\ZCM\GroupPolicy.

  3. Configure the ReApplyPolicyatUserPredeskTop registry key with any string value other than Null.

    If you configure this registry key, logging in might be slow.

While creating group policy, Failure importing group policy setting error message appears

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: While creating group policy, Failure importing group policy settings error message appear when VC++ 2012 re-distribute package is not installed or MSVCR110.dll is not available in the machine.
Action: Install the VC++ 2012 re-distribute package.

ZENworks plug-ins installed on a device do not show up in the Managed add-ons list in Internet Explorer 8

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: ZENworks plug-ins installed on a device do not appear in the Managed addons list in Internet Explorer 8. Example: Group policy helper plug-in works fine, but does not appear in the managed add-ons list.
Action: Reset the Internet Explorer settings. This will affect the previously configured IE settings. Once listed, the addons can be enabled or disabled. Use the workaround only if it is really necessary to enable or disable the add-on.

Group Policy helper installed using Internet Explorer might not be enabled on Firefox

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If Group Policy helper is installed from Internet Explorer, add-ons might not show up in Firefox.
Action: Manually enable Group Policy helper on Firefox.

When you try to launch Group Policy helper, it shows the error message, Another instance of Group Policy helper is running even if there is no running, instance of the Helper

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: When you try to launch Group Policy helper, it shows an error message, Another instance of Group Policy helper is running, even if there is no running instance of the Helper.
Possible Cause: Previously, Group Policy helper was abruptly closed during the creation of or editing of a Group Policy.
Action: Manually delete the registry key HelperThreadId and ToolRunning from HKEY_CURRENT_USER\Software\Novell\ZCM\GroupPolicy\Helper.

Group Policy Helper does not work on Internet Explorer 10 in Enable Protected Mode

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: Group Policy Helper does not work on Internet Explorer 10 in Enable Protected Mode (EPM).
Action: Open Internet Explorer 10 in Run as administrator mode.

or

Configure the following:

  1. Open Internet Explorer.

  2. Go to Tools > Internet Options > Security > Local Intranet.

  3. Set the Enable Protected Mode check box.

  4. Ensure that the following ActiveX parameter settings under Tools > Internet Options > Security are as shown in the table below:

    ActiveX Controls and Plug-ins

    Local Intranet

    Trusted Sites

    Allow ActiveX Filtering

    Disable

    Disable

    Allow previously unused ActiveX controls to run without prompt

    Enable

    Enable

    Allow Scriptlets

    Enable

    Enable

    Automatic prompting for ActiveX controls

    Enable

    Enable

    Binary and script behaviours

    Enable

    Enable

    Display video and animation on a webpage that does not use external media player

    Disable

    Disable

    Download signed ActiveX controls

    Enable

    Enable

    Download unsigned ActiveX controls

    Enable

    Enable

    Only allow approved domains to use ActiveX without prompt

    Enable

    Enable

    Run ActiveX controls and plugins

    Enable

    Enable

    Script ActiveX controls marked safe for Scripting

    Enable

    Enable

    Enable Enhanced Protected Mode

    Enable

    Disable

    NOTE:Add the URLs to Trusted Sites. Ensure that you add URLs of all primary servers that are used to create group policies.

On a Windows 8.1 machine, logon related group policy settings does not work as expected

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If required Windows update package is not present on a Windows 8.1 machine then, group policy refresh operation does not complete when the user logs out. It completes on next logon. As a result, logon related Group Policy setting do not work as expected.
Possible Cause: Windows updates KB2919394 and KB2911106 are not installed.
Action: Along with other important Windows update, ensure to install KB2919394 and KB2911106 optional updates. And ensure that, Interactive Logon: Do not require CTRL+ALT+DEL setting is set to Disabled in applied Group Policy.

NOTE:Ensure that there is atleast a gap of 30 sec between log off and log on.