15.9 Windows Group Policy (User and Workstation Packages)

You can specify and edit group policies for Windows 2000/XP workstations (User and Workstation Package) and for Windows 2000/2003 Terminal Servers (User Package only).

NOTE: The Windows Group policy is contained in both the User Package and in the Workstation Package. When you configure the Windows Group policy in the User Package, the policy applies to all associated users regardless of the workstation they use. When you configure the Windows Group policy in the Workstation Package, the policy applies to all users who log in to an associated workstation.

15.9.1 Understanding the Windows Group Policy

The Windows Group policy is an extension of extensible policies for Windows 2000/XP and Active Directory. There is some cross-over in policy settings between the Windows Group policy and Desktop Management extensible policies, such as under User Configuration > Administrative Templates. For more information about extensible policies, see Section 15.2, Computer/User Extensible Policies (Workstation/User Packages).

NOTE: You should not configure group policies on a Windows 2000 Domain Controller using ConsoleOne. To edit group policies through ConsoleOne, use a Windows 2000 workstation to edit Windows 2000 group policies and a Windows XP workstation to edit Windows XP group policies.

If a workstation is a member of an Active Directory domain but is disconnected from the domain, Windows Group policies contained in both the User and Workstation packages do not apply.

Using ZENworks Desktop Management to distribute Group policies to workstations or users that already receive Group policies from Active Directory (or vice versa) is not supported, because the two mechanisms interact unpredictably. ZENworks Desktop Management does support importing Group policies that were created in Active Directory and then distributing them itself. For more information, see Section 15.9.5, Importing Windows Group Policies (User and Workstation Packages).

For the following reasons, you must use UNC paths rather than mapped drives for importing this policy to Desktop Management:

  • Users could change their login scripts, altering drive mappings

  • Workstation objects are often logged in before users are, so there are no drive mappings available

With UNC paths, as long as the server is available, the policy is found.

Group policies have changed significantly since the ZENworks for Desktops 3 initial release. Review the following sections for more information:

Additive Group Policies

Group policies are now additive. This means that settings from multiple Windows Group policies are cumulatively effective, rather than individually. Settings from multiple Windows Group policies can affect users and workstations. Policies start with the local Windows Group policy settings and are applied in reverse of the policy search order. This means that a setting in a policy applied first has lowest priority and its value is overwritten by any other policy with the same setting.

Security settings are not additive; they are set by the last effective policy.

Revision Checking

Windows Group policies now track the revision of the policies in effect. As long as the list of effective policies and their revisions remains the same, Windows Group policies are not processed, but use the cached Group policy.

NOTE: Each time the Edit Policies button is clicked, the revision of a Windows Group policy changes, causing the policies to be reprocessed.

Group Policy Caching

The last-processed Windows Group policy is cached locally. This helps reduce network traffic by processing Windows Group policies only if necessary. If UserA logs in on a new machine, his or her effective Group policies are processed and then cached.

If UserA logs out and UserB logs in, and if UserB has the same effective Group policies as UserA, the locally-cached Group policy is restored instead of reprocessing Windows Group policies. If the list of effective policies is different or if the revision is changed on any policy, the Windows Group policies are reprocessed.
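The precedence and caching rules described above, as an added example that is not part of the ZENworks product or this guide: a small Python model that applies additive registry settings in reverse search order, takes security settings wholesale from the last applied policy that pushes any, and reuses a cached result only while every effective policy keeps the same name and revision. The policy names, the settings and the integer revision stamp are constructed for the example, and reading "set by the last effective policy" as "the whole security block comes from the last applied policy that pushes security settings" is this example's interpretation of the text.

```python
"""Model of how Desktop Management combines several Windows Group policies."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GroupPolicy:
    name: str
    revision: int                 # bumped each time Edit Policies is clicked
    registry: Dict[str, object]   # Administrative Templates style settings (additive)
    security: Dict[str, object]   # Security Settings block (not additive); {} = none pushed


def effective_settings(local: GroupPolicy, search_order: List[GroupPolicy]):
    """Return (registry, security) in effect for a user or workstation.

    search_order lists the effective policies in the order the policy search
    finds them. They are applied in reverse, starting from the local settings,
    so the policy found first is applied last and wins any conflict.
    """
    registry = dict(local.registry)
    security = dict(local.security)
    for policy in reversed(search_order):
        # Additive: a policy overlays only the keys it defines.
        registry.update(policy.registry)
        # Not additive: a policy that pushes security settings replaces the
        # whole block; keys set only by earlier policies are dropped.
        if policy.security:
            security = dict(policy.security)
    return registry, security


CacheKey = Tuple[Tuple[str, int], ...]


def cache_key(search_order: List[GroupPolicy]) -> CacheKey:
    """Identity of a policy set: every effective policy's name and revision."""
    return tuple((p.name, p.revision) for p in search_order)


class PolicyCache:
    """Local cache of the last-processed effective Group policies."""

    def __init__(self) -> None:
        self.key: Optional[CacheKey] = None
        self.result = None
        self.processed = 0   # number of times policies were actually processed

    def apply(self, local: GroupPolicy, search_order: List[GroupPolicy]):
        """Return (settings, cache_hit); reprocess only if the policy set changed."""
        key = cache_key(search_order)
        if key == self.key:
            return self.result, True
        self.result = effective_settings(local, search_order)
        self.key = key
        self.processed += 1
        return self.result, False


def edited(policy: GroupPolicy) -> GroupPolicy:
    """Effect of clicking Edit Policies on a policy's identity: a new revision."""
    return GroupPolicy(policy.name, policy.revision + 1, policy.registry, policy.security)


# Constructed sample data: SALES is found first in the search, OU second.
LOCAL = GroupPolicy("local", 0, {"NoRun": 0, "Wallpaper": "default.bmp"}, {"MinPwdLen": 0})
SALES = GroupPolicy("Sales", 3, {"NoRun": 1}, {"MinPwdLen": 8})
OU = GroupPolicy("OU", 1, {"NoRun": 0, "Wallpaper": "corp.bmp"}, {"MinPwdLen": 12, "AuditLogon": 1})


if __name__ == "__main__":
    cache = PolicyCache()
    (reg, sec), hit = cache.apply(LOCAL, [SALES, OU])   # UserA logs in: processed
    print("registry:", reg, "security:", sec, "cache hit:", hit)
    _, hit = cache.apply(LOCAL, [SALES, OU])            # UserB, same policy set: cached
    print("UserB cache hit:", hit)
    _, hit = cache.apply(LOCAL, [edited(SALES), OU])    # Sales edited: reprocessed
    print("after Edit Policies cache hit:", hit, "processed:", cache.processed)
```

With SALES found first, its NoRun=1 overrides the OU value, the OU wallpaper survives because SALES does not set one, and the OU's AuditLogon security key disappears entirely because SALES pushes its own security block. Swapping the search order reverses both outcomes, and bumping one revision is enough to defeat the cache, which is why the note about Edit Policies matters when you are trying to work out why a workstation reprocessed its policies.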

New functionality has been added to the Desktop Management Windows Group policy implementation. The Windows Group policy settings in both the User Package and in the Workstation Package can remain in effect even when the workstation is disconnected from the network.

Persistent and Volatile Settings

The administrator determines if Windows Group policies are persistent or volatile. The persistent setting indicates that when the Windows Group policies are set, they remain set—even if a user happens to log in only to a workstation and not to the network.

The volatile setting indicates that the original local Windows Group policy settings will be restored when:

  • The user logs out (the user Group policy settings are removed)

  • The system shuts down (the workstation Group policy settings are removed)

Using Group Policies on Terminal Servers

You can configure Windows Group policies in a User Package for Windows 2000 and Windows 2003 Terminal Servers. You can also use the Windows 2000-2003 Terminal Server platform page if you want to set policies that apply to both platforms, which makes managing Terminal Servers easier.

When configuring Windows Group policies for Terminal Servers, consider the following:

  • Applied Settings Types: Only the User Configuration settings under Applied Settings Types apply to Terminal Servers. The Computer Configuration and Security Settings options are not available for Terminal Servers.

  • Logoff Scripts: Logoff scripts are not supported in a Terminal Server environment.

15.9.2 Configuring the Windows Group Policy in the User Package

  1. In ConsoleOne, right-click the User Package, click Properties, then click the appropriate platform page.

    When choosing the appropriate platform page, take the following into account:

    • Windows NT: For more information about Desktop Management support for the Windows NT platform, see Interoperability with Windows NT 4 Workstations in the Novell ZENworks 7 Desktop Management Installation Guide.

    • Windows NT-2000-XP platform page: Because Windows 2000 and Windows XP save security settings differently, you cannot use the Windows NT-2000-XP platform page to edit the Windows Group policy. For Windows 2000, security settings are saved in the gpttmpl.inf file; for Windows XP, security settings are saved in the xpsec.dat file. Both files are located in the \group policies\machine\microsoft\windows nt\secedit directory.

      In ZENworks 7, the Edit option on the Windows NT-2000-XP platform page has been disabled; you must use one of the specific platform pages to edit group policies.

  2. Select the check box under the Enabled column for the Windows Group policy.

    This both selects and enables the policy.

  3. Click Properties to display the Windows Group Policies page.

    The Windows Group Policies page.

  4. Specify the network location for new or existing group policies.

    Make sure that users have read rights to this network location. Because whatever is stored at this location is applied on every associated workstation, restrict write rights to the administrators who edit the policy.

    If you use an environment variable in the Network location of existing/new group policies field, you must first set the environment variable on the management workstation on which you are running ConsoleOne and on any workstations that receive the group policy. You must also exit and restart ConsoleOne before the variable is recognized.

  5. (Conditional) If you want to import group policies from Active Directory, click Import Policy.

    For more information, see Section 15.9.5, Importing Windows Group Policies (User and Workstation Packages).

  6. (Conditional) If you want to edit existing group policies, click Edit Policies.

    For more information, see Section 15.9.4, Editing Existing Windows Group Policies (User and Workstation Packages).

  7. (Optional) Select the Group Policies remain in effect on user logout check box to indicate that the pushed group policies remain in effect on the local Windows desktop after the user logs out.

    IMPORTANT: We do not recommend using both the Group policies remain in effect on user logout setting and the Cache User Configuration setting in an environment in which the user Group policies are pushed to different users on common workstations.

  8. (Optional) Select the Cache User Configuration check box.

    Caching user configuration settings is different than enabling the Group Policies remain in effect on user logout check box.

    Setting the Group policies remain in effect on user logout option enables the administrator to retain the group policy settings of the last logged-in user. The limitation with this approach is that any user who logs in locally (workstation only) receives the Group policy settings of the last person who logged in to the network on that workstation. If an administrator was the last user to log in to the network on a particular workstation, any subsequent local logins result in the user receiving the administrator’s policy settings.

    To avoid this situation, you can enable the Cache User Configuration check box to allow each user's settings to be cached.

    Consider the following before you enable caching of settings in the User Package's Windows Group policy:

    • The cache user settings functionality works with either NetWare or Windows on the back end. If you are using a Windows server on the back end, consider the following:

      • The user must be logged in with a local user account, not a cached domain account. Windows Group policy settings apply to domain accounts as long as the user is logging in to the domain. When the user does not log in to the domain, but uses a cached domain account, the Desktop Management Windows Group policy settings do not apply.

      • If you store Group policy files on an Active Directory server, the Active Directory username and password must match the eDirectory credentials.

    • Users must have unique local user accounts. The Windows Group policy settings are cached in the local user’s profile, so users with different effective Windows Group policies must have different local user accounts.

    • Each user must have a profile on the machine in which to cache the settings. You can provide this profile by using local user accounts or by using Dynamic Local User (DLU) accounts; however, the account cannot be removed. If the DLU policy removes the local user account (either by using a volatile user account or by using an expired cached volatile user account), the user cannot log in locally.

    • Only the settings contained in the \user\registry.pol file are cached. This is roughly equivalent to the User Settings in the Group Policy editor with the exception of the logon/logoff scripts (they are stored in the Scripts folder under \user, and therefore not cached).

    Selecting the Cache User Configuration check box causes the user configuration settings of each user’s effective Windows Group policies to be stored in each user's local profile. When each user logs in locally, the user settings are read from the cached copy of the registry.pol in that user's profile and are applied. The only settings cached are those stored in the registry.pol file in the \user folder. Other settings are not cached, including logon/logoff scripts, computer settings, and security settings.

    IMPORTANT: We do not recommend using both the Group Policies remain in effect on user logout setting and the Cache User Configuration setting in an environment in which the user Group policies are pushed to different users on common workstations.

  9. In the Applied Settings Types group box, enable the desired options.

    These options allow Windows user, computer, and security settings to be pushed with a User or Workstation policy. This differs from earlier releases in which user settings were pushed with User Packages and computer and security settings were pushed with Workstation Packages.

    User Configuration: Select to push settings under User Configuration with the Windows Group policy.

    Computer Configuration: Select to push settings under Computer Configuration (except Security Settings) with the Windows Group policy.

    Security Settings: Select to push Windows security settings with the Windows Group policy. Selecting this option applies all security settings under Computer Configuration > Windows Settings > Security Settings, including Account Policies, Local Policies, Public Key Policies, and IP Security Policies on Local Machine. You cannot choose to push individual policies and policies are not additive.

    Only the User Configuration settings under Applied Settings Types apply to Terminal Servers. The Computer Configuration and Security Settings options are not available for Terminal Servers.

  10. Click the Policy Schedule tab > select a schedule type:

    • Package Schedule
    • Event
    • Daily
    • Weekly
    • Monthly
    • Yearly

    You can click Advanced Settings to set additional settings such as Completion, Fault, Impersonation, Priority, and Time Limit. For detailed information on each of these settings, click the Help button on each page.

  11. Click OK to save the policy.

  12. When you have finished configuring all of the policies for this package, continue with the steps under Section 15.13, Associating the User or Workstation Package to associate the policy package.
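Step 8 above says that only the settings in \user\registry.pol are cached in each user's profile. As an added example, not code from ZENworks or from this guide, the following Python reads and writes that file using the documented Windows registry policy file format: a "PReg" signature and a version DWORD, followed by one [key;value;type;size;data] record per setting, with the brackets, semicolons and strings encoded as UTF-16LE and the type and size as little-endian DWORDs. It lets an administrator see exactly what a cached registry.pol (or the one on the policy share) will apply. The three sample entries and the server name in the wallpaper path are constructed; the policy keys and value names are standard Windows ones.

```python
"""Read and write registry.pol, the file whose contents Cache User
Configuration stores in each user's local profile."""
import struct
from typing import Dict, List, Tuple

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ = 1
REG_DWORD = 4

# (registry key, value name, registry type, decoded data)
Entry = Tuple[str, str, int, object]


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def _u16z(s: str) -> bytes:
    return _u16(s) + b"\x00\x00"      # null-terminated UTF-16LE string


def encode_data(rtype: int, value) -> bytes:
    if rtype == REG_DWORD:
        return struct.pack("<I", value)
    if rtype == REG_SZ:
        return _u16z(value)            # size counts the terminator, as Windows does
    return bytes(value)                # other types: caller supplies raw bytes


def decode_data(rtype: int, data: bytes):
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data


def build_registry_pol(entries: List[Entry]) -> bytes:
    """Serialise entries as [key;value;type;size;data] records behind the header."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, name, rtype, value in entries:
        data = encode_data(rtype, value)
        out += _u16("[") + _u16z(key) + _u16(";") + _u16z(name) + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";") + struct.pack("<I", len(data))
        out += _u16(";") + data + _u16("]")
    return bytes(out)


def _read_u16z(blob: bytes, pos: int) -> Tuple[str, int]:
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError(f"unterminated string at offset {pos}")
    return blob[pos:end].decode("utf-16-le"), end + 2


def _read_dword(blob: bytes, pos: int) -> Tuple[int, int]:
    if pos + 4 > len(blob):
        raise ValueError(f"truncated DWORD at offset {pos}")
    return struct.unpack_from("<I", blob, pos)[0], pos + 4


def _expect(blob: bytes, pos: int, ch: str) -> int:
    if blob[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(blob: bytes) -> List[Entry]:
    """Parse registry.pol bytes; raise ValueError on a malformed or truncated file."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError("missing PReg signature")
    version, pos = _read_dword(blob, 4)
    if version != PREG_VERSION:
        raise ValueError(f"unsupported registry.pol version {version}")
    entries: List[Entry] = []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_u16z(blob, pos)
        pos = _expect(blob, pos, ";")
        name, pos = _read_u16z(blob, pos)
        pos = _expect(blob, pos, ";")
        rtype, pos = _read_dword(blob, pos)
        pos = _expect(blob, pos, ";")
        size, pos = _read_dword(blob, pos)
        pos = _expect(blob, pos, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"truncated data at offset {pos}")
        pos = _expect(blob, pos + size, "]")
        entries.append((key, name, rtype, decode_data(rtype, data)))
    return entries


def settings_by_key(blob: bytes) -> Dict[str, Dict[str, object]]:
    """Group parsed entries by registry key, the way an auditor wants to read them."""
    grouped: Dict[str, Dict[str, object]] = {}
    for key, name, _rtype, value in parse_registry_pol(blob):
        grouped.setdefault(key, {})[name] = value
    return grouped


# Constructed sample: three user-side Administrative Template settings.
SAMPLE_ENTRIES: List[Entry] = [
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun", REG_DWORD, 1),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", REG_DWORD, 1),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "Wallpaper", REG_SZ,
     r"\\zenserver\policies\corp.bmp"),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for key, values in settings_by_key(SAMPLE_POL).items():
        print(key, values)
```

Point parse_registry_pol at the bytes of a registry.pol copied from a user's profile, or from the \user directory at the network location in step 4, to list what it sets. The parser rejects a truncated or mis-signed file instead of silently applying a partial record, and because it reads the same bytes Windows reads, a value that appears here but not in the MMC editor is worth investigating.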

15.9.3 Configuring the Windows Group Policy in the Workstation Package

  1. In ConsoleOne, right-click the Workstation Package, click Properties, then click the appropriate platform page.

    When choosing the appropriate platform page, take the following into account:

    • Windows NT: For more information about Desktop Management support for the Windows NT platform, see Interoperability with Windows NT 4 Workstations in the Novell ZENworks 7 Desktop Management Installation Guide.

    • Windows NT-2000-XP platform page: Because Windows 2000 and Windows XP save security settings differently, you cannot use the Windows NT-2000-XP platform page to edit the Windows Group policy. For Windows 2000, security settings are saved in the gpttmpl.inf file; for Windows XP, security settings are saved in the xpsec.dat file. Both files are located in the \group policies\machine\microsoft\windows nt\secedit directory.

      In ZENworks 7, the Edit option on the Windows NT-2000-XP platform page has been disabled; you must use one of the specific platform pages to edit group policies.

  2. Select the check box under the Enabled column for the Windows Group policy.

    This both selects and enables the policy.

  3. Click Properties to display the Windows Group Policies page.

    The Windows Group Policies page.

  4. Specify the network location for new or existing group policies.

    Make sure that users and workstations have read rights to this network location. Because whatever is stored at this location is applied on every associated workstation, restrict write rights to the administrators who edit the policy.

    If you use an environment variable in the Network location of existing/new Group Policies field, you must first set the environment variable on the management workstation on which you are running ConsoleOne and on any workstations that receive the group policy. You must also exit and restart ConsoleOne before the variable is recognized.

  5. (Conditional) If you want to import group policies from Active Directory, click Import Policy.

    For more information, see Section 15.9.5, Importing Windows Group Policies (User and Workstation Packages).

  6. (Conditional) If you want to edit existing group policies, click Edit Policies.

    For more information, see Section 15.9.4, Editing Existing Windows Group Policies (User and Workstation Packages).

  7. (Optional) Select the Persist workstation settings check box.

    Selecting this option specifies that all workstation settings that Desktop Management supports (user, machine, and security settings) in the Workstation Package's Windows group policy can remain in effect (are cached) regardless of network connectivity.

    Consider the following before you enable caching of settings in the Workstation Package's Windows group policy:

    • The persistent workstation settings functionality works with either NetWare or Windows on the back end. If you store the Windows Group policy files on a Windows server, the workstation must be a member of that server's domain.

    • To use persistent workstation settings, you cannot enable the Group Policy Loopback Support option (in either Replace Mode or Merge Mode) in the Windows Group policy associated with the workstations whose settings you want to cache. With loopback support disabled, the configuration in the user's policy always takes precedence over the configuration in the Workstation Package's Windows Group policy when settings conflict.

    Selecting the Persist Workstation Settings check box causes the workstation’s effective Windows Group policy settings that are already stored in windows_directory\system32\group policy.wkscache to be applied, even if that workstation is unable to log in to the network as the Workstation object (for example, when the workstation is disconnected from the network).

  8. In the Applied Settings Types group box, enable the desired options.

    These options allow Windows user, computer, and security settings to be pushed with a User or Workstation policy. This differs from earlier releases in which user settings were pushed with User Packages and computer and security settings were pushed with Workstation Packages.

    User Configuration: Select this option to push settings under User Configuration with the Windows Group policy.

    Computer Configuration: Select this option to push settings under Computer Configuration (except Security Settings) with the Windows Group policy.

    Security Settings: Select this option to push Windows security settings with the Windows Group policy. Selecting this option applies all security settings under Computer Configuration > Windows Settings > Security Settings, including Account Policies, Local Policies, Public Key Policies, and IP Security Policies on Local Machine. You cannot choose to push individual policies and policies are not additive.

  9. (Optional) Select the Group Policy Loopback Support check box, then select a mode.

    Enabling this option gives precedence to Workstation Package policies over User Package policies. Loopback support has two modes, replace and merge:

    Don’t Apply User’s Policy Settings (Replace Mode): Select this option to ignore all User policy settings; Workstation policy settings are applied.

    Apply Workstation’s Policy Settings Last (Merge Mode): Select this option to apply User policy settings first and then Workstation policy settings. This lets you apply user settings but override conflicting settings with workstation settings. If a user setting does not conflict, it remains in effect.

  10. Click the Policy Schedule tab > select a schedule type:

    • Package Schedule
    • Event
    • Daily
    • Weekly
    • Monthly
    • Yearly

    Because the Windows desktop finishes loading before group policy settings are loaded, some group policies in the Workstation Package might behave oddly if they are scheduled to run at user login. Specifically, changes to desktop settings (for example, hiding My Network Places or hiding all desktop icons) do not take effect, and programs that a login script is supposed to start at user login do not run. If the user logs off and back on, the settings display correctly.

    To prevent this behavior, do not configure group policies in the Workstation Package to run at user login. Instead, configure them to run at system startup, on a daily basis, or on some other regular schedule.

    If you configure group policies to run startup scripts and you schedule those policies to run at system startup, you should select the Persist Workstation Settings option in Step 7. Because Windows 2000/XP looks for and runs startup scripts before Workstation Manager authenticates and applies policies, group policies that you configure to run startup scripts might fail to run when scheduled to run at system startup. If you select the Persist Workstation Settings option, the Workstation Package group policy settings (and startup scripts) are cached and can be applied correctly at the next system startup.

    You can click Advanced Settings to set additional settings such as Completion, Fault, Impersonation, Priority, and Time Limit. For detailed information on each of these settings, click the Help button on each page.

  11. Click OK to save the policy.

  12. When you have finished configuring all of the policies for this package, continue with the steps under Section 15.13, Associating the User or Workstation Package to associate the policy package.

15.9.4 Editing Existing Windows Group Policies (User and Workstation Packages)

  1. In ConsoleOne, right-click the User or Workstation Package, click Properties, then click the appropriate platform page.

  2. Select the check box under the Enabled column for the Windows Group policy.

    This both selects and enables the policy.

  3. Click Properties to display the Windows Group Policies page.

  4. Specify the network location for new or existing group policies.

  5. Click Edit Policies.

    When you click the Edit Policies button, the Microsoft Management Console editor is launched, where you can edit a User Package policy or a Workstation Package policy. For more information, click Help in the dialog boxes. After you have finished editing the policy, click the Close button.

    When you edit group policies, be aware of the following:

    • Directory Path: Make sure you have selected the correct directory path because you could destroy data. All of the files in the selected directory as well as the \adm, \user, and \machine subdirectories are deleted before the Active Directory group policy is copied to it.

      NOTE: If the Network Location of Existing/New Group Policies path is set to a Linux file server, permission must be set from a Linux machine to allow read rights for users and workstations.

    • Security Settings that Cannot be Edited in Windows XP: Because of changes in Windows XP, you cannot currently edit the following Windows XP Security settings using Desktop Management:

      • Under Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy:

         • Password Must Meet Complexity Requirements
         • Store Password Using Reversible Encryption

      • Under Security Settings > Local Policies > Security Options:

         • Network Access: Allow Anonymous SID/Name Translation
         • Accounts: Administrator Account Status
         • Accounts: Guest Account Status

    • Operating System Version and Service Pack Level Checking in ZENworks 7: New functionality has been added to ZENworks 7 to check the operating system version and service pack level while editing group policies on all platforms on which you can edit group policies (Windows 2000, Windows XP, and Windows Server 2003). For example, if a group policy was created on a Windows XP SP1 or earlier workstation and you attempt to edit it on a Windows XP SP2 workstation, ZENworks displays a warning dialog box. ZENworks also prohibits you from editing a group policy that was created on a Windows XP SP2 workstation if you are using a workstation with Windows XP (no service pack) or Windows XP SP1 installed.

    • Disabling Group Policy Settings using ZENworks 7: In ZENworks 7, new functionality has been included to let you disable certain group policy settings without preventing future editing of the policy.

      In previous versions of ZENworks, disabling certain settings disabled the group policy editor, preventing you from editing that policy in the future. These settings include the following (depending on the OS and service pack level, not all settings might be present):

      • Under User Configuration > Administrative Templates > Windows Components > Microsoft Management Console:

          • Restrict the user from entering author mode
          • Restrict users to the explicitly permitted list of snap-ins

      • Under User Configuration > Administrative Templates > Windows Components > Microsoft Management Console > Restricted/Permitted Snap-ins > Group Policy:

          • Group Policy Management
          • Group Policy Object Editor

      • Under User Configuration > Administrative Templates > Windows Components > Microsoft Management Console > Restricted/Permitted Snap-ins > Group Policy > Group Policy snap-in extensions:

          • Administrative Templates (Computers)
          • Administrative Templates (Users)
          • Folder Redirection
          • Internet Explorer Maintenance
          • Remote Installation Services
          • Scripts (Logon/Logoff)
          • Scripts (Startup/Shutdown)
          • Security Settings
          • Software Installation (Computers)
          • Software Installation (Users)
          • Wireless network (IEEE 802.11) Policies

      If you disable any of these settings and then attempt to edit the policy, an error message displays stating that the snap-in has been restricted by policy. In addition, the group policy editor does not open.

      To avoid this problem in ZENworks 7, these settings are removed from the group policy and saved in a temporary local location. When you close the editor, the settings in the temporary file are merged with the settings in the newly configured group policy. If you made any changes to these settings while using the editor and they conflict with those settings that were saved in the temporary file, the new settings take precedence over the original settings that were moved to the temporary file.

  6. Click OK to save the policy.

15.9.5 Importing Windows Group Policies (User and Workstation Packages)

  1. In ConsoleOne, right-click the User or Workstation Package, click Properties, then click the appropriate platform page.

  2. Select the check box under the Enabled column for the Windows Group policy.

    This both selects and enables the policy.

  3. Click Properties to display the Windows Group Policies page.

  4. Specify the network location for new or existing group policies.

  5. If you want to import group policies from Active Directory, click Import Policy, then fill in the fields.

    1. Select an import option:

      Import Whole Active Directory Folder: Lets you import all group policies in the Active Directory folder. If you select this option, use the Source Location field to specify the UNC path to the folder containing group policies created by Active Directory that you want to migrate to the directory listed in the Destination location of migrated group policies field. You must know or browse for the Unique Name of the directory from where you import the Active Directory group policy. You can find the Unique Name by examining the properties of the Active Directory Group policy.

      Import Security Settings: Lets you import security settings from a file. If you select this option, use the Source Location field to specify the UNC path to the file containing the security settings created by Active Directory that you want to migrate to the directory listed in the Destination location of migrated group policies field. You must know or browse for the Unique Name of the file that you import into the group policy.

      Imported security settings let administrators set only certain security settings without affecting all remaining security settings. Security settings can be imported from an Active Directory Group policy or can be created with the Security Templates snap-in in the Microsoft Management Console (MMC). For more information, see Creating Security Settings Using the Security Templates Snap-In in the Microsoft Management Console (MMC).

      When you import an Active Directory Group policy containing security settings or import a security settings file, the imported settings are saved in a new file called zensec.inf.

      The security settings in zensec.inf are used instead of the regular security settings displayed when you edit the Group policy in MMC. The security settings shown in MMC are not accurate, and any changes made to them are not applied. If imported security settings are detected while you edit a Group policy, a message box informs you that the settings in zensec.inf will be used in place of the regular security settings and gives you the option of displaying the contents of the zensec.inf file.

      IMPORTANT: You should use UNC paths rather than mapped drives for group policies.

    2. Click Import.

      This copies the Active Directory group policy or file to the directory specified in the Destination Location of Migrated Group Policies field. If the specified directory does not exist, it is created.

      WARNING: Make sure you have selected the correct directory path in the Destination Location of Migrated Group Policies field because you could destroy data. All of the files in the selected directory as well as the \adm, \user, and \machine subdirectories are deleted before the Active Directory group policy is copied to it.

  6. Click OK to save the policy.

Creating Security Settings Using the Security Templates Snap-In in the Microsoft Management Console (MMC)

We recommend that you create new security settings rather than editing existing settings in the MMC. If you edit existing security settings, they might contain default settings that you do not need and might take a significant amount of time to process. You can avoid this problem by generating new settings.

NOTE: You must be logged on as an administrator or a member of the Administrators group to create security templates. Network policy settings might also prevent you from creating security templates.

To create new security settings using the Security Templates snap-in:

  1. Click the Start button, then click Run.

  2. Type mmc, then click OK.

  3. Click File > Add/Remove Snap-in to display the Add/Remove Snap-in dialog box.

  4. In the Standalone page, click Add.

  5. In the Add Standalone Snap-in dialog box, click Security Templates, click Add, then click Close to close the Add Standalone Snap-in dialog box.

  6. In the Add Remove Snap-in dialog box, click OK.

  7. (Optional) In the console tree, right-click Security Templates, click New Template Search Path, then select the new location.

    A folder with the path of the new location appears in the console tree.

  8. Right-click the folder where you want to store the new template, then click New Template.

  9. Type a template name and description, then click OK.

  10. In the console tree, double-click the new security template to display the security areas and navigate until the security setting you want to configure is in the right pane.

  11. Double-click the security setting you want to configure, select the Define This Policy setting in the Template check box, edit the settings, then click OK.
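The procedure above produces a security template through the snap-in; as an added example, not code from Novell or Microsoft, the following Python builds the same kind of file directly and checks what it defines, which is the point of the recommendation to create new settings rather than edit a copy carrying defaults. The section and key names are the standard secedit template syntax ([Unicode], [Version], [System Access], and [Registry Values] lines of the form path=type,value). The mapping in XP_EDITOR_RESTRICTED from the five Windows XP settings listed in Section 15.9.4 to [System Access] key names is this example's assumption about which keys those display names correspond to, and the sample settings are constructed.

```python
"""Generate and check a minimal secedit security template (.inf)."""
from typing import Dict, List, Set, Tuple

SETTING_SECTIONS = ("System Access", "Event Audit", "Privilege Rights", "Registry Values")

# Windows XP security settings that Section 15.9.4 says cannot be edited through
# the Desktop Management editor, mapped to their [System Access] key names.
# The mapping is this example's assumption, not something the guide states.
XP_EDITOR_RESTRICTED = {
    "PasswordComplexity": "Password must meet complexity requirements",
    "ClearTextPassword": "Store password using reversible encryption",
    "LSAAnonymousNameLookup": "Network access: Allow anonymous SID/Name translation",
    "EnableAdminAccount": "Accounts: Administrator account status",
    "EnableGuestAccount": "Accounts: Guest account status",
}


def build_template(system_access: Dict[str, object],
                   registry_values: Dict[str, Tuple[int, object]]) -> str:
    """Emit a template that defines only the given settings, nothing else.

    registry_values maps a registry path to (type, value); type uses the
    REG_* numbers (1 = REG_SZ, 4 = REG_DWORD, 7 = REG_MULTI_SZ).
    """
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    if system_access:
        lines.append("[System Access]")
        lines += [f"{key} = {value}" for key, value in system_access.items()]
    if registry_values:
        lines.append("[Registry Values]")
        lines += [f"{path}={rtype},{value}" for path, (rtype, value) in registry_values.items()]
    return "\r\n".join(lines) + "\r\n"


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style template into {section: {key: raw value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def defined_settings(sections: Dict[str, Dict[str, str]]) -> Set[Tuple[str, str]]:
    """Every setting the template would apply; review it for unintended defaults."""
    return {(sec, key) for sec in SETTING_SECTIONS for key in sections.get(sec, {})}


def xp_editor_restricted(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Keys present that the Windows XP editor in Desktop Management cannot change."""
    return sorted(k for k in sections.get("System Access", {}) if k in XP_EDITOR_RESTRICTED)


# Constructed sample: a password policy plus one registry-backed security option.
SAMPLE_TEMPLATE = build_template(
    {"MinimumPasswordLength": 12, "PasswordComplexity": 1, "LockoutBadCount": 5},
    {r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": (4, 1)},
)

if __name__ == "__main__":
    parsed = parse_template(SAMPLE_TEMPLATE)
    print(SAMPLE_TEMPLATE)
    print("defined:", sorted(defined_settings(parsed)))
    print("not editable on XP through Desktop Management:", xp_editor_restricted(parsed))
```

Run defined_settings over a template you exported from an existing policy and compare it with the handful of settings you meant to import: anything extra is a default that will be applied, and will lengthen processing, every time the policy runs. Keys reported by xp_editor_restricted will be applied as imported but cannot be changed later from the Windows XP editor, so they need to be right in the file.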