A.14 Windows Group Policy Troubleshooting

The Group Policy Helper tool is not backward compatible with the earlier versions of ZENworks Configuration Management releases

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Action: Install the version of the Group Policy Helper tool available with the corresponding ZENworks Configuration Management release.

Favorites configured by using the Group policy are not cleared when the group policy is unenforced

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you use the Internet Explorer Maintenance settings of the Group policy to configure favorites, the favorites are not cleared when the Group policy is unenforced.
Action: Use the Browser Bookmark policy to configure the favorites.

Internet Explorer Settings configured in the Group policy are not applied on the Internet Explorer

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: On launching the Internet Explorer browser, the runonce page is displayed instead of the home page configured in the Group policy.
Action: On the runonce page, follow the on-screen prompts to configure the settings.

Security settings of the Windows Group policy are not effective on the device

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If the security settings are not configured in the Windows Group policy, the policy uses the default security settings of the device on which it was created. When more than one Windows Group policy is applied to a device, the security settings of the last applied policy are effective on the device.
Action: If you assign multiple policies to a device, ensure that the policy whose security settings you want to be effective on the device is applied last on the device.

The Security settings configured in the Windows Group policy are not applied on a Windows XP SP1 or SP2 managed device

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Action: On the Windows XP SP1 or SP2 managed device, install Windows Hotfix KB897327 from the Microsoft Support Web site.

Unable to launch the Group Policy Helper tool on a 32-bit Windows Vista or Windows 7 device

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The Group Policy Helper tool does not launch on a 32-bit Windows 7/Vista device if the User Account Control (Start > Settings > Control Panel > User Accounts) is enabled and Mozilla Firefox or any other browser is used.
Action: Configure the Internet Explorer or Mozilla Firefox browser to run with administrator credentials.

  • To configure Internet Explorer or Mozilla Firefox for a session, right-click the selected browser’s shortcut icon on the desktop, then select Run as administrator.

  • To configure the Internet Explorer or Mozilla Firefox browser permanently:

    1. On the desktop, right-click the selected browser’s shortcut icon and select Properties. Click the Shortcut tab, then click the Advanced button. In the Advanced Properties dialog box, select Run as administrator.

      or

      In Windows Explorer, navigate to the Internet Explorer or Mozilla Firefox executable file, right-click the file, then select Properties. Click the Compatibility tab, then select Run this program as an administrator.

    2. Restart the browser.

Policy Enforcement status is not properly displayed

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you assign more than one policy to a user or a device, the policy enforcement status is not properly displayed.The consolidated status of a Group policy is displayed in the ZENworks icon only for the last enforced policy. That is, if any of the Group policies fail, the last effective policy is displayed in the ZENworks icon as Failed and rest of the policies are displayed as Success.
Possible Cause: The consolidated settings are applied only for the last policy.
Action: None.

Unable to export Group Policy content

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you use the zman command to export a policy with content, the content (.zip file) is not exported.
Action: Perform the following steps:

  1. In ZENworks Control Center, edit the policy you want to export.

  2. Click Upload to upload the policy settings to the content server.

  3. The Upload Confirm dialog box displays the name of the .zip file that stores the policy settings. Copy the .zip file to the required location, such as c:\.

  4. Run the zman petf command to export the policy to an XML file, such as export.xml.

    For example, zman petf \policies c:\export.xml.

  5. Edit the export_actioncontentinfo.xml file to update the path of the .zip file.

Unable to view the 64 bit snap-ins in the Group Policy Helper tool

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: While creating or editing the Group policy in ZENworks Control Center, you cannot view the 64-bit snap-ins in the Group Policy Helper tool because the 32-bit version of the Group Policy Helper tool is launched by default.
Action: None.

Log-on and Log-off scripts that launch GUI applications do not functional properly on terminal server and Windows Vista devices

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: On the terminal server and Windows Vista devices, the log-on and log-off scripts launching GUI applications do not functional properly because the Graphical User Interface is not launched on the desktop.
Action: Use Directive bundles to launch the GUI applications:

  1. Create a Directive bundle.

  2. Add a Launch Windows Executable action to launch a GUI application, such as mspaint.

  3. Assign the bundle to a device.

  4. Select Launch Schedule, then select the schedule type as Event.

  5. Select the User Login or User Logout event to trigger the schedule.

Assigning an Active Directory Group policy to a user or a device might generate some application event logs on the device

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you configure an Active Directory Group policy and assign the policy to a user or a device, some application event logs might be generated on the device even if the policy is successfully enforced on the device.
Action: Ignore the application event logs.

Group Policy created on a device with a specific operating system is not enforced on a device with a different operating system

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The Windows Group policy containing the local group policy settings is not applied on a device if the operating system of the device where the policy is applied is different from the operating system of the device where the policy is created.
Action: Remove the Operating System specific System Requirement from the Windows Group policy and then apply the policy.

However, the security settings are applied only if the operating system version of the device where the policy is applied is later than the operating system version of the device where the policy is created.

Configuring Group Policy on a 64-bit version of Windows Vista device, Windows Server 2008, and Windows 7 device is not yet supported

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: You cannot configure Group policy on 64-bit version of Windows Vista device, Windows Server 2008, and Windows 7 device. However, you can enforce Group policy on these devices.
Action: To enforce Group Policy on 64-bit version of a device, configure a Group policy on a corresponding 32-bit version of the device and assign it to the 64-bit device. For example, create a Group policy on a 32-bit Windows 7 device and assign it to a 64-bit Windows 7 device.

Scripts configured through Active Directory Group policy are not enforced on a device.

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The scripts configured through Active Directory group policy are not enforced on a device even though the policy displays success in the ZENworks Adaptive Agent Policies page. However, the other settings if any configured in the policy are enforced on the device.
Action: Configure scripts through Local Group policy.

Security settings that have not been configured in a ZENworks Group Policy are also enforced on a managed device when the ZENworks Group Policy is enforced on the managed device

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you create a Windows Group Policy through the ZENworks Control Center of a device that already has some security settings configured and assign this policy to a managed device, the security settings that were configured on the device, on which you created the group policy, are also applied on the managed device.
Action: To remove all the previously configured security settings on a device, run the following command before you launch the ZENworks Control Center on the device to create the Group policy:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Partial failure of Group Policy unenforcement settings

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: When Group Policy settings are unenforced on a device, URLs added in Favourites and Links do not get removed.
Action: To unenforce the Group Policy settings and restore the system to a clean state, make sure you select the option Delete existing Favourites and Links, if present, when the system is in the default state prior to applying any policies.

Users need to log in again on a managed device, even though the setting for a forced login is not selected

Source: ZENworks 11 SP2 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: After applying an updated Windows Group Policy on a managed device, logged-in users are forced to log out even though the After enforcement, force a re-login on the managed device, if necessary setting is not selected.
Action: To ensure that a user does not need to log in again to the managed device, deselect the After enforcement, force a re-login on the managed device, if necessary option on any Roaming Profile Policy that is associated with the same user or device.

For more information, see TID 7007600 in the Novell Support Knowledgebase.