A.14 Windows Group Policy Troubleshooting

The Group Policy Helper tool is not backward compatible with the earlier versions of ZENworks Configuration Management releases

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Action: Install the version of the Group Policy Helper tool available with the corresponding ZENworks Configuration Management release.

Favorites configured by using the Group policy are not cleared when the group policy is unenforced

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you use the Internet Explorer Maintenance settings of the Group policy to configure favorites, the favorites are not cleared when the Group policy is unenforced.
Action: Use the Browser Bookmark policy to configure the favorites.

Internet Explorer Settings configured in the Group policy are not applied on the Internet Explorer

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: On launching the Internet Explorer browser, the runonce page is displayed instead of the home page configured in the Group policy.
Action: On the runonce page, follow the on-screen prompts to configure the settings.

Security settings of the Windows Group policy are not effective on the device

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If the security settings are not configured in the Windows Group policy, the policy uses the default security settings of the device on which it was created. When more than one Windows Group policy is applied to a device, the security settings of the last applied policy are effective on the device.
Action: If you assign multiple policies to a device, ensure that the policy whose security settings you want to be effective on the device is applied last on the device.

The Security settings configured in the Windows Group policy are not applied on a Windows XP SP1 or SP2 managed device

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Action: On the Windows XP SP1 or SP2 managed device, install Windows Hotfix KB897327 from the Microsoft Support Web site.

Unable to launch the Group Policy Helper tool on a Windows Vista or Windows 7 device

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The Group Policy Helper tool does not launch on a Windows 7/Vista device if the User Account Control (Start > Settings > Control Panel > User Accounts) is enabled and Mozilla Firefox or any other browser is used.
Action: Configure the Internet Explorer or Mozilla Firefox browser to run with administrator credentials.

  • To configure Internet Explorer or Mozilla Firefox for a session, right-click the selected browser’s shortcut icon on the desktop, then select Run as administrator.

  • To configure the Internet Explorer or Mozilla Firefox browser permanently:

    1. On the desktop, right-click the selected browser’s shortcut icon and select Properties. Click the Shortcut tab, then click the Advanced button. In the Advanced Properties dialog box, select Run as administrator.

      or

      In Windows Explorer, navigate to the Internet Explorer or Mozilla Firefox executable file, right-click the file, then select Properties. Click the Compatibility tab, then select Run this program as an administrator.

    2. Restart the browser.

For more information, see TID 7013019 in the Novell Support Knowledgebase

Policy Enforcement status is not properly displayed

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you assign more than one policy to a user or a device, the policy enforcement status is not properly displayed.The consolidated status of a Group policy is displayed in the ZENworks icon only for the last enforced policy. That is, if any of the Group policies fail, the last effective policy is displayed in the ZENworks icon as Failed and rest of the policies are displayed as Success.
Possible Cause: The consolidated settings are applied only for the last policy.
Action: None.

Unable to export Group policy content

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you use the zman command to export a policy with content, the content (.zip file) is not exported.
Action: Perform the following steps:

  1. In ZENworks Control Center, edit the policy you want to export.

  2. Click Upload to upload the policy settings to the content server.

  3. The Upload Confirm dialog box displays the name of the .zip file that stores the policy settings. Copy the .zip file to the required location, such as c:\.

  4. Run the zman petf command to export the policy to an XML file, such as export.xml.

    For example, zman petf \policies c:\export.xml.

  5. Edit the export_actioncontentinfo.xml file to update the path of the .zip file.

Log-on and Log-off scripts that launch GUI applications do not functional properly on terminal server and Windows Vista devices

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: On the terminal server and Windows Vista devices, the log-on and log-off scripts launching GUI applications do not functional properly because the Graphical User Interface is not launched on the desktop.
Action: Use Directive bundles to launch the GUI applications:

  1. Create a Directive bundle.

  2. Add a Launch Windows Executable action to launch a GUI application, such as mspaint.

  3. Assign the bundle to a device.

  4. Select Launch Schedule, then select the schedule type as Event.

  5. Select the User Login or User Logout event to trigger the schedule.

Assigning an Active Directory Group policy to a user or a device might generate some application event logs on the device

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you configure an Active Directory Group policy and assign the policy to a user or a device, some application event logs might be generated on the device even if the policy is successfully enforced on the device.
Action: Ignore the application event logs.

Group policy created on a device with a specific operating system is not enforced on a device with a different operating system

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The Windows Group policy containing the local group policy settings is not applied on a device if the operating system of the device where the policy is applied is different from the operating system of the device where the policy is created.
Action: Remove the Operating System specific System Requirement from the Windows Group policy and then apply the policy.

However, the security settings are applied only if the operating system version of the device where the policy is applied is later than the operating system version of the device where the policy is created.

Scripts configured through Active Directory Group policy are not enforced on a device

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The scripts configured through Active Directory group policy are not enforced on a device even though the policy displays success in the ZENworks Adaptive Agent Policies page. However, the other settings if any configured in the policy are enforced on the device.
Action: Configure scripts through Local Group policy.

Security settings that have not been configured in a ZENworks Group Policy are also enforced on a managed device when the ZENworks Group Policy is enforced on the managed device

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you create a Windows Group policy through the ZENworks Control Center of a device that already has some security settings configured and assign this policy to a managed device, the security settings that were configured on the device, on which you created the group policy, are also applied on the managed device.
Action: To remove all the previously configured security settings on a device, run the following command before you launch the ZENworks Control Center on the device to create the Group policy:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

The screen remains blank after logging into a terminal server

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: When enforcing few group policy settings, ZCM restarts the explorer.exe or Relaunching of Windows Explorer may have failed.
Action: To manually launch the explorer perform the following steps:

  1. Press Ctrl+Shift+Esc to launch the Windows Task Manager.

  2. Select File > New Task (Run)

  3. In the Create New Task pane, enter explorer.

  4. Click OK, to launch the Windows Explorer.

    or

    Set a registry key value DisableExplorerRestart at HKLM\Software\Novel\ZCM\GroupPolicy and set it to true. This ensures that ZENworks Configuration Management does not restart the explorer.

Partial failure of Group Policy unenforcement settings

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: When Group Policy settings are unenforced on a device, URLs added in Favorites and Links do not get removed.
Action: To unenforce the Group Policy settings and restore the system to a clean state, make sure you select the option Delete Existing Favorites and Links, if present, when the system is in the default state prior to applying any policies.

Users need to log in again on a managed device, even though the setting for a forced login is not selected

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: After applying an updated Windows Group Policy on a managed device, logged-in users are forced to log out even though the After enforcement, force a re-login on the managed device, if necessary setting is not selected.
Action: To ensure that a user does not need to log in again to the managed device, deselect the After enforcement, force a re-login on the managed device, if necessary option on any Roaming Profile Policy that is associated with the same user or device.

For more information, see TID 7007600 in the Novell Support Knowledgebase.

Security settings are not applied randomly for Group policies at device startup

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: Security settings are not applied randomly for Group policies at device startup if Haspolicychanged flag is false.
Action: Even if there is no change in the Group policy, you can apply Group policy again at device start up:

  1. On a Windows managed device, open the Registry Editor.

  2. Go to HKLM\Software\Novell\ZCM\GroupPolicy.

  3. Configure the ReApplyPolicyatDeviceStartup registry key, with any string value other than Null.

    If configured, the device assigned Group policy gets processed, even if the value of the Haspolicychanged parameter is False.

Group policy user settings are not always enforced for a user if there is no change in the user-assigned group policy from a previous login

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If you have assigned Group policy settings to a user, and there is no change in the policy from the previous enforcement, the settings might not apply on a logged-in user.
Action: To configure the Group policy settings:

  1. On a Windows managed device, open the Registry Editor.

  2. Go to HKLM\Software\Novell\ZCM\GroupPolicy.

  3. Configure the ReApplyPolicyatUserPredeskTop registry key with any string value other than Null.

    If you configure this registry key, logging in might be slow.

The Group policy security settings created locally gets overridden by zenworks Group policy settings

Source: ZENworks 11 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: ZENworks Configuration Management enforces default security settings even if the option ApplyAllSettingsExceptSecuritySettings is selected in the policy. This will override the security settings configured in the local group policy of the managed device.
Action: The registry key IgnorePrezenworksSecuritySettings needs to be created at HKLM\Software\Novell\ZCM\GroupPolicy\ and set to True before applying the Group policies on the managed device.