NAL does not launch after upgrading to XPsp2.
(Last modified: 11Feb2006)
This document (10095342) is provided subject to the disclaimer at the end of this document.
Novell ZENworks 6.5 Desktop Management - ZfD6.5
Novell ZENworks for Desktops 4.0.1 - ZfD4.0.1
Novell ZENworks Desktop Management - Group Policies
Microsoft Windows XP Professional SP2
NAL does not launch after upgrading to XPsp2.
NALWIN, NALVIEW, or MYAPPS.HTML exit memory after 1 or 2 seconds of trying to load.
MSI functionality is lost.
"Error 1719. The Windows Installer Service cannot be accessed..." is displayed when any MSI functions are attempted.
WMI functionality is lost.
Error "Can't Collect Information" when attempting to run MSINFO32.
Search for Files or Folders does not work.
DCOM errors may be seen.
These symptoms can occur to workstations whose lifecycle have followed either of the following paths:
start with XPsp1 > ZfD GroupPolicies have been applied > upgrade to XPsp2
start with XPsp2 > ZfD GroupPolicies (created with XPsp1 machine) have been applied
These symptoms should not occur to workstations whose lifecycle have followed the following path:
start with XPsp2 > ZfD GroupPolicies (created with XPsp2 machine) have been applied
To understand the cause of the issue, some background information applies:
XPsp2 introduces two new User Rights Assignments inside of the Security Settings of Group Policies. These are "Create Global Objects" and "Impersonate a client after authentication" and can be found underneath Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments in the Group Policy editor (gpedit.msc).
When ZfD applies the User Rights Assignments portion of Group Policies, it first clears all assignments, and then sets up the assignments according to those recorded in the Group Policy.
When ZfD Group Policies have been applied on a workstation the first time, a GroupPolicy.WMOriginal folder is created under Windows\System32. This stores a copy of the machines group policy as it was before ZfD started applying GroupPolicies to the workstation. On a logoff attempt, or on a login attempt after a restart - this WMOriginal policy is restored before the network policy is restored. The only time WMOriginal is not restored is if Persist Workstation Settings is being used within an effective Workstation Package.
Herein lies the problem - the WMOriginal that exists on a XPsp1 workstation does not know about the 2 new User Rights Assignments introduced by XPsp2. So, after upgrading to sp2 on the workstation, the WMOriginal is restored on the next login. While applying this WMOriginal, all User Rights Assignments are cleared and the assignments stored in the WMOriginal\Machine\Microsoft\Windows NT\Secedit\XPsec.dat are re-applied. However, since the WMOriginal doesn't know about the two new rights - they don't get set. Consequently, some OS features and 3rd party applications stop functioning, specifically because SERVICE is not assigned to the "Impersonate a client after authentication" right.
Fixed in Service Pack 1 for ZENworks 6.5 Desktop Management
For ZfD4.x, fixed in zfd401_ir6.exe or later found at Novell Product Updates
Note, for the complete fix, both the agent and the server must be updated.
WORKAROUND - If your workstation is in a broken state, you will need to do two things to restore and maintain functionality without uninstalling XPsp2:
rename program files\novell\zenworks\WMGRPPOL.DLL (this will stop the applying of the WMOriginal group policy... but it also disables the ability for ZfD to apply Group Policies too)
set the two new User Rights with their default assignments (see NOTE below)
Alternative WORKAROUND - If you have many workstations in a broken state, you may be able to do the following steps to restore and maintain functionality without uninstalling XPsp2:
use an XPsp2 box running ConsoleOne to edit the existing ZfD GroupPolicies on the network... set the two new User Rights Assignments with their default assignments (see NOTE below)
ensure that a Workstation Package is being used to deliver Security Settings to the workstations, and that Persist Workstation Settings is enabled.
Alternative WORKAROUND - To fix up the rights, you could also run the following command line
secedit /configure /db %WINDIR%\security\database\secedit.sdb /cfg %WINDIR%\security\templates\<new_user_rights.inf> /overwrite
provided that you have created a new INF (see TID 10096450) that contains the User Rights Assignments mentioned below.
The two new User Rights Assignments introduced in XPsp2 should have the following minimum assignments by default:
"Create Global Objects" - Administrators, INTERACTIVE, SERVICE
"Impersonate a client after authentication" - Administrators, SERVICE (and ASPNET if the .NET framework is installed)
In order to set Persist Workstation Settings, for ZENworks 6.5, there is a checkbox in the Workstation Package. For 4.x, follow the instructions in the ZfD4.x Documentation, ZENworks for Desktops 4.0.1 Administration Guide->Workstation Management->Enabling Windows Group Policy Caching Enhancements ->Using Cached Workstation Settings
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.