
GPO/local policy hell - EnableLinkedConnections - Vista/2k3


markm75

Apr 29, 2008, 12:21:01 PM
We initially had the problem that when you, for instance, ran Notepad as
"Administrator", the mapped drives for our domain were not visible under My
Computer..

I found the solution in the registry entry of EnableLinkedConnections,
setting the value to 1..

So at one point I made a custom admx file for this setting, which shows up
in GPO or local policy under Computer Config.. Admin. Tools..
"EnableLinkedConnections" folder with settings of enable/disable/not
configured on the right..

I think I must have gotten something wrong here.. but my new test Virtual PC
machine is working fine with elevation.. I checked and the registry setting
was in place...

I had created a 2003 GPO that would use the admx file (I updated the admx
files on the network so they were there etc too).. I called it Vista
Specific.. it had this setting..

So this is all well and good on the test machine.. the setting takes
effect.. but on every other Vista machine (4 of them) the setting gets
"erased" when I do a gpupdate /force on the local machine if I manually put
it in..

I think the problem is related to "local policy" overriding it, even though
local policy also seems to have the setting enabled.. I tried removing the
setting (not configured) in local policy and refreshing things, now the test
machine is not keeping the setting.. it's getting wiped, despite the "Vista
specific" server based GPO..

Any thoughts on how to fix this...

I'm confused on this local policy effect.. I guess modifying the local
policy affects all Vista machines, even though this isn't through the group
policy manager on the server?

Is it best practice to NOT modify the local policy even if a domain admin
and use the admx files on a 2003 server GPO setting instead (like I'm also
doing)?

I think I have some sort of conflict here but I'm not sure where or what to
fix..

Thanks

Darren Mar-Elia

Apr 29, 2008, 1:29:05 PM
I'm a bit confused about what you've put where. But, the bottom line is that
a registry policy defined in the local GPO will only be overwritten if it is
also defined on a domain-based GPO. So, if you are defining it as enabled on
the local GPO and it's not configured elsewhere, then you should be good. If
that's not the case, then I suspect something else is going on but it's not
clear what from your description below.
--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy

*******************************
Secure and configure your Windows desktops accurately every time without
having to learn or install new technology.
Find out more about Desktop Policy Manager at
http://www.sdmsoftware.com/desktop_management
*******************************



markm75

Apr 29, 2008, 2:29:02 PM

"Darren Mar-Elia" wrote:


I dug a little deeper.. and maybe this explanation will help clarify..

I have the enablelinkedconnections custom admx set on the domain policy..
but I also had it in the Policy Definitions folder on the local Vista machine
that I administer from...

The two admx files did not exist, locally, on any other Vista machine (I
thought if they were out on the domain policy they would get pushed but I
guess not?)..

So I logged into another Vista machine.. did gpedit.msc... looked under
admin templates (unchecked the show only managed ones option).. Then under
System.. I did NOT see the "EnableLinkedConnections" entry.. however.. as
soon as I copied the admx file down from say my usual admin workstation where
I had stored it in the policy definitions.. I was then able to see the entry
under the local policy settings..

But.. at this point on my domain based GPO for "vista settings" I have the
enablelinkedconnections setting set (I want everything to be done via my main
GPOs on 2003).. (I'm still not clear how/why anyone would want to configure
Vista GPO settings in the local policy from a Vista box itself)

Now.. on the local policy of this one machine (another Vista).. I was now
able to see the entry after copying the admx files over.. I made sure that
entry was set to "not configured".. but despite this.. when I would manually
enter the registry entry (the domain GPO wasn't putting it in for some
reason).. if I ran gpupdate from that box.. the entry would get deleted from
the registry despite being set to "not configured" in the local policy entry
and set to enabled via the domain one..

I'm not clear still, as to why this is happening..

markm75

Apr 29, 2008, 2:34:14 PM
I should add that even if I am able to set the local Vista policy setting to
enabled.. it still gets wiped out from the registry when the gpupdate command
is run...

Again, oddly, on a fresh Vista x86 virtual machine, joined to the domain..
this policy setting is working fine (and NOT visible in the local policy, but
the domain one must be overriding properly as the registry entry is there),
**though I can see under administrative templates.. "network" the entry for
background BITS.. "maximum network bandwidth for BITS" set to disabled..
actually I see two entries for "network" with this setting (I don't recall
setting this before either).


Alex Moffitt

Apr 29, 2008, 3:46:12 PM

Have you tried creating the policy from the Vista machine? Try putting
GPMC on there and see what turns up. Vista has a little more control
over its policies than the server does.

Darren Mar-Elia

Apr 29, 2008, 4:42:10 PM
OK. Well, you won't see a custom ADMX on the local GPO unless you manually
put it there, so that is why that issue was happening. As for the other
issue, I'm still not sure I follow all of what you are doing, but maybe the
following explanation will help. When registry policy is processed (i.e.
during a gpupdate /force) any registry values within the managed policy keys
in the registry that were set within GPOs will first be removed. That is how
the non-tattooing behavior of policy keys works. They are first removed, and
then reapplied. If you have manually (i.e. going through regedit) put a
value into one of the policy keys, it will be unknown to GP and will
essentially tattoo the registry. Thus it is possible that policy keys that
should be removed during a normal refresh cycle will not. Now I'm not sure
that's what you are seeing but it could account for some of the issues
you're having.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy


markm75

Apr 29, 2008, 10:08:01 PM

> Have you tried creating the policy from the Vista machine? Try putting
> GPMC on there and see what turns up. Vista has a little more control
> over its policies than the server does.
>

Actually this is what I am doing.. I'm using GPMC from a Vista box to set
the enableLinkedConnections to a value of 1 (so that mapped drives will show
up in elevated programs)..

But for some reason it seems like the local policy is wiping this out now
(ie: I'm on Vista.. I do a gpedit.msc).. even from a Vista box just editing
the local policy, I see my entry for the enablelinkedconnections.. whether I
try turning it on, on the server and/or turning it on or off via gpedit on
the local policy.. I can't get any combo of these settings to stick.

I'm not real clear on this.. but I thought that the domain policy set from
GPMC whether from the Vista box or from 2003.. would override any local
policy settings done by using gpedit.msc on a Vista box alone?

I think it is here that the confusion may be occurring.. ie: best bet is to
use GPMC from say a Vista box or 2003 server and set Vista policies here
correct?

(If so.. how can I undo the gpedit.msc local policy, short of going in and
choosing disable on say the computer config section, which I think does work
and make the mapped drives setting stick)?

markm75

Apr 30, 2008, 1:10:01 PM

"Darren Mar-Elia" wrote:


I don't know if this helps.. but running rsop.msc reveals an exclamation
mark next to the computer config section.. when I look for the custom setting
in the admin templates area.. it's not there (even though it shows up in the
local policy as well)...

Properties on the computer config.. error info.. show registry failed..
Registry failed due to the error listed below.
Unspecified error

When I look in the operational log I don't see much further info:

I just see a bunch of these:

Event ID 7016, source grouppolicy.. Completed EFS recovery Extension
Processing in 0 milliseconds

In the system logs.. I do have this every once in a while:
The processing of Group Policy failed because of an internal system error.
Please see the Group Policy operational log for the specific error message.
An attempt will be made to process Group Policy again at the next refresh
cycle.

<EventData>
  <Data Name="SupportInfo1">2</Data>
  <Data Name="SupportInfo2">1964</Data>
  <Data Name="ProcessingMode">2</Data>
  <Data Name="ProcessingTimeInMilliseconds">82213</Data>
  <Data Name="ErrorCode">87</Data>
  <Data Name="ErrorDescription">The parameter is incorrect.</Data>
</EventData>

markm75

Apr 30, 2008, 1:28:03 PM


I also took a look at the admx file I created, which now resides out on the
DCs.. sysvol\domain\policies\policy definitions

I suspect I have something wrong in the admx file below?:

<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="fullarmor"
            namespace="FullArmor.Policies.42DD9B38_02BE_4543_98A5_0FE974110C3C" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <supersededAdm fileName="" />
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="CAT_288EA4B2_0FB4_46E2_9845_B3F3D5CEE0C9"
              displayName="$(string.CAT_288EA4B2_0FB4_46E2_9845_B3F3D5CEE0C9)">
      <parentCategory ref="windows:System" />
    </category>
  </categories>
  <policies>
    <policy name="POL_0B3CD7C1_1FEE_4A3D_840A_A50FAEBCA343" class="Machine"
            displayName="$(string.POL_0B3CD7C1_1FEE_4A3D_840A_A50FAEBCA343)"
            explainText="$(string.POL_0B3CD7C1_1FEE_4A3D_840A_A50FAEBCA343_Help)"
            presentation="$(presentation.POL_0B3CD7C1_1FEE_4A3D_840A_A50FAEBCA343)"
            key="EnableLinkedConnections"
            valueName="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System">
      <parentCategory ref="CAT_288EA4B2_0FB4_46E2_9845_B3F3D5CEE0C9" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledList>
        <item key="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
              valueName="EnableLinkedConnections">
          <value>
            <decimal value="1" />
          </value>
        </item>
      </enabledList>
    </policy>
  </policies>
</policyDefinitions>
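
In the ADMX posted above, the `<policy>` element's `key` and `valueName` are reversed relative to the `<item>` inside its `<enabledList>`. The following check is an added example, not part of the original thread: `lint_admx` and `MANAGED_ROOTS` are hypothetical names, and the sample is the posted `<policy>` element with its display attributes dropped.

```python
import xml.etree.ElementTree as ET

# Registry roots (under HKLM/HKCU) that Group Policy treats as managed.
MANAGED_ROOTS = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)

# Constructed sample: the <policy> element from the post above, with the
# displayName/explainText/presentation attributes dropped for brevity.
SAMPLE = r"""
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="POL_0B3CD7C1_1FEE_4A3D_840A_A50FAEBCA343" class="Machine"
        key="EnableLinkedConnections"
        valueName="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System">
      <enabledList>
        <item key="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
            valueName="EnableLinkedConnections">
          <value><decimal value="1" /></value>
        </item>
      </enabledList>
    </policy>
  </policies>
</policyDefinitions>
"""

def local(tag):
    # Strip an XML namespace so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def lint_admx(xml_text):
    """Return (policy name, element, message) for suspicious key/valueName pairs."""
    findings = []
    for policy in ET.fromstring(xml_text).iter():
        if local(policy.tag) != "policy":
            continue
        name = policy.get("name", "?")
        for el in policy.iter():  # the policy itself, then its descendants
            tag = local(el.tag)
            key, value = el.get("key"), el.get("valueName", "")
            if tag not in ("policy", "item") or key is None:
                continue
            if "\\" in value and "\\" not in key:
                findings.append((name, tag, "key and valueName look swapped"))
            elif not (key.lower() + "\\").startswith(MANAGED_ROOTS):
                findings.append((name, tag, "key is outside the managed policy roots"))
    return findings
```

Running `lint_admx` over a custom ADMX before copying it into the PolicyDefinitions folder catches this class of mistake without a gpupdate cycle.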


markm75

Apr 30, 2008, 1:43:01 PM
And it would also seem that I must have those custom admx files installed in
the local policy folder as well as the domain one.. I removed them from the
local one and when in GPMC I couldn't see the key (entry) in the settings for
computer config..

Once I put it back I could see the setting.. I noticed that it shows up as
extra registry settings in the settings.. I had 4 entries at first.. I then
went in and tried turning off the setting (not configured).. now I have 2
entries instead of none.

Setting it to not configured only got rid of 2 of the 4..


markm75

Apr 30, 2008, 2:38:00 PM
As a final try I decided to remove the admx files from the local Vista
machine AND the domain policy folder as well..

I then discovered that in Vista SP1.. the GPMC has a new section called
"Preferences".. in here it allows custom registry entries to be put there..
I'm guessing it does some sort of on the fly admx creation?

At any rate.. after putting the linkedconnections registry entry in there
and running gpupdate /force.. it appears to have created the registry entry
successfully now.

The only thing is.. I'm still getting the exclamation on Computer settings
and the registry unspecified error.. so I'm not sure how this is even
working...


Alex Moffitt

Apr 30, 2008, 4:39:52 PM
Is it working on another Vista machine also?

markm75

Apr 30, 2008, 4:52:02 PM

"Alex Moffitt" wrote:

> Is it working on another Vista machine also?
>
>

Yes.. same situation though.. the registry key has been made.. but going
into rsop reveals the same "!" and registry error.. unspecified error ...

Since the computer config section isn't being applied.. I'm not sure how it's
working.

