Re: Local Policy reverting back to old settings



Hi,

I'm somewhat confused by the terminology you are using. "Local Policy" to me means the MACHINE Policy.

But you are talking about user policies, and this would usually hit the user's HKCU hive. I don't think of this as local because it's usually a roaming profile.

The policy to enable async logon scripts can be set for the machine _or_ the user, so are you sure you don't have the machine setting over-riding the user setting? Check the actual HKLM on one of the machines.

It's also worth noting this setting can be set outside of Group Policy at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon; if this value conflicts with the GP value, it would also explain unexpected behaviour.

You can set up a test OU and change the test user's password every ten minutes, then you can find out exactly what's going on at the test laptop without disrupting the rest of the network.

Fastenal-LPT Tech wrote:
Yes we've tried it both ways:
A reg hack to fix the user on the spot and get the user to what they need, knowing that this would revert back.

but:
Have also made the changes via gpedit thinking that this would change the policy, but after the password change, not expired, it reverts back to the original settings, it definitely relates to the password change, so it seems that every three months when that password chg GPO comes into play it also puts the original local settings back into play.

Is it possible that it creates a backup of the original policy file and every time this happens it goes back to the backup of the original and rewrites the registry.pol files?

We do a scripted install, then apply and local policy settings, and put software in place. Next we sysprep the machine, then shoot the image up to our Ghost server. This image is then used on all the laptops to follow of that particular type and model.

This policy went out for the first 3 months before the problem was noticed and caught, we since had redone the image without the login sync setting, so the machines to follow do not have the problem. I'm not sure if that will shed any light into what happens, other than those first machines revert back to that original policy they were born with. The only sure fix has been to reimage one with the newer image, but we put out about 60 machines in that 3 month period, so maybe the Domain GPO to all laptops might be the only sure fix with re-doing all 60.


"Roger Abell [MVP]" wrote:

So you are saying that if the user changes their password, then the
reversions you have done get undone (or is it only if the password
has been expired and then changed).
I notice that you are discussing two User policy settings, and also,
you stated initially
. . . and either by reg hack or gpedit would make
the change and turn it off.
Clearly, if the reversion were done by "reg hack" they would be
undone at the first time policy is reapplied. The local policy would
still be in force, but with hacked effect, until then, and it would say
to set things as originally configured.

Are you sure this is happening on machines where use of gpedit
was the method for making the reversions?

And again, reverting those settings with an AD based GPO would
be one way to overrule the local settings without use of per-machine
gpedit.

"Fastenal-LPT Tech" <FastenalLPTTech@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:F1C653C1-67B4-41D1-98AC-7632B84FF030@xxxxxxxxxxxxxxxx
Based on domain GPO, passwords are required to be changed every 3 months, and
it seems that as soon as the user does this, the old local policy settings
come back even tho they have been manually changed in gpedit prior. So it
would seem that the machines revert back to the original local policy
settings from the image. We create an image for each model of laptop we use,
included in the image is a local policy, and this is where it gets the
original settings. One would think that when changes are made thru gpedit
that it would edit .POL files which write these to the registry. We have also
noticed in the past that we have the c: drive hidden from the users since
their profile and user data is stored on the d: drive. If we unhide these,
these settings also revert back to hidden.

"Roger Abell [MVP]" wrote:

What is this "every three month mandatory password change" ?
More specifically, are you sure it only changes passwords??

Why not apply a reversing setting via AD based GPO? Once
this is seen by a machine being local, it will be cached and so
remain in force even when the machine is non-local, and if the
"every three month" thing fires off, if it is tweaking local settings
those also would still be below the AD based setting in pecking
order.

"Fastenal-LPT Tech" <Fastenal-LPT Tech@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:E5DEC335-7667-4457-8D6B-0E47827F3A10@xxxxxxxxxxxxxxxx
We have 700+ laptops in our network, last year in the local policy one tech
thought it would speed up the login process by running login scripts
synchronously.

This caused the laptops that received the image with this to take 10 minutes
before loading up the desktop when not plugged into the network. We since
figured out this was the cause and either by reg hack or gpedit would make
the change and turn it off.

But every 3 months after the mandatory password change it reverts back to
the old local policy and brings back these settings, does anyone know why
this happens even after going in and changing the local policy setting? What
are the steps to completely wipe out old local policy and replace with a new
one.






--
Gerry Hickman (London UK)
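
The check suggested at the top of this message (compare the machine setting, the user setting and the Winlogon value on one affected laptop) can be scripted as below; this is an added example, not part of the original posts. The value name `RunLogonScriptSync` and the `Policies\System` key path are assumptions that do not appear in the thread; only the Winlogon key is named there.

```powershell
# Added example: show every place the "run logon scripts synchronously"
# setting can live, and flag disagreement between them.
# Assumption: the value is named RunLogonScriptSync and the policy copies sit
# under ...\CurrentVersion\Policies\System (neither is stated in the thread).
$valueName = 'RunLogonScriptSync'

$locations = @(
    [pscustomobject]@{ Source = 'Machine policy (HKLM)'
                       Path   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' }
    [pscustomobject]@{ Source = 'User policy (HKCU)'
                       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' }
    [pscustomobject]@{ Source = 'Winlogon, outside Group Policy (HKCU)'
                       Path   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' }
)

# Read each location; a missing key or value is reported as "not set".
$report = foreach ($loc in $locations) {
    $item = Get-ItemProperty -Path $loc.Path -Name $valueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source = $loc.Source
        Path   = $loc.Path
        Value  = if ($item) { $item.$valueName } else { $null }
    }
}

$report | Format-Table Source, Value, Path -AutoSize

# Summarise: nothing set, all copies agree, or conflicting copies.
$configured = @($report | Where-Object { $null -ne $_.Value })
$distinct   = @($configured | ForEach-Object { $_.Value } | Sort-Object -Unique)

if ($configured.Count -eq 0) {
    "$valueName is not set in any of the checked locations."
}
elseif ($distinct.Count -gt 1) {
    Write-Warning "$valueName has conflicting values; compare the HKLM copy with the HKCU copies above."
}
else {
    "$valueName = $($distinct[0]) in every location where it is set."
}
```

Run it in the affected user's own logon session, since the two HKCU reads reflect whichever profile is loaded for the account running the script.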