Re: gp still tatooing!
From: Piotr Majcher (PiotrMajcher_at_discussions.microsoft.com)
Date: 12/15/04
- Next message: Lee Flight: "Re: Adam Replication error"
- Previous message: ptwilliams: "Re: Windows Version for an Enterprise AD"
- In reply to: Jimmy Andersson [MVP]: "Re: gp still tatooing!"
- Next in thread: Jimmy Andersson [MVP]: "Re: gp still tatooing!"
- Reply: Jimmy Andersson [MVP]: "Re: gp still tatooing!"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 15 Dec 2004 15:43:04 -0800
thanks for answering Jimmy
but i checked the registry and there is no entry with hide clock tattooed!
(of course there is antry when the policy is enabled otherwise its gone)
i checked the adm file and found registry path corresponding to the
setting in registry but the registry is absolutely clean!
check it yourself if you want. its simple:
1.create the policy with setting "hide clock from notofication area" enabled
2.assign the gpo
3.log on to the domain using domain account with no profile assigned
4.notice thet there is no clock
5.delete the gpo
6. log on again onto the same workstation - notice that the clock is still
gone
i was advised during the webcast to create another policy which will be
setting
affected setting to disable so it should reverse the setting to another state
but that doesn't work!
i did some extensive testing and it seems like there is a bug in GP and
local user profile
it affects for sure the setting "remove clock from the notification area"
when this particular setting is enabled and then the GPO is deleted or
unlinked
then this setting tattoos the local user profile!!!
what is more interesting i checked the portion of registry responsible for
hiding
clock and the registry is clean!!! no setting there!!!
i checked roaming profiles - all the settings worked well!
so this issue only applies to this particular setting "remove clock from the
notification area" and local user profiles
SO IT LOOKS LIKE A BUG TO ME!!! :)
can anybody confirm that?
whom should i report this issue to? :)
Thanks for your answers
Piotr Majcher
"Jimmy Andersson [MVP]" wrote:
> A work-around would be to script the reghack, apply it during logon, and
> reverse it with a logoff script. It's not the best solution but it should
> work if it's a big issue for you.
>
> Regards,
> /Jimmy
> --
> Jimmy Andersson, Q Advice AB
> Microsoft MVP - Directory Services
> ---------- www.qadvice.com ----------
>
>
> "Piotr Majcher" <PiotrMajcher@discussions.microsoft.com> wrote in message
> news:631BD2BD-5B67-40D7-A713-C495DA72F2A9@microsoft.com...
> >i still have no answer to my question :(
> >
> > does anyone know how can I avoid tattooing local user profiles?
> >
> > Piotr Majcher
> >
> >
> >
> > "Piotr Majcher" wrote:
> >
> >> thanks for answering,
> >> I took a look at the www you advised me to look and I have read
> >> the article "Understanding Policy Tattooing"
> >>
> >> but there is no explanation and solution to my problem
> >>
> >> the "hide clock" policy is not considered gp-tattooing but in my case it
> >> tatoos
> >> the local user profile how can i deal with such situation?
> >>
> >> is the only solution to manually clean the registry?
> >>
> >>
> >> Piotr Majcher
> >>
> >>
> >>
> >>
> >>
> >>
> >> "Thor Vanden Reysen" wrote:
> >>
> >> > hi,
> >> > Here is a good link :
> >> > http://www.gpoguy.com
> >> > @+
> >> >
> >> >
> >> > "Piotr Majcher" wrote:
> >> >
> >> > > I have remarked such a strange behaviour of policies
> >> > >
> >> > > I showed the students on my IT classess the GPO and such stuff and we
> >> > > were
> >> > > testing GP precedence. everything worked well when we added (linked
> >> > > to OU)
> >> > > more and more policies. the problem appears when i remove (unlink) or
> >> > > disable
> >> > > policies ( no matter if 1, 2 or all of them)
> >> > >
> >> > > some of the settings ARE STILL APPLIED :(
> >> > > (checked and confirmed: "hide clock" , "hide IE icon on the
> >> > > deskktop", "hide
> >> > > network places on desktop") those settings are permament in the
> >> > > user's
> >> > > environment!
> >> > >
> >> > > i check affected user with GPResults and it showes than no policies
> >> > > are
> >> > > applied however the user still has the restrictions from the state
> >> > > where the
> >> > > policies were working
> >> > >
> >> > > I AM NOT USING roaming prfiles for my users just local and I guess
> >> > > that the
> >> > > policies tatooed locally stored locopy of user profile and when the
> >> > > profile
> >> > > is used the restrictions are still applied.
> >> > >
> >> > > when the affected user logs onto another workstation (the one that he
> >> > > had
> >> > > never log on to) he gets a new local profile and no policies are
> >> > > applied to
> >> > > him.
> >> > >
> >> > > when the user logs onto a workstation and there is a copy of his
> >> > > profile
> >> > > (which was using when the policies were linked) the user uses its
> >> > > profile and
> >> > > despite there are no policies now he is being applied the old shadow
> >> > > policies
> >> > >
> >> > > when i delete the copy of the profile so the user gets a new one,
> >> > > everything
> >> > > is ok
> >> > >
> >> > > I DO NOT WANT to use roaming nor mandatory roaming profiles, I want
> >> > > to let
> >> > > my users use their local profiles
> >> > >
> >> > >
> >> > > Do You have any idea on fixing the problem?
> >> > >
> >> > >
> >> > > Have a good day
> >> > > Piotr Majcher
> >> > >
> >> > >
> >> > >
>
>
>
- Next message: Lee Flight: "Re: Adam Replication error"
- Previous message: ptwilliams: "Re: Windows Version for an Enterprise AD"
- In reply to: Jimmy Andersson [MVP]: "Re: gp still tatooing!"
- Next in thread: Jimmy Andersson [MVP]: "Re: gp still tatooing!"
- Reply: Jimmy Andersson [MVP]: "Re: gp still tatooing!"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
