Using ZENworks, you can specify and edit group policies for Windows 2000/XP workstations (User and Workstation Package) and for Windows 2000/2003 Terminal Servers (User Package only).
NOTE: The Windows Group policy is contained in both the User Package and in the Workstation Package. When you configure the Windows Group policy in the User Package, the policy applies to all associated users regardless of the workstation they use. When you configure the Windows Group policy in the Workstation Package, the policy applies to all users who log in to an associated workstation.
The following sections contain additional information:
The Windows Group policy is an extension of extensible policies for Windows 2000/XP and Active Directory. There is some cross-over in policy settings between the Windows Group policy and Desktop Management extensible policies, such as under User Configuration > Administrative Templates. For more information about extensible policies, see Computer/User Extensible Policies (Workstation/User Packages).
NOTE: You should not configure group policies on a Windows 2000 Domain Controller using ConsoleOne. To edit group policies through ConsoleOne, you should use a Windows 2000 workstation to edit Windows 2000 group policies and a Windows XP workstation to edit Windows XP group policies.
If a workstation is a member of an Active Directory domain but is disconnected from the domain, Windows Group policies contained in both the User and Workstation packages do not apply.
Using ZENworks Desktop Management to distribute Group policies to workstations or users where Group policies are already distributed by Active Directory (or vice versa) is not supported because of the unpredictable behavior that occurs. ZENworks Desktop Management does support distributing Active Directory settings. For more information, see Importing Windows Group Policies (User and Workstation Packages).
For the following reasons, you must use UNC paths rather than mapped drives for importing this policy to Desktop Management:
With UNC paths, as long as the server is available, the policy will be found.
Group policies have changed significantly since the ZENworks for Desktops 3 initial release. Review the following sections for more information:
Group policies are now additive. This means that settings from multiple Windows Group policies are cumulatively effective, rather than individually. Settings from multiple Windows Group policies can affect users and workstations. Policies start with the local Windows Group policy settings and are applied in reverse of the policy search order. This means that a setting in a policy applied first has lowest priority and its value is overwritten by any other policy with the same setting.
Security settings are not additive; they are set by the last effective policy.
Windows Group policies now track the revision of the policies in effect. As long as the list of effective policies and their revisions remains the same, Windows Group policies are not processed, but use the cached Group policy.
NOTE: Each time the Edit Policies button is clicked, the revision of a Windows Group policy changes, causing the policies to be reprocessed.
The last-processed Windows Group policy is cached locally. This helps reduce network traffic by processing Windows Group policies only if necessary. If UserA logs in on a new machine, his or her effective Group policies are processed and then cached.
If UserA logs out and UserB logs in, and if UserB has the same effective Group policies as UserA, the locally-cached Group policy is restored instead of reprocessing Windows Group policies. If the list of effective policies is different or if the revision is changed on any policy, the Windows Group policies are reprocessed.
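The additive resolution and revision-keyed caching described above, modelled in Python as an added illustration (this is not ZENworks code; the policy names, settings and revisions are constructed):

```python
# Added illustration of the policy-resolution and caching behaviour described above.
# This is not ZENworks code; the policy names, settings and revisions are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GroupPolicy:
    name: str
    revision: int                                   # changes each time Edit Policies is clicked
    settings: Dict[str, str] = field(default_factory=dict)  # registry.pol-style settings (additive)
    security: Optional[Dict[str, str]] = None       # security settings (not additive), if present


@dataclass
class Effective:
    settings: Dict[str, str]
    security: Dict[str, str]


def cache_key(search_order: List[GroupPolicy]) -> Tuple[Tuple[str, int], ...]:
    """The cached policy stays valid only while the effective policies and their revisions are unchanged."""
    return tuple((p.name, p.revision) for p in search_order)


def resolve(local: GroupPolicy, search_order: List[GroupPolicy]) -> Effective:
    """Start from the local policy and apply the effective policies in reverse of the search
    order, so the policy found first in the search is applied last and wins on conflicts."""
    settings = dict(local.settings)
    security = dict(local.security or {})
    for policy in reversed(search_order):
        settings.update(policy.settings)            # additive: only the keys present are overwritten
        if policy.security is not None:
            security = dict(policy.security)        # not additive: last effective policy replaces the set
    return Effective(settings, security)


def process_login(local: GroupPolicy, search_order: List[GroupPolicy],
                  cache: Dict[tuple, Effective]) -> Tuple[Effective, bool]:
    """Return (effective policy, served_from_cache); cache models the locally cached Group policy."""
    key = cache_key(search_order)
    if key in cache:
        return cache[key], True
    effective = resolve(local, search_order)
    cache[key] = effective
    return effective, False


def edit_policies(policy: GroupPolicy) -> None:
    """Clicking Edit Policies changes the policy revision, which forces reprocessing."""
    policy.revision += 1


# Constructed sample: local policy plus two effective policies in search order (Dept found first).
LOCAL = GroupPolicy("Local", 0,
                    {"HideDesktopIcons": "0", "ScreenSaverTimeout": "600"},
                    {"MinimumPasswordLength": "0", "LockoutThreshold": "0"})
DEPT = GroupPolicy("Dept", 1, {"HideDesktopIcons": "1"})
ORG = GroupPolicy("Org", 1, {"HideDesktopIcons": "0", "ScreenSaverTimeout": "900"},
                  {"MinimumPasswordLength": "8"})
SEARCH_ORDER = [DEPT, ORG]


def demo() -> List[bool]:
    """UserA logs in (processed), UserB with the same policies (cached), then Dept is edited (reprocessed)."""
    cache: Dict[tuple, Effective] = {}
    _, a_cached = process_login(LOCAL, SEARCH_ORDER, cache)
    _, b_cached = process_login(LOCAL, SEARCH_ORDER, cache)
    edit_policies(DEPT)
    _, after_edit_cached = process_login(LOCAL, SEARCH_ORDER, cache)
    return [a_cached, b_cached, after_edit_cached]


if __name__ == "__main__":
    print(resolve(LOCAL, SEARCH_ORDER))
    print(demo())
```

Note that the local LockoutThreshold value disappears from the effective security settings: the Org policy's security set replaces it wholesale rather than merging with it.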
New functionality has been added to the Desktop Management Windows Group policy implementation. The Windows Group policy settings in both the User package and in the Workstation package can remain in effect even when the workstation is disconnected from the network.
The administrator determines whether Windows Group policies are persistent or volatile. The persistent setting indicates that once the Windows Group policies are set, they remain set, even if a user logs in only to the workstation and not to the network.
The volatile setting indicates that the original local Windows Group policy settings will be restored when:
You can configure Windows Group policies in a User package for Windows 2000 and Windows 2003 Terminal Servers. You can also use the Windows 2000-2003 Terminal Server platform page if you want to set policies that apply to both platforms, which makes managing Terminal Servers easier.
When configuring Windows Group policies for Terminal Servers, consider the following:
In ConsoleOne, right-click the User Package, click Properties, then click the appropriate platform page.
When choosing the appropriate platform page, take the following into account:
Windows NT: For more information about Desktop Management support for the Windows NT platform, see "Interoperability with Windows NT 4 Workstations" in the Novell ZENworks 6.5 Desktop Management Installation Guide.
Windows NT-2000-XP platform page: Because of the differences between Windows 2000 and Windows XP with regard to how security settings are saved, you cannot use the Windows NT-2000-XP platform page to edit the Windows Group policy. For Windows 2000, security settings are saved in the gpttml.inf file; for Windows XP, security settings are saved in the xpsec.dat file. Both files are located in the \group policies\machine\microsoft\windows nt\secedit directory.
In ZENworks 6.5 SP1, the Edit option on the Windows NT-2000-XP platform page has been disabled; you must use one of the specific platform pages to edit group policies.
Select the check box under the Enabled column for the Windows Group policy.
This both selects and enables the policy.
Click Properties to display the Windows Group Policies page.
Specify the network location for new or existing group policies.
Ensure that users have sufficient rights to access this network location.
If you use an environment variable in the Network Location of Existing/New Group Policies field, you must first set the environment variable on the management workstation on which you are running ConsoleOne and on any workstations that receive the group policy. You must also exit and restart ConsoleOne before the variable is recognized.
(Conditional) If you want to import group policies from Active Directory, click Import Policy.
For more information, see Importing Windows Group Policies (User and Workstation Packages).
(Conditional) If you want to edit existing group policies, click Edit Policies.
For more information, see Editing Existing Windows Group Policies (User and Workstation Packages).
(Optional) Select the Group Policies Remain in Effect on User Logout check box to indicate that the pushed group policies remain in effect on the local Windows desktop after the user logs out.
IMPORTANT: We do not recommend using both the Group Policies Remain in Effect On User Logout settings and the Cache User Configuration settings in an environment in which the user Group policies are pushed to different users on common workstations.
(Optional) Select the Cache User Configuration check box.
Caching user configuration settings is different from enabling the Group Policies Remain in Effect on User Logout check box.
The Group Policies Remain in Effect on User Logout functionality enables the administrator to retain the group policy settings of the last logged-on user. The limitation of this approach is that any user who logs in locally (workstation only) receives the group policy settings of the last person who logged in to the network on that workstation. If an Administrator was the last user to log in to the network on a particular workstation, any subsequent local logins result in the user receiving the Administrator's policy settings.
To avoid this situation, you can enable the Cache User Configuration check box to allow each user's settings to be cached.
Consider the following before you enable caching of settings in the User package's Windows Group policy:
Selecting the Cache User Configuration check box causes the user configuration settings of each user's effective Windows Group policies to be stored in each user's local profile. When each user logs in locally, the user settings are read from the cached copy of the registry.pol in that user's profile and are applied. The only settings cached are those stored in the registry.pol file in the User folder. Other settings are not cached, including logon/logoff scripts, computer settings, and security settings.
IMPORTANT: We do not recommend using both the Group Policies Remain in Effect On User Logout settings and the Cache User Configuration settings in an environment in which the user Group policies are pushed to different users on common workstations.
In the Applied Setting Type box, enable the desired options.
These options allow Windows user, computer, and security settings to be pushed with a User or Workstation policy. This differs from earlier releases in which user settings were pushed with User packages and computer and security settings were pushed with Workstation packages.
User Configuration: Select to push settings under User Configuration with the Windows Group policy.
Computer Configuration: Select to push settings under Computer Configuration (Except Security Settings) with the Windows Group policy.
Security Settings: Select to push Windows security settings with the Windows Group policy. Selecting this option applies all security settings under Computer Configuration > Windows Settings > Security Settings, including Account Policies, Local Policies, Public Key Policies, and IP Security Policies on Local Machine. You cannot choose to push individual policies and policies are not additive.
NOTE: Only the User Configuration settings under Applied Settings Types apply to Terminal Servers. The Computer Configuration and Security Settings options are not available for Terminal Servers.
Click the Policy Schedule tab > select a schedule type:
You can click Advanced Settings to set additional settings such as Completion, Fault, Impersonation, Priority, and Time Limit. For detailed information on each of these settings, click the Help button on each page.
Click OK to save the policy.
When you have finished configuring all of the policies for this package, continue with the steps under Associating the User or Workstation Package to associate the policy package.
In ConsoleOne, right-click the Workstation Package, click Properties, then click the appropriate platform page.
When choosing the appropriate platform page, take the following into account:
Windows NT: For more information about Desktop Management support for the Windows NT platform, see "Interoperability with Windows NT 4 Workstations" in the Novell ZENworks 6.5 Desktop Management Installation Guide.
Windows NT-2000-XP platform page: Because of the differences between Windows 2000 and Windows XP with regard to how security settings are saved, you cannot use the Windows NT-2000-XP platform page to edit the Windows Group policy. For Windows 2000, security settings are saved in the gpttml.inf file; for Windows XP, security settings are saved in the xpsec.dat file. Both files are located in the \group policies\machine\microsoft\windows nt\secedit directory.
In ZENworks 6.5 SP1, the Edit option on the Windows NT-2000-XP platform page has been disabled; you must use one of the specific platform pages to edit group policies.
Select the check box under the Enabled column for the Windows Group policy.
This both selects and enables the policy.
Click Properties to display the Windows Group Policies page.
Specify the network location for new or existing group policies.
Ensure that users have sufficient rights to access this network location.
If you use an environment variable in the Network Location of Existing/New Group Policies field, you must first set the environment variable on the management workstation on which you are running ConsoleOne and on any workstations that receive the group policy. You must also exit and restart ConsoleOne before the variable is recognized.
(Conditional) If you want to import group policies from Active Directory, click Import Policy.
For more information, see Importing Windows Group Policies (User and Workstation Packages).
(Conditional) If you want to edit existing group policies, click Edit Policies.
For more information, see Editing Existing Windows Group Policies (User and Workstation Packages).
(Optional) Select the Persist Workstation Settings check box.
Selecting this option specifies that all workstation settings that Desktop Management supports (user, machine, and security settings) in the Workstation Package's Windows Group Policy can remain in effect (are cached) regardless of network connectivity.
Consider the following before you enable caching of settings in the Workstation Package's Windows Group policy:
Selecting the Persist Workstation Settings check box causes the workstation's effective Windows Group policy settings that are already stored in windows_directory\system32\group policy.wkscache to be applied, even if that workstation is unable to log in to the network as the Workstation object (for example, when the workstation is disconnected from the network).
In the Applied Setting Type box, enable the desired options.
These options allow Windows user, computer, and security settings to be pushed with a User or Workstation policy. This differs from earlier releases in which user settings were pushed with User packages and computer and security settings were pushed with Workstation packages.
User Configuration: Select to push settings under User Configuration with the Windows Group policy.
Computer Configuration: Select to push settings under Computer Configuration (Except Security Settings) with the Windows Group policy.
Security Settings: Select to push Windows security settings with the Windows Group policy. Selecting this option applies all security settings under Computer Configuration > Windows Settings > Security Settings, including Account Policies, Local Policies, Public Key Policies, and IP Security Policies on Local Machine. You cannot choose to push individual policies and policies are not additive.
(Optional) Select the Group Policy Loopback Support check box, then select a mode.
Enabling this option gives precedence to Workstation Package policies over User Package policies. Loopback support has two modes, replace and merge:
Don't Apply User's Policy Settings (Replace Mode): Select to ignore all User policy settings; Workstation policy settings are applied.
Apply Workstation's Policy Settings Last (Merge Mode): Select to apply User policy settings first and then Workstation policy settings. This lets you apply user settings but override conflicting settings with workstation settings. If a user setting does not conflict, it remains in effect.
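The two loopback modes above, modelled in Python as an added illustration (not ZENworks code; the settings are constructed, and the loopback-disabled case follows the statement above that enabling loopback is what gives Workstation Package policies precedence over User Package policies):

```python
# Added illustration of the loopback modes described above. Not ZENworks code; settings are
# constructed. With loopback off, User Package settings are applied last, as implied above.
from typing import Dict, List, Tuple

Settings = Dict[str, str]


def apply_loopback(user: Settings, workstation: Settings, mode: str) -> Tuple[Settings, List[str]]:
    """Return the effective settings and the user settings that were not applied as the user policy set them.

    mode: "replace" (Don't Apply User's Policy Settings), "merge" (Apply Workstation's
    Policy Settings Last) or "off" (Group Policy Loopback Support not enabled).
    """
    if mode == "replace":
        # All User policy settings are ignored; only Workstation policy settings apply.
        return dict(workstation), sorted(user)
    if mode == "merge":
        # User settings first, then Workstation settings: conflicts go to the workstation,
        # non-conflicting user settings remain in effect.
        effective = dict(user)
        effective.update(workstation)
        not_applied = sorted(k for k in user if k in workstation and workstation[k] != user[k])
        return effective, not_applied
    if mode == "off":
        # Loopback disabled: User Package settings take precedence, so they are applied last.
        effective = dict(workstation)
        effective.update(user)
        return effective, []
    raise ValueError(f"unknown loopback mode: {mode}")


# Constructed sample: a locked-down workstation policy and a user policy that partly conflicts with it.
USER = {"HideDesktopIcons": "0", "ProxyServer": "proxy.example.test:8080", "Wallpaper": "blue.bmp"}
WORKSTATION = {"HideDesktopIcons": "1", "ScreenSaverTimeout": "300"}

if __name__ == "__main__":
    for mode in ("replace", "merge", "off"):
        print(mode, apply_loopback(USER, WORKSTATION, mode))
```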
Click the Policy Schedule tab > select a schedule type:
Because the Windows desktop files finish loading before group policy settings are loaded, some group policies in the Workstation Package might exhibit odd behavior if they are scheduled to run at user login. Specifically, any changes to desktop settings (for example, hide My Network Places, hide all icons on the desktop, and so on) do not occur, and programs do not run if you have scheduled them to run at user login through a login script. If the user logs off and back on, the settings display correctly.
To prevent this behavior, do not configure group policies in the Workstation package to run at user login. Instead, configure them to run at system startup, on a daily basis, or on some other regular schedule.
If you configure group policies to run startup scripts and you schedule those policies to run at system startup, you should select the Persist Workstation Settings option in Step 7. Because Windows 2000/XP looks for and runs startup scripts before Workstation Manager authenticates and applies policies, group policies that you configure to run startup scripts might fail to run when scheduled to run at system startup. If you select the Persist Workstation Settings option, the Workstation Package group policy settings (and startup scripts) are cached and can be applied correctly at the next system startup.
You can click Advanced Settings to set additional settings such as Completion, Fault, Impersonation, Priority, and Time Limit. For detailed information on each of these settings, click the Help button on each page.
Click OK to save the policy.
When you have finished configuring all of the policies for this package, continue with the steps under Associating the User or Workstation Package to associate the policy package.
In ConsoleOne, right-click the User or Workstation Package, click Properties, then click the appropriate platform page.
Select the check box under the Enabled column for the Windows Group policy.
This both selects and enables the policy.
Click Properties to display the Windows Group Policies page.
Specify the network location for new or existing group policies.
Click Edit Policies.
When you click the Edit Policies button, the Microsoft Management Console editor is launched, where you can edit a User Package policy or a Workstation Package policy. For more information, click Help in the dialog boxes. After you have finished editing the policy, click the Close button.
When you edit group policies, be aware of the following:
Directory Path: Make sure you have selected the correct directory path because you could destroy data. All of the files in the selected directory as well as the Adm, User, and Machine subdirectories are deleted before the Active Directory group policy is copied to it.
Security Settings that Cannot be Edited in Windows XP: Because of changes in Windows XP, you cannot currently edit the following Windows XP Security settings using Desktop Management:
Password Must Meet Complexity Requirements
Store Password Using Reversible Encryption
Network Access: Allow Anonymous SID/Name Translation
Accounts: Administrator Account Status
Accounts: Guest Account Status
Operating System Version and Service Pack Level Checking in ZENworks 6.5 SP1: New functionality has been added to ZENworks 6.5 SP1 to check the operating system version and service pack level while editing group policies on all platforms on which you can edit group policies (Windows 2000, Windows XP, and Windows Server 2003). For example, if a group policy was created on a Windows XP SP1 or earlier workstation and you attempt to edit it on a Windows XP SP2 workstation, ZENworks 6.5 SP1 displays a warning dialog box. ZENworks 6.5 SP1 also prohibits you from editing a group policy that was created on a Windows XP SP2 workstation if you are using a workstation with either Windows XP or Windows XP SP1 installed.
Disabling Group Policy Settings using ZENworks 6.5 SP1: In ZENworks 6.5 Support Pack 1 (SP1), new functionality has been included to let you disable certain group policy settings without preventing future editing of the policy.
In previous versions of ZENworks, disabling certain settings disabled the group policy editor, preventing you from editing that policy in the future. These settings include the following (depending on the OS and service pack level, not all settings might be present):
Restrict the user from entering author mode
Restrict users to the explicitly permitted list of snap-ins
Group Policy Management
Group Policy Object Editor
Administrative Templates (Computers)
Administrative Templates (Users)
Folder Redirection
Internet Explorer Maintenance
Remote Installation Services
Scripts (Logon/Logoff)
Scripts (Startup/Shutdown)
Security Settings
Software Installation (Computers)
Software Installation (Users)
Wireless network (IEEE 802.11) Policies
If you disable any of these settings and then attempt to edit the policy, an error message displays stating that the snap-in has been restricted by policy. In addition, the group policy editor does not open.
To avoid this problem, in ZENworks 6.5 SP1, these settings are removed from the group policy and saved in a temporary local location. When you close the editor, the settings in the temporary file are merged with the settings in the newly configured group policy. If you made any changes to these settings while using the editor and they conflict with those settings that were saved in the temporary file, the new settings take precedence over the original settings that were moved to the temporary file.
Using Windows XP SP2 and ZENworks 6.5: Windows XP SP2 contains two new user rights assignments inside the security settings of group policies: Create Global Objects and Impersonate a Client After Authentication. These user rights assignments are found in Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments in the Group Policy editor (gpedit.msc).
Because of these changes, if you edit a group policy that was created on a Windows XP SP1 or earlier workstation using a Windows XP SP2 workstation, or vice versa, the policy is saved with Windows XP SP2 settings, which might cause problems when pushed to a Windows XP SP1 or earlier workstation.
If you use ZENworks 6.5, as opposed to ZENworks 6.5 SP1, to manage group policies, we recommend that you do not upgrade to Windows XP SP2 because of known issues. These issues have been addressed in ZENworks 6.5 SP1.
If you have already installed Windows XP SP2 and you will continue using ZENworks 6.5, see TID 10095342.
Click OK to save the policy.
In ConsoleOne, right-click the User or Workstation Package, click Properties, then click the appropriate platform page.
Select the check box under the Enabled column for the Windows Group policy.
This both selects and enables the policy.
Click Properties to display the Windows Group Policies page.
Specify the network location for new or existing group policies.
If you want to import group policies from Active Directory, click Import Policy, then fill in the fields.
Select an import option:
Import Whole Active Directory Folder: Lets you import all group policies in the Active Directory folder. If you select this option, in the Source Location field, specify the UNC path to the folder containing group policies created by Active Directory that you want to migrate to the directory listed in the Destination Location of Migrated Group Policies field. You must know or browse for the Unique Name of the directory from which you will import the Active Directory group policy. You can find the Unique Name by examining the properties of the Active Directory Group policy.
Import Security Settings: Lets you import security settings from a file. If you select this option, in the Source Location field, specify the UNC path to the file containing the security settings created by Active Directory that you want to migrate to the directory listed in the Destination Location of Migrated Group Policies field. You must know or browse for the Unique Name of the file that you will import into the group policy.
Imported security settings let administrators set only certain security settings without affecting all remaining security settings. Security settings can be imported from an Active Directory Group policy or can be created with the Security Templates snap-in in the Microsoft Management Console (MMC). For more information, see Creating Security Settings Using the Security Templates Snap-In in the Microsoft Management Console (MMC).
When you import an Active Directory Group policy containing security settings or import a security settings file, the imported settings are saved in a new file called zensec.inf.
The security settings in zensec.inf are used instead of the regular security settings displayed when you edit the Group policy in MMC. The security settings shown in MMC are therefore not accurate, and any changes made to them are not applied. If imported security settings are detected while a Group policy is being edited, a message box informs the user that the security settings in zensec.inf will be used in place of the regular security settings and offers to display the settings in the zensec.inf file.
IMPORTANT: You should use UNC paths rather than mapped drives for group policies.
Click Import.
This copies the Active Directory group policy or file to the directory specified in the Destination Location of Migrated Group Policies field. If the specified directory does not exist, it is created.
WARNING: Make sure you have selected the correct directory path in the Destination Location of Migrated Group Policies field because you could destroy data. All of the files in the selected directory as well as the Adm, User, and Machine subdirectories are deleted before the Active Directory group policy is copied to it.
Click OK to save the policy.
We recommend that you create new security settings rather than editing existing settings in the MMC. The problem with editing existing security settings is that they might contain default settings that you do not need and that can take a significant amount of time to process. You can avoid this problem by generating new settings.
NOTE: You must be logged on as an administrator or a member of the Administrators group to create security templates. Network policy settings might also prevent you from creating security templates.
To create new security settings using the Security Templates snap-in:
Click the Start button, then click Run.
Type mmc, then click OK.
Click File > Add/Remove Snap-in to display the Add/Remove Snap-in dialog box.
On the Standalone page, click Add.
In the Add Standalone Snap-in dialog box, click Security Templates, click Add, then click Close to close the Add Standalone Snap-in dialog box.
In the Add/Remove Snap-in dialog box, click OK.
(Optional) In the console tree, right-click Security Templates, click New Template Search Path, then select the new location.
A folder with the path of the new location appears in the console tree.
Right-click the folder where you want to store the new template, then click New Template.
Type a template name and description, then click OK.
In the console tree, double-click the new security template to display the security areas and navigate until the security setting you want to configure is in the right pane.
Double-click the security setting you want to configure, select the Define This Policy Setting in the Template check box, edit the settings, then click OK.