Windows Group Policies

You can specify and edit group policies for Windows* 2000/XP workstations and for Windows 2000/2003 Terminal Servers.

Because Windows 2000 and Windows XP save security settings differently, you should not use the Windows NT-2000-XP platform page to configure the Windows Group policy. For Windows 2000, security settings are saved in the gpttmpl.inf file; for Windows XP, security settings are saved in the xpsec.dat file. Both files are located in the \group policies\machine\microsoft\windows nt\secedit directory.

Microsoft has implemented security changes in Windows XP SP2. If you have workstations running Windows XP SP2, see Windows XP SP2 and ZENworks 7 Windows Group Policies in the ZENworks 7 Desktop Management Administration Guide.

You should not configure group policies on a Windows 2000 Domain Controller using ConsoleOne®. To edit group policies through ConsoleOne, you should use a Windows 2000 workstation to edit Windows 2000 group policies and a Windows XP workstation to edit Windows XP group policies.

If a workstation is a member of an Active Directory domain but is disconnected from the domain, Windows Group policies contained in both the User and Workstation packages do not apply.

There is some cross-over in policy settings between Windows group policies and ZENworks® Desktop Management Extensible Policies, such as under User Configuration > Administrative Templates.

The Windows settings (for Security and Administrative Templates) are stored on the NetWare® server.

Network Location of Existing/New Group Policies
Enter or browse for the location of the Windows group policies.

WARNING: Make sure you have selected the correct directory path because you could destroy data. All of the files in the selected directory as well as the Adm, User, and Machine subdirectories are deleted before the Active Directory* group policy is copied to it.

If you accidentally select a directory that does not contain a group policy, Microsoft* Management Console (MMC) displays your server's default settings and saves those settings into the selected directory when you exit MMC.

If you use an environment variable in the Network Location of Existing/New Group Policies field, you must first set the environment variable on the management workstation on which you are running ConsoleOne and on any workstations that receive the group policy. You must also exit and restart ConsoleOne before the variable is recognized.
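The following pre-flight check is an added example, not part of ZENworks or its documentation. It lists what the deletion described in the warning above would remove from a candidate path and fails if a %VAR% reference is not set; the ZENPOL variable name, the verdict labels, and the rule that a User or Machine subdirectory marks a group policy directory are assumptions made for the example.

```python
import os
import re
import tempfile

GPO_SUBDIRS = {"adm", "user", "machine"}  # subdirectories the page says are wiped

def expand(path, env):
    """Expand %VAR% references; fail if one is not set on this workstation."""
    known = {k.upper(): v for k, v in env.items()}
    def sub(match):
        name = match.group(1).upper()
        if name not in known:
            raise KeyError("environment variable not set: " + name)
        return known[name]
    return re.sub(r"%([^%\\/]+)%", sub, path)

def preflight(path, env=None):
    """Report what would be deleted if `path` were chosen as the policy location."""
    target = expand(path, os.environ if env is None else env)
    if not os.path.isdir(target):
        return {"path": target, "verdict": "missing", "at_risk": []}
    at_risk, subdirs = [], set()
    for name in sorted(os.listdir(target)):
        full = os.path.join(target, name)
        if os.path.isfile(full):
            at_risk.append(name)                      # every top-level file goes
        elif name.lower() in GPO_SUBDIRS:
            subdirs.add(name.lower())
            for root, _dirs, files in os.walk(full):  # and these three trees
                at_risk += [os.path.relpath(os.path.join(root, f), target)
                            for f in sorted(files)]
    if subdirs & {"user", "machine"}:
        verdict = "group-policy"    # assumption: User or Machine marks a policy dir
    elif at_risk:
        verdict = "unrelated-data"  # these files would be destroyed
    else:
        verdict = "no-policy"       # MMC would save the server defaults here
    return {"path": target, "verdict": verdict, "at_risk": at_risk}

def demo():
    """Constructed sample: one policy directory and one share holding other data."""
    base = tempfile.mkdtemp()
    for rel in ("gpo/User/registry.pol", "gpo/Adm/system.adm", "docs/payroll.xls"):
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    env = {"ZENPOL": base}          # hypothetical variable name
    return {d: preflight("%ZENPOL%" + os.sep + d, env) for d in ("gpo", "docs", "new")}
```

Proceed only on a "group-policy" verdict, or on a directory created for this purpose, after reviewing the at_risk list.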

Edit Policies
When you click the Edit Policies button, the MMC editor is launched, where you can edit a User Package policy. After you have finished editing the policy, click the Close button. The menus do not provide an Exit option.

IMPORTANT: Even if no changes are subsequently made, clicking this button time-stamps Directory Services, pushes the policy the next time it runs, and sends additional packets on the wire.

Note: If the Network Location of Existing/New Group Policies path is set to a Linux file server, permission must be set from a Linux machine to allow read rights for users and workstations.

WARNING: Make sure you have selected the correct directory path because you could destroy data. All of the files in the selected directory as well as the Adm, User, and Machine subdirectories are deleted before the Active Directory group policy is copied to it.

Because of changes in Windows XP, you cannot currently edit the following Windows XP Security settings using Desktop Management:

Security Settings > Account Policies > Password Policy > Password Must Meet Complexity Requirements

Security Settings > Account Policies > Password Policy > Store Password Using Reversible Encryption

Security Settings > Local Policies > Security Options > Network Access: Allow Anonymous SID/Name Translation

Import Policy
If you want to import group policies from Active Directory or a security settings file, click Import Policy, then fill in the fields:

Import Active Directory Group Policy
Lets you import all group policies in the Active Directory folder. If you select this option, in the Source Location field, specify the UNC path to the folder containing the group policies created by Active Directory that you want to migrate to the directory listed in the Destination Location of Migrated Group Policies field. You must know or browse for the Unique Name of the directory from which you will import the Active Directory group policy. You can find the Unique Name by examining the properties of the Active Directory group policy.

Import Security Settings File
Lets you import security settings from a file. If you select this option, in the Source Location field, specify the UNC path to the file containing the security settings that you want to migrate to the directory listed in the Destination Location of Migrated Group Policies field. You must know or browse for the Unique Name of the file that you will import into the group policy.

If you import Group policy settings or a security file, Desktop Management stores the settings in the zensec.inf file. For more information, see Imported Security Settings.
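An added example, not Novell or Microsoft code: it reads the three settings listed under Edit Policies as not editable through Desktop Management from a security settings file, so they can be reviewed before the file is imported. It assumes the file is a standard Windows security template (INF) with a [System Access] section; the key names come from that template format rather than from this page, and the sample content and target values are constructed for the example.

```python
import codecs

# Template key -> (setting name as listed on this page, target value).
# Target values are an assumed baseline; adjust them to your own policy.
WATCHED = {
    "PasswordComplexity": ("Password Must Meet Complexity Requirements", 1),
    "ClearTextPassword": ("Store Password Using Reversible Encryption", 0),
    "LSAAnonymousNameLookup": (
        "Network Access: Allow Anonymous SID/Name Translation", 0),
}

def decode_inf(raw):
    """Security templates are often UTF-16 with a BOM; fall back to single-byte."""
    if raw[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def system_access(text):
    """Return the key/value pairs of the [System Access] section."""
    section, found = None, {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()       # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key.lower()] = value
    return found

def audit(raw):
    """Return (setting, value, status) for each watched setting."""
    found = system_access(decode_inf(raw))
    report = []
    for key, (label, wanted) in WATCHED.items():
        value = found.get(key.lower())
        if value is None:
            status = "not defined"
        else:
            status = "ok" if value == str(wanted) else "review"
        report.append((label, value, status))
    return report

# Constructed sample template, encoded as UTF-16 with a BOM
SAMPLE = ("[Unicode]\r\nUnicode=yes\r\n[System Access]\r\n"
          "MinimumPasswordLength = 8\r\nPasswordComplexity = 0\r\n"
          "ClearTextPassword = 0 ; reversible encryption off\r\n"
          "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n").encode("utf-16")
```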

WARNING: Make sure you have selected the correct directory path because you could destroy data. All of the files in the selected directory as well as the Adm, User, and Machine subdirectories are deleted before the Active Directory group policy is copied to it.

Group Policies Remain in Effect On User Logout
Select this check box to indicate that the pushed group policies will remain in effect on the local Windows desktop after the user logs out.

Important: We do not recommend using both the Group Policies Remain in Effect On User Logout settings and the Cache User Configuration settings in an environment in which the user Group policies are pushed to different users on common workstations.

Cache User Configuration
Caching user configuration settings is different from enabling the Group Policies Remain in Effect on User Logout check box.

The Group Policies Remain in Effect on User Logout functionality enables the administrator to retain the group policy settings of the last logged on user. The limitation with this approach is that any user who logs in locally (workstation only) receives the group policy settings of the last person who logged in to the network on that workstation. If an Administrator was the last user to log in to the network on a particular workstation, any subsequent local logins result in the user receiving the Administrator's policy settings.

To avoid this situation, you can enable the Cache User Configuration check box to allow each user's settings to be cached.

Consider the following before you enable caching of settings in the User package's Windows Group policy:

Enabling the Cache User Configuration check box causes the user configuration settings of each user's effective Windows Group policies to be stored in each user’s local profile. When each user logs in locally, the user settings are read from the cached copy of the registry.pol in that user’s profile and are applied. The only settings cached are those stored in the registry.pol file in the User folder. Other settings are not cached, including logon/logoff scripts, computer settings, and security settings.
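An added example, not ZENworks code: a parser for the registry.pol format (Microsoft's PReg registry policy file layout) that lists the entries a cached copy would carry into a user's profile. The sample bytes are constructed, and the function names are chosen for this example.

```python
import struct

REG_SZ, REG_DWORD = 1, 4                      # registry value types
def w(text):
    return text.encode("utf-16-le")           # strings and delimiters are UTF-16LE
def parse_registry_pol(blob):
    """Return (key, value name, type, data) for every entry in a PReg file."""
    if len(blob) < 8 or blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 PReg file")
    pos, entries = 8, []
    def take(n):                              # bounds-checked read
        nonlocal pos
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated at offset %d" % pos)
        pos += n
        return chunk
    def expect(ch):
        if take(2) != w(ch):
            raise ValueError("expected %r before offset %d" % (ch, pos))
    def wstring():                            # NUL-terminated string, then ';'
        out = b"".join(iter(lambda: take(2), b"\x00\x00"))
        expect(";")
        return out.decode("utf-16-le")
    def dword():                              # little-endian DWORD, then ';'
        value = struct.unpack("<I", take(4))[0]
        expect(";")
        return value
    while pos < len(blob):
        expect("[")
        key, name = wstring(), wstring()
        rtype, size = dword(), dword()
        data = take(size)
        expect("]")
        if rtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif rtype == REG_SZ:
            data = data.decode("utf-16-le").rstrip("\x00")
        entries.append((key, name, rtype, data))
    return entries

def entry(key, name, rtype, data):            # builds one constructed entry
    head = w("[" + key + "\0;" + name + "\0;") + struct.pack("<I", rtype)
    return head + w(";") + struct.pack("<I", len(data)) + w(";") + data + w("]")
# Constructed sample: two user settings as they might appear in User\registry.pol
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies"
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + entry(POLICIES + r"\Explorer", "NoRun", REG_DWORD, struct.pack("<I", 1))
          + entry(POLICIES + r"\System", "Wallpaper", REG_SZ, w("C:\\corp.bmp\0")))
```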

Important: We do not recommend using both the Group Policies Remain in Effect On User Logout settings and the Cache User Configuration settings in an environment in which the user Group policies are pushed to different users on common workstations.

Applied Settings Types
Select to allow Windows user, computer, and security settings to be pushed with a User or Workstation policy. This differs from earlier releases in which user settings were pushed with User packages and computer and security settings were pushed with Workstation packages.

User Configuration
Select to push settings under User Configuration with the Group policy.

Computer Configuration
Select to push settings under Computer Configuration (Except Security Settings) with the Group policy.

Security Settings
Select to push Windows security settings with the Group policy. Enabling this option applies all security settings under Computer Configuration > Windows Settings > Security Settings, including Account Policies, Local Policies, Public Key Policies, and IP Security Policies on Local Machine. You cannot choose to push individual policies, and policies are not additive, with the exception of imported security files.

Apply
Click to apply policy settings to eDirectory.


ZENworks Desktop Management Online Documentation

A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk denotes a third-party trademark. For information on trademarks, see Legal Notices.