You can specify and edit group policies for Windows* 2000 and Windows XP workstations.
Because Windows 2000 and Windows XP save security settings differently, you should not use the Windows NT-2000-XP platform page to configure the Windows Group policy. For Windows 2000, security settings are saved in the gpttmpl.inf file; for Windows XP, security settings are saved in the xpsec.dat file. Both files are located in the \group policies\machine\microsoft\windows nt\secedit directory.
Microsoft has implemented security changes in Windows XP SP2. If you have workstations running Windows XP SP2, see Windows XP SP2 and ZENworks 7 Windows Group Policies in the ZENworks 7 Desktop Management Administration Guide.
You should not configure group policies on a Windows 2000 Domain Controller using ConsoleOne®. To edit group policies through ConsoleOne, you should use a Windows 2000 workstation to edit Windows 2000 group policies and a Windows XP workstation to edit Windows XP group policies.
If a workstation is a member of an Active Directory domain but is disconnected from the domain, Windows Group policies contained in both the User and Workstation packages do not apply.
There is some cross-over in policy settings between Windows group policies and ZENworks® Desktop Management Extensible Policies, such as under User Configuration > Administrative Templates.
The Windows settings (for Security and Administrative Templates) are stored on the NetWare® server.
Because the Windows desktop files finish loading before group policy settings are loaded, some group policies in the Desktop Management Workstation package might exhibit odd behavior if they are scheduled to run at user login. Specifically, changes to desktop settings (for example, hide My Network Places, hide all icons on desktop, etc.) do not occur, and programs that you have scheduled to run at user login through a login script do not run. If the user logs off and logs back on, the settings display correctly.
To prevent this behavior, do not configure group policies in the Workstation package to run at user login. Instead, configure them to run at system startup, on a daily basis, or on some other regular schedule.
Network Location of Existing/New Group Policies
Specify the location of the Windows group policies.
WARNING: Make sure you have selected the correct directory path because you could destroy data. All of the files in the selected directory as well as the Adm, User, and Machine subdirectories are deleted before the Active Directory* group policy is copied to it.
If you accidentally select a directory that does not contain a group policy, Microsoft* Management Console (MMC) displays your server's default settings and saves those settings into the selected directory when you exit MMC.
If you use an environment variable in the Network Location of Existing/New Group Policies field, you must first set the environment variable on the management workstation on which you are running ConsoleOne and on any workstations that receive the group policy. You must also exit and restart ConsoleOne before the variable is recognized.
Edit Policies
When you click the Edit Policies button, the MMC editor is launched, where you
can edit a User Package policy. After you have finished editing the policy,
click the Close button. The menus do not provide an Exit option.
IMPORTANT: Even if no changes are subsequently made, clicking this button time-stamps Directory Services, pushes the policy the next time it runs, and sends additional packets on the wire.
WARNING: Make sure you have selected the correct directory path because you could destroy data. All of the files in the selected directory as well as the Adm, User, and Machine subdirectories are deleted before the Active Directory group policy is copied to it.
Note: If the Network Location of Existing/New Group Policies path is set to a Linux file server, permission must be set from a Linux machine to allow read rights for users and workstations.
Because of changes in Windows XP, you cannot currently edit the following Windows XP Security settings using Desktop Management:
Security Settings > Account Policies > Password Policy > Password Must Meet Complexity Requirements
Security Settings > Account Policies > Password Policy > Store Password Using Reversible Encryption
Security Settings > Local Policies > Security Options > Network Access: Allow Anonymous SID/Name Translation
Import Policy
If you want to import group policies from Active Directory or a security settings
file, click Import Policy, then fill in the fields:
Import Active Directory Group Policy
Lets you import all group policies in the Active Directory folder. If you select this option, in the Source Location field, specify the UNC path to the folder containing group policies created by Active Directory that you want to migrate to the directory listed in the Destination Location of Migrated Group Policies field. You must know or browse for the Unique Name of the directory from where you will import the Active Directory group policy. You can find the Unique Name by examining the properties of the Active Directory Group policy.
Import Security Settings File
Lets you import security settings from a file. If you select this option, in the Source Location field, specify the UNC path to the file containing the security settings that you want to migrate to the directory listed in the Destination Location of Migrated Group Policies field. You must know or browse for the Unique Name of the file that you will import into the group policy.
If you import Group policy settings or a security file, Desktop Management stores the settings in the zensec.inf file. For more information, see Imported Security Settings.
WARNING: Make sure you have selected the correct directory path because you could destroy data. All of the files in the selected directory as well as the Adm, User, and Machine subdirectories are deleted before the Active Directory group policy is copied to it.
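A read-only pre-flight check for the warning above, which applies equally to the Network Location of Existing/New Group Policies field. This is an added example, not part of the Novell documentation: it lists the files the page says would be deleted (files in the selected directory plus the Adm, User, and Machine subdirectories) before you commit to a path. The function names, the ok_to_select heuristic, and the sample directory trees are assumptions constructed for illustration.

```python
import os
import tempfile

# Subdirectories the page says are emptied along with the selected directory.
POLICY_SUBDIRS = ("Adm", "User", "Machine")

def preflight(path):
    """List files that would be deleted if `path` became the policy location."""
    entries = {e.lower(): e for e in os.listdir(path)}
    at_risk = [e for e in entries.values() if os.path.isfile(os.path.join(path, e))]
    missing = []
    for sub in POLICY_SUBDIRS:
        actual = entries.get(sub.lower())  # match case-insensitively, as Windows does
        if actual is None or not os.path.isdir(os.path.join(path, actual)):
            missing.append(sub)
            continue
        for root, _dirs, files in os.walk(os.path.join(path, actual)):
            at_risk += [os.path.relpath(os.path.join(root, f), path) for f in files]
    return {
        "at_risk": sorted(at_risk),
        "missing_subdirs": missing,
        # Assumed heuristic: accept an empty directory (new policy) or one that
        # already holds all three policy subdirectories; refuse anything else.
        "ok_to_select": not entries or not missing,
    }

def build_sample(root, files):
    """Create empty, constructed sample files (relative paths) under `root`."""
    for rel in files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

def demo():
    """Run the check on a constructed policy directory and a constructed data share."""
    with tempfile.TemporaryDirectory() as tmp:
        policy, share = os.path.join(tmp, "policy"), os.path.join(tmp, "share")
        build_sample(policy, ["Adm/system.adm", "User/registry.pol",
                              "Machine/microsoft/windows nt/secedit/xpsec.dat"])
        build_sample(share, ["payroll.xls", "home/alice/notes.txt"])
        return preflight(policy), preflight(share)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run it against the UNC path you intend to enter and review the at_risk list; a path where ok_to_select is false holds data but is not laid out like a group policy directory.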
Persist Workstation Settings
Select to indicate that all workstation settings that Desktop Management supports
(user, machine, and security settings) in the Workstation package's Windows
Group Policy can remain in effect (are cached) regardless of network connectivity.
Consider the following before you enable caching of settings in the Workstation package's Windows Group policy:
Enabling the Persist Workstation Settings check box causes the workstation's effective Windows Group policy settings that are already stored in windows_directory\system32\group policy.wkscache to be applied, even if that workstation is unable to log in to the network as the Workstation object (for example, when the workstation is disconnected from the network).
Applied Settings Types
Select to allow Windows user, computer, and security settings to be pushed with
a User or Workstation policy. This differs from earlier releases in which user
settings were pushed with User packages and computer and security settings were
pushed with Workstation packages.
User Configuration
Select to push settings under User Configuration with the Group policy.
Computer Configuration
Select to push settings under Computer Configuration (except Security Settings) with the Group policy.
Security Settings
Select to push Windows security settings with the Group policy. Selecting this option applies all security settings under Computer Configuration > Windows Settings > Security Settings, including: Account Policies, Local Policies, Public Key Policies, and IP Security Policies on Local Machine. You cannot choose to push individual policies, and policies are not additive (except imported security settings).
Group Policy Loopback Support
Select this box to give precedence to Workstation policies. Loopback support
has two modes: replace mode and merge mode.
Don't Apply User's Policy Settings (Replace Mode)
Select to ignore all User policy settings; Workstation policy settings will be applied.
Apply Workstation's Policy Settings Last (Merge Mode)
Select to apply User policy settings first, then Workstation policy settings. This lets you apply user settings but override conflicting settings with workstation settings. If a user setting does not conflict, it remains in effect.
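A simplified model of the two loopback modes, as an added example that is not ZENworks code: it computes the effective settings and reports which User policy settings are overridden or not applied at all, which is what to review before switching modes. The setting names and values are constructed samples, and the function name is hypothetical.

```python
# Constructed sample settings (not taken from any real policy package).
USER_PKG = {"Hide Run command": "Enabled",
            "Screen saver timeout": "600",
            "Wallpaper": "corp.bmp"}
WKS_PKG = {"Screen saver timeout": "300",
           "Disable Control Panel": "Enabled"}

def loopback_report(user, workstation, mode):
    """Return (effective, overridden, dropped) for a loopback mode.

    overridden: user settings whose value is replaced by the workstation value.
    dropped:    user settings that are not applied in any form.
    """
    if mode == "replace":
        # Replace mode: all User policy settings are ignored.
        effective = dict(workstation)
    elif mode == "merge":
        # Merge mode: user settings first, workstation settings applied last.
        effective = {**user, **workstation}
    else:
        raise ValueError("mode must be 'replace' or 'merge'")
    overridden = sorted(k for k in user
                        if k in effective and effective[k] != user[k])
    dropped = sorted(k for k in user if k not in effective)
    return effective, overridden, dropped

if __name__ == "__main__":
    for mode in ("merge", "replace"):
        effective, overridden, dropped = loopback_report(USER_PKG, WKS_PKG, mode)
        print(mode, "| overridden:", overridden, "| dropped:", dropped)
```

In the sample, replace mode drops the user-level "Hide Run command" restriction because the Workstation policy does not define it, so any restriction that must survive replace mode has to be set in the Workstation policy as well.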
Apply
Click to apply the policy changes to eDirectory.
Scheduling Tips: Be aware of the following as you schedule Windows Group policies in the Workstation Package:
- Because the Windows desktop files finish loading before group policy settings are loaded, some group policies in the Workstation Package might exhibit odd behavior if they are scheduled to run at user login. Specifically, changes to desktop settings (for example, hide My Network Places, hide all icons on desktop, etc.) do not occur, and programs that you have scheduled to run at user login through a login script do not run. If the user logs off and back on, the settings display correctly.
To prevent this behavior, do not configure group policies in the Workstation package to run at user login. Instead, configure them to run at system startup, on a daily basis, or on some other regular schedule.
- If you configure group policies to run startup scripts and you schedule those policies to run at system startup, you should select the Persist Workstation Settings option. Because Windows 2000/XP looks for and runs startup scripts before Workstation Manager authenticates and applies policies, group policies that you configure to run startup scripts might fail to run when scheduled to run at system startup. If you select the Persist Workstation Settings option, the Workstation Package group policy settings (and startup scripts) are cached and can be applied correctly at the next system startup.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk denotes a third-party trademark. For information on trademarks, see Legal Notices.