Troubleshooting with System Policy Editor
This section contains some common problems that you might encounter when implementing system policies and some suggestions for fixing those problems.
In general, when troubleshooting problems with system policies, verify the following:
- The related Registry key is correct in the policy template (.ADM) file.
- The related policy is set properly in the policy (.POL) file.
- The related application actually uses the Registry key being changed.
- The policy file is located in the correct network location, and the network location is accessible from the computer running Windows 95.
- For group policies, the user name, group name, and computer name are correct, and the user is a member of the specified group.
When troubleshooting system policies, you should turn on error messages. You can do this from the Remote Update policy, as explained in "Setting Up for Manual Downloading of System Policies" earlier in this chapter. This setting displays error messages when policies cannot be downloaded correctly; the error messages might help identify the problem.
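For the first check in the list above (the Registry key in the .ADM template), the following added example, which is not part of the original chapter, lists the Registry location each policy in a template writes to and compares it with the location the application reads. The template text, the `!!` policy labels and the function names are constructed for illustration, and the parser covers only the CLASS, CATEGORY, POLICY, PART, KEYNAME and VALUENAME keywords.

```python
import re
ROOTS = {"USER": "HKEY_CURRENT_USER", "MACHINE": "HKEY_LOCAL_MACHINE"}

# Constructed sample template (not a Microsoft-shipped .ADM file). The wallpaper
# KEYNAME is deliberately misspelled so the check has something to report.
SAMPLE_ADM = r'''
CLASS USER
CATEGORY !!Shell
  KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  POLICY !!RestrictApps
    VALUENAME RestrictRun        ; inherits KEYNAME from the category
  END POLICY
  POLICY !!Wallpaper
    KEYNAME "Control Panel\Desktops"
    PART !!WallpaperTip TEXT END PART
    PART !!WallpaperName EDITTEXT
      VALUENAME Wallpaper
    END PART
  END POLICY
END CATEGORY
'''

def parse_adm(text):
    """Return [(policy, root, key, value_name)] for each VALUENAME line."""
    root, scopes, out = None, [], []          # scope = [kind, name, keyname]
    for raw in text.splitlines():
        tok = re.findall(r'"[^"]*"|\S+', raw.split(";", 1)[0])  # drop ; comments
        if not tok:
            continue
        kw, arg = tok[0].upper(), tok[1].strip('"') if len(tok) > 1 else ""
        if kw == "CLASS":
            root = ROOTS[arg.upper()]
        elif kw in ("CATEGORY", "POLICY", "PART"):
            if [t.upper() for t in tok[-2:]] != ["END", kw]:  # not a one-line PART
                scopes.append([kw, arg, None])
        elif kw == "END" and scopes and arg.upper() == scopes[-1][0]:
            scopes.pop()
        elif kw == "KEYNAME":
            scopes[-1][2] = arg               # applies to this scope and below
        elif kw == "VALUENAME":
            key = next((s[2] for s in reversed(scopes) if s[2]), "")
            policy = next(s[1] for s in reversed(scopes) if s[0] == "POLICY")
            out.append((policy, root, key, arg))
    return out

def mismatches(entries, expected):
    """expected maps policy -> (root, key, value_name) the application reads."""
    norm = lambda t: tuple(x.casefold() for x in t)     # Registry names ignore case
    return [(p, tuple(loc)) for p, *loc in entries
            if p in expected and norm(loc) != norm(expected[p])]
```

Passing `mismatches` the output of `parse_adm(SAMPLE_ADM)` and a table holding the RestrictRun key given later in this section plus `Control Panel\Desktop` for the wallpaper reports only the misspelled wallpaper entry.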
The computer seems to be picking up some of the policies, but not all of them.
The computer might not be picking up any policies for Default User or for a particular user; it might be picking up only policies set for Default Computer or for a particular computer. If so, make sure that user profiles are enabled on that computer. In the Passwords option in Control Panel, click the User Profile tab and set the desired options.
The computer does not seem to be picking up policies from a CONFIG.POL file on the Windows NT domain.
- Make sure that there is a CONFIG.POL file in the NETLOGON directory on the primary domain controller on the Windows NT network.
- Make sure that the client computer has its domain set properly in the properties for Client for Microsoft Networks in the Network option in Control Panel.
- Make sure that the client computer is successfully logging on to that domain.
- Make sure that the client computer is configured for automatic policy downloading. You can set this by using the Remote Update policy, as described in "Setting Up for Manual Downloading of System Policies" earlier in this chapter. Windows 95 is configured for automatic policy downloading by default.
- Enable error messages on the client computer and see if an error message is displayed.
The computer running Microsoft Client for NetWare Networks does not seem to be picking up the policies from a CONFIG.POL file on the NetWare server.
- Make sure that there is a CONFIG.POL in the PUBLIC directory on the SYS: volume of a NetWare 3.x or 4.x server. You cannot put the CONFIG.POL file on a computer running Windows 95 with File and Print Sharing for NetWare Networks.
- Make sure that the client computer has its Preferred Server set to the NetWare server that contains CONFIG.POL. This setting is located in the properties for Client for NetWare Networks in the Network option in Control Panel.
- Make sure that the client computer is successfully logging on to that preferred server.
- Make sure that the client computer is configured for automatic policy downloading. You can set this by using the Remote Update policy, as described in "Setting Up for Manual Downloading of System Policies" earlier in this chapter.
- Enable error messages on the client computer and see if an error message is displayed.
The computer running a Novell-supplied VLM or NETX client does not seem to be picking up the policies from the CONFIG.POL on the NetWare server, even though the file is in SYS:PUBLIC.
Automatic downloading of system policies on a NetWare server works only when the client computer is running Microsoft Client for NetWare Networks. If the computer is running the Novell-supplied VLM or NETX client, then you must use manual downloading from a mapped drive. For information, see "Setting Up for Manual Downloading of System Policies" earlier in this chapter.
The client computer is set for manual downloading, but it is not picking up the policies.
- Make sure that the path specified for manual downloading includes the name of the policy file itself.
- Make sure that the directory in which you placed the policy file can be accessed by the user that is logging on to the computer running Windows 95.
You have implemented a policy and then cleared it, but it appears to still be in effect, or it does not do what you thought it would do.
Does the policy have an edit box that needs to be completed? For example, do you need to specify the wallpaper or workgroup name? If so, then by clearing the policy, you are actually deleting the Registry setting for that value. For example, clearing the wallpaper policy makes the wallpaper Registry setting blank, and thus the user will have no wallpaper.
For all policies that involve settings that users can manipulate by using an option in Control Panel, the best way to stop enforcing that policy is to make sure that policy setting is grayed, in order to allow the users to make their own choices. These policies are listed in "System Policy Editor" earlier in this chapter.
You set up group policies, but one or more of the users do not get these group policies when they log on.
- Is there a policy for that particular user? If so, then group policies are ignored by design. This allows you to make exceptions to group policies for particular users.
- Make sure that the client computer is set up for group support.
- Make sure that the user or users are really members of that group.
- Make sure that user profiles are enabled on the client computer.
You used the policy named Only Run Allowed Windows Applications, but then you could not turn off this policy because you forgot to include POLEDIT.EXE in the list.
- Did you set this policy for all users? If not, then log on as another user, and run System Policy Editor to cancel this policy.
- If you can run Registry Editor, go to the following key and delete the RestrictRun entry:
  Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- If you previously set this policy for the Default User and, as a result, no user can run System Policy Editor or Registry Editor, then try the following:
  - If possible, disable user profiles in the Passwords option in Control Panel. Then you should be able to log on and run System Policy Editor. Then undo the policy and re-enable user profiles.
  - If you cannot disable user profiles because the Passwords option in Control Panel has been disabled, you must either reinstall Windows 95 (so that user profiles will not be enabled) or use the Windows 95 startup disk and run the real-mode Registry Editor to disable user profiles.
You need to prevent users from modifying their computer configuration, including even more restrictions than are available through standard system policies.
Use one or more of the following methods for ensuring administrative control of the computer's configuration.
- In MSDOS.SYS for the user's computer, set BootKeys=1 so the user cannot press F8 to avoid starting Windows 95. In addition, make sure that floppy-disk startup is not enabled in the computer's CMOS settings, and use password protection to prevent CMOS modifications. For information about making these changes, see the documentation from your computer's manufacturer.
- For the Registry on the user's computer, use System Policy Editor to enable the Registry setting named Require Validation By Network For Windows Access.
- In the system policies that are downloaded when the user logs on, set the policy named Disable Registry Editing Tools.
- Set the policy named Only Run Allowed Windows Applications, and make sure that System Policy Editor and Registry Editor are not on the list of allowed applications.
- Set up the user's computer to run Windows 95 as a shared installation, as described in Chapter 4, "Server-Based Setup for Windows 95."