Troubleshooting System Policies

This section discusses some common problems that you might encounter when implementing system policies and suggests some ways to fix these problems.

In general, when troubleshooting problems with system policies, verify the following:

• The related registry key is correct in the policy template (ADM) file.
• The related policy is set properly in the policy (POL) file.
• The related application actually uses the registry key being changed.
• The policy file is located in the correct network location, and the network location is accessible from the computer running Windows 98.
• For group policies, the user name, group name, and computer name are correct, and the user is a member of the specified group.

When troubleshooting system policies, you should turn on error messages. You can do this from the Remote Update policy, as explained in "Setting Up for Manual Downloading of System Policies" earlier in this chapter. This setting displays error messages when policies cannot be downloaded correctly; the error messages might help identify the problem.

The computer seems to be picking up some of the policies, but not all of them.

In this case, the computer might not be picking up any policies for Default User or for a particular user; it might be picking up only policies set for Default Computer or for a particular computer. In this case, make sure that user profiles are enabled on that computer. In Control Panel, double-click Passwords, click the User Profiles tab, and then set the desired options.

The computer does not seem to be picking up policies from a Config.pol file on the Windows NT domain.

• Make sure that there is a Config.pol file in the Netlogon share or folder on the primary domain controller on the Windows NT network.\\PDC\x$\WINNT\system32\Repl\Import\Scripts\Config.pol (where x = SystemDrive).
• Make sure that the client computer has its domain set properly in the properties for Client for Microsoft Networks, in the Network option in Control Panel.
• Make sure that the client computer is successfully logging on to that domain.
• Make sure that the client computer is configured for automatic policy downloading. You can set this by using the Remote Update policy, as described in "Setting Up for Manual Downloading of System Policies" earlier in this chapter. Windows 98 is configured for automatic policy downloading by default.
• Enable error messages on the client computer, and see if an error message is displayed.

The computer running Microsoft Client for NetWare Networks does not seem to be picking up the policies from a Config.pol file on the NetWare server.

• Make sure that there is a Config.pol in the Public directory on the SYS: volume of a NetWare 3.x or 4.x server. You cannot put the Config.pol file on a computer running Windows 98 with File and Printer Sharing for NetWare Networks unless you are set up for manual downloading of system policies.
• Make sure that the client computer has its Preferred Server set to the NetWare server that contains Config.pol. This setting is located in the properties for Client for NetWare Networks, in the Network option in Control Panel.
• Make sure that the client computer is successfully logging on to that preferred server.
• Make sure that the client computer is configured for automatic policy downloading. You can set this by using the Remote Update policy, as described in "Setting Up for Manual Downloading of System Policies" earlier in this chapter.
• Enable error messages on the client computer, and see if an error message is displayed.

The computer running a Novell-supplied VLM or NETX client does not seem to be picking up the policies from the Config.pol on the NetWare server, even though the file is in SYS:PUBLIC.

Automatic downloading of system policies on a NetWare server works only when the client computer is running Microsoft Client for NetWare Networks. If the computer is running the Novell-supplied VLM or NETX client, you must use manual downloading from a mapped drive. For more information, see "Setting Up for Manual Downloading of System Policies" earlier in this chapter.

The client computer is set for manual downloading, but it is not picking up the policies.

• Make sure that the path specified for manual downloading includes the name of the policy file itself.
• Make sure that the directory in which you placed the policy file can be accessed by the user that is logging on to the computer running Windows 98.

You have implemented a policy and then cleared it, but it appears to still be in effect, or it does not do what you thought it would do.

Does the policy have an edit box that needs to be completed? For example, do you need to specify the wallpaper or workgroup name? If so, clearing the policy actually deletes the registry setting for that value. For example, by clearing the wallpaper policy, the wallpaper registry setting is made to be blank, and thus the user will have no wallpaper.

For all policies that involve settings that users can manipulate by using an option in Control Panel, the best way to stop enforcing that policy is to make sure that policy setting is unavailable, in order to allow the users to make their own choices. These policies are listed in "Using System Policy Editor" earlier in this chapter.

Does the user have the correct POL file? In automatic downloading of the policy file, the latest POL file may not yet have replicated to the other domain controllers at the time the user logs on. If this happens, and the user downloads an old copy of the POL file, ensure the policy has been replicated to the user’s logon server, restart the Windows 98 machine, and then logon again to download the new POL file.

You set up group policies, but one or more of the users do not get these group policies when they log on.

• Is there a policy for that particular user? If so, group policies are ignored by design. This allows you to make exceptions to group policies for particular users.
• Make sure that the client computer is set up for group policy support.
• Make sure that the user or users are really members of that group.
• Make sure that the user or users are members of another group with higher priority.
• Make sure that user profiles are enabled on the client computer.

You used the policy named Only Run Allowed Windows Applications, but then you could not turn off this policy because you forgot to include Poledit.exe in the list.

• Did you set this policy for all users? If not, log on as another user, and run System Policy Editor to cancel this policy.
• If you can run Registry Editor, go to the following key and delete the RestrictRun entry:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explore

• If you previously set this policy for the Default User, and as a result, no user can run System Policy Editor or Registry Editor, try the following:
  • If possible, disable user profiles in the Passwords option in Control Panel. You should be able to log on and run System Policy Editor. Then undo the policy and re-enable user profiles.
  • If you cannot disable user profiles because the Passwords option in Control Panel has been disabled, you must either rename the policy file on the server and logon as a user who has not logged on at the computer and change the policy, reinstall Windows 98 (so that user profiles will not be enabled), or use the Windows 98 startup disk and run the real-mode Registry Editor to disable user profiles.

You need to prevent users from modifying their computer configuration, including even more restrictions than are available through standard system policies.

Use one or more of the following methods for ensuring administrative control of the computer’s configuration.

• In Msdos.sys for the user’s computer, set BootKeys=0 and BootSafe=0 so the user cannot press F8 to avoid starting Windows 98 and to prevent the computer from booting in Safe Mode. In addition, make sure that floppy disk startup is not enabled in the computer’s complementary metal oxide semiconductor (CMOS) settings, and use password protection to prevent CMOS modifications. For more information about making these changes, see the documentation from your computer’s manufacturer.
• For the registry on the user’s computer, use System Policy Editor to enable the registry setting named Require Validation By Network For Windows Access.
• In the system policies that are downloaded when the user logs on, set the policy named Disable Registry Editing Tools.