Environment
Novell ZENworks 10 Configuration Management
Situation
In some cases, user assigned GPOs were failing to apply sucessfully.
Resolution
Somehow the workstations already had a previous GPO file with unexpected format: C:\WINDOWS\system32\GroupPolicy\gpt.ini
[General]
[{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Version=65537
[{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Version=65537
ZENworks Policy enforcer requires that version be under the [General] tag. Because an extra ini section is included, the version is not updated and the policy does not apply.
In this case, removing the bad ini file or editing to remove the extraneous [ ... ] section then renaming \program files\novell\zenworks\bin\handlers\cachefiles and rebooting fixed the problem.
Additional Information
Notes regarding symptoms of the problem:
The zmd-messages.log showed that the policy was seen and the Windows API called to apply:
The zmd-messages.log shows that ZENworks agent is setting up the policy:
[ZenworksWindowsService] [25] [] [grouppolicy] [] [ZEN GP Handler - - Entered prepare for apply user-predesktop] [] []
...
[ZenworksWindowsService] [2600] [] [WindowsGPNativeHelper] [] [Refresh GPT exiting with code 0]
etc.
Running gpedit showed the correct policy setting (for example remove run from start menu), but it was not applied.
Running gpupdate /f on the workstation did not apply the policies.
If any single change was made in gpedit even to undo and re-do a single setting, then the GPO was saved and gpupdate /f applied, then all policies in the set would apply.
Note: In this case the preexisting gpt.ini file was already present. To ensure that a bad version is not being pushed out with ZENworks, run ZCC from a workstation that does not have the problem, edit the Group Policy, when uploading, copy the local zip prior to completing the upload and confirm that the gpt.ini file is valid.