Manually made local group policy security settings get removed

  • 7012752
  • 02-Jul-2013
  • 25-Feb-2016

Environment

Novell ZENworks Configuration Management 11.2.3a Policies

Situation

A Windows device does not receive a ZCM-delivered group policy configured to apply security settings.
The administrator edits the local Windows group policy security settings, e.g., to allow a specific user account to log in as local service.

On the next user login, the manually made change to the group policy security settings is gone.

Resolution

This is fixed in version 11.2.4 - see KB 7012027 "ZENworks Configuration Management 11.2.4 - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7012027

Set the following registry value to exclude local group policy security settings from being backed up and restored:
HKLM\Software\Novell\ZCM\GroupPolicy
IgnorePrezenworksSecuritySettings(REG_SZ): true


Workaround:

Before or after editing the local group policy, but before the user logs off, make the following configuration changes:
1. Remove the folder %zenworks_home%\bin\handlers\CacheFiles\OriginalCache
2. Delete the registry value BackupTaken in HKLM\Software\Novell\ZCM\GroupPolicy\

This causes a new group policy backup to be taken on next login, containing the manually made changes to the group policy security settings. Please note that this new backup copy might contain group policy settings that were applied through a ZCM-assigned group policy, so those settings no longer get unenforced.

Cause

In ZCM 11.2.3a the behavior has been changed to apply group policy security settings from the cached copy of the original group policy settings even when the ZCM-delivered group policy does not contain security settings. This cached copy is created the first time a ZCM-delivered group policy is applied.

Additional Information

The fix implemented with ZCM 11.2.4 is a new agent feature to completely ignore Windows Group Policy security settings. Please find more information about troubleshooting Windows Group Policy in the ZCM online documentation at: Windows Group Policy Troubleshooting

With ZCM 11.1, applying security settings from the original cache was removed so that manual changes to group policy security settings would take effect, but this code change got removed with 11.2.3. This code change has been undone with ZCM 11.2.3a, so the local effective group policy security settings get reset if a ZCM Group Policy gets configured to no longer apply security settings.

Please note that without restoring the security settings from the original cache, security settings previously applied through a ZCM-delivered group policy stay effective.


Note: It has been reported that this IgnorePrezenworksSecuritySettings value appears to be case sensitive: a value of true enables this feature but True does not. The related code path should ignore case, and this could not be replicated in Novell internal testing based on ZCM 11.3.
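
The registry setting from the Resolution and the two Workaround steps, as an added PowerShell example (not Novell's own tooling). The -ResetBackup switch and the Test-IgnoreValue helper are names chosen for this example, and it assumes the %zenworks_home% environment variable is visible to the elevated session.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$ResetBackup  # hypothetical switch: also run the two Workaround steps
)

$key  = 'HKLM:\Software\Novell\ZCM\GroupPolicy'
$name = 'IgnorePrezenworksSecuritySettings'

# Classify the stored value. -ceq compares case-sensitively, because "True"
# has been reported not to enable the feature while "true" does.
function Test-IgnoreValue {
    param($Value, $Kind)
    if ($null -eq $Value)   { return 'Missing' }
    if ($Kind -ne 'String') { return 'WrongType' }   # must be REG_SZ
    if ($Value -ceq 'true') { return 'Ok' }
    if ($Value -ieq 'true') { return 'WrongCase' }
    return 'OtherValue'
}

if (-not (Test-Path $key)) { throw "$key not found; is the ZENworks agent installed?" }
$item  = Get-Item -Path $key
$value = $item.GetValue($name, $null)
$kind  = if ($null -ne $value) { $item.GetValueKind($name).ToString() }
$state = Test-IgnoreValue -Value $value -Kind $kind
Write-Output "$name state: $state"

# Resolution (11.2.4 and later): write the value exactly as documented.
if ($state -ne 'Ok' -and $PSCmdlet.ShouldProcess("$key\$name", 'Set REG_SZ true')) {
    New-ItemProperty -Path $key -Name $name -PropertyType String -Value 'true' -Force | Out-Null
}

# Workaround: discard the cached original policy so a new backup is taken at
# next login. Run this before the user logs off. The new backup may include
# settings that came from a ZCM-assigned policy.
if ($ResetBackup) {
    if (-not $env:ZENWORKS_HOME) { throw 'ZENWORKS_HOME is not set in this session.' }
    $cache = Join-Path $env:ZENWORKS_HOME 'bin\handlers\CacheFiles\OriginalCache'
    if ((Test-Path $cache) -and $PSCmdlet.ShouldProcess($cache, 'Remove folder')) {
        Remove-Item -Path $cache -Recurse -Force
    }
    $hasFlag = $null -ne $item.GetValue('BackupTaken', $null)
    if ($hasFlag -and $PSCmdlet.ShouldProcess("$key\BackupTaken", 'Delete value')) {
        Remove-ItemProperty -Path $key -Name 'BackupTaken'
    }
}
```

Run it with -WhatIf first to list the changes without making them.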