Environment
Novell ZENworks Configuration Management 11.2.3a Policies
Situation
A Windows device does not receive a ZCM-delivered group policy
configured to apply security settings.
The administrator edits the local Windows group policy security settings, e.g., to allow a specific user account to log in as local service.
On the next user login, the manual change to the group policy security settings is gone.
Resolution
This is fixed in version 11.2.4 - see KB 7012027 "ZENworks
Configuration Management 11.2.4 - update information and list of
fixes" which can be found at
https://support.microfocus.com/kb/doc.php?id=7012027
Set the following registry value to exclude local group policy security settings from being backed up and restored:
HKLM\Software\Novell\ZCM\GroupPolicy
IgnorePrezenworksSecuritySettings(REG_SZ): true
Workaround:
Before or after editing the local group policy, but before the user logs off, make the following configuration change:
1. Remove the folder %zenworks_home%\bin\handlers\CacheFiles\OriginalCache
2. Delete the registry value BackupTaken in HKLM\Software\Novell\ZCM\GroupPolicy\
This causes a new group policy backup to be taken on the next login, containing the manual changes to the group policy security settings. Please note that this new backup copy might contain group policy settings applied through a ZCM-assigned group policy, so those settings no longer get unenforced.
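The registry setting and the two workaround steps above can be scripted as follows. This is an added example, not Novell code; the function names and the Mode parameter are hypothetical, and it assumes the agent defines the ZENWORKS_HOME environment variable that the %zenworks_home% path refers to.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Key, value and folder names come from this
# article; the function names and -Mode parameter are hypothetical.
param([ValidateSet('Fix', 'Workaround')][string]$Mode = 'Fix')

$GpKey = 'HKLM:\Software\Novell\ZCM\GroupPolicy'

function Set-IgnorePreZenworksSecuritySettings {
    # Fix (agent 11.2.4 or later): exclude local security settings from backup/restore.
    if (-not (Test-Path $GpKey)) { New-Item -Path $GpKey -Force | Out-Null }
    # Write lowercase 'true' as REG_SZ: the article notes a report that 'True'
    # did not enable the feature.
    $prop = @{
        Path         = $GpKey
        Name         = 'IgnorePrezenworksSecuritySettings'
        Value        = 'true'
        PropertyType = 'String'
        Force        = $true
    }
    New-ItemProperty @prop | Out-Null
    # Read back and compare case-sensitively (-cne) to confirm what was stored.
    $actual = (Get-ItemProperty -Path $GpKey).IgnorePrezenworksSecuritySettings
    if ($actual -cne 'true') { throw "Unexpected stored value '$actual'" }
    Write-Output "IgnorePrezenworksSecuritySettings = $actual"
}

function Reset-ZcmGroupPolicyBackup {
    # Workaround: run after editing the local policy and before the user logs off.
    if (-not $env:ZENWORKS_HOME) { throw 'ZENWORKS_HOME is not set; is the agent installed?' }
    # Step 1: remove the cached copy of the original group policy.
    $cache = Join-Path $env:ZENWORKS_HOME 'bin\handlers\CacheFiles\OriginalCache'
    if (Test-Path $cache) {
        Remove-Item -Path $cache -Recurse -Force
        Write-Output "Removed $cache"
    }
    # Step 2: delete BackupTaken so a new backup is taken on next login.
    if (Test-Path $GpKey) {
        Remove-ItemProperty -Path $GpKey -Name 'BackupTaken' -ErrorAction SilentlyContinue
    }
    $left = Get-ItemProperty -Path $GpKey -Name 'BackupTaken' -ErrorAction SilentlyContinue
    if ($left) { throw 'BackupTaken is still present' }
    Write-Output 'BackupTaken removed; a new backup is taken on next login'
}

if ($Mode -eq 'Fix') { Set-IgnorePreZenworksSecuritySettings } else { Reset-ZcmGroupPolicyBackup }
```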
Cause
In ZCM 11.2.3a the behavior has been changed to apply group policy
security settings from the cached copy of the original group policy
settings even when the ZCM-delivered group policy does not contain
security settings. This cached copy is created the first time a
ZCM-delivered group policy is applied.
Additional Information
The fix implemented with ZCM 11.2.4 is a new agent feature to
completely ignore Windows Group Policy security settings. Please
find more information about troubleshooting Windows Group Policy in
ZCM online documentation at: Windows Group Policy Troubleshooting
With ZCM 11.1, the behavior of applying security settings from the original cache was removed to allow manual group policy security settings changes to be effective, but this code change got removed with 11.2.3. This code change has been undone with ZCM 11.2.3a, so the local effective group policy security settings get reset if a ZCM Group Policy is configured to no longer apply security settings.
Please note that without restoring the security settings from the original cache, security settings previously applied through a ZCM-delivered group policy stay effective.
Note: It has been reported that the IgnorePrezenworksSecuritySettings value appears to be case sensitive, with a value of true enabling this feature but True not. The related code path should ignore case, and this did not replicate in Novell internal testing based on ZCM 11.3.