Resultant Set of Policy (RSoP) does not display a Group Policy setting that has been set; however, the restriction is enforced upon the user. Also, the setting is displayed in either of the following registry keys:
This problem can occur in the following situation:
- A user with a roaming profile logs on to two computers (Computer_A and Computer_B) at a time (Time_1) and applies a policy (Policy_1) that sets a screensaver. When the policy is applied, Ntuser.dat is updated with the registry change. Ntuser.pol is also updated, which changes the time stamp of Ntuser.pol to Time_1.
- At time Time_2, an administrator removes Policy_1.
- At time Time_3, Computer_A refreshes Group Policy. When it does so, the registry setting is removed for the screensaver policy in Ntuser.dat, and Ntuser.pol is updated. The user logs off of Computer_A, and Ntuser.dat and Ntuser.pol are saved to the roaming profile destination with the time stamp Time_3.
- Shortly thereafter, at time Time_4, the user logs off of Computer_B before it refreshes Group Policy. The copy of Ntuser.dat on Computer_B has a timestamp of Time_4 because it was just unloaded. Ntuser.pol on Computer_B has a time stamp of Time_1, which is the last time Computer_B applied Group Policy. When the profile is copied to the roaming profile destination, Ntuser.dat is replaced with the copy from Computer_B. Ntuser.pol is not copied to the roaming profile destination because the copy in the roaming profile destination that was put there by Computer_A has a newer timestamp (Time_3) than the copy on Computer_B (Time_1).
At this point the registry still has the setting for the screensaver policy but the Ntuser.pol file does not show that the policy is set. When Group Policy is refreshed, the setting is not removed and the screensaver policy continues to be enforced.
To resolve this problem:
- Recreate a policy that configures a setting that continues to be enforced (in the example described in the preceding section, the screensaver policy).
- Log on to a single computer using the roaming profile.
- Remove the policy and refresh Group Policy by using Gpupdate.exe.
After you complete this procedure, both the user's registry (Ntuser.dat) and Ntuser.pol are synchronized with each other and the setting is no longer enforced. (Depending on the setting, you may have to log off and log on for the setting to no longer be enforced.)
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Article ID: 304478 - Last Review: January 15, 2006 - Revision: 1.2
- Microsoft Windows XP Professional
|kbgrppolicyprob kbprb kbui KB304478|