
Troubleshooting janusSEAL Group Policy

Microsoft Group Policy is a rich and effective technology for centralised configuration of workstations and servers. janusSEAL uses Group Policy so that organisations can customise the janusSEAL settings to suit the organisation's requirements.

Group Policy has some 'features' which can be difficult to troubleshoot for administrators who are not experts with the technology.

Sometimes administrators can configure janusSEAL using the Group Policy Editor on a Windows Domain Controller, but when applied to a workstation, it does not behave as expected. Additional classifications may appear, or sometimes none, or sometimes the whole policy doesn't seem to work.

This article discusses a number of tips, tools and techniques to help resolve some of the more common issues which can complicate janusSEAL configuration using Group Policy. It assumes that you have had some experience with Group Policy, and the network on which you are deploying has Group Policy operating.


Article Information
ID: kb/857
Type: how to
Date created: 21 Feb, 2014
Last updated: 25 Feb, 2014 13:19

Tips

Tip: Removing the Administrative Template from the Group Policy Editor does not remove settings from the Group Policy Object

When you need to update a Group Policy with updated administrative templates (.adm files) you may be tempted to simply remove the template and replace it with the new one. This may work in some circumstances, but it may not, and may also cause some strange results.

When the administrative template is removed, each of the Group Policy settings that have been Enabled or Disabled (as opposed to Not Configured) will remain in the Group Policy Object. If the replacement Administrative Template does not configure the same setting, then the setting becomes tombstoned. That is, as it remains in the Group Policy Object, it will still be applied to target machines. This is so even though the view in the Group Policy Editor shows that it has not been set.

Tip: Start with something simple

When starting to use Group Policy at the domain level, we suggest the following to ensure that the Group Policy is operating correctly.

  • A security group consisting of a single test machine on the domain
  • A simple Group Policy Object
    • which consists of, say, just the janusSEAL license details
    • linked to the domain
    • filtered to the test machine security group

Reboot the test machine, and using gpresult, check that it has recognised that it is a member of the new security group.

Run gpupdate, and use regedit to check that license details have been deployed to the registry.

If the registry entries are there, then keep iterating the cycle of modifying the Group Policy, updating on the test machine, and restarting the MS Office application (Outlook, Word, etc). When you are confident with the configuration, then add further machines (say from a pilot group) into the test security group.

On the other hand, if there is no evidence in the registry (don't forget to refresh the view in regedit) then start looking at some of the techniques in the troubleshooting section.
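The check cycle above can be scripted on the test machine. This is an added example, not janusNET code; the function name `Test-JanusSealPolicyApplied` and the group name in the usage line are hypothetical, and the registry paths are the policy keys this article lists under regedit.

```powershell
# Added example, not janusNET code. Run from an elevated 64-bit PowerShell
# session on the test machine (gpresult needs elevation for computer scope).
function Test-JanusSealPolicyApplied {
    param([Parameter(Mandatory = $true)] [string] $TestGroup)

    # Step 1: after the reboot, confirm the machine sees its group membership.
    $rsop = gpresult /scope computer /r
    if (-not ($rsop | Select-String -SimpleMatch -Pattern $TestGroup -Quiet)) {
        Write-Warning "$TestGroup not listed by gpresult; reboot or check membership in AD."
        return
    }

    # Step 2: retrieve the policy now instead of waiting for a background refresh.
    gpupdate /target:computer /force | Out-Null

    # Step 3: list every value found under the janusSEAL policy keys.
    # HKCU is the hive of the account running this script, not necessarily the end user's.
    $roots = @(
        'HKLM:\SOFTWARE\Policies\janusNET\janusSEAL',
        'HKCU:\SOFTWARE\Policies\janusNET\janusSEAL',
        'HKLM:\SOFTWARE\Wow6432Node\Policies\janusNET\janusSEAL',
        'HKCU:\SOFTWARE\Wow6432Node\Policies\janusNET\janusSEAL'
    )
    $found = foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Include the root key itself plus any subkeys the template writes to.
        $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $key.Name; Name = $name; Value = $key.GetValue($name) }
            }
        }
    }

    if ($found) { $found }
    else { Write-Warning 'No janusSEAL policy values found; continue with the troubleshooting techniques.' }
}

# 'janusSEAL-Test-Machines' is a hypothetical security group name.
Test-JanusSealPolicyApplied -TestGroup 'janusSEAL-Test-Machines' | Format-Table -AutoSize -Wrap
```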

Tip: Group Policy may be applied to up to 4 areas on the client

Group Policy can set registry settings for the machine and the user. On an x64 operating system, the registry settings are also reflected in the relevant Wow6432Node. See regedit for more detail.

Tip: Use of Security Groups is a simple way to manage Group Policy targets

When the Group Policy is linked to the domain, you can use security groups to apply the policy to specific groups.

This design can be used to manage how machines can be migrated between changes in policy. By moving a machine from one security group to another, it will always have one or the other Group Policy Object applied.

Tip: It can take 2 reboots to get policy onto a machine

The first reboot is required when the machine connects to the network, to discover the security groups of which it is a member.

The second reboot is often used to retrieve the Group Policy applicable to the relevant security groups to which the machine belongs. Alternatively, once the machine is in the desired security group, you can just use gpupdate to retrieve the Group Policy.

Tip: It's not always necessary to reboot following a gpupdate

If the changes to the policy are only (registry) settings, then no reboot is required for janusSEAL. Following the gpupdate, simply restart the application (MS Outlook, Word, etc).

Tip: Be careful with Computer Settings and User Settings in the Group Policy Editor

To avoid confusion:

  • configure Computer Settings in the Group Policy Editor for Group Policy Objects which will be applied to machine groups.
  • configure User Settings in the Group Policy Editor for Group Policy Objects which will be applied to user groups.

Tip: Be aware of Group Policy processing and precedence

The Group Policy objects that are applied to a user or computer are not all equal. Settings that are applied later will override settings that have been applied earlier.

Group Policy settings are applied in the following order:

  1. Local Group Policy Object
  2. Site
  3. Domain
  4. Organisational Units

There are exceptions to the above, depending on GPO linkage, whether enforced or disabled.


Tip: janusSEAL uses a combination of computer and user registry preference settings and registry policy settings for configuration

Registry values which janusSEAL reads for its configuration are not all equal.

janusSEAL configuration is based on registry settings from the following locations:

  1. HKLM\Software\Policies\janusNET\janusSEAL
  2. HKCU\Software\Policies\janusNET\janusSEAL
  3. HKLM\Software\janusNET\janusSEAL
  4. HKCU\Software\janusNET\janusSEAL

If a setting is read from multiple locations, then the setting from earlier in the above list is used.

If no setting is read from any of the above locations, then a default value (embedded in the software) is used.

Note that on an x64 operating system, running 32-bit Office and 32-bit janusSEAL, settings are read from the ..\SOFTWARE\Wow6432Node\.. node, instead of the ..\SOFTWARE\.. node.
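To see which location actually supplies a given setting, the lookup order above can be traced on a workstation. This is an added example, not a janusNET tool; the function name `Get-JanusSealSettingSource` and the `'<ValueName>'` placeholder are assumptions, and the policy keys use the `Policies` spelling shown in the regedit section of this article.

```powershell
# Added example, not a janusNET tool. Run from 64-bit PowerShell so the
# Wow6432Node branch is addressed explicitly rather than via redirection.
function Get-JanusSealSettingSource {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,  # registry value name to trace
        [string] $SubKey = ''                           # optional subkey below ...\janusSEAL
    )

    # Precedence order from the article: the earliest location holding the value wins.
    $order = @(
        'HKLM:\{0}\Policies\janusNET\janusSEAL',
        'HKCU:\{0}\Policies\janusNET\janusSEAL',
        'HKLM:\{0}\janusNET\janusSEAL',
        'HKCU:\{0}\janusNET\janusSEAL'
    )

    # Native branch (matching-bitness Office) and Wow6432Node (32-bit Office on x64).
    foreach ($branch in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
        $winnerFound = $false
        for ($i = 0; $i -lt $order.Count; $i++) {
            $path = $order[$i] -f $branch
            if ($SubKey) { $path = "$path\$SubKey" }

            $present = $false
            $value = $null
            if (Test-Path -LiteralPath $path) {
                $key = Get-Item -LiteralPath $path
                # Test for the name explicitly so an empty value still counts as set.
                if ($key.GetValueNames() -contains $Name) {
                    $present = $true
                    $value = $key.GetValue($Name)
                }
            }

            [pscustomobject]@{
                Branch    = $branch
                Rank      = $i + 1
                Path      = $path
                Present   = $present
                Value     = $value
                Effective = ($present -and -not $winnerFound)
            }
            if ($present) { $winnerFound = $true }
        }
    }
}

# '<ValueName>' is a placeholder; substitute a value name from your janusSEAL template.
Get-JanusSealSettingSource -Name '<ValueName>' | Format-Table -AutoSize
```

A branch with no row marked Effective means none of the four locations holds the value, so the default embedded in the software applies.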


Tip: If you are deploying janusSEAL MSIs using Group Policy, ensure the machine has access to the package's network location

It is the machine that requires access to the software package (and its network location), when it is connecting to the network, and before the user logs in. Even though you may have access from the machine using Windows Explorer, and can 'see' the package, you are using user credentials to do this. The machine may not have this access.

Issues will be evident in the machine's system event logs.


Toolset A: Group Policy client tools

These tools are used where the Group Policy is applied, which could be a workstation or a server.

gpupdate

Refreshes local and Active Directory-based Group Policy settings, including security settings.

With Windows Server 2012 R2 and Windows Server 2012, the update can be forced on a remote group (see Force a Remote Group Policy Refresh (GPUpdate)).

References:

  • Windows XP Command Line Reference (Technet): Gpupdate

gpresult

Displays Group Policy settings and Resultant Set of Policy (RSOP) for a user or a computer.

References:

  • Windows XP Command-line reference (Technet): Gpresult

RSoP (logging mode)

The RSoP snap-in lets you verify the policies in effect for a given user or computer. This is a benefit that allows administrators to quickly assess configurations throughout an organization. RSoP is fully remotable, which means administrators can direct the snap-in to check policies for any computer or user on a domain.


regedit

View registry settings (including policy settings on the machine)

janusSEAL Machine Group Policy settings are located under the following registry key

  • HKLM\SOFTWARE\Policies\janusNET\janusSEAL

janusSEAL User Group Policy settings are located under the following registry key

  • HKCU\SOFTWARE\Policies\janusNET\janusSEAL

Note that on x64 operating systems, you should also check

  • HKLM\SOFTWARE\Wow6432Node\Policies\janusNET\janusSEAL
  • HKCU\SOFTWARE\Wow6432Node\Policies\janusNET\janusSEAL

Toolset B: Group Policy Administration Tools

Group Policy Management Console (GPMC)

Group Policy Management Console (GPMC) is a Microsoft Management Console (MMC) snap-in which provides a single administrative tool for managing Group Policy across the enterprise. GPMC is the standard tool for managing Group Policy.

Amongst other tasks, GPMC is used for

  • managing Group Policy Object lifecycle (create, backup, restore, import and copy)
  • managing the scope of Group Policy Objects
  • managing the precedence of Group Policy Objects
  • determining the Resultant Set of Policy


Group Policy Editor

gpedit is an MMC snap-in to edit the local Group Policy Object, or Group Policy Objects that will be applied to the domain.


RSoP (Modelling Mode)

Group Policy Modelling requests Group Policy settings that are applied to a user or computer. However the data reported is from a service that simulates RSoP for a combination of computer and user.


Toolset C: janusNET Tools

janusSEAL Schema

janusSEAL Schema is a software application from janusNET that is used by an organisation to express its security classification schema in an electronic representation suitable for use in any of the janusSEAL suite of products.

Removing extraneous settings from Group Policy

An online tool that can assist with removing extraneous policy settings associated with janusNET software. The tool produces an ADM file that can be loaded into the Group Policy Editor to set the extraneous policy settings to "Not Configured" and thereby remove the values.

Retrieve diagnostic information from a domain computer

A tool to help system administrators quickly and simply gather diagnostic information about janusSEAL application(s) running on domain member computers (either desktops or servers).

 


Troubleshooting Techniques

Problem: No policy is being applied to the target machine

Cause: the machine is not in the security group which is being used to filter the Group Policy Object

Test: run gpresult from the command line to quickly test if the machine is in the expected security group(s).

Resolution: if the machine was recently added to the security group, it may need to be rebooted to discover that it is a member of a new security group.

Test: run Active Directory Users and Computers to check if the machine is in the security group.

Resolution: Add the machine to the security group.

Cause: the Group Policy has not yet been applied

Test: use regedit to check whether policy settings are present in the machine's registry.

Resolution: use gpupdate to update the policy on the machine.

Cause: the Group Policy Object is not linked to an Organisation Unit

TBA  

Cause: the Group Policy Object is not filtered to the correct Security Group

TBA  

Problem: Classifications which aren't enabled in the Group Policy Editor are showing up in janusSEAL

Cause: Some policy settings are tombstoned.

Test: use RSoP - Planning Mode to check if there are extraneous settings in the policy.

Resolution: To remove the extraneous settings, use the janusNET tool to remove extraneous policy settings.

Problem: janusSEAL does not load when the parent application starts

Cause: the package has not been installed

Test: check the machine's file system using Windows Explorer.

On an x64 operating system, the default installation folder for janusSEAL 64-bit is

Program Files\janusNET\janusSEAL XXX.

On an x64 operating system, the default installation folder for janusSEAL 32-bit is

Program Files (x86)\janusNET\janusSEAL XXX.

On an x86 operating system, the default installation folder for janusSEAL 32-bit is

Program Files\janusNET\janusSEAL XXX.
To resolve: Check the system event logs to identify the cause of the installation failure

Cause: the wrong package has been deployed (Not really a Group Policy issue, but added for completeness!)

Test: check the 'bitness' of MS Office and that the installed janusSEAL has matching 'bitness'.

You may have 32-bit MS Office even though you have an x64 operating system.

In Office 2010: select File | Help. The right hand pane "About Microsoft XXX" displays the version and whether it is 32-bit or 64-bit.

On an x64 operating system, the default installation folder for janusSEAL 64-bit is

Program Files\janusNET\janusSEAL XXX.

On an x64 operating system, the default installation folder for janusSEAL 32-bit is

Program Files (x86)\janusNET\janusSEAL XXX.

On an x86 operating system, the default installation folder for janusSEAL 32-bit is

Program Files\janusNET\janusSEAL XXX.
Resolution: Deploy the matching package of janusSEAL.

Cause: the installer does not have access to the package on the network

Test: use the machine's event log to check if there were any issues when attempting to access the janusSEAL package

Resolution: Ensure that the machine (not just the user) has access to the network location.

Resolution: Ensure that the path advertised in the policy is a network location, and not the local machine path on the machine providing the share.

 

Applies To
Version(s): 2, 3