1

I have a XenApp Server running on Server 2008, and would like to apply a Group Policy Object to the server to modify the following registry setting:

HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\LaunchSMCGui

Changing the value from "1" to "0". Note, this is 'best practice' setup recommended from Symantec - it stops new instances of Symantec from starting on each application started on the XenApp server for users.

I have my new Group Policy Object, and have applied it to a test folder with 2 servers in there. For testing purposes, I have applied 'Domain Computers' and also one of the Servers AD Object to the 'Security Filtering' section of the GPO (neither are working on getting the reg key change working).

I run 'gpupdate /force' on the servers, but the reg key stays the same value. It does ask for a log off to complete some policies - but I cannot do that as these are in use during the day (the servers are rebooted each night, but I'd like to know that I've got the settings above correct before waiting 24 hours to check each time).

Can any GPO guru's check the above and tell me if I'm set, or is there something else to do? Thank you.

The Woo
  • 569
  • 6
  • 20
  • 39

1 Answers1

2

Because you're talking about a setting in HKEY_LOCAL_MACHINE I assume you set the Registry Group Policy Preference (GPP) setting in the Computer section of the Group Policy Object (GPO) you created and linked.

I would return the "Security Filtering" settings back to default. As long as you don't mind the setting applying to all the computers in the OU where you've linked the GPO the default security settings are appropriate. (Security Filtering isn't something you should be using unless you have a particular need for it. The default setting is sane and reasonable.)

The output of either the gpresult /z command or the Resultant Set of Policy Tool (RSoP) from one of the server computers where you expect the policy to apply will help you out troubleshooting this. You should be looking to see that the newly-created GPO is being applied in either of those tools' output.

You should also be looking over the Event Log (Application and System) for Group Policy application related errors.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • Thanks for the information on troubleshooting. There is an event log for this exact issue: 0x80070005 Access is denied. Now I'm trying to work out where/how/why... – The Woo Oct 09 '14 at 02:40
  • @TheWoo - On that basis I'd strongly recommend returning the "Security Filtering" on the GPO back to default. – Evan Anderson Oct 09 '14 at 02:56
  • Yes, sorry should have mentioned that I had done that on your recommendation. I found the cause of the issue - Symantec client on the server had "Tamper Protection" turned on. This was stopping the policy. Thank you very much for your assistance. – The Woo Oct 09 '14 at 02:57
  • @TheWoo - So the Group Policy Preferences client side extension (CSE) was getting its access denied when trying to make a registry modification. Interesting. What an awful "feature". Glad you were able to find the cause. – Evan Anderson Oct 09 '14 at 03:00
  • Yeah, the whole registry is now locked down for Symantec via Tamper Protection since v12.1 I think. Now I have to manually go to all 70+ Citrix Servers and turn that off before applying the GPO... Hooray! Thanks again for your time and help. – The Woo Oct 09 '14 at 03:21
  • Thanks for the bit about using the right section. I was trying to apply a LOCAL_USER key in the computer section which just doesn't make sense. Whacked some sense into me. – Allison Aug 07 '17 at 17:44