Case of the Group Policy Preference Fail

A customer had an issue with mail not appearing in their Inbox. Their Exchange team had advised to set a registry value under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office15.0\Outlook\Options\mail

A group policy had been created to set the value, and it successfully worked on five test users. However after widespread deployment many users failed to receive the setting.

Using ProcMon with a filter to include Path Contains Software\Policies\Microsoft\Office15.0\Outlook\Options\mail we could see when gpupdate was run the result was ACCESS DENIED.

This is due to the fact the policy was set to apply current user keys “as the user”

By default users do not have write access to to keys under HKCU\Policies

While they have write access to SOFTWARE

image

Under Policies they only have Read access. This is to ensure a non-admin user can’t just run a script to remove/change their user based policies.

image

The reason it worked on the test users is they had all been from the IT department and all had local admin. That’s a bad idea, although not a new one.( https://chentiangemalc.wordpress.com/2012/04/12/an-epic-battle-of-adobe-vs-ie-vs-sap/ )

In this case the solution was not to deploy the Policies key via Group Policy Preferences. As it is a “Policies” key we downloaded the Office ADMX files from Microsoft Website (http://www.microsoft.com/en-us/download/details.aspx?id=35554) and set the policy that way.

We confirmed this fixed the issue.

What if I only knew the registry key but not the policy name? You can use this technique to quickly find it https://chentiangemalc.wordpress.com/2014/03/25/finding-prevent-performance-of-first-run-wizard-in-windows-8-1-group-policy/

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Group Policy and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s