Possible GPO side effect (Failure to open Office docs.)


  • Possible GPO side effect (Failure to open Office docs.)

    We recently enabled a number of Group Policies on our domain. (Mixed Server 2000 and Server 2003 environment, Windows XP SP2 clients). The policies that we created are based on Windows 2000 policies. Nothing was 2003 specific yet.

    The problem that we encountered the day after enabling our policies is that users will log in when they arrive in the morning and immediately find that Outlook 2000 will not open messages with attachments. They're told that they don't have permission. Word 2000 refuses to open documents, saying "Word can't open the existing …", and then goes into convulsions saying that it can't be saved or that a file can only be opened as Read Only, but won't open it. InfoPath 2003 will scream "Catastrophic Failure" when opening a previously created document.

    The resolution is to reboot the system.

    The reason I suspect one of our GPOs is that this started happening RIGHT after they were enabled. Below are the GPOs that we enabled:

    On the Domain
    "Message Text for Users Attempting to Log On" - This is the "popup" message that appears after pressing Control-Alt-Delete to log in. Seems totally harmless to me.
    "Enforce Strong Passwords" - We enabled this policy to ensure that our staff use complex passwords since we deal with private health information.
    "Windows Shutdown Script" - I made a batch script to empty the C:\Windows\Temp folder on the clients. Maybe this is a suspect? Here is the script...
    rd /s /q "C:\Windows\Temp"
    md "C:\Windows\Temp" {I added this line today as a troubleshooting step, even though I know that Windows will create the folder itself.}

    On the OU
    Disabled most control panel icons - We now only allow users to see the Mouse, Keyboard, Accessibility Options and Mail icons.
    Set Network Time - I created a User Logon script that synchronizes client system time with the time on our database server, which houses our Time Clock system.
    Empty *User's* Temp Files - I created another batch script that runs on User Logoff to empty their various temp files. Here's what that script looks like.
    rd /s /q "C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\"
    rd /s /q "C:\Documents and Settings\%username%\Local Settings\Temp\"
    del /f /s /q "C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\"
    md "C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\"
    md "C:\Documents and Settings\%username%\Local Settings\Temp\"
    The last two lines were added today to aid in troubleshooting.

    Could the fact that I'm having the temp file folders emptied and deleted be causing something wrong?

  • #2
    Re: Possible GPO side effect (Failure to open Office docs.)

    Do not remove the Temp directory. Although it gets created again, do not delete it.

    Instead you can delete the files lying under it.

    Most probably this is the only thing causing the issue.

    Kapil Sharma
    Life is too short, Enjoy It.


    • #3
      Re: Possible GPO side effect (Failure to open Office docs.)

      Check also the Event Viewer on the clients.
      Could it be that the user's "\Application Data\.." folder or subfolders are modified somehow?

      Most prob.. this is the only thing causing the issue
      By the information that was given, I think so too.
      Check the permissions on the windows\temp folder.
      By using the script to create the Temp folder again, it will inherit the security from the parent folder. That is not good, because now the users don't have permissions any more to create files and subfolders in this system temp folder. Thus, it is better not to recreate the temp folder in the Windows directory yourself after it was deleted, because Users must have special permissions on this folder.

      When you suspect the script might be causing the problems, why do you not just disable the script instead of adding more commands to it? This is not a testing environment. (And in the first place, it was easy to have this GPO tested before linking it to the users OU.)

      The folder "%userprofile%\Local Settings\Temporary Internet Files" is a special folder too; it is part of the "Internet Zone". If you right-click on that folder you see that it is different from all the other folders. Also do not delete this folder. Do not delete system folders.
      Besides, when logged on even an Administrator cannot delete the "Temporary Internet Files" folder; it is protected by the system. Also the folder "Content.IE5" cannot be deleted because it will probably already be in use, so that script will probably hang or terminate when the user is logging off. AFAIK logoff scripts are only executed when the user chooses the option to log off and not when they choose to shut down the computer.

      Like kapilsharma11 suggested, just delete the files and subfolders in the temp folder:
      @echo off& title,Windows Shutdown Script
      (Set Target=%SystemRoot%\Temp)
      :: Delete all files and subfolders, but leave the Temp folder itself (and its permissions) in place.
      :: ATTRIB first clears the system/hidden/read-only attributes so that dir lists everything
      :: and RD/Del can remove it; RD handles subfolders, Del handles single files.
      If EXIST "%Target%",(
         cd /D "%Target%" && (
         ATTRIB -S -H -R -A /D /S >nul & (
         For /f "Tokens=*" %%i in ('dir "%Target%" /B') Do (
          RD "%Target%\%%i" /S /Q || Del /F "%Target%\%%i")))
       )Else,echo.The target path does not exist on this computer
      Windows Time:
      Set Network Time - I created a User Logon script that synchronizes client system time with the time on our database server, which houses our Time Clock system.
      First of all, users do not have the rights to change their computer time, so that script will probably hang or terminate too.
      Secondly, this is absolutely not a recommended method for updating the time on the clients! The time on the clients should always be in sync with the DCs directly; you can configure these Time Service options by GPO. If you want the database server to be an authoritative time server for the network, then update only the one DC that holds the PDC-emulator role with the time on the database server, and disable the time service synchronization on the database server so it won't sync with a DC anymore. The default configuration is: clients and member servers sync with a DC, DCs sync with the DC holding the PDC-emulator role. This one DC does not try to sync at all, or is set to sync with an 'outside' time server.


      Of course you have to fix the problem first before you can use the sample batch from above.

      The original purpose of the batch above was to empty the users' temp folders from the local profiles!
      If you run it as a logon script, then just change the 'Target' to one of:
      (Set Target=%temp%)
      (Set Target=%userprofile%\Local Settings\Temporary Internet Files\Content.IE5)
      This deletes files and subfolders from the current user's temp folders (if it is local).
      It might be possible to run it as a startup script that tries to delete the contents of all the temp folders of all the local profiles on the computer:
      @echo off& title,Windows Startup Script&COLOR 9E
      :: clean the temp folders of all local profiles (expects the default location) ::
      :: Set search directory to the "Documents and Settings" folder by stripping
      :: the trailing "\All Users" (10 characters) from %AllUsersProfile%
      (Set Target=%AllUsersProfile:~0,-10%)
      :: For every profile folder: enter its Local Settings\Temp (skipped when absent), then empty it
      If EXIST "%Target%",(
        For /f "Tokens=*" %%p in ('dir "%Target%" /B') Do (
         cd /D "%Target%\%%p\Local Settings\Temp" && (
         ATTRIB -S -H -R -A /D /S >nul & (
         For /f "Tokens=*" %%f in ('dir /B') Do (
          RD "%%f" /S /Q || Del /F "%%f" )))>nul)
       )Else,echo.The target path does not exist on this computer
      Personally I would prefer to delete temp files only if they are older than 48 hours. Actually I have never deleted temp files of users.
      Last edited by Rems; 24th November 2007, 13:17.

      This posting is provided "AS IS" with no warranties, and confers no rights.


      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts
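As an added example (not Rems's script or any code from this thread): a VBScript that applies the 48-hour rule from the post above, emptying a temp folder in place so the folder and the special permissions the thread describes survive. The script name, the folder path taken from the command line and the 48-hour threshold are assumptions; run it as a GPO startup or shutdown script, e.g. cscript //nologo CleanTemp.vbs "C:\Windows\Temp".

```vbscript
' Added example, not code from the thread: empty a temp folder in place.
' Deletes only files older than MAX_AGE_HOURS and removes subfolders that end
' up empty, but never the target folder itself, so its ACL survives.
' Usage (startup/shutdown script): cscript //nologo CleanTemp.vbs "C:\Windows\Temp"
Option Explicit
Const MAX_AGE_HOURS = 48   ' assumed threshold, adjust as needed

Dim fso, target, removed, skipped
Set fso = CreateObject("Scripting.FileSystemObject")

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript //nologo CleanTemp.vbs <folder>"
    WScript.Quit 1
End If
target = WScript.Arguments(0)

' Do NOT recreate a missing folder: a fresh one inherits the parent's ACL (the thread's bug).
If Not fso.FolderExists(target) Then
    WScript.Echo "Target does not exist, nothing to do: " & target
    WScript.Quit 0
End If

removed = 0 : skipped = 0
CleanFolder fso.GetFolder(target), True
WScript.Echo "Removed " & removed & " item(s), skipped " & skipped & " (in use or newer than " & MAX_AGE_HOURS & "h)."

Sub CleanFolder(folder, isRoot)
    Dim f, child
    For Each f In folder.Files
        If DateDiff("h", f.DateLastModified, Now) >= MAX_AGE_HOURS Then
            On Error Resume Next
            f.Delete True                 ' True = delete even if read-only
            If Err.Number = 0 Then removed = removed + 1 Else skipped = skipped + 1
            On Error GoTo 0               ' a file in use raises an error: skip it, never hang
        Else
            skipped = skipped + 1
        End If
    Next
    For Each child In folder.SubFolders
        CleanFolder child, False
    Next
    ' Remove a subfolder once it is empty, but leave the root (target) folder alone.
    If Not isRoot Then
        If folder.Files.Count = 0 And folder.SubFolders.Count = 0 Then
            On Error Resume Next
            folder.Delete True
            On Error GoTo 0
        End If
    End If
End Sub
```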