Win2K Group Policy and User Environment Debugging
I’ve been madly testing user profiles and system policies with a mix of Windows 2000 and Windows NT 4.0 clients in an NT 4.0 domain. Of course, when things don’t work as you expect them to, it’s difficult to debug layer upon layer of adjustments you made using computer policy, user policy, and logon scripts. As I approached the point of total frustration, I discovered a cool technique for debugging NT 4.0 system policy and Win2K Group Policy environment problems. (Although you can debug user environment problems in NT 4.0 if you install the debug version of userenv.dll, the solution is inconvenient because you have to reconfigure, shut down, and reboot the machine to activate the debugging features in the checked build of the DLL.)

Win2K includes several built-in environment debugging tools. To use them, all you have to do is add a key and one or more value entries to the registry. This feature is a real gift when you consider the task of troubleshooting local or domain Group Policy problems with computers or users, not to mention application management and IPsec policy.

Find your way to the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT \CurrentVersion\ and add a new key called Diagnostics (this key doesn't appear in the registry by default). When prompted, leave the class key empty. You can add the following value entries to the Diagnostics key to achieve the different results:

  • RunDiagnosticLoggingGlobal:REG_DWORD:1 instructs Win2K to log all user environment activity.
  • RunDiagnosticLoggingGroupPolicy:REG_DWORD:1 enables Group Policy event logging.
  • RunDiagnosticLoggingIntelliMirror:REG_DWORD:1 logs remote boot activity.
  • RunDiagnosticLoggingAppDeploy:REG_DWORD:1 logs application management events.

Log off and back on and read through the copious records in the Application Event Log for indications of what's going wrong where. Remember to delete the Diagnostics key when you finish troubleshooting so that the Event Log doesn’t fill up with logged debug messages. See Microsoft article Q186454 or more information.

LPC Vulnerability Hotfix
Microsoft has released a public hotfix that closes some security holes in the local procedure call (LPC) component of Win2K and NT 4.0. LPC manages local system activity, so no one can exploit these vulnerabilities remotely. The hotfix eliminates four problems that can hang either platform—most of them spoofing related. The hotfix for both platforms is called 266433i.exe. You can download the Win2K version and the NT 4.0 equivalent from the Microsoft Web site.

French Outlook Hotfix Update
If you configure an NT 4.0 system with 128-bit encryption, set the locale to France, and then respond to an email message from a Microsoft Outlook Express user whose system has only 56-bit encryption, your computer might hang. Microsoft released a fix for this problem months ago, but it was apparently incomplete—the company just reissued an updated hotfix October 19. Download the hotfix, francfix.exe, from the Microsoft Web site.

NT 4.0 Doesn't Apply Default Profile to New User
Recently, a new user logged on to an NT 4.0 machine and found a completely blank desktop—no icons, no Start menu, no nothing. The user had logged on to the NT 4.0 domain successfully from a Win2K workstation, and NT 4.0's default computer policy was active. But when the same user logged on to an NT 4.0 system, the desktop disappeared. First, I adjusted permissions on the profile directory to accommodate the difference in how NT 4.0 and Win2K update a profile—nothing. Next, I tried copying a working profile to the user’s roaming profile directory—same result, nada. Finally, I decided that a corrupt default user profile must be to blame. I solved the problem by copying the default user profile from another NT 4.0 domain controller to the NT 4.0 system the user had logged on to. Like magic, the desktop reappeared. For a master list of profile references and how-to information from Microsoft Support Online, check out Microsoft article Q268487. The article describes this exact problem, but not in such gory detail!