I just wanted to say that this is an awesome reply!

Thank you Darren.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, July 01, 2004 7:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO question concerning LOCAL GPO

A user-driven script is not likely to work. These policies are set in HKCU but the keys involved are permissioned away from normal users by default--to prevent a normal user from undoing a policy. There are a couple of ways you could skin this. If you want to pay money, Full Armor has a tool called GPAnywhere that lets you do mass manipulation of the local GPO. If you want to do it on the cheap then there is another way, but it is a bit tricky. Essentially, all Admin. Template policy for the local GPO is stored in two files on the local drive. Any machine-specific Admin. Template policy is stored in %windir%\system32\grouppolicy\machine\registry.pol and any user-specific policy is stored in %windir%\system32\grouppolicy\user\registry.pol. For the screensaver policies you talk about below, these are user-specific and so would be stored in the user-specific registry.pol file. If you are reasonably sure that all of the affected machines have roughly the same local GPO, then you could pick one of them, edit it to include your new screen saver settings, and then just copy over that user registry.pol file on all the desired machines. Then, you have to increment the version number of the local GPO, so that when the user logs on, it knows there are new policy settings and it processes them. The version number is stored in a file called GPT.ini, found in %windir%\system32\grouppolicy. GPT.ini typically looks something like this:

[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Version=917538
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]


You'll need to increment the Version= key and, if there were no Admin Template policies formerly found in the local GPO, you need to be sure the GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is found in the gPCUserExtensionNames value, as it is above. The version number should be incremented according to how many policy changes you make. If you want to stick to Microsoft's byzantine versioning scheme for GPOs, then for each user-specific change you make (which is what you'll be doing in this case), the version number is increased by 65536. So three changes to user policy would result in a version number increase of 65536 x 3 or 196608, which gets added to the existing version number (so in the example above, 917538+196608=new version number). So what you can do is copy the registry.pol file and an updated gpt.ini (again this assumes that all machines have the same starting gpt.ini version number) to each of the target machines and then the next time the user logs on, they should get the correct screen saver policy. Like I said, tricky, but not impossible.

Darren

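As an added illustration of the GPT.ini step Darren describes (this is not code from the thread or from any of the posters), here is a small Python script that rewrites a GPT.ini body: it bumps the user half of Version= by 65536 per user-side change, leaves the machine half untouched, and makes sure the Administrative Templates GUID pair is listed under gPCUserExtensionNames. The reason the step is 65536 is that Version= packs two 16-bit counters, machine changes in the low word and user changes in the high word. The script assumes the Windows 2000 layout shown in the message (a single [General] section, unquoted key=value lines); the sample input is constructed from the values quoted above, and copying registry.pol and writing the file back to %windir%\system32\grouppolicy are left to the caller.

```python
"""Bump the Version= counter in a local GPO's GPT.ini after replacing the
user registry.pol, as described in the thread.

Added example, not part of the original thread. Assumes the Windows 2000
GPT.ini layout shown above: one [General] section, key=value lines with
unquoted values, CRLF or LF line endings.
"""

# GUIDs exactly as they appear in the GPT.ini quoted in the thread: the
# Administrative Templates client-side extension and the user-side tool
# GUID that is paired with it inside gPCUserExtensionNames.
ADM_CSE_GUID = "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
ADM_USER_TOOL_GUID = "{0F6B957E-509E-11D1-A7CC-0000F87571E3}"

# Version= packs two 16-bit counters: machine changes in the low word,
# user changes in the high word. One user-side change therefore adds
# 65536 (1 << 16), matching the arithmetic in the thread.
USER_VERSION_STEP = 1 << 16

# Constructed sample with the same values as the GPT.ini shown above.
SAMPLE_GPT_INI = (
    "[General]\r\n"
    "gPCFunctionalityVersion=2\r\n"
    "gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
    "{0F6B957E-509E-11D1-A7CC-0000F87571E3}]\r\n"
    "Version=917538\r\n"
    "gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
    "{0F6B957D-509E-11D1-A7CC-0000F87571E3}"
    "{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]"
    "[{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}"
    "{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]\r\n"
)


def split_version(version):
    """Return (machine_counter, user_counter) packed in a Version= value."""
    return version & 0xFFFF, version >> 16


def bump_user_version(version, user_changes):
    """Add user_changes to the user counter, leaving the machine counter alone."""
    if user_changes < 0:
        raise ValueError("user_changes must be non-negative")
    machine, user = split_version(version)
    user += user_changes
    if user > 0xFFFF:
        raise ValueError("user counter would overflow its 16 bits")
    return (user << 16) | machine


def ensure_user_adm_extension(ext_value):
    """Prepend the Admin Templates CSE pair if the list does not name it yet.

    Without this GUID in gPCUserExtensionNames the user-side Administrative
    Templates extension is never invoked, however far Version is bumped.
    """
    if ADM_CSE_GUID in ext_value.upper():
        return ext_value
    return "[" + ADM_CSE_GUID + ADM_USER_TOOL_GUID + "]" + ext_value


def update_gpt_ini(text, user_changes):
    """Return (new_text, old_version, new_version) for a GPT.ini body.

    Only the Version= and gPCUserExtensionNames= lines are rewritten; every
    other line, including its line ending, is passed through unchanged.
    """
    out = []
    old_version = new_version = None
    saw_user_ext = False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        key, sep, value = body.partition("=")
        if sep and key.strip().lower() == "version":
            old_version = int(value.strip())
            new_version = bump_user_version(old_version, user_changes)
            body = "Version=%d" % new_version
        elif sep and key.strip().lower() == "gpcuserextensionnames":
            saw_user_ext = True
            body = "gPCUserExtensionNames=" + ensure_user_adm_extension(value.strip())
        out.append(body + eol)
    if old_version is None:
        raise ValueError("GPT.ini has no Version= line")
    if not saw_user_ext:
        # No user-side extension list at all: add one so the CSE is invoked.
        if out and not out[-1].endswith(("\n", "\r")):
            out[-1] += "\r\n"
        out.append("gPCUserExtensionNames=" + ensure_user_adm_extension("") + "\r\n")
    return "".join(out), old_version, new_version


if __name__ == "__main__":
    # Three user-side screen saver settings, as in the thread's worked arithmetic.
    new_ini, old, new = update_gpt_ini(SAMPLE_GPT_INI, 3)
    print("machine/user counters before:", split_version(old))
    print("machine/user counters after: ", split_version(new))
    print(new_ini)
```

Run against the sample, the three-change case reproduces the thread's figure: 917538 (machine 34, user 14) becomes 1114146 (machine 34, user 17). The overflow and missing-key checks are there because a hand-edited GPT.ini that parses but does not carry the user CSE GUID will be silently ignored at logon, which is the failure mode this procedure is most likely to hit.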
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO question concerning LOCAL GPO

If the machine is standalone, you could e-mail them a script that makes the proposed registry changes. How else are you going to touch a machine that doesn't log in regularly to have a GPO applied?

Kevin Gent

Pearson Digital Learning

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, July 01, 2004 6:49 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO question concerning LOCAL GPO

We have identified an issue with a security policy (the paper kind) that conflicts with how our current build is set on our workstations. The workstations are running Windows 2000. I need to see if there is a way to change the LOCAL GPO on say 2000+ machines on the domain without having to remotely or sneaker login. Anyone know if a script could be written that say changes the GPO so the screen saver activates in 600 seconds, password protected and the user doesn't see the screen saver tab. I have already worked out the GPOs for users with these settings but the question was posed to me what about if the machine is operating in a standalone mode temporarily, i.e. laptop.

Any ideas or suggestions would be appreciated.

Jeff