Re: [ActiveDir] Working on policy for IE
Jeff,

You could try looking at BrndLog.TXT under C:\Documents and Settings\xx\Application Data\Microsoft\Internet Explorer (x is the username). It gives a detailed log of the IE processing and might give you a hint of what is happening.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

----- Original Message -----
From: <[EMAIL PROTECTED]>
To:
Sent: Thursday, September 29, 2005 5:07 AM
Subject: RE: [ActiveDir] Working on policy for IE

Hi Jeff...

Might I suggest putting the sites you wish to be in the trusted sites on your Internet Options on your administrative machine, then open the policy, and tell it to import. It works fine here doing it that way.

John

"Cothern Jeff D. Team EITC" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/28/2005 01:56 PM
Please respond to [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Working on policy for IE

Yes it says it is applied but when I go in and look it says no sites when I am looking under trusted sites.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
Sent: Wednesday, September 28, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Working on policy for IE

What does gpresult say? Is it applying the policy?

David Chianese

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Wednesday, September 28, 2005 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Working on policy for IE

I verified in the policy that the box is NOT checked. Perhaps I am not doing something correctly. So I will go thru the steps I did.

Created a new policy. Went under IE maintenance. Then Security. Double clicked on Security Zones and Content Rating. Checked import current settings then clicked on modify settings. Once in modify settings I went to Trusted Sites \ settings and unchecked the Require Server verification. I then entered *.domain.com and clicked Add. Then hit OK out to the policy. Closed that and had it apply to the machine. Logged into machine. GPupdate \force then rebooted machine. Logged in as standard user. No change.

Jeff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
Sent: Wednesday, September 28, 2005 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Working on policy for IE

One thing I noticed in trusted sites GPO is that you should almost always uncheck https sites only, otherwise any non https site added in there invalidates the policy and it never applies, even though gpresult says it does apply. I hope this helps. It does work fine for us.

Regards,
David Chianese
RHCE, MCSE+I, CNE, CNA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Wednesday, September 28, 2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Working on policy for IE

At a loss here.. I set up a policy that added the trusted sites but it doesn't appear this is doing anything as the trusted sites are not being added. The IEAK community group is of no help. Anyone had any success modifying the trusted sites thru policy?

Jeff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, September 27, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Working on policy for IE

Gentlemen

I need to come up with policy for IE I believe. We have a Sharepoint portal running. When initially the user goes there on a new drive the Digital Dashboard tries to install. Currently with the security level that is set it won't install unless an admin logs into the machine and goes to the website.

My question is. If I set the Portal web page as a trusted site which it is as it's internal web site. Would the Digital Dashboard install correctly with no further act
Re: [ActiveDir] Group policy security setting
Hi Charlie,

If it is a user registry setting (other than Binary) there should be no problem with a custom ADM template. Can you explain what registry key it is and exactly what is not working?

Alan Cuthbertson

----- Original Message -----
From: "Charlie Kaiser" <[EMAIL PROTECTED]>
To:
Sent: Saturday, September 03, 2005 8:51 AM
Subject: [ActiveDir] Group policy security setting

This is driving me nuts

I'm trying to set up a W2K3 SP1 terminal server machine, managed by group policy, that will allow users to run certain apps that actually load from another server.

Here's the problem... When I try and launch one of those apps, I get the security warning box "open file - security warning" "Are you sure you want to run this software?"

I finally figured out how to disable it; in IE properties, security, trusted sites, custom level, there's a setting: "Launching applications and unsafe files". If I set that to enable, the box goes away. (I'm using software restrictions to only allow certain apps, so the warning box is irrelevant).

I want to be able to set this value via GP rather than through the IE interface. The IE ADM template seems to include every setting except for this one. Why? I've tried creating a custom ADM for the setting, but I'm getting nowhere with that. I'll probably try that again next week. But I'm curious why this particular setting is not available in the template? Any ideas? Am I missing something?

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Password policy change
You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the "must change password" is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything.

This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created.

If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

----- Original Message -----
From: "Aaron Visser" <[EMAIL PROTECTED]>
To:
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change

Nevermind

OWA = Outlook Web Access

On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]> wrote:

> I mean, if I use the check box to "user must change password at next logon"
> our users whose only way into the domain is OWA will not prompt them to change
> their password... Unless I am missing something.
>
> Thanks
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
> Sent: Friday, August 26, 2005 3:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Password policy change
>
> Johnny,
>
> We do exactly what you suggest, change the password and set the "user must
> change password at next logon" and they are able to change it, even within the
> "password cannot be changed period".
>
> What do you mean by "that would effectively lock out the OWA only users"?
>
> Alan Cuthbertson
>
> Policy Management Software:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
> ADM Template Editor:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
> Policy Log Reporter(Free)
> http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
>
> ----- Original Message -----
> From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
> To:
> Sent: Saturday, August 27, 2005 2:56 AM
> Subject: RE: [ActiveDir] Password policy change
>
> Help desk sets the password to something "something", tells the user to
> change their password to whatever they want it to be and the user can not. I
> thought about having the HD check the box that makes it so the user has to
> change the password the next time they log in but I think that would
> effectively lock out the OWA only users.
>
> The point is that the HD gets the user going by setting the password to
> something generic, then the user is supposed to change it to whatever they
> want to keep.
>
> Thanks
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Friday, August 26, 2005 9:45 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Password policy change
>
> Which part is "not working" and how is it "not working"?
>
> Sincerely,
>
> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
>
> From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
> Sent: Fri 8/26/2005 9:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Password policy change
>
> Good morning folks, yesterday I changed the domain password security to
> retain password history for 5 passwords and the password can not be changed
> for one day.
>
> Our help desk used to set passwords to a default value when they got a call
> from a user and then tell the user to change it to something they want. It
> looks like that is not working for them
>
> Is there any way around this?
>
> Thanks
>
> Johnny Figueroa
> Enterprise Network Consultant/Integrator Network Services Banner Health
>
Re: [ActiveDir] Password policy change
Johnny,

We do exactly what you suggest, change the password and set the "user must change password at next logon" and they are able to change it, even within the "password cannot be changed period".

What do you mean by "that would effectively lock out the OWA only users"?

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

----- Original Message -----
From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
To:
Sent: Saturday, August 27, 2005 2:56 AM
Subject: RE: [ActiveDir] Password policy change

Help desk sets the password to something "something", tells the user to change their password to whatever they want it to be and the user can not. I thought about having the HD check the box that makes it so the user has to change the password the next time they log in but I think that would effectively lock out the OWA only users.

The point is that the HD gets the user going by setting the password to something generic, then the user is supposed to change it to whatever they want to keep.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Which part is "not working" and how is it "not working"?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change

Good morning folks, yesterday I changed the domain password security to retain password history for 5 passwords and the password can not be changed for one day.

Our help desk used to set passwords to a default value when they got a call from a user and then tell the user to change it to something they want. It looks like that is not working for them

Is there any way around this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602) 495-4195
Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately
Re: [ActiveDir] Getting the Pre Windows 2000 name for a domain
Hi Peter,

It could be NetBiosName that I am looking for. I tried it on my domain, but it had no value. However that could be because my domain was not built pre Windows 2000. I will try it on the offending domain and see what it returns.

Alan C

----- Original Message -----
From: "Peter Jessop" <[EMAIL PROTECTED]>
To:
Sent: Sunday, August 21, 2005 7:45 PM
Subject: Re: [ActiveDir] Getting the Pre Windows 2000 name for a domain

If I understand you correctly you are looking for the Pre Windows 2000 name of computers (not the domain). The property name is sAMAccountName.

i.e in order to find the pre Windows 2000 names of object in the DDD ou within domain BBB.CCC the script would be.

    Set objContainer = GetObject("LDAP://ou=DDD,dc=BBB,dc=CCC")
    For Each objComputer In objContainer
        WScript.Echo objComputer.Name & vbTab & objComputer.sAMAccountName
    Next

The pre Windows 2000 name of the domain has a property called nETBIOSName.

Regards
Peter Jessop
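An added example, not part of any message in the thread: in Active Directory the nETBIOSName attribute is held on the domain's crossRef object under CN=Partitions in the Configuration partition, not on the domain object itself, so it has to be read from there. The function name is hypothetical, aaa.bbb.ccc is the thread's placeholder domain, and the sketch assumes a Windows host that can reach a domain controller of the target domain with read access to the Configuration partition.

```powershell
# Added example (not from the thread): resolve the pre-Windows 2000 (NetBIOS)
# name of a domain from its DNS name by reading the domain's crossRef object.
function Get-DomainNetBiosName {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DnsDomainName      # e.g. the thread's placeholder 'aaa.bbb.ccc'
    )

    # aaa.bbb.ccc -> DC=aaa,DC=bbb,DC=ccc
    $domainDn = ($DnsDomainName.Split('.') | ForEach-Object { "DC=$_" }) -join ','

    # Server-based bind to the target domain, so the lookup also works for a
    # domain other than the one the caller is logged on to.
    $rootDse  = [ADSI]"LDAP://$DnsDomainName/RootDSE"
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    if (-not $configNc) {
        throw "Could not read RootDSE from $DnsDomainName"
    }

    # Every naming context has one crossRef object directly under CN=Partitions.
    # nCName holds the naming context's DN, nETBIOSName the pre-Windows 2000 name.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$DnsDomainName/CN=Partitions,$configNc"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.Filter      = "(&(objectClass=crossRef)(nCName=$domainDn))"
    [void]$searcher.PropertiesToLoad.Add('nETBIOSName')
    [void]$searcher.PropertiesToLoad.Add('dnsRoot')

    $result = $searcher.FindOne()
    if ($null -eq $result) {
        throw "No crossRef object found for $domainDn"
    }

    # Attribute names in a search result are stored lower-cased.
    $values = $result.Properties['netbiosname']
    if ($null -eq $values -or $values.Count -eq 0) {
        # Application partitions have a crossRef but no NetBIOS name.
        throw "crossRef for $domainDn carries no nETBIOSName value"
    }
    return [string]$values[0]
}

# Usage with the command from the thread:
#   $nb = Get-DomainNetBiosName -DnsDomainName 'aaa.bbb.ccc'
#   net view /domain:$nb
```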
Re: [ActiveDir] Getting the Pre Windows 2000 name for a domain
Hi Michael,

Thanks for the response, But it isn't quite what I want. The code you give gives the NetBios name of the logged on user. I am trying to find the NetBios name for another domain.

I have tried enumerating all machines on the domain and then pinging them, but it takes too long. We have 20,000 machines, of which 10,000 are offline. Each ping to an offline machine takes 1 sec to time out, so it takes over 3 hours! I was looking for a quicker way

Alan C

----- Original Message -----
From: Michael B. Smith
To: [EMAIL PROTECTED]
Sent: Sunday, August 21, 2005 8:47 PM
Subject: RE: [ActiveDir] Getting the Pre Windows 2000 name for a domain

As to the first question:

    Dim objWSHNetwork
    Set objWSHNetwork = CreateObject("WScript.Network")
    ' get the NetBIOS domain name
    strNetBIOSDomain = objWSHNetwork.UserDomain
    Set objWSHNetwork = Nothing

As to the second question, see http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb07.mspx and http://msdn.microsoft.com/library/default.asp?url=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Sunday, August 21, 2005 1:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Getting the Pre Windows 2000 name for a domain

Hi,

I have a requirement to determine the machines that are currently online for a particular domain. I use the Net View command and give it a domain name such as:

    Net View /Domain:DomName

Since I know the Fully qualified Domain name AAA.BBB.CCC then I use:-

    Net View /Domain:AAA

and it normally works. However I have one client that uses a different Pre Windows 2000 name (don't ask me why).

I tried the following bit of code to try and programmatically work out the Pre Windows 2000 name:-

    Dim Sdou As IADs
    Dim PropertyValue As Variant
    Set Sdou = GetObject("LDAP://DC=AAA,DC=BBB,DC=CCC")
    For Each PropertyValue In Sdou.GetEx("Name")
        If PropertyValue <> "" Then
            MsgBox PropertyValue
        End If
    Next

but it just returned AAA.

So, is there a property in Active Directory that returns the Pre Windows 2000 name?

Alternatively, is there any way to determine the machines that are online via AD, rather than via the Net View command?

Alan Cuthbertson
[ActiveDir] Getting the Pre Windows 2000 name for a domain
Hi,

I have a requirement to determine the machines that are currently online for a particular domain. I use the Net View command and give it a domain name such as:

    Net View /Domain:DomName

Since I know the Fully qualified Domain name AAA.BBB.CCC then I use:-

    Net View /Domain:AAA

and it normally works. However I have one client that uses a different Pre Windows 2000 name (don't ask me why).

I tried the following bit of code to try and programmatically work out the Pre Windows 2000 name:-

    Dim Sdou As IADs
    Dim PropertyValue As Variant
    Set Sdou = GetObject("LDAP://DC=AAA,DC=BBB,DC=CCC")
    For Each PropertyValue In Sdou.GetEx("Name")
        If PropertyValue <> "" Then
            MsgBox PropertyValue
        End If
    Next

but it just returned AAA.

So, is there a property in Active Directory that returns the Pre Windows 2000 name?

Alternatively, is there any way to determine the machines that are online via AD, rather than via the Net View command?

Alan Cuthbertson
Re: [ActiveDir] OT: Cloned machine domain membership
Douglas,

The key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

DisablePasswordChange =1.

Further Information is available from http://support.microsoft.com/?id=154501

Alan Cuthbertson

----- Original Message -----
From: "SysPro Support" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, June 07, 2005 7:09 AM
Subject: Re: [ActiveDir] OT: Cloned machine domain membership

> Douglas,
>
> There are some registry settings that turn off password changes on the
> machine. This means that since the machine password is always the same you
> can simply reinstate the image and it will still be part of the domain. Not
> sure of the keys though, will check at work today.
>
> When we first installed VMWARE (great product for testing upgrades) we had
> lots of snapshots, then the password changed on the workstation and we had
> to reconnect each snapshot to the domain. Each time you swapped to a new
> snapshot, you had to re-add it to the domain. A real pain so we scrapped the
> lot, started again and disabled password changing.
>
> Of course there are some security concerns, since someone could take an
> image, reinstate it in 6 months time and be automatically part of the
> domain, but in our organisation that is not a concern.
>
> Alan Cuthbertson
>
> Policy Management Software:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
> ADM Template Editor:-
> http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
> Policy Log Reporter(Free)
> http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
>
> ----- Original Message -----
> From: "Al Garrett" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, June 07, 2005 2:07 AM
> Subject: RE: [ActiveDir] OT: Cloned machine domain membership
>
> We've had issues with reimaged machines and the 30-day secure channel
> machine password.
> A machine reimaged with an old image has an old password. The only
> solution after imaging seems to be remove from the domain and re-add.
> Since I'm the network side vs. the user machine side, I have the luxury
> of telling the techs that it's their problem to fix.
>
> I don't know if they found a solution but I'll check around and see if
> they solved it.
>
> -----Original Message-----
> From: Douglas M. Long [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 06, 2005 8:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: Cloned machine domain membership
>
> I am trying to figure out the best way to re-image our labs (XP only)
> without any interaction. Currently we are using Ghost 7.5, and it will
> add the machine account to the domain, but doesn't actually join the
> machine to the domain. This would be fine if the machines only needed
> re-imaged twice a year, but at times they need re-imaged weekly. Any
> suggestions on a way to do this with what we have? Other suggestions?
Re: [ActiveDir] OT: Cloned machine domain membership
Douglas,

There are some registry settings that turn off password changes on the machine. This means that since the machine password is always the same you can simply reinstate the image and it will still be part of the domain. Not sure of the keys though, will check at work today.

When we first installed VMWARE (great product for testing upgrades) we had lots of snapshots, then the password changed on the workstation and we had to reconnect each snapshot to the domain. Each time you swapped to a new snapshot, you had to re-add it to the domain. A real pain so we scrapped the lot, started again and disabled password changing.

Of course there are some security concerns, since someone could take an image, reinstate it in 6 months time and be automatically part of the domain, but in our organisation that is not a concern.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

----- Original Message -----
From: "Al Garrett" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, June 07, 2005 2:07 AM
Subject: RE: [ActiveDir] OT: Cloned machine domain membership

We've had issues with reimaged machines and the 30-day secure channel machine password. A machine reimaged with an old image has an old password. The only solution after imaging seems to be remove from the domain and re-add. Since I'm the network side vs. the user machine side, I have the luxury of telling the techs that it's their problem to fix.

I don't know if they found a solution but I'll check around and see if they solved it.

-----Original Message-----
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Monday, June 06, 2005 8:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Cloned machine domain membership

I am trying to figure out the best way to re-image our labs (XP only) without any interaction. Currently we are using Ghost 7.5, and it will add the machine account to the domain, but doesn't actually join the machine to the domain. This would be fine if the machines only needed re-imaged twice a year, but at times they need re-imaged weekly. Any suggestions on a way to do this with what we have? Other suggestions?
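An added example, not part of any message in the thread: one way to see where machine password rotation has been switched off, given the security concern raised above about old images rejoining the domain. The first function reads the DisablePasswordChange value named in the thread on the local machine; the second lists computer accounts in the current domain whose pwdLastSet is older than the 30-day cycle the thread mentions. The function names and the 15-day grace period are assumptions of this sketch.

```powershell
# Added example (not from the thread). Assumes a domain-joined Windows host
# and an account that can read computer objects in the current domain.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Test-MachinePasswordChangeDisabled {
    # True when the value named in the thread is present and set to 1.
    $p = Get-ItemProperty -Path $NetlogonKey -Name 'DisablePasswordChange' `
                          -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.DisablePasswordChange -eq 1)
}

function Get-StaleMachinePassword {
    param(
        [int]$MaxAgeDays = 30,   # the 30-day machine password cycle from the thread
        [int]$GraceDays  = 15    # assumption: slack for machines that were powered off
    )

    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-($MaxAgeDays + $GraceDays)).ToFileTimeUtc()

    # pwdLastSet is a FILETIME (100 ns ticks since 1601), so it can be compared
    # numerically in the LDAP filter. Accounts with pwdLastSet = 0 also match.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = "(&(objectCategory=computer)(pwdLastSet<=$cutoff))"
    $searcher.PageSize = 500     # page through large domains
    foreach ($attr in 'sAMAccountName', 'pwdLastSet', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $set = [DateTime]::FromFileTimeUtc([int64]$r.Properties['pwdlastset'][0])
            [pscustomobject]@{
                Name            = [string]$r.Properties['samaccountname'][0]
                PasswordLastSet = $set
                AgeDays         = [int](($now - $set).TotalDays)
                DN              = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()       # release the unmanaged search handle
    }
}

# Usage:
#   Test-MachinePasswordChangeDisabled
#   Get-StaleMachinePassword | Sort-Object AgeDays -Descending | Format-Table
```

An account listed here is either a machine that has been off the network, one running with password changes disabled, or a leftover account; each case needs a look before an old image with that password is accepted back.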
Re: [ActiveDir] GPO being denied
Hi Tom,

I have included comments in your text in <>

Alan C

----- Original Message -----
From: "Kern, Tom" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Friday, May 20, 2005 12:07 PM
Subject: RE: [ActiveDir] GPO being denied

well, the machine has to have read and apply for its gpo to process. regardless of whether its merge or replace. in fact, loopback is set in the computer config part of the machine's gpo. so the machine has to be able to read and apply the gpo for loopback to occur to begin with.

then if its merge, the user's part of the user's gpo will be processed, followed by the user portion of the machine's gpo. in replace, the user's portion of the user's gpo is ignored and just the machine's gpo's user portion will be processed.

we're talking about 2 gpo's here and 2 separate parts of the gpo-first the user part of the user accounts gpo and second the user part of the machine's gpo. its the user part of the machine's gpo that you want to merge or replace, hence the machine has to have rights to that gpo.

In reference to your example, are you sure there isn't a gpo with the same settings as policy 1 coming from somewhere(like the user's ou or linked at the domain level)? is the authenticated users group defined in the acl for policy 1's gpo?

i'm sorry if this is unclear. its most likely my fault. i'm no AD expert and i'm sure joe or al or gil or any of the other much much more knowledgeable people will jump in and correct the hell out of me. i apologize if i've confused you more.

thanks

-----Original Message-----
From: SysPro Support [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO being denied

Tom,

This is not the way I thought it worked (but I may have misread what you are saying or I may just be wrong!)

I thought that if Loop back processing was active on the machine as Replace, when the user logged on, they received the policies as if they were members of the Machine OU.

If Loop back processing was active on the machine as Merge, when the user logged on, they received the policies based on their own OU membership, followed by the policies as if they were members of the Machine OU.

Whether the machine had apply or read access to these policies was irrelevant.

I just did the following test where I created two policies:

Policy 1 (User has apply access, machine has neither read nor apply access). Contains one user setting
Policy 2 (User and machine both have apply access). Contains loopback processing as merge plus a user based setting

Both policies applied to TEST Ou. Machine belongs to Test OU but User doesn't.

My reading of your statement is that the user will only get the second User based setting. In fact when I tried it, the user got both settings.

Alan C

Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/policyreporter.shtml

----- Original Message -----
From: "Kern, Tom" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Friday, May 20, 2005 10:29 AM
Subject: Re: [ActiveDir] GPO being denied

To repeat-

You're getting that error because if the computer object or authenticated users is not on the acl to apply gpo and read gpo, the user portion of the gpo which is defined for the ou the computer object is in, will not apply.

Both the gpo defined on the user and the user portion of the gpo defined on the computer are applied in merge mode.

If the pc doesn't have rights, the user portion of the computer's gpo will not apply and you'll get that error

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
Re: [ActiveDir] GPO being denied
Tom,

This is not the way I thought it worked (but I may have misread what you are saying or I may just be wrong!)

I thought that if Loop back processing was active on the machine as Replace, when the user logged on, they received the policies as if they were members of the Machine OU.

If Loop back processing was active on the machine as Merge, when the user logged on, they received the policies based on their own OU membership, followed by the policies as if they were members of the Machine OU.

Whether the machine had apply or read access to these policies was irrelevant.

I just did the following test where I created two policies:

Policy 1 (User has apply access, machine has neither read nor apply access). Contains one user setting
Policy 2 (User and machine both have apply access). Contains loopback processing as merge plus a user based setting

Both policies applied to TEST Ou. Machine belongs to Test OU but User doesn't.

My reading of your statement is that the user will only get the second User based setting. In fact when I tried it, the user got both settings.

Alan C

Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/policyreporter.shtml

----- Original Message -----
From: "Kern, Tom" <[EMAIL PROTECTED]>
To:
Sent: Friday, May 20, 2005 10:29 AM
Subject: Re: [ActiveDir] GPO being denied

To repeat-

You're getting that error because if the computer object or authenticated users is not on the acl to apply gpo and read gpo, the user portion of the gpo which is defined for the ou the computer object is in, will not apply.

Both the gpo defined on the user and the user portion of the gpo defined on the computer are applied in merge mode.

If the pc doesn't have rights, the user portion of the computer's gpo will not apply and you'll get that error

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
Re: [ActiveDir] GPO being denied
Hi Jeff,

Can't think of anything immediately. When you say "Its saying security filter" are you getting that from the UserEnv log, or somewhere else?

I always find it useful to activate full logging and then read the UserEnv.Log in %windir%\debug\usermode to find out what is happening (maybe you have already done this). We have a free tool that helps display the log in a (slightly) more meaningful way. Or you can email me the log offline and I will have a look to see if I can see anything.

Here is a reference to activating the logging: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=

and here is a link to our free software http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

Alan C

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

----- Original Message -----
From: Cothern Jeff D. Team EITC
To: ActiveDir@mail.activedir.org
Sent: Friday, May 20, 2005 7:10 AM
Subject: [ActiveDir] GPO being denied

Ok here is scenario. I have a Terminal Server with a Policy assigned to it. Thru this policy users are unable to have any local peripherals redirected and used thru TS. Now a requirement has come up for a few users to have this ability. So I created a policy that allows this to happen. I set that policy on the OU the TS system is in. I also set the group as the security filter for it.

When the test user account logs into the system the policy that is supposed to change the setting to allow the printer redirection is being denied. It's saying security filter. But I checked and the user is in the allowprinter group and that group is the one that is in the security filter and under advance both read and apply gpo are checked. I don't understand why the user is denied from that policy. Any ideas?

Jeff
Re: [ActiveDir] GPO
Justin,

I would agree... it should all work. One way of debugging this is to look at the article here: http://www.jsiinc.com/SUBH/tip3700/rh3799.htm It explains how to enable logging and creates a log that shows everything that is happening as the policies are applied in the machine. It's a bit messy, but worth going through in detail and you may well find out exactly what is happening. I am actually in the process of trying to write a program to make sense of the log, so if you like, you can send me the Userenv.log file and I will see what I can do with it.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml

- Original Message -
From: "Matjaž Ladava" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 14, 2004 8:17 AM
Subject: RE: [ActiveDir] GPO

> No. GPO's are registry based (At least admin templates), so they should work on XP box without the need of Windows Server 2003. It is enough if you set them up from XP box or import them in 2000 DC (adm templates). What policies are we talking about ? Run gpresult /v to get verbose information about your policies being applied on your workstations.
>
> Regards
>
> Matjaz Ladava
> MVP Windows Server - Directory Services
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Tuesday, April 13, 2004 11:11 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] GPO
>
> I used a Windows XP client running the GPMC and setup items in a GPO that are for Windows XP and higher, however it appears that they are not going into effect. I should not need a 2003 DC running in order to have these GPO settings take effect right?
>
> Justin A. Salandra, MCSE
> Senior Network Engineer
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Domain Policy Settings
Hi Steve,

What sort of Registry keys do you mean? When you say "under local Policy, a mess of registry settings are listed" do you mean "Under the registry key \Machine\Software\Policy" or are you somehow looking at the registry keys that are being applied via Local Policy? If the latter, how are you seeing these keys? Are you using RSOP.MSC on an XP workstation? I ask this because we work on 2000 workstations and have always had trouble trying to extract this sort of info. I have had a brief look at policies under XP and it shows a lot of additional stuff, but I haven't really got into it yet and was wondering what tools are available.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml

- Original Message -
From: Steve Shaff
To: [EMAIL PROTECTED]
Sent: Friday, April 09, 2004 7:44 AM
Subject: [ActiveDir] Domain Policy Settings

Group,

I have had some strange settings being applied within our group policy. For example, under local Policy, a mess of registry settings are listed. No one here added them, nor did I. Same goes for the File System; there is no way that a person added all these settings. Does anyone know if there is a template that might have been applied or an application that would add these settings? Just trying to come up with a "How did this happen".

Thanks,
S
[ActiveDir] Format of UserEnv.Log
Does anyone know of some software that formats UserEnv.Log into an intelligent format? Alternatively, does anyone know of documentation on how it is formatted, so I can write my own program? (I would even post it back here for general use!) I have spent a lot of time crawling through this file and am slowly getting the hang of it, but it isn't really a "user-friendly" log. Alan Cuthbertson
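A small parser of the kind asked for above, which also pulls out the "GPO denied by security filter" case from the earlier "GPO being denied" thread. This is an added example, not code from the list or from the SysProSoft tool; the line layout `USERENV(pid.tid) HH:MM:SS:mmm Function: message`, the `ProcessGPO` message wording and every name in the sample log are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Assumed line layout: USERENV(<pid>.<tid>) HH:MM:SS:mmm <Function>: <message>
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s*(?P<msg>.*)$",
    re.IGNORECASE,
)

# Constructed sample: two threads interleaved; GPO names, DNs and message
# wording are illustrative, not copied from a real machine.
SAMPLE_LOG = """\
USERENV(2b4.2b8) 10:15:01:120 ProcessGPOs: Starting user Group Policy processing...
USERENV(2b4.2b8) 10:15:01:180 ProcessGPO: Searching <CN={GPO-A},CN=Policies,CN=System,DC=example,DC=test>
USERENV(2b4.2c0) 10:15:01:185 ProcessGPO: Searching <CN={GPO-B},CN=Policies,CN=System,DC=example,DC=test>
USERENV(2b4.2b8) 10:15:01:200 ProcessGPO: User has access to this GPO.
USERENV(2b4.2c0) 10:15:01:205 ProcessGPO: Machine has access to this GPO.
USERENV(2b4.2b8) 10:15:01:210 ProcessGPO: Found display name of: <TS Lockdown>
USERENV(2b4.2c0) 10:15:01:215 ProcessGPO: Found display name of: <Default Domain Policy>
USERENV(2b4.2b8) 10:15:01:240 ProcessGPO: Searching <CN={GPO-C},CN=Policies,CN=System,DC=example,DC=test>
USERENV(2b4.2b8) 10:15:01:250 ProcessGPO: User does not have access to the GPO and so will not be applied.
USERENV(2b4.2b8) 10:15:01:260 ProcessGPO: Found display name of: <Allow Printer Redirection>
"""


def parse_log(text):
    """Turn raw log text into a list of event dicts, in file order."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m is None:
            # Wrapped or unrecognised line: keep it with the previous event.
            if events and line:
                events[-1]["msg"] += " " + line
            continue
        ms = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
        events.append({
            "thread": (m["pid"].lower(), m["tid"].lower()),
            "ms": ms,                      # milliseconds since midnight
            "func": m["func"],
            "msg": m["msg"],
        })
    return events


def gpo_outcomes(events):
    """Per thread, list the GPOs examined and whether access was allowed."""
    current = {}                  # thread -> GPO record still being filled in
    result = defaultdict(list)    # thread -> records in processing order
    for ev in events:
        if ev["func"] != "ProcessGPO":
            continue
        msg, thread = ev["msg"], ev["thread"]
        searching = re.match(r"Searching\s*<(.*)>", msg)
        if searching:
            rec = {"dn": searching.group(1), "name": None, "verdict": "unknown"}
            current[thread] = rec
            result[thread].append(rec)
            continue
        rec = current.get(thread)
        if rec is None:
            continue              # ProcessGPO line with no preceding search
        name = re.search(r"display name of:\s*<(.*)>", msg)
        if name:
            rec["name"] = name.group(1)
        elif "does not have access" in msg:
            rec["verdict"] = "denied"
        elif "has access" in msg:
            rec["verdict"] = "allowed"
    return dict(result)


def denied_gpos(text):
    """Return (thread, GPO name or DN) for every GPO skipped on access."""
    out = []
    for thread, recs in gpo_outcomes(parse_log(text)).items():
        out += [(thread, r["name"] or r["dn"]) for r in recs if r["verdict"] == "denied"]
    return out


if __name__ == "__main__":
    for thread, gpo in denied_gpos(SAMPLE_LOG):
        print(f"thread {thread[0]}.{thread[1]}: access denied to GPO '{gpo}'")
```

Grouping by the `pid.tid` pair is what keeps computer and user processing apart when their lines interleave in the file; adjust the regular expression and the matched phrases to whatever a real UserEnv.Log from %windir%\debug\usermode contains.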
Re: [ActiveDir] Testing other GPO's to DC's
I am interested in the comment that OU's are a better way to manage Policies than using group based filtering. Is this for performance reasons, management reasons or safety reasons? I could see a very small improvement in performance, using OU's is a little easier to see what is going on and it is a little safer since if you make a mistake it only messes up the servers in that OU. In this case the main argument for using a separate OU would seem safety but I wonder if I have missed something? I personally would probably use group filtering, especially since it is only for testing. We tend to use OU's to delegate management of the workstations. We have a single domain managed centrally, but delegate day to day management to staff in the region. If you are in Eastern region, you go in the Eastern OU's and the Eastern staff manage you. I find managing policies by OU much more of a headache than using Group Filtering. If you have one policy, you only need two OU's. However, if you have 5 policies, you need (potentially) 32 groups to cover every permutation. 5 groups can be used to manage 5 policies and if you use a name to make clear it is only for Policy management, it is all pretty easy to follow. Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml - Original Message - From: "joe" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, April 04, 2004 3:50 AM Subject: RE: [ActiveDir] Testing other GPO's to DC's Yes, this would be my preference as well. Avoid group based filtering. 
- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, March 31, 2004 10:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Testing other GPO's to DC's

or create a sub-ou underneath the domain controllers OU which you link the GPO to. then put those DCs into the sub-OU. not only good for testing purposes...

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, March 31, 2004 19:36
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Testing other GPO's to DC's

Yes, that's exactly it. Grant those specific DCs the Read and Apply Group Policy rights on the GPO.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, March 31, 2004 12:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Testing other GPO's to DC's

Hi,

I'm sure this has been covered in previous posts but how can I create a GPO object and link it to the Domain Controllers OU but only apply it to a couple of domain controllers for testing purposes? Is it removing the authenticated users group and adding the specific domain controllers to the ACL's?

Thanks,
Re: [ActiveDir] OT: Custom .ADM (Code Included)
These things are notoriously tricky, cos there are so many things to go wrong. Have you checked in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History to check that the policy is actually being applied?

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml

- Original Message -
From: "Michael Wassell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, April 03, 2004 4:57 AM
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

There must be something I'm doing wrong then... I have no idea what it might be but it must be something. I guess I'll just go RSOP my brains out and hopefully I'll catch something :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 02, 2004 1:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

That really is odd. I took the text, pasted it into notepad, opened my local policy, imported the adm, filtered the view, enabled it... and it created the registry key fine... Are there other settings in the same policy that are getting applied?

"Michael Wassell" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/02/2004 12:36 PM
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

The registry is not being accessed at all from any of my attempts. I've even gone as far as to run a registry monitor to see if the registry is even being accessed and it is not. I have modified the system.adm file (created by default) to include the code and forced the GPO that does not apply either. I haven't run the registry monitor during boot time, but I have tried restarting numerous times and the registry is not changed in any way. I have modified the code to create a key also to see if the key is created and it is not. As a temporary solution (the application was only distributed to a limited amount of users) I have made the modifications manually to my own registry, extracted them and pushed them out to all of the workstations that are having the problem. Users have not been taught or instructed on how to use the new software yet so I have a bit of time to toy with thankfully. Definitely a head scratcher.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, April 02, 2004 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

Really... Hmm. Printers are generally profile specific, and the issue you're having sounds like it is user specific. Are you seeing the GPO get applied (verifying the registry settings) but they aren't working, or is the registry not being changed at all? As far as permissions, I believe GPO's are applied as localsystem - so there shouldn't be a perms problem. Not 100% sure what to tell you - other than verify the registry is actually being changed.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Friday, April 02, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

Unfortunately not in this case Roger :-( Although, I do appreciate the advice. This particular printer is automatically created from an installer, which in turn creates the printer object underneath the HKLM hive. This allows for every user that logs into the workstation to have the printer automatically created, but unfortunately there is a bug causing the properties of the printer object to point to the %USERPROFILE%\Temp folder of the user that installed the client. Hence, insufficient rights when the user attempts to print to the printer object, which is why I'm trying to design the GPO to change the value in the registry to point to a folder all users have rights to (C:\temp). Would this inconsistency prevent the .ADM from functioning properly?

From: [EMAIL PROTECTED]
Re: [ActiveDir] Cross forest policies - boxes in Win2k domain, users in win2k3 single domain forest
Hi Stephen,

LoopBack processing should do the trick. Basically it says "Apply the policies using the user's Group membership as if he was a member of the OU that the Citrix server belongs to". You can use Merge (apply the settings the user would normally get, followed by the ones they would get if in the Citrix machine's OU) or Replace (only apply the settings the user would get if they were in the Citrix machine's OU).

I have no experience about your comment "Cross forest GPO's only work when both domains are W2K3" but if it is correct, it sounds as if the GPO's held in the User's domain would not apply. This may stop "Merge" from working, but "Replace" may still work since the GPO's are held in the Citrix domains. I would therefore try the following:-

1. Create the restrictive policy in the Citrix OU
2. Enable loopback with replace
3. Add the Administrators to the Policy and give them Deny Apply

You could try merge in Step 2 and see if it picks up their normal policies as well. Should work. Tell us what happens.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml

- Original Message -
From: Wilkinson, Stephen
To: [EMAIL PROTECTED]
Cc: Kent, Ben
Sent: Thursday, April 01, 2004 12:36 AM
Subject: [ActiveDir] Cross forest policies - boxes in Win2k domain, users in win2k3 single domain forest

Hello all,

Having moved all of our users from an NT4 account domain to a Windows 2003 domain, we have a requirement to set policies on our citrix servers which sit in a separate windows 2000 forest, to control policies for users from our trusted single domain windows 2003 forest. E.g. to run registry editing tools etc.

This is a bit long-winded but this is what we are trying to do and are not sure how to proceed:

The "Default User" on the Citrix servers is configured with some default settings, including the "disable registry editing tools" policies. When we were still using an NT4 account domain the Citrix servers were configured to get .POL files from the hard drive instead of the DC's, this way we had NT4 policies that were only in effect when logging into the Citrix servers, also there were group membership controls in the .POL files so that admin accounts had the policies lifted.

The problems we need to solve are

1. Policy lockdown for users coming from outside the win2k domain (where the Citrix servers live) when they logon to the Citrix servers. At present we are relying on the settings inherited from "Default User", for the Win2k3 domain accounts. We need a way to have policies that apply to the Win2k3 domain users, but only when they logon to the Citrix servers (which are the only member computers in the win2k domain), policy loop back has been suggested (apply the computer policy to users regardless of the domain they logged on from), which looks promising, assuming they can be controlled by user group memberships (in win2k3 domain) to stop the admins getting the user policies.

2. Not to apply the policies for Admin Win2k3 domain accounts when logging onto the Citrix boxes. Cross forest GPO's only work when both domains are W2K3, which I would expect is not going to happen any time soon. And we need to relax the policies being picked by the admins.

Hope this makes sense!?

Stephen Wilkinson
Tel +44(0)207 4759276
Mobile +44(0)7973 143970
E-Mail: [EMAIL PROTECTED]
Re: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue
David,

Another thought. Go through the registry key on your target machine and look in \current_user\Software\Microsoft\Windows\CurrentVersion\Group Policy\History. There should be a subkey for IE (I think it is {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}). You will find under that a list of keys, one for each policy applying IE settings. This shows the policies and the order they apply which may give you a hint. Also, you can get into a mess if you apply policies both via the IE extension and via the ADM extension.

Alan C

- Original Message -
From: "SysPro Support" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 27, 2004 1:25 PM
Subject: Re: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue

> David,
>
> From your description I can't see any problem, but these things are often more complex than you think. Maybe another policy is inadvertently setting it. I have just started marketing a program for interrogating Policy configurations and it should tell you exactly what is going on.
>
> Feel free to install it and give it a try. It still may be hard to sort out, so if you still can't figure it out, my program will dump all of your Policy information to a directory, you can send it to me and I will try to interpret it for you.
>
> Alan Cuthbertson
>
> Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
> ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml
>
> - Original Message -
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, March 27, 2004 1:40 AM
> Subject: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue
>
> > I have set up a GPO for IE proxy settings at my domain level in a GPO I use for "suggested" policies that I can later override with OU specific policies. I am now trying to apply a GPO setting for IE proxies on an OU with a different proxy setting than the default domain, among other settings. I have enabled loop back mode (merge) on this GPO, and all other settings that should be overridden for the computer and user settings are. I have tried Preference mode and enabling the computer \ administrative Templates \ internet explorer make proxy settings per computer, but the domain GPO still wins in application of this setting.
> >
> > Any Ideas? What am I missing?
> >
> > David Frost
> > Directory Engineering,
> > Messaging, Directories and PKI Engineering Services
> > Industry Canada
Re: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue
David,

From your description I can't see any problem, but these things are often more complex than you think. Maybe another policy is inadvertently setting it. I have just started marketing a program for interrogating Policy configurations and it should tell you exactly what is going on.

Feel free to install it and give it a try. It still may be hard to sort out, so if you still can't figure it out, my program will dump all of your Policy information to a directory, you can send it to me and I will try to interpret it for you.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 27, 2004 1:40 AM
Subject: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue

> I have set up a GPO for IE proxy settings at my domain level in a GPO I use for "suggested" policies that I can later override with OU specific policies. I am now trying to apply a GPO setting for IE proxies on an OU with a different proxy setting than the default domain, among other settings. I have enabled loop back mode (merge) on this GPO, and all other settings that should be overridden for the computer and user settings are. I have tried Preference mode and enabling the computer \ administrative Templates \ internet explorer make proxy settings per computer, but the domain GPO still wins in application of this setting.
>
> Any Ideas? What am I missing?
>
> David Frost
> Directory Engineering,
> Messaging, Directories and PKI Engineering Services
> Industry Canada
Re: [ActiveDir] Domain VS Local
I think you can go in to Local Group policy on the machine and set it. However, if the machine is on the domain, you will need to take steps to ensure the global policy doesn't override it (e.g. make the machine a member of a group and then make the group No Apply for the Domain policy). I haven't tried it, but give it a go.

Alan C

- Original Message -
From: Mike Hogenauer
To: [EMAIL PROTECTED]
Sent: Saturday, March 27, 2004 8:41 AM
Subject: [ActiveDir] Domain VS Local

Does anyone know how to set an account expiration date on a local system account like you can with a domain account?

Thanks,
Mike
Re: [ActiveDir] Group Policy - Overview
Anders,

We market a product called PolMan that will produce a report of all settings that are enabled within your AD Policy. It provides a list of all entries with columns for the Policy name, the extension type, key name etc. We also market a nice little ADM Template editor. Feel free to download it and get the results you want. If you have any hassles or comments, drop us a line.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 7:24 PM
Subject: [ActiveDir] Group Policy - Overview

Is there any way to get a nice overview (on excel etc) on the ADM templates that exist in AD? Have been trying to export all the settings [even the ones not set] with no luck. Any help would be appreciated.

Regards,
Anders
Re: [ActiveDir] Upgrading W2K GPOs to XP GPOs (The KB Number would Help)
Robert,

As a general rule, replacing ADM templates can be a problem if you already have some policies set since you can get left with "orphan" entries. You can see this effect by setting a policy, then removing the ADM file. It looks like the policy is no longer set. If you then add the ADM template back again, the policy is shown as being active again. The same effect happens if you change the keys that control whether a policy is active or not. The safest way is to disable all the policies in the GPO, replace the ADM template, then reenable it.

Alan C

- Original Message -
From: "Darren Mar-Elia" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 18, 2004 10:15 AM
Subject: RE: [ActiveDir] Upgrading W2K GPOs to XP GPOs (The KB Number would Help)

> Robert-
> I've seen this behavior too, and yes, manually adding the XP ADMs into a GPO is safe. However, because XP is supposed to support this automatically, you might want to check the following policy on your XP machine that you're using to edit those GPOs:
> User Configuration|Administrative Templates|System|Group Policy|Turn off Automatic Update of ADM files
> to make sure this isn't enabled.
>
> Darren
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Toole
> Sent: Wednesday, March 17, 2004 1:46 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Upgrading W2K GPOs to XP GPOs (The KB Number would Help)
>
> oops,
>
> KB 307900
>
> Robert Toole
>
> Robert Toole wrote:
> > I found a KB article to upgrade my W2K Group policies for XP, followed it but it did not work.
> >
> > When I create a new GPO with an XP box, the new GPO also does not contain the settings for XP
> >
> > I found that I could get the extra XP settings into the GPO by overwriting the administrative templates with the ones from XP.
> >
> > My question is is this safe? or is there another way to do this?