RE: [ActiveDir] GPO question
Johnny-

The problem with using Folder Redirection policy in the first place is that it's all about moving files around. So, if you were to do something to change it when users log onto a Citrix box, you'll have files copying back and forth every time they move from one scope to another. You might want to consider something like using registry-based User Shell Folder redirection (under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders). You basically would create a custom ADM that controls where this points for My Documents and then redirect it back for Citrix users using loopback policy. The only downside to this is that this kind of redirection does not move the files around. You'd have to manage that manually.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Friday, April 07, 2006 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO question

We have a GPO in place for all users to do Folder Redirection of My Documents. We are experiencing problems with long delays during this process when users connect to a Citrix Server. This started with 2003 SP1 (there is a potential hot fix from MS, but we are not crazy about it)

The real question is that I am not finding a way to not apply that GPO when our users connect to the Citrix servers. Here is what I mean:

A) Typically you can counteract a GPO applied above with a GPO that disables that same function, like we did recently with Screen Saver settings. But, Folder redirection of My Documents can not be disabled, it is just not configured or Configured and pointing to the redirection location.

B) There are no GPOs applied to the Terminal Server or Citrix Servers OUs, but do not want to Block inheritance of GPOs (not best practices because it is hard to troubleshoot and I am not even sure it is an option in this case). The Folder Redirection GPO is applied to the USERS OU and sub OUs based on AD Group membership.

C) Loopback processing seems to be the reverse of what I am trying to do. Unless I am just not getting it.

Any other ideas?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] GPO question
Hello Johnny,

you can use the loopback in replace mode which should do the trick (then a user gpo should be in the OU, even if empty)

Friday, April 7, 2006, 5:38:20 PM, you wrote:

FJ> We have a GPO in place for all users to do Folder Redirection of My
FJ> Documents. We are experiencing problems with long delays during this
FJ> process when users connect to a Citrix Server. This started with 2003
FJ> SP1 (there is a potential hot fix from MS, but we are not crazy about
FJ> it)
FJ> The real question is that I am not finding a way to not apply that GPO
FJ> when our users connect to the Citrix servers. Here is what I mean:
FJ> A) Typically you can counteract a GPO applied above with a GPO that
FJ> disables that same function, like we did recently with Screen Saver
FJ> settings. But, Folder redirection of My Documents can not be disabled,
FJ> it is just not configured or Configured and pointing to the
FJ> redirection location.
FJ> B) There are no GPOs applied to the Terminal Server or Citrix Servers
FJ> OUs, but do not want to Block inheritance of GPOs (not best practices
FJ> because it is hard to troubleshoot and I am not even sure it is an
FJ> option in this case). The Folder Redirection GPO is applied to the USERS
FJ> OU and sub OUs based on AD Group membership.
FJ> C) Loopback processing seems to be the reverse of what I am trying to
FJ> do. Unless I am just not getting it.
FJ> Any other ideas?
FJ> Thanks
FJ> Johnny Figueroa
FJ> Enterprise Network Consultant/Integrator
FJ> Network Services Banner Health Voice (602)
FJ> 495-4195 Fax (602) 495-4406
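The difference between no loopback, merge mode and replace mode for the Folder Redirection case discussed in this thread, as an added example that is not part of the original posts. It is a simplified model (no security filtering, WMI filters, enforcement or block inheritance), and all GPO names, settings and the share path are constructed.

```python
"""Simplified model of which GPOs supply *user* settings under loopback.

Constructed sample data: GPO names, setting names and the UNC path are
made up for illustration and do not come from the thread.
"""

# Each GPO is (name, user_settings). Lists are in processing order, so a
# later GPO overrides an earlier one for the same setting.

# GPOs in scope for the user object (domain link + USERS OU link).
USER_SCOPE_GPOS = [
    ("Default Domain Policy", {"ScreenSaverTimeout": "1200"}),
    ("Folder Redirection", {"MyDocuments": r"\\fileserver\home\%USERNAME%"}),
]

# GPOs in scope for the Citrix server's computer object. The second one is
# the "user GPO in the OU, even if empty" mentioned in the reply above;
# loopback itself would be enabled in its Computer Configuration part.
COMPUTER_SCOPE_GPOS = [
    ("Default Domain Policy", {"ScreenSaverTimeout": "1200"}),
    ("Citrix Loopback", {}),
]


def user_gpo_list(user_gpos, computer_gpos, loopback=None):
    """Return the ordered GPO list whose User Configuration is processed.

    loopback=None      -> normal processing: the user's own GPOs only
    loopback="merge"   -> user's GPOs first, then the computer's GPOs,
                          so the computer's GPOs win on conflict
    loopback="replace" -> only the computer's GPOs; the user's are ignored
    """
    if loopback is None:
        return list(user_gpos)
    if loopback == "merge":
        return list(user_gpos) + list(computer_gpos)
    if loopback == "replace":
        return list(computer_gpos)
    raise ValueError(f"unknown loopback mode: {loopback!r}")


def effective_user_settings(user_gpos, computer_gpos, loopback=None):
    """Apply the selected GPOs in order; the last writer of a setting wins."""
    settings = {}
    for _name, user_settings in user_gpo_list(user_gpos, computer_gpos, loopback):
        settings.update(user_settings)
    return settings


def compare_modes():
    """Map each mode to the My Documents target it yields (None = not configured)."""
    result = {}
    for mode in (None, "merge", "replace"):
        eff = effective_user_settings(USER_SCOPE_GPOS, COMPUTER_SCOPE_GPOS, mode)
        result[mode or "none"] = eff.get("MyDocuments")
    return result


if __name__ == "__main__":
    for mode, target in compare_modes().items():
        print(f"{mode:8s} My Documents -> {target}")
```

In this model merge mode still delivers the USERS OU redirection to the Citrix session because nothing in the computer's scope overrides it, while replace mode drops it and keeps only what is linked in the server's own scope.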
RE: [ActiveDir] GPO question
yep!

are you asking because of: http://support.microsoft.com/?kbid=823862

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Mon 7/11/2005 10:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO question

You have two Domains. There is a two way non-transitive trust between those domains. The workstations are in one domain and user accounts in another domain. There is a policy in the domain with the users that is linked to an OU the users are in. Part of that policy is a login script. When the users login to the workstation should the policy still apply to the users and the login script run?

Thanks
Jeff

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] GPO question
Thanks that helps greatly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, July 11, 2005 4:51 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO question

yep!

are you asking because of: http://support.microsoft.com/?kbid=823862

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Mon 7/11/2005 10:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO question

You have two Domains. There is a two way non-transitive trust between those domains. The workstations are in one domain and user accounts in another domain. There is a policy in the domain with the users that is linked to an OU the users are in. Part of that policy is a login script. When the users login to the workstation should the policy still apply to the users and the login script run?

Thanks
Jeff
RE: [ActiveDir] GPO question
Yup, just set the below key to enabled and then any settings you put in the User Configuration part of that GPO will be applied to any user logging into any computer assigned that GPO.

Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, March 14, 2005 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO question

Hi,

I've been asked to do something quite unusual (for me though). I want to make GPOs from the Computer administrative templates apply to Users. I don't know if it's possible to do such thing, but I tried it and here is the result I got.

COMPUTER SETTINGS
--
Applied Group Policy Objects
-
dns Default Domain Policy

The following GPOs were not applied because they were filtered out
---
wallpaper
    Filtering: Not Applied (Empty)
Local Group Policy
    Filtering: Not Applied (Empty)

USER SETTINGS
--
Applied Group Policy Objects
-
start menu and taskbar control panel network connections system_user MMC IE_user netmeeting_user desktop Default Domain Policy

The following GPOs were not applied because they were filtered out
---
system_machine
    Filtering: Not Applied (Empty)
msn Messenger
    Filtering: Not Applied (Empty)
Windows installer and update
    Filtering: Not Applied (Empty)
Local Group Policy
    Filtering: Not Applied (Empty)
ts_machine
    Filtering: Not Applied (Empty)

As you can see, there are no settings applied because the system sees that there is no user policies defined in the object and vice versa. What is required is to apply the settings from the computer administrative templates on a per user basis instead of computer. Can you guys tell me if it's possible to do it? If yes how.

Thanks for your time
RE: [ActiveDir] GPO question
Thank you sir! I have already seen this in the past, you just reminded me of it!

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Monday, March 14, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO question

Yup, just set the below key to enabled and then any settings you put in the User Configuration part of that GPO will be applied to any user logging into any computer assigned that GPO.

Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, March 14, 2005 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO question

Hi,

I've been asked to do something quite unusual (for me though). I want to make GPOs from the Computer administrative templates apply to Users. I don't know if it's possible to do such thing, but I tried it and here is the result I got.

COMPUTER SETTINGS
--
Applied Group Policy Objects
-
dns Default Domain Policy

The following GPOs were not applied because they were filtered out
---
wallpaper
    Filtering: Not Applied (Empty)
Local Group Policy
    Filtering: Not Applied (Empty)

USER SETTINGS
--
Applied Group Policy Objects
-
start menu and taskbar control panel network connections system_user MMC IE_user netmeeting_user desktop Default Domain Policy

The following GPOs were not applied because they were filtered out
---
system_machine
    Filtering: Not Applied (Empty)
msn Messenger
    Filtering: Not Applied (Empty)
Windows installer and update
    Filtering: Not Applied (Empty)
Local Group Policy
    Filtering: Not Applied (Empty)
ts_machine
    Filtering: Not Applied (Empty)

As you can see, there are no settings applied because the system sees that there is no user policies defined in the object and vice versa. What is required is to apply the settings from the computer administrative templates on a per user basis instead of computer. Can you guys tell me if it's possible to do it? If yes how.

Thanks for your time
RE: [ActiveDir] GPO Question
I am more concerned about my clients not being able to automatically download from the SUS Server if I configure that setting.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Depp
Sent: Tuesday, December 14, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO Question

I'm not sure about the SUS stuff. I have this set on my terminal servers. While I can access the site, I get a message telling me access is denied. You might want to set your SUS computer in a special OU, or setup the ACL for the GPO to deny apply GPO settings for the SUS computer.

Dennis

On Tue, 14 Dec 2004 13:31:42 -0500, Salandra, Justin A. [EMAIL PROTECTED] wrote:
> If I set the policy Remove access to all Windows Update Features will that prevent the Windows Update from updating from the SUS server I have configured using GPO as well?
>
> Justin A. Salandra, MCSE
> Senior Network Engineer
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO Question
Your clients should continue to receive updates through SUS. However they will not be able to access Windows Update and install patches through the browser.

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, December 14, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO Question

I am more concerned about my clients not being able to automatically download from the SUS Server if I configure that setting.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Depp
Sent: Tuesday, December 14, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO Question

I'm not sure about the SUS stuff. I have this set on my terminal servers. While I can access the site, I get a message telling me access is denied. You might want to set your SUS computer in a special OU, or setup the ACL for the GPO to deny apply GPO settings for the SUS computer.

Dennis

On Tue, 14 Dec 2004 13:31:42 -0500, Salandra, Justin A. [EMAIL PROTECTED] wrote:
> If I set the policy Remove access to all Windows Update Features will that prevent the Windows Update from updating from the SUS server I have configured using GPO as well?
>
> Justin A. Salandra, MCSE
> Senior Network Engineer
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
RE: [ActiveDir] GPO Question
That is under the user configuration so therefore it applies to the user logging in not the machine. So the machine should be able to still get and install updates deployed thru SUS. Course only positive way is to use a test OU with a test machine.

On Tue, 14 Dec 2004 13:31:42 -0500, Salandra, Justin A. [EMAIL PROTECTED] wrote:
> If I set the policy Remove access to all Windows Update Features will that prevent the Windows Update from updating from the SUS server I have configured using GPO as well?
>
> Justin A. Salandra, MCSE
> Senior Network Engineer
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
Re: [ActiveDir] GPO Question
I'm not sure about the SUS stuff. I have this set on my terminal servers. While I can access the site, I get a message telling me access is denied. You might want to set your SUS computer in a special OU, or setup the ACL for the GPO to deny apply GPO settings for the SUS computer.

Dennis

On Tue, 14 Dec 2004 13:31:42 -0500, Salandra, Justin A. [EMAIL PROTECTED] wrote:
> If I set the policy Remove access to all Windows Update Features will that prevent the Windows Update from updating from the SUS server I have configured using GPO as well?
>
> Justin A. Salandra, MCSE
> Senior Network Engineer
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
Re: [ActiveDir] GPO question
On Mon, 6 Dec 2004 14:46:38 -0500, Bruyere, Michel wrote
> Hi,
>
> I would like to know if it's possible for a Win2k Sp4 to push GPOs of WinXP sp2. I've found a list of all XPsp2 gpos on the MS site and I want to push some of them. I did take the .adm from a XPsp2 and I added them to the Win 2k server. The problem is that I get a whole lot of messages: The following entry in the [string] section is too long and has been truncated. And, just below this message, I have what looks like explanations of some policies. I can see/use the GPOs after I clicked OK 2 trillions times. Is there a way to get around t

Read this KB: http://support.microsoft.com/kb/842933

--
Tomasz Onyszko - [EMAIL PROTECTED]
http://www.w2k.pl
RE: [ActiveDir] GPO question
Yep! You need this QFE which is available for all 2k OS' on download.microsoft.com: http://support.microsoft.com/kb/842933.

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, December 06, 2004 1:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO question

Hi,

I would like to know if it's possible for a Win2k Sp4 to push GPOs of WinXP sp2. I've found a list of all XPsp2 gpos on the MS site and I want to push some of them. I did take the .adm from a XPsp2 and I added them to the Win 2k server. The problem is that I get a whole lot of messages: The following entry in the [string] section is too long and has been truncated. And, just below this message, I have what looks like explanations of some policies. I can see/use the GPOs after I clicked OK 2 trillions times. Is there a way to get around this??

Thanks

M.Bruyere
Network/systems administrator
CompTIA A+, Network+
RE: [ActiveDir] GPO question
Hi

Thanks for the information. I had tried the 323593 fix but no go ;) now hopefully this one will work

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Monday, December 06, 2004 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO question

On Mon, 6 Dec 2004 14:46:38 -0500, Bruyere, Michel wrote
> Hi,
>
> I would like to know if it's possible for a Win2k Sp4 to push GPOs of WinXP sp2. I've found a list of all XPsp2 gpos on the MS site and I want to push some of them. I did take the .adm from a XPsp2 and I added them to the Win 2k server. The problem is that I get a whole lot of messages: The following entry in the [string] section is too long and has been truncated. And, just below this message, I have what looks like explanations of some policies. I can see/use the GPOs after I clicked OK 2 trillions times. Is there a way to get around t

Read this KB: http://support.microsoft.com/kb/842933

--
Tomasz Onyszko - [EMAIL PROTECTED]
http://www.w2k.pl
RE: [ActiveDir] GPO Question
Thanks!!! That helped out!

But now I have another question.

In the Screen Saver Section of the GPO: Screen Saver is enabled but no executable is specified, time is set.

I know that if you do not have a screen saver specified in the configuration, the screen saver setting will not be enabled unless there is a selection made in the display properties.

Question: Is there a way to get the screen saver enabled where it will not override default screen savers already in place and/or get rid of the NONE option in the Screen Saver so when we enable this through policy it will be enabled?

Please help!

Thanks,
Mario

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, August 31, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

In your GPO, it's under User Configuration-Administrative Templates-Control Panel-Display-Screen Saver timeout

Hunter

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 31, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question

Is there a way to set the Screen Saver settings on a GPO? For example set it for 20 Minutes? I know how to do it through the registry but I still cannot see where I can do that through the GPO's. Well I can see where to add a registry entry but is there an easier way? Any help would be appreciated.

Thanks,
Mario

*** The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it. ***
RE: [ActiveDir] GPO Question
I don't think that's possible through the available GPO settings. One option would be to set up a second GPO that specified a particular screen saver, and then use a WMI filter to only apply that GPO to users who had not chosen anything for a screen saver.

Hunter

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 02, 2004 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

Thanks!!! That helped out!

But now I have another question.

In the Screen Saver Section of the GPO: Screen Saver is enabled but no executable is specified, time is set.

I know that if you do not have a screen saver specified in the configuration, the screen saver setting will not be enabled unless there is a selection made in the display properties.

Question: Is there a way to get the screen saver enabled where it will not override default screen savers already in place and/or get rid of the NONE option in the Screen Saver so when we enable this through policy it will be enabled?

Please help!

Thanks,
Mario

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, August 31, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

In your GPO, it's under User Configuration-Administrative Templates-Control Panel-Display-Screen Saver timeout

Hunter

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 31, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question

Is there a way to set the Screen Saver settings on a GPO? For example set it for 20 Minutes? I know how to do it through the registry but I still cannot see where I can do that through the GPO's. Well I can see where to add a registry entry but is there an easier way? Any help would be appreciated.

Thanks,
Mario
RE: [ActiveDir] GPO Question
I have used WMI for pulling data. Where can I read about doing this to GPO's? Is this through an external script?

Thanks,
Mario

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, September 02, 2004 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

I don't think that's possible through the available GPO settings. One option would be to set up a second GPO that specified a particular screen saver, and then use a WMI filter to only apply that GPO to users who had not chosen anything for a screen saver.

Hunter

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 02, 2004 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

Thanks!!! That helped out!

But now I have another question.

In the Screen Saver Section of the GPO: Screen Saver is enabled but no executable is specified, time is set.

I know that if you do not have a screen saver specified in the configuration, the screen saver setting will not be enabled unless there is a selection made in the display properties.

Question: Is there a way to get the screen saver enabled where it will not override default screen savers already in place and/or get rid of the NONE option in the Screen Saver so when we enable this through policy it will be enabled?

Please help!

Thanks,
Mario

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, August 31, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

In your GPO, it's under User Configuration-Administrative Templates-Control Panel-Display-Screen Saver timeout

Hunter

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 31, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question

Is there a way to set the Screen Saver settings on a GPO? For example set it for 20 Minutes? I know how to do it through the registry but I still cannot see where I can do that through the GPO's. Well I can see where to add a registry entry but is there an easier way? Any help would be appreciated.

Thanks,
Mario
RE: [ActiveDir] GPO Question
My GPO is as follows:
Activate Screen Saver: Enabled
Screen Saver EXE Name: NOT CONFIGURED
Password Protect Screen Saver: Enabled
Screen Saver Timeout: Enabled (1200 sec)
That config will allow the user to choose their own screen saver but not allow them to change the lock screensaver feature or the timeout. If no screen saver is defined (none) then it uses a blank screen. -Alex -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario Sent: Thursday, September 02, 2004 11:08 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO Question I have used WMI from pulling data. Where can I read about doing this to GPO's? Is this through an external script? Thanks, Mario -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Thursday, September 02, 2004 1:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO Question I don't think that's possible through the available GPO settings. One option would be to set up a second GPO that specified a particular screen saver, and then use a WMI filter to only apply that GPO to users who had not chosen anything for a screen saver. Hunter -Original Message- From: Rosales, Mario [mailto:[EMAIL PROTECTED] Sent: Thursday, September 02, 2004 10:14 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO Question Thanks!!! That helped out! But now I have another question In the Screen Saver Section of the GPO: Screen Saver is enabled but no executable is specified, time is set. I know that if you do not have a screen saver specified in the configuration, the screen saver setting will not be enabled unless there is a selection made in the display properties Question: Is there a way to get the screen saver enabled where it will not override default screen savers already in place and/or get rid of the NONE option in the Screen Saver so when we enable this through policy it will be enabled Please help!
Thanks, Mario -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Tuesday, August 31, 2004 4:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO Question In your GPO, it's under User Configuration-Administrative Templates-Control Panel-Display-Screen Saver timeout Hunter -Original Message- From: Rosales, Mario [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 31, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] GPO Question Is there a way to set the Screen Saver settings on a GPO? For example set it for 20 Minutes? I know how to do it through the registry but I still cannot see where I can do that through the GPO's. Well I can see where to add a registry entry but is there an easier way? Any help would be appreciate it. Thanks, Mario
RE: [ActiveDir] GPO Question
I would expect there to be information about this on Microsoft's site. Another starting point: http://www.serverwatch.com/tutorials/article.php/2205741 -Original Message- From: Rosales, Mario [mailto:[EMAIL PROTECTED] Sent: Thursday, September 02, 2004 12:08 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO Question I have used WMI from pulling data. Where can I read about doing this to GPO's? Is this through an external script? Thanks, Mario -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Thursday, September 02, 2004 1:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO Question I don't think that's possible through the available GPO settings. One option would be to set up a second GPO that specified a particular screen saver, and then use a WMI filter to only apply that GPO to users who had not chosen anything for a screen saver. Hunter -Original Message- From: Rosales, Mario [mailto:[EMAIL PROTECTED] Sent: Thursday, September 02, 2004 10:14 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO Question Thanks!!! That helped out! But now I have another question In the Screen Saver Section of the GPO: Screen Saver is enabled but no executable is specified, time is set. I know that if you do not have a screen saver specified in the configuration, the screen saver setting will not be enabled unless there is a selection made in the display properties Question: Is there a way to get the screen saver enabled where it will not override default screen savers already in place and/or get rid of the NONE option in the Screen Saver so when we enable this through policy it will be enabled Please help! 
Thanks, Mario -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Tuesday, August 31, 2004 4:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO Question In your GPO, it's under User Configuration-Administrative Templates-Control Panel-Display-Screen Saver timeout Hunter -Original Message- From: Rosales, Mario [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 31, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] GPO Question Is there a way to set the Screen Saver settings on a GPO? For example set it for 20 Minutes? I know how to do it through the registry but I still cannot see where I can do that through the GPO's. Well I can see where to add a registry entry but is there an easier way? Any help would be appreciate it. Thanks, Mario
RE: [ActiveDir] GPO Question
In your GPO, it's under User Configuration-Administrative Templates-Control Panel-Display-Screen Saver timeout Hunter -Original Message- From: Rosales, Mario [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 31, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] GPO Question Is there a way to set the Screen Saver settings on a GPO? For example set it for 20 Minutes? I know how to do it through the registry but I still cannot see where I can do that through the GPO's. Well I can see where to add a registry entry but is there an easier way? Any help would be appreciate it. Thanks, Mario
RE: [ActiveDir] GPO Question
Coincidentally, I noticed this today. Haven't used it before, but it sounds like it might be what you're looking for. http://www.energystar.gov/index.cfm?c=power_mgt.pr_pm_ez_gpo -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Mezzone Sent: Friday, July 30, 2004 16:53 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] GPO Question Is it possible to control the power options, specifically for the monitor, on WINXP and WIN2K boxes thru a GPO? Right now I have to set it for each user. If I log in as admin, set it to 2 hours, then a user logs in his profile is set to 20 minutes and that's when it powers down. Running 2003 server, if that matters. Thanks. Robert
Re: [ActiveDir] GPO Question
This might works. Thanks!!! Robert -Original Message- From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: Fri Jul 30 18:10:14 2004 Subject: RE: [ActiveDir] GPO Question Coincidentally, I noticed this today. Haven't used it before, but it sounds like it might be what you're looking for. http://www.energystar.gov/index.cfm?c=power_mgt.pr_pm_ez_gpo -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Mezzone Sent: Friday, July 30, 2004 16:53 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] GPO Question Is it possible to control the power options, specifically for the monitor, on WINXP and WIN2K boxes thru a GPO? Right now I have to set it for each user. If I log in as admin, set it to 2 hours, then a user logs in his profile is set to 20 minutes and that's when it powers down. Running 2003 server, if that matters. Thanks. Robert
Re: [ActiveDir] GPO question concerning LOCAL GPO
Hey Jeff...If you can get them to use cached credentials on the laptops, you can do a loopback policy. They'll cache it locally and get the settings even when off the wire. Not sure this fits your needs... And it does make for some complaints, travellers doing presentations etc. John

Cothern Jeff D. Team EITC [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 07/01/2004 05:48 PM Please respond to ActiveDir To: [EMAIL PROTECTED] cc: Subject: [ActiveDir] GPO question concerning LOCAL GPO

We have identified an issue with a security policy (the paper kind) that conflicts with how our current build is set on our workstations. The workstations are running Windows 2000. I need to see if there is a way to change the LOCAL GPO on say 2000+ machines on the domain without having to remotely or sneaker login. Anyone know if a script could be written that say changes the GPO so the screen saver activates in 600 seconds, password protected and the user doesn't see the screen saver tab. I have already worked out the GPOs for users with these settings but the question was posed to me what about if the machine is operating in a standalone mode temporarily, IE laptop. Any ideas or suggestions would be appreciated. Jeff
RE: [ActiveDir] GPO question concerning LOCAL GPO
I just wanted to say that this is an awesome reply! Thank you Darren. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, July 01, 2004 7:38 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPO question concerning LOCAL GPO A user-driven script is not likely to work. These policies are set in HKCU but the keys involved are permissioned away from normal users by default--to prevent a normal user from undoing a policy. There are a couple of ways you could skin this. If you want to pay money, Full Armor has a tool called GPAnywhere that lets you do mass manipulation of the local GPO. If you want to do it on the cheap then there is another way, but it is a bit tricky. Essentially, all Admin. Template policy for the local GPO is stored in two files on the local drive. Any machine-specific Admin. Template policy is stored in %windir%\system32\grouppolicy\machine\registry.pol and any user-specific policy is stored in %windir%\system32\grouppolicy\user\registry.pol. For the screensaver policies you talk about below, these are user-specific and so would be stored in the user-specific registry.pol file. If you are reasonably sure that all of the affected machines have roughly the same local GPO, then you could pick one of them, edit it to include your new screen saver settings, and then just copy over that user registry.pol file on all the desired machines. Then, you have to increment the version number of the local GPO, so that when the user logs on, it knows there are new policy settings and it processes them. The version number is stored in a file called GPT.ini, found in %windir%\system32\grouppolicy.
GPT.ini typically looks something like this:
[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-F87571E3}]
Version=917538
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
You'll need to increment the Version= key and, if there were no Admin Template policies formerly found in the local GPO, you need to be sure the GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is found in the value gPCUserExtensionNames key, as it is above. The version number should be incremented according to how many policy changes you make. If you want to stick to Microsoft's byzantine versioning scheme for GPOs, then for each user-specific change you make (which is what you'll be doing in this case), the version number is increased by 65536. So three changes to user policy would result in a version number increase of 65536 x 3 or 196608, which gets added to the existing version number (so in the example above, 917538+196608=new version number). So what you can do is copy the registry.pol file and an updated gpt.ini (again this assumes that all machines have the same starting gpt.ini version number) to each of the target machines and then the next time the user logs on, they should get the correct screen saver policy. Like I said, tricky, but not impossible. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, July 01, 2004 3:57 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPO question concerning LOCAL GPO If the machine is standalone, you could e-mail them a script that makes the proposed registry changes. How else are you going to touch a machine that doesn't login regularly to have a GPO applied?
Kevin Gent Pearson Digital Learning -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Thursday, July 01, 2004 6:49 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPO question concerning LOCAL GPO We have identified an issue with a security policy (the paper kind) that conflicts with how our current build is set on our workstations. The workstations are running Windows 2000. I need to see if there is a way to change the LOCAL GPO on say 2000+ machines on the domain without having to remotely or sneaker login. Anyone know if a script could be written that say changes the GPO so the screen saver activates in 600 seconds, password protected and the user doesn't see the screen saver tab. I have already worked out the GPOs for users with these settings but the question was posed to me what about if the machine is operating in a standalone mode temporarily, IE laptop. Any ideas or suggestions would be appreciated. Jeff
RE: [ActiveDir] GPO question concerning LOCAL GPO
If the machine is standalone, you could e-mail them a script that makes the proposed registry changes. How else are you going to touch a machine that doesn't login regularly to have a GPO applied? Kevin Gent Pearson Digital Learning -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Thursday, July 01, 2004 6:49 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPO question concerning LOCAL GPO We have identified an issue with a security policy (the paper kind) that conflicts with how our current build is set on our workstations. The workstations are running Windows 2000. I need to see if there is a way to change the LOCAL GPO on say 2000+ machines on the domain without having to remotely or sneaker login. Anyone know if a script could be written that say changes the GPO so the screen saver activates in 600 seconds, password protected and the user doesn't see the screen saver tab. I have already worked out the GPOs for users with these settings but the question was posed to me what about if the machine is operating in a standalone mode temporarily, IE laptop. Any ideas or suggestions would be appreciated. Jeff
RE: [ActiveDir] GPO question concerning LOCAL GPO
A user-driven script is not likely to work. These policies are set in HKCU but the keys involved are permissioned away from normal users by default--to prevent a normal user from undoing a policy. There are a couple of ways you could skin this. If you want to pay money, Full Armor has a tool called GPAnywhere that lets you do mass manipulation of the local GPO. If you want to do it on the cheap then there is another way, but it is a bit tricky. Essentially, all Admin. Template policy for the local GPO is stored in two files on the local drive. Any machine-specific Admin. Template policy is stored in %windir%\system32\grouppolicy\machine\registry.pol and any user-specific policy is stored in %windir%\system32\grouppolicy\user\registry.pol. For the screensaver policies you talk about below, these are user-specific and so would be stored in the user-specific registry.pol file. If you are reasonably sure that all of the affected machines have roughly the same local GPO, then you could pick one of them, edit it to include your new screen saver settings, and then just copy over that user registry.pol file on all the desired machines. Then, you have to increment the version number of the local GPO, so that when the user logs on, it knows there are new policy settings and it processes them. The version number is stored in a file called GPT.ini, found in %windir%\system32\grouppolicy.
GPT.ini typically looks something like this:
[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-F87571E3}]
Version=917538
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
You'll need to increment the Version= key and, if there were no Admin Template policies formerly found in the local GPO, you need to be sure the GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is found in the value gPCUserExtensionNames key, as it is above. The version number should be incremented according to how many policy changes you make. If you want to stick to Microsoft's byzantine versioning scheme for GPOs, then for each user-specific change you make (which is what you'll be doing in this case), the version number is increased by 65536. So three changes to user policy would result in a version number increase of 65536 x 3 or 196608, which gets added to the existing version number (so in the example above, 917538+196608=new version number). So what you can do is copy the registry.pol file and an updated gpt.ini (again this assumes that all machines have the same starting gpt.ini version number) to each of the target machines and then the next time the user logs on, they should get the correct screen saver policy. Like I said, tricky, but not impossible. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, July 01, 2004 3:57 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPO question concerning LOCAL GPO If the machine is standalone, you could e-mail them a script that makes the proposed registry changes. How else are you going to touch a machine that doesn't login regularly to have a GPO applied?
Kevin Gent Pearson Digital Learning -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Thursday, July 01, 2004 6:49 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPO question concerning LOCAL GPO We have identified an issue with a security policy (the paper kind) that conflicts with how our current build is set on our workstations. The workstations are running Windows 2000. I need to see if there is a way to change the LOCAL GPO on say 2000+ machines on the domain without having to remotely or sneaker login. Anyone know if a script could be written that say changes the GPO so the screen saver activates in 600 seconds, password protected and the user doesn't see the screen saver tab. I have already worked out the GPOs for users with these settings but the question was posed to me what about if the machine is operating in a standalone mode temporarily, IE laptop. Any ideas or suggestions would be appreciated. Jeff
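The GPT.ini version arithmetic from Darren's message above, as an added Python example that is not part of the original thread. It relies on the GPO version layout (user-side count in the upper 16 bits, machine-side count in the lower 16, which is why one user change adds 65536); the function names and the CRLF line endings of the sample are assumptions made for the example.

```python
import re

# Registry (Administrative Templates) extension GUID that the message says
# must be present in gPCUserExtensionNames.
REGISTRY_EXTENSION = "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"

# GPT.ini as quoted in the message; values are copied exactly as they appear
# there. CRLF line endings are an assumption for this sample.
SAMPLE_GPT_INI = (
    "[General]\r\n"
    "gPCFunctionalityVersion=2\r\n"
    "gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
    "{0F6B957E-509E-11D1-A7CC-F87571E3}]\r\n"
    "Version=917538\r\n"
    "gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
    "{0F6B957D-509E-11D1-A7CC-F87571E3}"
    "{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]"
    "[{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}"
    "{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]\r\n"
)

# "^Version=" is anchored so that gPCFunctionalityVersion is never matched.
_VERSION_RE = re.compile(r"^(Version=)(\d+)(?=\s*$)", re.I | re.M)
_USER_EXT_RE = re.compile(r"^gPCUserExtensionNames=(.*?)\s*$", re.I | re.M)


def split_version(version):
    """Return (user_count, machine_count) packed into a GPO version number."""
    return version >> 16, version & 0xFFFF


def read_version(ini_text):
    """Return the integer after Version= or raise if the line is missing."""
    match = _VERSION_RE.search(ini_text)
    if match is None:
        raise ValueError("GPT.ini has no Version= line")
    return int(match.group(2))


def has_registry_extension(ini_text):
    """True when the Administrative Templates GUID is listed for the user side."""
    match = _USER_EXT_RE.search(ini_text)
    return bool(match) and REGISTRY_EXTENSION.lower() in match.group(1).lower()


def bump_user_version(ini_text, user_changes):
    """Return GPT.ini text with Version raised by 65536 per user-side change.

    Refuses to edit a file whose user extension list lacks the registry GUID,
    because the new registry.pol would not be processed in that case, and
    refuses a bump that would overflow the 16-bit user counter into nothing.
    """
    if user_changes < 1:
        raise ValueError("user_changes must be at least 1")
    if not has_registry_extension(ini_text):
        raise ValueError("gPCUserExtensionNames lacks " + REGISTRY_EXTENSION)
    user, machine = split_version(read_version(ini_text))
    if user + user_changes > 0xFFFF:
        raise ValueError("user-side version counter would overflow 16 bits")
    new_version = ((user + user_changes) << 16) | machine
    return _VERSION_RE.sub(
        lambda m: m.group(1) + str(new_version), ini_text, count=1
    )


if __name__ == "__main__":
    before = read_version(SAMPLE_GPT_INI)
    after = read_version(bump_user_version(SAMPLE_GPT_INI, 3))
    print("before:", before, split_version(before))
    print("after: ", after, split_version(after))
```

Decoding the version on a sample of machines before copying files is also a quick way to test the message's assumption that every target starts from the same GPT.ini.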
RE: [ActiveDir] GPO Question
Use the GPO to run a logon script that creates the shortcut http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsconcreatingshortcut.asp -Original Message- From: Christine Easton [mailto:[EMAIL PROTECTED] Sent: Friday, May 28, 2004 11:09 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] GPO Question Running Windows 2k AD with sp3 Hi, I'm trying to create a GPO for my users that will place a shortcut to their departmental folder that is on a NTFS network share to their desktop. Has anyone done this before? I'm not sure what GPO I should be using or what procedure I should follow. Any help will be appreciated. Thanks!
RE: [ActiveDir] GPO Question
How are the users organized? Is there some attribute populated already in your AD that can properly match the user to the directory shortcut they should receive? I think I'd use a login script for this... mc -Original Message- From: Christine Easton [mailto:[EMAIL PROTECTED] Sent: Friday, May 28, 2004 2:09 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] GPO Question Running Windows 2k AD with sp3 Hi, I'm trying to create a GPO for my users that will place a shortcut to their departmental folder that is on a NTFS network share to their desktop. Has anyone done this before? I'm not sure what GPO I should be using or what procedure I should follow. Any help will be appreciated. Thanks!
RE: [ActiveDir] GPO Question
You'll need a logon script to do this. There's a CreateShortcut method in Wscript.Shell which you can use. If you need a code sample, let me know I'll look up the syntax. --Brian -Original Message- From: Christine Easton [mailto:[EMAIL PROTECTED] Sent: Fri 5/28/2004 1:08 PM To: '[EMAIL PROTECTED]' Cc: Subject: [ActiveDir] GPO Question Running Windows 2k AD with sp3 Hi, I'm trying to create a GPO for my users that will place a shortcut to their departmental folder that is on a NTFS network share to their desktop. Has anyone done this before? I'm not sure what GPO I should be using or what procedure I should follow. Any help will be appreciated. Thanks!
RE: [ActiveDir] GPO Question
The issue you'll run into is that the computer GPO and user GPO settings aren't identical - there is some overlap but not significant enough to be able to exclusively use one or the other. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Charles Carerros [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 30, 2003 5:49 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPO Question Hey all, For the past few years I have been doing my GPOs primarily based up on the user settings. (We don't have a firewall on my campus so by disabling a lot of stuff using the security portion of the user GPO I can help reduce the security risk.) However, I have just been asked to only use computer based GPOs (a migration scheme will leave me no access to user accounts). 1) I was wondering if anyone has any suggestion (pro or con) to doing only computer based policies? 2) Are there any really good documents that might help clarify the process by which loopback (and troubleshooting loopback) is utilized? I will probably need to implement this in order to have a good policy. 3) Does anyone here only do computer based policies? What is your experience with them? I am going to re-read the Microsoft Group Policy white paper tonight, but if anyone knows of any additional documentation that is related to this and might discuss the issues (negative or positive) about this type of organization scheme, it would be tremendously helpful. Just for a little more background, if I end up implementing the scheme that was suggested to me today it would consist of a five level OU structure with 1 OU at 1 tier, 1 OU at 2 tier, 35 OUs at 3 tier, 4 OUs at 4 tier and 2 OUs at 5 tier (not all of the 4th tier OUs will have a fifth, only about 40% of them.) Does anyone have any feedback of having a five level nested OU structure. I would like to maintain my current 3 tier OU structure, but I need some technical ammo to defend my structure with. 
Thanks, Chuck
Re: [ActiveDir] GPO Question
Hi, 1) Are you saying that you don't have any protection at all from the internet, except your policies? If so then that is a dangerous situation to be in... have u had a decent port scan / vulnerability test done? 2) I know that it's good practice not to go deeper than 3 OUs down on most environment and recommended on a wide scale mostly down to policy processing time though if I remember... I guess it depends on the amount of policies you are running... then again if you haven't got a firewall as u say... u must be running a good few. How are you accessing the Internet? Best Regards, Rob

Charles Carerros [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 30/07/2003 22:48 Please respond to ActiveDir To: [EMAIL PROTECTED] cc: Subject: [ActiveDir] GPO Question

Hey all, For the past few years I have been doing my GPOs primarily based up on the user settings. (We don't have a firewall on my campus so by disabling a lot of stuff using the security portion of the user GPO I can help reduce the security risk.) However, I have just been asked to only use computer based GPOs (a migration scheme will leave me no access to user accounts). 1) I was wondering if anyone has any suggestion (pro or con) to doing only computer based policies? 2) Are there any really good documents that might help clarify the process by which loopback (and troubleshooting loopback) is utilized? I will probably need to implement this in order to have a good policy. 3) Does anyone here only do computer based policies? What is your experience with them? I am going to re-read the Microsoft Group Policy white paper tonight, but if anyone knows of any additional documentation that is related to this and might discuss the issues (negative or positive) about this type of organization scheme, it would be tremendously helpful.
Just for a little more background, if I end up implementing the scheme that was suggested to me today it would consist of a five level OU structure with 1 OU at 1 tier, 1 OU at 2 tier, 35 OUs at 3 tier, 4 OUs at 4 tier and 2 OUs at 5 tier (not all of the 4th tier OUs will have a fifth, only about 40% of them.) Does anyone have any feedback of having a five level nested OU structure. I would like to maintain my current 3 tier OU structure, but I need some technical ammo to defend my structure with. Thanks, Chuck ** This E-mail and any files transmitted with it are in commercial confidence and intended solely for the use of the individual or entity to whom they are addressed. If you have received this E-mail in error please notify the Administrator by E-mail ([EMAIL PROTECTED]). Any views or opinions expressed are solely those of the author and do not necessarily represent those of DEK International., or its affiliates. ** This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.dek.com **