RE: [ActiveDir] GPO question

[Darren Mar-Elia]

Johnny-
The problem with using Folder Redirection policy in the first place is
that its all about moving files around. So, if you were to do something
to change it when users log onto a Citrix box, you'll have files copying
back and forth every time they move from one scope to another. You might
want to consider something like using registry-based User Shell Folder
redirection (under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Use
r Shell Folders). You basically would create a custom ADM that controls
where this points for My Documents and then redirect it back for Citrix
users using loopback policy. The only downside to this is that this kind
of redirection does not move the files around. You'd have to manage that
manually. 

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Friday, April 07, 2006 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO question


We have a GPO in place for all users to do Folder Redirection of My
Documents. We are experiencing problems with long delays during this
process when users connect to a Citrix Server. This started with 2003
SP1 (there is a potential hot fix from MS, but we are not crazy about
it)

The real question is that I am not finding a way to not apply that GPO
when our users connect to the Citrix servers. Here is what I mean:

A) Typically you can counteract a GPO applied above with a GPO that
disables that same function, like we did recently with Screen Saver
settings. But, Folder redirection of My Documents can not be disabled,
it is just not configured or Configured and pointing to the
redirection location. 

B) There are no GPOs applied to the Terminal Server or Citrix Servers
OUs, but do not want to Block inheritance of GPOs (not best practices
because it is hard to troubleshoot and I am not even sure it is an
option in this case). The Folder Redirection GPO is applied to the USERS
OU and sub OUs based on AD Group membership.

C) Loopback processing seems to be the reverse of what I am trying to
do. Unless I am just not getting it. 

Any other ideas?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602)
495-4195 Fax (602) 495-4406
 
WARNING: This message, and any attachments, are intended only for the
use of the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If
you receive this communication in error, please notify us immediately
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] GPO question

[Mathieu CHATEAU]

Hello Johnny,

you can use the loopback in replace mode which should do the trick
(then a user gpo should be in the OU, even if empty)




Friday, April 7, 2006, 5:38:20 PM, you wrote:

FJ We have a GPO in place for all users to do Folder Redirection of My
FJ Documents. We are experiencing problems with long delays during this
FJ process when users connect to a Citrix Server. This started with 2003
FJ SP1 (there is a potential hot fix from MS, but we are not crazy about
FJ it)

FJ The real question is that I am not finding a way to not apply that GPO
FJ when our users connect to the Citrix servers. Here is what I mean:

FJ A) Typically you can counteract a GPO applied above with a GPO that
FJ disables that same function, like we did recently with Screen Saver
FJ settings. But, Folder redirection of My Documents can not be disabled,
FJ it is just not configured or Configured and pointing to the
FJ redirection location. 

FJ B) There are no GPOs applied to the Terminal Server or Citrix Servers
FJ OUs, but do not want to Block inheritance of GPOs (not best practices
FJ because it is hard to troubleshoot and I am not even sure it is an
FJ option in this case). The Folder Redirection GPO is applied to the USERS
FJ OU and sub OUs based on AD Group membership.

FJ C) Loopback processing seems to be the reverse of what I am trying to
FJ do. Unless I am just not getting it. 

FJ Any other ideas?

FJ Thanks

FJ Johnny Figueroa
FJ Enterprise Network Consultant/Integrator
FJ Network Services Banner Health Voice (602)
FJ 495-4195 Fax (602) 495-4406
FJ  


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO question

[Almeida Pinto, Jorge de]

yep!
 
are you asking because of: http://support.microsoft.com/?kbid=823862
 
Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Mon 7/11/2005 10:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO question



You have two Domains.  There is a two way non-transitive trust between 
those domains.  The workstations are in one domain and user accounts in 
another domain. There is a policy in the domain with the users that is 
linked to an OU the users are in.  Part of that policy is a login 
script. 

  When the users login to the workstation should the policy still apply 
to the users and the login script run? 


Thanks 

Jeff 

List info   : http://www.activedir.org/List.aspx 
List FAQ: http://www.activedir.org/ListFAQ.aspx 
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO question

[Cothern Jeff D. Team EITC]

Thanks that helps greatly.   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, July 11, 2005 4:51 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO question

yep!
 
are you asking because of: http://support.microsoft.com/?kbid=823862
 
Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Cothern Jeff D.
Team EITC
Sent: Mon 7/11/2005 10:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO question



You have two Domains.  There is a two way non-transitive trust between
those domains.  The workstations are in one domain and user accounts in
another domain. There is a policy in the domain with the users that is
linked to an OU the users are in.  Part of that policy is a login
script. 

  When the users login to the workstation should the policy still apply
to the users and the login script run? 


Thanks 

Jeff 

List info   : http://www.activedir.org/List.aspx 
List FAQ: http://www.activedir.org/ListFAQ.aspx 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/ 



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO question

[Crawford, Scott]

Yup, just set the below key to enabled and then any settings you put in
the User Configuration part of that GPO will be applied to any user
logging into any computer assigned that GPO.

Computer Configuration\Administrative Templates\System\Group Policy\User
Group Policy loopback processing mode


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, March 14, 2005 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO question

Hi, 
I've been asked to do something quite unusual (for me though). 

I want to make GPOs from the Computer administrative templates apply to
Users.
I don't know if it's possible to do such thing, but I tried it and here
is the result I got. 


COMPUTER SETTINGS
--
Applied Group Policy Objects
-
dns
Default Domain Policy

The following GPOs were not applied because they were filtered out
---
wallpaper
Filtering:  Not Applied (Empty)
Local Group Policy
Filtering:  Not Applied (Empty)


USER SETTINGS
--
Applied Group Policy Objects
-
start menu and taskbar
control panel
network connections
system_user
MMC
IE_user
netmeeting_user
desktop
Default Domain Policy

The following GPOs were not applied because they were filtered out
---
system_machine
Filtering:  Not Applied (Empty)
msn Messenger
Filtering:  Not Applied (Empty)
Windows installer and update
Filtering:  Not Applied (Empty)
Local Group Policy
Filtering:  Not Applied (Empty)
ts_machine
Filtering:  Not Applied (Empty)



As you can see, there are no settings applied because the system sees
that there is no user policies defined in the object and vice versa. 

What is required is to apply the settings from the computer
administrative templates on a per user basis instead of computer. 

Can you guys tell me if it's possible to do it? If yes how.


Thanks for your time


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO question

[Bruyere, Michel]

Thank you sir! I already seen this in the past, you just reminded me it! 


 -Message d'origine-
 De : [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] De la part de Crawford, Scott
 Envoyé : Monday, March 14, 2005 4:30 PM
 À : ActiveDir@mail.activedir.org
 Objet : RE: [ActiveDir] GPO question
 
 Yup, just set the below key to enabled and then any settings you put in
 the User Configuration part of that GPO will be applied to any user
 logging into any computer assigned that GPO.
 
 Computer Configuration\Administrative Templates\System\Group Policy\User
 Group Policy loopback processing mode
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
 Sent: Monday, March 14, 2005 3:16 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] GPO question
 
 Hi,
   I've been asked to do something quite unusual (for me though).
 
 I want to make GPOs from the Computer administrative templates apply to
 Users.
 I don't know if it's possible to do such thing, but I tried it and here
 is the result I got.
 
 
 COMPUTER SETTINGS
 --
 Applied Group Policy Objects
 -
 dns
 Default Domain Policy
 
 The following GPOs were not applied because they were filtered out
 ---
 wallpaper
 Filtering:  Not Applied (Empty)
 Local Group Policy
 Filtering:  Not Applied (Empty)
 
 
 USER SETTINGS
 --
 Applied Group Policy Objects
 -
 start menu and taskbar
 control panel
 network connections
 system_user
 MMC
 IE_user
 netmeeting_user
 desktop
 Default Domain Policy
 
 The following GPOs were not applied because they were filtered out
 ---
 system_machine
 Filtering:  Not Applied (Empty)
 msn Messenger
 Filtering:  Not Applied (Empty)
 Windows installer and update
 Filtering:  Not Applied (Empty)
 Local Group Policy
 Filtering:  Not Applied (Empty)
 ts_machine
 Filtering:  Not Applied (Empty)
 
 
 
 As you can see, there are no settings applied because the system sees
 that there is no user policies defined in the object and vice versa.
 
 What is required is to apply the settings from the computer
 administrative templates on a per user basis instead of computer.
 
 Can you guys tell me if it's possible to do it? If yes how.
 
 
 Thanks for your time
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO Question

[Salandra, Justin A.]

I am more concerned about my clients not being able to automatically
download from the SUS Server if I configure that setting.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dennis Depp
Sent: Tuesday, December 14, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO Question

I'm not sure about the SUS stuff.  I have this set on my terminal
servers.  While I can access the site, I get a message telling me
access is denied.  You might want to set your SUS computer in a
special OU, or setup the ACL for thr GPO to deny apply GPO settings
for the SUS computer.

Dennis

On Tue, 14 Dec 2004 13:31:42 -0500, Salandra, Justin A.
[EMAIL PROTECTED] wrote:
 If I set the policy Remove access to all Windows Update Features
will
 that prevent the Windows Update from updating from the SUS server I
have
 configured using GPO as well?
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO Question

[Bernard, Aric]

Your clients should continue to receive updates through SUS.  However
the will not be able to access Windows Update and install patches
through the browser.

Regards,

Aric 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, December 14, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO Question

I am more concerned about my clients not being able to automatically
download from the SUS Server if I configure that setting.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dennis Depp
Sent: Tuesday, December 14, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO Question

I'm not sure about the SUS stuff.  I have this set on my terminal
servers.  While I can access the site, I get a message telling me
access is denied.  You might want to set your SUS computer in a
special OU, or setup the ACL for thr GPO to deny apply GPO settings
for the SUS computer.

Dennis

On Tue, 14 Dec 2004 13:31:42 -0500, Salandra, Justin A.
[EMAIL PROTECTED] wrote:
 If I set the policy Remove access to all Windows Update Features
will
 that prevent the Windows Update from updating from the SUS server I
have
 configured using GPO as well?
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO Question

[Cothern Jeff D. Team EITC]

That is under the user configuration so therefore it applies to the user
logging in not the machine.  So the machine should be able to still get
and install updates deployed thru SUS.  Course only positive way is to
use a test OU with a test machine.  



On Tue, 14 Dec 2004 13:31:42 -0500, Salandra, Justin A.
[EMAIL PROTECTED] wrote:
 If I set the policy Remove access to all Windows Update Features
will
 that prevent the Windows Update from updating from the SUS server I
have
 configured using GPO as well?
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] GPO Question

[Dennis Depp]

I'm not sure about the SUS stuff.  I have this set on my terminal
servers.  While I can access the site, I get a message telling me
access is denied.  You might want to set your SUS computer in a
special OU, or setup the ACL for thr GPO to deny apply GPO settings
for the SUS computer.

Dennis

On Tue, 14 Dec 2004 13:31:42 -0500, Salandra, Justin A.
[EMAIL PROTECTED] wrote:
 If I set the policy Remove access to all Windows Update Features will
 that prevent the Windows Update from updating from the SUS server I have
 configured using GPO as well?
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] GPO question

[Tomasz Onyszko]

On Mon, 6 Dec 2004 14:46:38 -0500, Bruyere, Michel wrote
 Hi, 
   I would like to know if its possible for a Win2k Sp4 to push
 GPOs of WinXP sp2. I've found a list of all XPsp2 gpos on the MS site
 and I want to push some of them. I did take the .adm from a XPsp2 
 and I added them to the Win 2k server. The problem is that I get a 
 whole lot of messages: The following entry in the [string] section 
 is too long and has been truncated. And, just below this message, I 
 have what looks like explanations of some policies. I can see/use 
 the GPOs after I clicked OK 2 trilions times.
 
 Is there a way to get around t

Read this KB:
http://support.microsoft.com/kb/842933

-- 
Tomasz Onyszko - [EMAIL PROTECTED]
http://www.w2k.pl

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO question

[Brian Desmond]

Yep! You need this QFE which is available for all 2k OS' on 
download.microsoft.com: http://support.microsoft.com/kb/842933. 

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Bruyere, Michel
 Sent: Monday, December 06, 2004 1:47 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] GPO question
 
 Hi,
   I would like to know if its possible for a Win2k Sp4 to push
 GPOs of WinXP sp2. I've found a list of all XPsp2 gpos on the MS site
 and I want to push some of them. I did take the .adm from a XPsp2 and I
 added them to the Win 2k server. The problem is that I get a whole lot
 of messages:
 The following entry in the [string] section is too long and has been
 truncated.
 And, just below this message, I have what looks like explanations of
 some policies. I can see/use the GPOs after I clicked OK 2 trilions
 times.
 
 
 Is there a way to get around this??
 Thanks
 
 
 M.Bruyere
 Network/systems administrator
 CompTIA A+, Network+
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO question

[Bruyere, Michel]

Hi 
Thanks for the information. 
I had tried the 323593 fix but no go ;) now hopefully this one will work


 -Message d'origine-
 De : [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] De la part de Tomasz Onyszko
 Envoyé : Monday, December 06, 2004 3:16 PM
 À : [EMAIL PROTECTED]
 Objet : Re: [ActiveDir] GPO question
 
 On Mon, 6 Dec 2004 14:46:38 -0500, Bruyere, Michel wrote
  Hi,
  I would like to know if its possible for a Win2k Sp4 to push
  GPOs of WinXP sp2. I've found a list of all XPsp2 gpos on the MS site
  and I want to push some of them. I did take the .adm from a XPsp2
  and I added them to the Win 2k server. The problem is that I get a
  whole lot of messages: The following entry in the [string] section
  is too long and has been truncated. And, just below this message, I
  have what looks like explanations of some policies. I can see/use
  the GPOs after I clicked OK 2 trilions times.
 
  Is there a way to get around t
 
 Read this KB:
 http://support.microsoft.com/kb/842933
 
 --
 Tomasz Onyszko - [EMAIL PROTECTED]
 http://www.w2k.pl
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO Question

[Rosales, Mario]

Thanks!!! That helped out!

But now I have another question

In the Screen Saver Section of the GPO:

Screen Saver is enabled but no executable is specified, time is set.

I know that if you do not have a screen saver specified in the
configuration, the screen saver setting will not be enabled unless there is
a selection made in the display properties

Question:   Is there a way to get the screen saver enabled where it will
not override default screen savers already in place and/or get rid of the
NONE option in the Screen Saver so when we enable this through policy it
will be enabled

Please help!

Thanks,
Mario

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, August 31, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

In your GPO, it's under User Configuration-Administrative
Templates-Control Panel-Display-Screen Saver timeout

Hunter 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 31, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question

Is there a way to set the Screen Saver settings on a GPO?  For example set
it for 20 Minutes?  I know how to do it through the registry but I still
cannot see where I can do that through the GPO's.  Well I can see where to
add a registry entry but is there an easier way?

Any help would be appreciate it.

Thanks,
Mario


***
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


*** 
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO Question

[Coleman, Hunter]

I don't think that's possible through the available GPO settings. One option
would be to set up a second GPO that specified a particular screen saver,
and then use a WMI filter to only apply that GPO to users who had not chosen
anything for a screen saver.

Hunter 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 02, 2004 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

Thanks!!! That helped out!

But now I have another question

In the Screen Saver Section of the GPO:

Screen Saver is enabled but no executable is specified, time is set.

I know that if you do not have a screen saver specified in the
configuration, the screen saver setting will not be enabled unless there is
a selection made in the display properties

Question:   Is there a way to get the screen saver enabled where it will
not override default screen savers already in place and/or get rid of the
NONE option in the Screen Saver so when we enable this through policy it
will be enabled

Please help!

Thanks,
Mario

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, August 31, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

In your GPO, it's under User Configuration-Administrative
Templates-Control Panel-Display-Screen Saver timeout

Hunter 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 31, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question

Is there a way to set the Screen Saver settings on a GPO?  For example set
it for 20 Minutes?  I know how to do it through the registry but I still
cannot see where I can do that through the GPO's.  Well I can see where to
add a registry entry but is there an easier way?

Any help would be appreciate it.

Thanks,
Mario


***
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


***
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO Question

[Rosales, Mario]

I have used WMI from pulling data.  Where can I read about doing this to
GPO's?  Is this through an external script?

Thanks,
Mario 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, September 02, 2004 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

I don't think that's possible through the available GPO settings. One option
would be to set up a second GPO that specified a particular screen saver,
and then use a WMI filter to only apply that GPO to users who had not chosen
anything for a screen saver.

Hunter 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 02, 2004 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

Thanks!!! That helped out!

But now I have another question

In the Screen Saver Section of the GPO:

Screen Saver is enabled but no executable is specified, time is set.

I know that if you do not have a screen saver specified in the
configuration, the screen saver setting will not be enabled unless there is
a selection made in the display properties

Question:   Is there a way to get the screen saver enabled where it will
not override default screen savers already in place and/or get rid of the
NONE option in the Screen Saver so when we enable this through policy it
will be enabled

Please help!

Thanks,
Mario

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, August 31, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

In your GPO, it's under User Configuration-Administrative
Templates-Control Panel-Display-Screen Saver timeout

Hunter 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 31, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question

Is there a way to set the Screen Saver settings on a GPO?  For example set
it for 20 Minutes?  I know how to do it through the registry but I still
cannot see where I can do that through the GPO's.  Well I can see where to
add a registry entry but is there an easier way?

Any help would be appreciate it.

Thanks,
Mario


***
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


***
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


*** 
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO Question

[Alex Fontana]

My GPO is as follows:

Activate Screen Saver: Enabled
Screen Saver EXE Name: NOT CONFIGURED
Password Protect Screen Saver: Enabled
Screen Saver Timeout: Enabled (1200 sec)

That config will allow the user to choose their own screen saver but not
allow them to change the lock screensaver feature or the timeout.  If no
screen saver is defined (none) then it uses a blank screen.

-Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, September 02, 2004 11:08 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

I have used WMI from pulling data.  Where can I read about doing this to
GPO's?  Is this through an external script?

Thanks,
Mario 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, September 02, 2004 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

I don't think that's possible through the available GPO settings. One
option would be to set up a second GPO that specified a particular
screen saver, and then use a WMI filter to only apply that GPO to users
who had not chosen anything for a screen saver.

Hunter 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 02, 2004 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

Thanks!!! That helped out!

But now I have another question

In the Screen Saver Section of the GPO:

Screen Saver is enabled but no executable is specified, time is
set.

I know that if you do not have a screen saver specified in the
configuration, the screen saver setting will not be enabled unless there
is a selection made in the display properties

Question:   Is there a way to get the screen saver enabled where it
will
not override default screen savers already in place and/or get rid of
the NONE option in the Screen Saver so when we enable this through
policy it will be enabled

Please help!

Thanks,
Mario

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, August 31, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

In your GPO, it's under User Configuration-Administrative
Templates-Control Panel-Display-Screen Saver timeout

Hunter 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 31, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question

Is there a way to set the Screen Saver settings on a GPO?  For example
set it for 20 Minutes?  I know how to do it through the registry but I
still cannot see where I can do that through the GPO's.  Well I can see
where to add a registry entry but is there an easier way?

Any help would be appreciate it.

Thanks,
Mario



***
 The contents of this communication are intended only for the addressee
and may contain confidential and/or privileged material. If you are not
the intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed
by it.  

*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



***
 The contents of this communication are intended only for the addressee
and may contain confidential and/or privileged material. If you are not
the intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed
by it.  

*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



***
 The contents of this communication are intended only for the addressee
and may contain confidential and/or privileged material. If you are not
the intended

RE: [ActiveDir] GPO Question

[Coleman, Hunter]

I would expect there to be information about this on Microsoft's site.
Another starting point:
http://www.serverwatch.com/tutorials/article.php/2205741 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 02, 2004 12:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

I have used WMI from pulling data.  Where can I read about doing this to
GPO's?  Is this through an external script?

Thanks,
Mario 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, September 02, 2004 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

I don't think that's possible through the available GPO settings. One option
would be to set up a second GPO that specified a particular screen saver,
and then use a WMI filter to only apply that GPO to users who had not chosen
anything for a screen saver.

Hunter 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 02, 2004 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

Thanks!!! That helped out!

But now I have another question

In the Screen Saver Section of the GPO:

Screen Saver is enabled but no executable is specified, time is set.

I know that if you do not have a screen saver specified in the
configuration, the screen saver setting will not be enabled unless there is
a selection made in the display properties

Question:   Is there a way to get the screen saver enabled where it will
not override default screen savers already in place and/or get rid of the
NONE option in the Screen Saver so when we enable this through policy it
will be enabled

Please help!

Thanks,
Mario

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, August 31, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Question

In your GPO, it's under User Configuration-Administrative
Templates-Control Panel-Display-Screen Saver timeout

Hunter 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 31, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question

Is there a way to set the Screen Saver settings on a GPO?  For example set
it for 20 Minutes?  I know how to do it through the registry but I still
cannot see where I can do that through the GPO's.  Well I can see where to
add a registry entry but is there an easier way?

Any help would be appreciate it.

Thanks,
Mario


***
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


***
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


***
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor

RE: [ActiveDir] GPO Question

[Coleman, Hunter]

In your GPO, it's under User Configuration-Administrative
Templates-Control Panel-Display-Screen Saver timeout

Hunter 

-Original Message-
From: Rosales, Mario [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 31, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question

Is there a way to set the Screen Saver settings on a GPO?  For example set
it for 20 Minutes?  I know how to do it through the registry but I still
cannot see where I can do that through the GPO's.  Well I can see where to
add a registry entry but is there an easier way?

Any help would be appreciate it.

Thanks,
Mario


***
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO Question

[David Adner]

Coincidentally, I noticed this today.  Haven't used it before, but it sounds
like it might be what you're looking for.

http://www.energystar.gov/index.cfm?c=power_mgt.pr_pm_ez_gpo 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Robert Mezzone
 Sent: Friday, July 30, 2004 16:53
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] GPO Question
 
 Is it possible to control the power options, specifically for 
 the monitor, on WINXP and WIN2K boxes thru a GPO? Right now I 
 have to set it for each user. If I log in as admin, set it to 
 2 hours, then a user logs in his profile is set to 20 minutes 
 and that's when it powers down. Running 2003 server, if that 
 matters. Thanks.
 
 Robert
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] GPO Question

[Robert Mezzone]

This might works. Thanks!!!

Robert


-Original Message-
From: [EMAIL PROTECTED]
[EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Fri Jul 30 18:10:14 2004
Subject: RE: [ActiveDir] GPO Question

Coincidentally, I noticed this today.  Haven't used it before, but it sounds
like it might be what you're looking for.

http://www.energystar.gov/index.cfm?c=power_mgt.pr_pm_ez_gpo 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Robert Mezzone
 Sent: Friday, July 30, 2004 16:53
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] GPO Question
 
 Is it possible to control the power options, specifically for 
 the monitor, on WINXP and WIN2K boxes thru a GPO? Right now I 
 have to set it for each user. If I log in as admin, set it to 
 2 hours, then a user logs in his profile is set to 20 minutes 
 and that's when it powers down. Running 2003 server, if that 
 matters. Thanks.
 
 Robert
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] GPO question concerning LOCAL GPO

[jpsalemi]

Hey Jeff...If you can get them to use cached credentials on the laptops,
you can do a loopback policy.  They'll cache it locally and get the
settings even when off the wire.

Not sure this fits your needsAnd it does make for some complaints,
travellers doing presentations etc.

John




|-+--
| |   Cothern Jeff D. Team  |
| |   EITC  |
| |   [EMAIL PROTECTED]|
| |   Sent by:   |
| |   [EMAIL PROTECTED]|
| |   tivedir.org|
| |  |
| |  |
| |   07/01/2004 05:48 PM|
| |   Please respond to  |
| |   ActiveDir  |
| |  |
|-+--
  
--|
  |
  |
  |   To:   [EMAIL PROTECTED]
   |
  |   cc:  
  |
  |   Subject:  [ActiveDir] GPO question concerning LOCAL GPO  
  |
  
--|





We have identified an issue with a security policy (the paper kind)  that
conflicts with how our current build is set on our workstations.  The
workstations are running Windows 2000.  I need to see if there is a way to
change the LOCAL GPO on say 2000+ machines on the domain without having to
remotely or sneaker login.  Anyone know if a script could be written that
say changes the GPO so the screen saver activates in 600 seconds, password
protected and the user doesnt see the screen saver tab.  I have already
worked out the GPOs for users with these settings but the question was
posed to me what about if the machine is operating in a standalone mode
temporarily, IE laptop.

Any ideas or suggestions would be appreciated.

Jeff

.+-wi0-+YbmPi0-+bf.+-j!
0j!oryIV+v*

RE: [ActiveDir] GPO question concerning LOCAL GPO

[Edwin]

I just wanted to say that this is an
awesome reply!



Thank you Darren.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, July 01, 2004 7:38
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO
question concerning LOCAL GPO





A user-driven script is not likely to
work. These policies are set in HKCU but the keysinvolvedare
permissioned away from normal users by default--to prevent a normal user from
undoing a policy. There are a couple of ways you could skin this. If you want
to pay money, Full Armor has a tool called GPAnywhere that lets you do mass
manipulation of the local GPO. If you want to do it on the cheap then there is
another way, but it is abit tricky. Essentially, all Admin. Template
policy for the local GPO is stored in two files on the local drive. Any
machine-specific Admin. Template policy is stored in
%windir%\system32\grouppolicy\machine\registry.pol and any user-specific policy
is stored in %windir%\system32\grouppolicy\user\registry.pol. For the screensaver
policies you talk about below, these are user-specific and so would be stored
in the user-specific registry.pol file. If you are reasonably sure that all of
the affected machines have roughly the same local GPO, then you could pick one
of them, edit it to include your new screen saver settings, and then just copy
over that user registry.pol file on all the desired machines. Then, you have to
increment the version number of the local GPO, so that when the user logs on,
it knows there are new policy settings and it processes them. The version
number is stored in a file called GPT.ini, found in
%windir%\system32\grouppolicy. GPT.ini typically looks something like this:



[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-F87571E3}]

Version=917538
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}] 



You'll need to increment the Version= key
and, if there were no Admin Template policies formerly found in the local GPO,
you need to be sure the GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is found in
the value gPCUserExtensionNames key, as it is above. The version number should
be incremented according to how many policy changes you make. If you want to
stick to Microsoft's byzantine versioning scheme for GPOs, then for each
user-specific change you make (which is what you'll be doing in this case), the
version number is increased by 65536. So three changes to user policy would
result in a version number increase of 65536 x 3 or 196608, which gets added to
the existing version number (so in the example above, 917538+196608=new version
number). So what you can do is copy the registry.pol file and an updated
gpt.ini (again this assumes thatall machines have the same
startinggpt.ini version number)to each of the target machines and
then the next time the user logs on, they should get the correct screen saver
policy. Like I said, tricky, but not impossible. 



Darren









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 3:57
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO
question concerning LOCAL GPO



If the machine is standalone, you could
e-mail them a script that makes the proposed registry changes. How else are you
going to touch a machine that doesn't login regularly to have a GPO applied ?











Kevin Gent





Pearson Digital Learning





-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, July 01, 2004 6:49
PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO question
concerning LOCAL GPO

We have identified an issue with a security policy (the
paper kind) that conflicts with how our current build is set on our
workstations. The workstations are running Windows 2000. I need to
see if there is a way to change the LOCAL GPO on say 2000+ machines on the
domain without having to remotely or sneaker login. Anyone know if a script
could be written that say changes the GPO so the screen saver activates in 600
seconds, password protected and the user doesnt see the screen saver
tab. I have already worked out the GPOs for users with these settings but
the question was posed to me what about if the machine is operating in a
standalone mode temporarily, IE laptop. 



Any ideas or suggestions would be appreciated.



Jeff 

RE: [ActiveDir] GPO question concerning LOCAL GPO

[kevingent]

If the 
machine is standalone, you could e-mail them a script that makes the proposed 
registry changes. How else are you going to touch a machine that doesn't login 
regularly to have a GPO applied ?

Kevin 
Gent
Pearson Digital Learning

  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]On Behalf Of Cothern Jeff D. 
  Team EITCSent: Thursday, July 01, 2004 6:49 PMTo: 
  [EMAIL PROTECTED]Subject: [ActiveDir] GPO question 
  concerning LOCAL GPO
  
  We have identified an issue with a 
  security policy (the paper kind) that conflicts with how our current 
  build is set on our workstations. The workstations are running Windows 
  2000. I need to see if there is a way to change the LOCAL GPO on say 
  2000+ machines on the domain without having to remotely or sneaker 
  login. Anyone know if a script could be written that say changes the GPO 
  so the screen saver activates in 600 seconds, password protected and the user 
  doesnt see the screen saver tab. I have already worked out the GPOs for 
  users with these settings but the question was posed to me what about if the 
  machine is operating in a standalone mode temporarily, IE laptop. 
  
  
  Any ideas or suggestions would be 
  appreciated.
  
  Jeff 
  

RE: [ActiveDir] GPO question concerning LOCAL GPO

[Darren Mar-Elia]

A user-driven script is not likely to work. These policies 
are set in HKCU but the keysinvolvedare permissioned away from 
normal users by default--to prevent a normal user from undoing a policy. There 
are a couple of ways you could skin this. If you want to pay money, Full Armor 
has a tool called GPAnywhere that lets you do mass manipulation of the local 
GPO. If you want to do it on the cheap then there is another way, but it is 
abit tricky. Essentially, all Admin. Template policy for the local GPO is 
stored in two files on the local drive. Any machine-specific Admin. Template 
policy is stored in %windir%\system32\grouppolicy\machine\registry.pol and any 
user-specific policy is stored in 
%windir%\system32\grouppolicy\user\registry.pol. For the screensaver policies 
you talk about below, these are user-specific and so would be stored in the 
user-specific registry.pol file. If you are reasonably sure that all of the 
affected machines have roughly the same local GPO, then you could pick one of 
them, edit it to include your new screen saver settings, and then just copy over 
that user registry.pol file on all the desired machines. Then, you have to 
increment the version number of the local GPO, so that when the user logs on, it 
knows there are new policy settings and it processes them. The version number is 
stored in a file called GPT.ini, found in %windir%\system32\grouppolicy. GPT.ini 
typically looks something like this:

[General]gPCFunctionalityVersion=2gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-F87571E3}] 
Version=917538gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}] 


You'll need to increment the Version= key and, if there 
were no Admin Template policies formerly found in the local GPO, you need to be 
sure the GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is found in the value 
gPCUserExtensionNames key, as it is above. The version number should be 
incremented according to how many policy changes you make. If you want to stick 
to Microsoft's byzantine versioning scheme for GPOs, then for each user-specific 
change you make (which is what you'll be doing in this case), the version number 
is increased by 65536. So three changes to user policy would result in a version 
number increase of 65536 x 3 or 196608, which gets added to the existing version 
number (so in the example above, 917538+196608=new version number). So what you 
can do is copy the registry.pol file and an updated gpt.ini (again this assumes 
thatall machines have the same startinggpt.ini version 
number)to each of the target machines and then the next time the user logs 
on, they should get the correct screen saver policy. Like I said, tricky, but 
not impossible. 

Darren


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Thursday, July 01, 2004 3:57 
PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] 
GPO question concerning LOCAL GPO

If the 
machine is standalone, you could e-mail them a script that makes the proposed 
registry changes. How else are you going to touch a machine that doesn't login 
regularly to have a GPO applied ?

Kevin 
Gent
Pearson Digital Learning

  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]On Behalf Of Cothern Jeff D. 
  Team EITCSent: Thursday, July 01, 2004 6:49 PMTo: 
  [EMAIL PROTECTED]Subject: [ActiveDir] GPO question 
  concerning LOCAL GPO
  
  We have identified an issue with a 
  security policy (the paper kind) that conflicts with how our current 
  build is set on our workstations. The workstations are running Windows 
  2000. I need to see if there is a way to change the LOCAL GPO on say 
  2000+ machines on the domain without having to remotely or sneaker 
  login. Anyone know if a script could be written that say changes the GPO 
  so the screen saver activates in 600 seconds, password protected and the user 
  doesnt see the screen saver tab. I have already worked out the GPOs for 
  users with these settings but the question was posed to me what about if the 
  machine is operating in a standalone mode temporarily, IE laptop. 
  
  
  Any ideas or suggestions would be 
  appreciated.
  
  Jeff 
  

RE: [ActiveDir] GPO Question

[Passo, Larry]

Use the GPO to run a logon script that creates the shortcut

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script5
6/html/wsconcreatingshortcut.asp

-Original Message-
From: Christine Easton [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 28, 2004 11:09 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question


Running Windows 2k AD with sp3

Hi,

I'm trying to create a GPO for my users that will place a shortcut to
their
departmental folder that is on a NTFS network share to their desktop.
Has
anyone done this before? I'm not sure what GPO I should be using or what
proceedure I should follow.  Any help with be appriciated. Thanks!
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO Question

[Creamer, Mark]

How are the users organized? Is there some attribute populated already in your AD that 
can properly
match the user to the directory shortcut they should receive? I think I'd use a login 
script for
this...

mc
-Original Message-
From: Christine Easton [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 28, 2004 2:09 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO Question


Running Windows 2k AD with sp3

Hi,

I'm trying to create a GPO for my users that will place a shortcut to their
departmental folder that is on a NTFS network share to their desktop.  Has
anyone done this before? I'm not sure what GPO I should be using or what
proceedure I should follow.  Any help with be appriciated. Thanks!
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO Question

[Brian Desmond]

You'll need a logon script to do this. There's a CreateShortcut method in 
Wscript.Shell which you can use. If you need a code sample, let me know  I'll look up 
the syntax.
 
--Brian

-Original Message- 
From: Christine Easton [mailto:[EMAIL PROTECTED] 
Sent: Fri 5/28/2004 1:08 PM 
To: '[EMAIL PROTECTED]' 
Cc: 
Subject: [ActiveDir] GPO Question




Running Windows 2k AD with sp3

Hi,

I'm trying to create a GPO for my users that will place a shortcut to their
departmental folder that is on a NTFS network share to their desktop.  Has
anyone done this before? I'm not sure what GPO I should be using or what
proceedure I should follow.  Any help with be appriciated. Thanks!
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


winmail.dat

RE: [ActiveDir] GPO Question

[Roger Seielstad]

The issue you'll run into is that the computer GPO and user GPO settings
aren't identical - there is some overlap but not significant enough to be
able to exclusively use one or the other.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Charles Carerros [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, July 30, 2003 5:49 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] GPO Question
 
 
 Hey all,
 
 For the past few years I have been doing my GPOs primarily based up on
 the user settings.  (We don't have a firewall on my campus so by
 disabling a lot of stuff using the security portion of the user GPO I
 can help reduce the security risk.)  However, I have just 
 been asked to
 only use computer based GPOs (a migration scheme will leave 
 me no access
 to user accounts).  
 
 1)  I was wondering if anyone has any suggestion (pro or con) to doing
 only computer based policies?
 
 2)  Are there any really good documents that might help clarify the
 process by which loopback (and troubleshooting loopback) is 
 utilized?  I
 will probably need to implement this in order to have a good policy.
 
 3) Does anyone here only do computer based policies?  What is your
 experience with them?
 
 I am going to re-read the Microsoft Group Policy white paper tonight,
 but if anyone knows of any additional documentation that is related to
 this and might discuss the issues (negative or positive) 
 about this type
 of organization scheme, it would be tremendously helpful.
 
 Just for a little more background, if I end up implementing the scheme
 that was suggested to me today it would consist of a five level OU
 structure with 1 OU at 1 tier, 1 OU at 2 tier, 35 OUs at 3 tier, 4 OUs
 at 4 tier and 2 OUs at 5 tier (not all of the 4th tier OUs will have a
 fifth, only about 40% of them.)
 
 Does anyone have any feedback of having a five level nested OU
 structure.  I would like to maintain my current 3 tier OU 
 structure, but
 I need some technical ammo to defend my structure with.
 
 Thanks,
 
 Chuck
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir% 40mail.activedir.org/
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] GPO Question

[rrutherford]

Hi,

1) Are you saying that you dont have any protection at all from the
internet, except your policies? If so then that is a dangerous situation to
be in have u had a decent port scan / vulnerability test done?

2) I know that it's good practice not to go deeper than 3 OUs down on most
environment and recommended on a wide scale mostly down to policy
processing time though if I remember... I guess it depends on the amount of
policies you are running... then again if you haven't got a firewall as u
say... u must be running a good few.

How are you accessing the Internet?

Best Regards,

Rob



   
  
  Charles Carerros   
  
  [EMAIL PROTECTED]To:   [EMAIL PROTECTED] 
   
  Sent by:   cc:   
  
  [EMAIL PROTECTED]Subject:  [ActiveDir] GPO Question  

  tivedir.org  
  
   
  
   
  
  30/07/2003 22:48 
  
  Please respond to
  
  ActiveDir
  
   
  
   
  




Hey all,

For the past few years I have been doing my GPOs primarily based up on
the user settings.  (We don't have a firewall on my campus so by
disabling a lot of stuff using the security portion of the user GPO I
can help reduce the security risk.)  However, I have just been asked to
only use computer based GPOs (a migration scheme will leave me no access
to user accounts).

1)  I was wondering if anyone has any suggestion (pro or con) to doing
only computer based policies?

2)  Are there any really good documents that might help clarify the
process by which loopback (and troubleshooting loopback) is utilized?  I
will probably need to implement this in order to have a good policy.

3) Does anyone here only do computer based policies?  What is your
experience with them?

I am going to re-read the Microsoft Group Policy white paper tonight,
but if anyone knows of any additional documentation that is related to
this and might discuss the issues (negative or positive) about this type
of organization scheme, it would be tremendously helpful.

Just for a little more background, if I end up implementing the scheme
that was suggested to me today it would consist of a five level OU
structure with 1 OU at 1 tier, 1 OU at 2 tier, 35 OUs at 3 tier, 4 OUs
at 4 tier and 2 OUs at 5 tier (not all of the 4th tier OUs will have a
fifth, only about 40% of them.)

Does anyone have any feedback of having a five level nested OU
structure.  I would like to maintain my current 3 tier OU structure, but
I need some technical ammo to defend my structure with.

Thanks,

Chuck
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






**
This E-mail and any files transmitted with it are in 
commercial confidence and intended solely for the use of
the individual or entity to whom they are addressed.
If you have received this E-mail in error please notify the 
Administrator by E-mail ([EMAIL PROTECTED]).
Any views or opinions expressed are solely those of the
author and do not necessarily represent those of 
DEK International., or its affiliates.
**
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.dek.com
**

List info   :