RE: GPO Question
One advantage to using group policy to install MSI based applications is the ability to automatically uninstall when the GPO no longer applies. However, you're installing via a script, so the install is only tangentially related to group policy. At this point, if you want to uninstall the app, you'll have to change the script to do that instead of install. You can usually find the uninstall string in the registry of a computer that has the app installed. It will generally look something like this: msiexec /u {1234-1234-1234-1234}. Change the script to check if it's installed, and if so, run the uninstall string.

From: Troy Adkins [mailto:tadk...@house.virginia.gov]
Sent: Friday, April 20, 2012 12:24 PM
To: NT System Admin Issues
Subject: GPO Question

I have a GPO (computer config) defined that runs a script from the 'netlogon' folder. The vendor has the vbs script calling an .msi file to install an app, per their instructions. Not the way I would've preferred, but I assume it was done that way to allow for a registry configuration based on 32-bit or 64-bit OS. I want to remove that script and remove the software/app that the script installed. I found the below, but not sure if this will do what I want.

http://www.winvistatips.com/delete-logon-script-all-users-t695675.html

Just by removing the GPO from the OU doesn't uninstall the app.

-Troy

Troy Adkins
Network Administrator
Virginia House of Delegates
General Assembly Bldg. Room 815
804.698.1567 (O) 804.771.7917 (F)
tadk...@house.virginia.gov
http://legis.virginia.gov

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
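An added example, not part of the original messages: one way to write the check-then-uninstall logic described in the reply above as a PowerShell computer startup script. `$AppName` is a hypothetical display name; because a startup script runs as SYSTEM, the script rebuilds the command from a validated product code and Windows Installer's `/x` (uninstall) switch instead of executing the registry's UninstallString verbatim.

```powershell
# Added example: remove an MSI-installed application only when it is present.
# Intended to run as a computer startup script (SYSTEM context).

$AppName = 'Example Vendor App'   # hypothetical DisplayName; use the vendor's real one

# Uninstall entries live in two places on 64-bit Windows: the native view and
# the WOW6432Node view used by 32-bit installers.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# MSI products register under a key named after their product code (a GUID in braces).
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-MsiProductCode {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$Keys
    )
    # A missing hive (for example WOW6432Node on 32-bit Windows) is skipped silently.
    Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName -and $_.PSChildName -match $GuidPattern } |
        Select-Object -ExpandProperty PSChildName -Unique
}

function Invoke-MsiUninstall {
    param(
        [Parameter(Mandatory)][string]$ProductCode,
        [Parameter(Mandatory)][string]$LogPath
    )
    # Only a well-formed GUID is ever passed to msiexec.
    if ($ProductCode -notmatch $GuidPattern) {
        throw "Refusing to run msiexec with a non-GUID value: $ProductCode"
    }
    # Full path, so a planted msiexec.exe earlier in PATH is never picked up.
    $msiexec = Join-Path $env:SystemRoot 'System32\msiexec.exe'
    $msiArgs = @('/x', $ProductCode, '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    (Start-Process -FilePath $msiexec -ArgumentList $msiArgs -Wait -PassThru).ExitCode
}

$codes = @(Get-MsiProductCode -DisplayName $AppName -Keys $UninstallKeys)
if ($codes.Count -eq 0) {
    Write-Output "'$AppName' is not installed; nothing to do."
    return
}

foreach ($code in $codes) {
    $logName = 'msi-uninstall-{0}.log' -f ($code -replace '[{}]', '')
    $log     = Join-Path $env:SystemRoot "Temp\$logName"
    $rc      = Invoke-MsiUninstall -ProductCode $code -LogPath $log
    switch ($rc) {
        0       { Write-Output "Removed $code." }
        3010    { Write-Output "Removed $code; a reboot is required to finish." }
        1605    { Write-Output "$code was no longer installed." }
        default { Write-Warning "msiexec returned $rc for $code; see $log." }
    }
}
```

Once every machine reports the product as absent, the script and its GPO link can be removed.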
Re: GPO Question
I have just discovered the wmic /node commands that can uninstall software. Check out this description here: http://community.spiceworks.com/how_to/show/179

You could use this to uninstall the software you want to get rid of. I just used it to uninstall a program in a lab.

--Matt Ross
Ephrata School District

- Original Message -
From: Troy Adkins [mailto:tadk...@house.virginia.gov]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 20 Apr 2012 10:24:28 -0700
Subject: GPO Question

I have a GPO (computer config) defined that runs a script from the 'netlogon' folder. The vendor has the vbs script calling an .msi file to install an app, per their instructions. Not the way I would've preferred, but I assume it was done that way to allow for a registry configuration based on 32-bit or 64-bit OS. I want to remove that script and remove the software/app that the script installed. I found the below, but not sure if this will do what I want.

http://www.winvistatips.com/delete-logon-script-all-users-t695675.html

Just by removing the GPO from the OU doesn't uninstall the app.

-Troy

Troy Adkins
Network Administrator
Virginia House of Delegates
General Assembly Bldg. Room 815
804.698.1567 (O) 804.771.7917 (F)
tadk...@house.virginia.gov
http://legis.virginia.gov
RE: GPO question
Once we realized the reason, we were going to create a new ADMX template, but found that what we were looking to do could be accomplished through Drive Maps in Preferences.

Thanks,
Chris Bodnar, MCSE
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

From: Miller Bonnie L. mille...@mukilteo.wednet.edu
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 03/16/2011 03:27 PM
Subject: RE: GPO question

Interesting--so, did you simply rename the old adm file and re-import into the affected GPO?

-Original Message-
From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, March 16, 2011 7:55 AM
To: NT System Admin Issues
Subject: re: GPO question

If anyone is interested I found out why this is happening. From here: http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx

Group Policy tools will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that has been superseded by ADMX files: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. Therefore, if you have edited any of these files to modify existing or create new policy settings, the modified or new settings will not be read or displayed by the Windows Vista–based Group Policy tools.

In our situation, we modified the existing system.adm file, so it won't be seen by GPMC on W2K8R2 or W7.

Chris
RE: GPO question
I wasn't the author of this particular modification. But my guess is that he was trying to modify an entry in an existing GPO option, not add something that didn't already exist.

Chris Bodnar, MCSE
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

From: Brian Desmond br...@briandesmond.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 03/16/2011 07:27 PM
Subject: RE: GPO question

Why are you modifying an in-box ADM as opposed to using your own?

Thanks,
Brian Desmond
br...@briandesmond.com
w – 312.625.1438 | c – 312.731.3132

-Original Message-
From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, March 16, 2011 7:55 AM
To: NT System Admin Issues
Subject: re: GPO question

If anyone is interested I found out why this is happening. From here: http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx

Group Policy tools will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that has been superseded by ADMX files: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. Therefore, if you have edited any of these files to modify existing or create new policy settings, the modified or new settings will not be read or displayed by the Windows Vista–based Group Policy tools.

In our situation, we modified the existing system.adm file, so it won't be seen by GPMC on W2K8R2 or W7.

Chris
re: GPO question
If anyone is interested I found out why this is happening. From here: http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx

Group Policy tools will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that has been superseded by ADMX files: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. Therefore, if you have edited any of these files to modify existing or create new policy settings, the modified or new settings will not be read or displayed by the Windows Vista–based Group Policy tools.

In our situation, we modified the existing system.adm file, so it won't be seen by GPMC on W2K8R2 or W7.

Chris
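An added example, not part of the original messages: a PowerShell sketch that lists GPOs whose SYSVOL `Adm` folder holds a copy of one of the five superseded files that differs from the copy most GPOs carry, which is where an edited in-box template would show up. Treating the most common hash as the stock copy is a heuristic assumed here (stock copies also differ between OS versions and service packs), so every row it prints needs manual review; the SYSVOL path is built from `$env:USERDNSDOMAIN`.

```powershell
# Added example: find GPOs carrying non-standard copies of the in-box ADM files
# that Windows Vista and later Group Policy tools ignore.

$Superseded = 'System.adm', 'Inetres.adm', 'Conf.adm', 'Wmplayer.adm', 'Wuau.adm'

function Find-SupersededAdm {
    param([Parameter(Mandatory)][string]$PoliciesPath)

    # Each GPO is a {GUID} folder; ADM templates uploaded by older tools sit in its Adm subfolder.
    Get-ChildItem -Path $PoliciesPath -Directory | ForEach-Object {
        $gpoGuid = $_.Name
        $admDir  = Join-Path $_.FullName 'Adm'
        if (Test-Path -Path $admDir) {
            Get-ChildItem -Path $admDir -File |
                Where-Object { $Superseded -contains $_.Name } |
                ForEach-Object {
                    [pscustomobject]@{
                        Gpo           = $gpoGuid
                        File          = $_.Name
                        Length        = $_.Length
                        LastWriteTime = $_.LastWriteTime
                        Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    }
                }
        }
    }
}

function Select-AdmOutlier {
    param([Parameter(Mandatory)][object[]]$Inventory)

    # Per file name, take the most common hash as the baseline (heuristic) and
    # return every copy that differs from it.
    $Inventory | Group-Object -Property File | ForEach-Object {
        $baseline = ($_.Group | Group-Object -Property Sha256 |
            Sort-Object -Property Count -Descending |
            Select-Object -First 1).Name
        $_.Group | Where-Object { $_.Sha256 -ne $baseline }
    }
}

$policies  = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
$inventory = @(Find-SupersededAdm -PoliciesPath $policies)

if ($inventory.Count -eq 0) {
    Write-Output 'No superseded ADM files found in SYSVOL.'
} else {
    Select-AdmOutlier -Inventory $inventory |
        Sort-Object -Property File, Gpo |
        Format-Table -Property Gpo, File, Length, LastWriteTime -AutoSize
}
```

Settings defined only in an edited in-box ADM are the ones that newer consoles report under Extra Registry Settings, so the GPOs listed are the candidates for moving those settings into a separately named custom template.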
RE: GPO question
Interesting--so, did you simply rename the old adm file and re-import into the affected GPO?

-Original Message-
From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, March 16, 2011 7:55 AM
To: NT System Admin Issues
Subject: re: GPO question

If anyone is interested I found out why this is happening. From here: http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx

Group Policy tools will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that has been superseded by ADMX files: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. Therefore, if you have edited any of these files to modify existing or create new policy settings, the modified or new settings will not be read or displayed by the Windows Vista–based Group Policy tools.

In our situation, we modified the existing system.adm file, so it won't be seen by GPMC on W2K8R2 or W7.

Chris
RE: GPO question
Why are you modifying an in-box ADM as opposed to using your own?

Thanks,
Brian Desmond
br...@briandesmond.com
w – 312.625.1438 | c – 312.731.3132

-Original Message-
From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, March 16, 2011 7:55 AM
To: NT System Admin Issues
Subject: re: GPO question

If anyone is interested I found out why this is happening. From here: http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx

Group Policy tools will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that has been superseded by ADMX files: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. Therefore, if you have edited any of these files to modify existing or create new policy settings, the modified or new settings will not be read or displayed by the Windows Vista–based Group Policy tools.

In our situation, we modified the existing system.adm file, so it won't be seen by GPMC on W2K8R2 or W7.

Chris
RE: GPO question
Looks to me like the registry entries that are being modified are not in the same location in W2k8.

Don Guyer
Windows Systems Engineer
Datasafe Platform
Enterprise Technology Group
Fiserv
don.gu...@fiserv.com
Office: 1-800-523-7282 x 1673
Fax: 610-293-4499
www.fiserv.com

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Tuesday, March 15, 2011 9:33 AM
To: NT System Admin Issues
Subject: GPO question

W2K3 DFL FFL:

We created a GPO using a Windows 2003 GPMC. And modified the system.adm file with the following:

    POLICY !!NoViewOnDrive
        #if version >= 4
            SUPPORTED !!SUPPORTED_Win2k
        #endif
        EXPLAIN !!NoViewOnDrive_Help
        PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
            VALUENAME NoViewOnDrive
            ITEMLIST
                NAME !!ABOnly           VALUE NUMERIC 3
                NAME !!COnly            VALUE NUMERIC 4
                NAME !!DOnly            VALUE NUMERIC 8
                NAME !!ABConly          VALUE NUMERIC 7
                NAME !!ABCDOnly         VALUE NUMERIC 15
                NAME !!ALLDrivesnoABCVZ VALUE NUMERIC 35651591
                NAME !!ALLDrives        VALUE NUMERIC 67108863 DEFAULT
                    ; low 26 bits on (1 bit per drive)
                NAME !!RestNoDrives     VALUE NUMERIC 0
            END ITEMLIST
        END PART
    END POLICY

It works fine, and looks fine on a W2K3 machine running the GPMC. But from a W2K8 machine running GPM, it shows up under Extra registry Settings. And you see this right below it in the report:

Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management

I've also read KB873449 which seems to address the topic, but I still don't understand why it's not being correctly interpreted in the W2K8 GPM. I would expect this to show up under the normal location in the GPM on W2K8.

Anyone else run into this type of issue?

Thanks,
Chris Bodnar, MCSE
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003
RE: GPO question
Splunk .. It's even free if you don't hit the 500MB limit in smaller environments. The power of post-incident search ability plus the fact that it can take input from most sources, Windows or otherwise, has made it invaluable to me in the past in assisting with investigations.

I think it's been mentioned already, but please do pay attention to what you're actually logging on a system too! You should define it by GPO for the class of server you're supporting and only log what you need/can deal with. Ticking everything is not usually a good idea!

I've always found under 100MB for the security log to be adequate as that's usually at the very least a day (on busy DCs) and, as I mentioned above, is passed back to Splunk immediately for archiving. 512kb would be utterly useless and take mere seconds to overwrite (which would be a problem if your log archiving solution wasn't responding for a few seconds, as most of these systems queue events based on row pointers, not re-storing the event in a queue that could lead to a disk DOS).

a

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: 04 June 2010 19:32
To: NT System Admin Issues
Subject: Re: GPO question

A very key item:

Ideally, all specifically monitored events will be sent to a server by using Microsoft Operations Manager (MOM) or some other automated monitoring tool. This is particularly important because an attacker who successfully compromises a server could clear the security log. If all events are sent to a monitoring server, you will be able to gather post-incident forensic information about the attacker's activities.

I happen to use a syslogging setup, but something that collects logs centrally is incredibly useful.

Kurt

On Fri, Jun 4, 2010 at 10:58, Andrew S. Baker asbz...@gmail.com wrote:

See: http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jun 4, 2010 at 12:47 PM, David Lum david@nwea.org wrote:

I usually run 128MB on the sec logs. What happens if cumulative is over 300MB on a DC?

Dave

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Friday, June 04, 2010 9:25 AM
To: NT System Admin Issues
Subject: RE: GPO question

I usually go with around 150MB. Keep in mind that on a 32bit box you want the cumulative size of all your event logs to be =300MB. You should size your app and system logs accordingly as well. Also note that the policy will not shrink logs if you have them bigger than your new maximum.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Friday, June 04, 2010 10:35 AM
To: NT System Admin Issues
Subject: Re: GPO question

You're going to want to make it larger than 512K, btw. 8MB or 16MB will be more useful numbers.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jun 4, 2010 at 10:45 AM, Bill Lambert blamb...@concuity.com wrote:

All my domain pc's are displaying a message on the login window that the security log is full and only an administrator can correct this. I'm trying to find where the properties of the Event Viewer security logs are set in GP. I think another admin has set this up but I can't find it. Can someone direct me to where these settings are? I want to set it to 512kb and overwrite as necessary.

Thanks in advance!

Bill Lambert
Windows System Administrator
Concuity
Phone 847-941-9206
Fax 847-465-9147
RE: GPO question
Computer Configuration\Policies\Windows Settings\Security Settings\Event Log. There are a few settings under that. For the security log specifically, the ones that I believe you are looking for are: Maximum Security Log Size and Retention Method for Security Log

From: Bill Lambert [mailto:blamb...@concuity.com]
Sent: Friday, June 04, 2010 10:46 AM
To: NT System Admin Issues
Subject: GPO question

All my domain pc's are displaying a message on the login window that the security log is full and only an administrator can correct this. I'm trying to find where the properties of the Event Viewer security logs are set in GP. I think another admin has set this up but I can't find it. Can someone direct me to where these settings are? I want to set it to 512kb and overwrite as necessary.

Thanks in advance!

Bill Lambert
Windows System Administrator
Concuity
Phone 847-941-9206
Fax 847-465-9147
RE: GPO question
Wow. Just wow. And you said that the WSJ article on IT people disappearing was a load of crap

From: Bill Lambert [mailto:blamb...@concuity.com]
Sent: Friday, 4 June 2010 10:45 PM
To: NT System Admin Issues
Subject: GPO question

All my domain pc's are displaying a message on the login window that the security log is full and only an administrator can correct this. I'm trying to find where the properties of the Event Viewer security logs are set in GP. I think another admin has set this up but I can't find it. Can someone direct me to where these settings are? I want to set it to 512kb and overwrite as necessary.

Thanks in advance!

Bill Lambert
Windows System Administrator
Concuity
Phone 847-941-9206
Fax 847-465-9147
RE: GPO question
I'm not sure I understand the correlation.

Bill Lambert
Concuity
Phone 847-941-9206

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Friday, June 04, 2010 10:05 AM
To: NT System Admin Issues
Subject: RE: GPO question

Wow. Just wow. And you said that the WSJ article on IT people disappearing was a load of crap

From: Bill Lambert [mailto:blamb...@concuity.com]
Sent: Friday, 4 June 2010 10:45 PM
To: NT System Admin Issues
Subject: GPO question

All my domain pc's are displaying a message on the login window that the security log is full and only an administrator can correct this. I'm trying to find where the properties of the Event Viewer security logs are set in GP. I think another admin has set this up but I can't find it. Can someone direct me to where these settings are? I want to set it to 512kb and overwrite as necessary.

Thanks in advance!

Bill Lambert
Windows System Administrator
Concuity
Phone 847-941-9206
Fax 847-465-9147
Re: GPO question
You're going to want to make it larger than 512K, btw. 8MB or 16MB will be more useful numbers.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jun 4, 2010 at 10:45 AM, Bill Lambert blamb...@concuity.com wrote:

All my domain pc’s are displaying a message on the login window that the security log is full and only an administrator can correct this. I’m trying to find where the properties of the Event Viewer security logs are set in GP. I think another admin has set this up but I can’t find it. Can someone direct me to where these settings are? I want to set it to 512kb and overwrite as necessary.

Thanks in advance!

Bill Lambert
Windows System Administrator
Concuity
Phone 847-941-9206
Fax 847-465-9147
RE: GPO question
Binged it: http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Friday, June 04, 2010 11:35 AM
To: NT System Admin Issues
Subject: Re: GPO question

You're going to want to make it larger than 512K, btw. 8MB or 16MB will be more useful numbers.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jun 4, 2010 at 10:45 AM, Bill Lambert blamb...@concuity.com wrote:

All my domain pc's are displaying a message on the login window that the security log is full and only an administrator can correct this. I'm trying to find where the properties of the Event Viewer security logs are set in GP. I think another admin has set this up but I can't find it. Can someone direct me to where these settings are? I want to set it to 512kb and overwrite as necessary.

Thanks in advance!

Bill Lambert
Windows System Administrator
Concuity
Phone 847-941-9206
Fax 847-465-9147
RE: GPO question
I usually go with around 150MB. Keep in mind that on a 32bit box you want the cumulative size of all your event logs to be =300MB. You should size your app and system logs accordingly as well. Also note that the policy will not shrink logs if you have them bigger than your new maximum.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Friday, June 04, 2010 10:35 AM
To: NT System Admin Issues
Subject: Re: GPO question

You're going to want to make it larger than 512K, btw. 8MB or 16MB will be more useful numbers.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jun 4, 2010 at 10:45 AM, Bill Lambert blamb...@concuity.com wrote:

All my domain pc's are displaying a message on the login window that the security log is full and only an administrator can correct this. I'm trying to find where the properties of the Event Viewer security logs are set in GP. I think another admin has set this up but I can't find it. Can someone direct me to where these settings are? I want to set it to 512kb and overwrite as necessary.

Thanks in advance!

Bill Lambert
Windows System Administrator
Concuity
Phone 847-941-9206
Fax 847-465-9147
RE: GPO question
I usually run 128MB on the sec logs. What happens if cumulative is over 300MB on a DC?

Dave
Re: GPO question
See: http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx

-ASB: http://XeeSM.com/AndrewBaker
RE: GPO question
Any server actually, not just DCs. Short answer: in the older OSs the event logs are memory mapped and need a contiguous portion of memory. Depending on the system, as they near 300MB total, bad things can happen. That is from memory (pun intended); better details can be found :)
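The sizing advice in the replies above can be checked per host. The following is an added example, not code from the thread: it sums the configured maximum of every classic event log against a budget and flags a Security log that is not set to overwrite as needed. The function name `Test-EventLogBudget`, the sample values and the default budget (taken from the 300MB figure quoted above) are assumptions.

```powershell
# Added example (not from the thread): audit classic event log sizing on a host.
# Assumptions: the 300 MB cumulative budget is the figure quoted in the thread
# for 32-bit systems; Test-EventLogBudget is a hypothetical helper name.
function Test-EventLogBudget {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Logs,
        [int] $BudgetMB = 300
    )

    # One row per log: configured maximum and what happens when it is reached.
    $rows = foreach ($log in $Logs) {
        $note = ''
        if ($log.Log -eq 'Security' -and "$($log.OverflowAction)" -ne 'OverwriteAsNeeded') {
            $note = 'Security log does not overwrite as needed; it can fill up'
        }
        New-Object PSObject -Property @{
            Log            = $log.Log
            MaxMB          = [math]::Round($log.MaximumKilobytes / 1024, 1)
            OverflowAction = "$($log.OverflowAction)"
            Note           = $note
        }
    }

    # Cumulative configured maximum across all logs, compared with the budget.
    $totalKB = ($Logs | Measure-Object -Property MaximumKilobytes -Sum).Sum
    $totalMB = [math]::Round($totalKB / 1024, 1)

    New-Object PSObject -Property @{
        TotalMaxMB = $totalMB
        BudgetMB   = $BudgetMB
        OverBudget = ($totalMB -gt $BudgetMB)
        Logs       = $rows
    }
}

# Constructed sample shaped like the objects Get-EventLog -List returns
# (Log, MaximumKilobytes, OverflowAction); the values are made up.
$sample = @(
    (New-Object PSObject -Property @{ Log = 'Application';       MaximumKilobytes = 65536;  OverflowAction = 'OverwriteAsNeeded' }),
    (New-Object PSObject -Property @{ Log = 'System';            MaximumKilobytes = 65536;  OverflowAction = 'OverwriteAsNeeded' }),
    (New-Object PSObject -Property @{ Log = 'Security';          MaximumKilobytes = 153600; OverflowAction = 'DoNotOverwrite' }),
    (New-Object PSObject -Property @{ Log = 'Directory Service'; MaximumKilobytes = 65536;  OverflowAction = 'OverwriteAsNeeded' })
)

$result = Test-EventLogBudget -Logs $sample
$result | Select-Object TotalMaxMB, BudgetMB, OverBudget
$result.Logs | Select-Object Log, MaxMB, OverflowAction, Note | Format-Table -AutoSize

# On a live host (Windows PowerShell, elevated so the Security log is listed):
#   Test-EventLogBudget -Logs (Get-EventLog -List)
```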
Re: GPO question
A very key item:

Ideally, all specifically monitored events will be sent to a server by using Microsoft Operations Manager (MOM) or some other automated monitoring tool. This is particularly important because an attacker who successfully compromises a server could clear the security log. If all events are sent to a monitoring server, you will be able to gather post-incident forensic information about the attacker’s activities.

I happen to use a syslogging setup, but something that collects logs centrally is incredibly useful.

Kurt
RE: GPO question
The only issue with syslog is that it can be unreliable. As you scale up, you may find things are missing from your central syslog store, unless you have a client on your servers that provides for guaranteed delivery of events.

Cheers
Ken
Re: GPO question
SysLogging is well advisable, as is any other eventlog capturing tool. Even something as simple as daily log dumps has been helpful for me to catch things where people were trying to cover their tracks.

-ASB: http://XeeSM.com/AndrewBaker
Re: GPO question
True - it uses UDP.

But, for my smallish environment of about 40 servers and about 200 users in this site, it's good enough - mostly because the price is right. Essentially free. I use the open source Intersect Alliance Snare and Epilog clients and purchased the Kiwisoft syslog server years ago for about US$100 - the latter is installed on a spare workstation, and that and running an ancient copy of Servers Alive are its only jobs in life - I'm working on implementing Nagios in FreeBSD in my copious free time at work, so I'll probably get that implemented about the time the sun expires...

Kurt
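The two points raised in this part of the thread, that a central store preserves evidence when a Security log is cleared and that syslog over UDP can silently drop events, can both be checked on the collector. The following is an added example, not code from the thread or from any of the tools named in it: it assumes each collected record carries the source computer, log name, event ID and Windows event record number, that the agent forwards every event unfiltered, and that record numbers rise monotonically in the window examined. `Find-CentralLogGap`, `New-SampleRecord` and the sample records are hypothetical.

```powershell
# Added example (not from the thread): completeness check on a central log store.
# Assumptions: records expose Computer, Log, RecordNumber and EventId; the agent
# forwards every event; record numbers rise monotonically in the window checked.
function Find-CentralLogGap {
    param([Parameter(Mandatory = $true)] [object[]] $Records)

    # 517 (Windows Server 2003/XP) and 1102 (Vista/2008 and later) are logged
    # when the Security log is cleared.
    $clearIds = 517, 1102
    $findings = @()

    foreach ($g in ($Records | Group-Object -Property Computer, Log)) {
        $sorted = @($g.Group | Sort-Object -Property RecordNumber)

        # A cleared Security log is worth a finding on its own.
        foreach ($r in $sorted) {
            if ($r.Log -eq 'Security' -and $clearIds -contains $r.EventId) {
                $findings += New-Object PSObject -Property @{
                    Computer = $r.Computer; Log = $r.Log; Type = 'LogCleared'
                    Detail   = "event $($r.EventId) at record $($r.RecordNumber)"
                }
            }
        }

        # A jump in record numbers means events never reached the collector.
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $prev = [long]$sorted[$i - 1].RecordNumber
            $curr = [long]$sorted[$i].RecordNumber
            if (($curr - $prev) -gt 1) {
                $findings += New-Object PSObject -Property @{
                    Computer = $sorted[$i].Computer; Log = $sorted[$i].Log; Type = 'MissingRecords'
                    Detail   = "$($curr - $prev - 1) record(s) missing between $prev and $curr"
                }
            }
        }
    }

    $findings
}

# Constructed sample records (host names, record numbers and event IDs are made up).
function New-SampleRecord($Computer, $Log, $RecordNumber, $EventId) {
    New-Object PSObject -Property @{
        Computer = $Computer; Log = $Log; RecordNumber = $RecordNumber; EventId = $EventId
    }
}

$sample = @(
    (New-SampleRecord 'SRV01' 'Security' 1001 528),
    (New-SampleRecord 'SRV01' 'Security' 1002 538),
    (New-SampleRecord 'SRV01' 'Security' 1003 540),
    (New-SampleRecord 'SRV01' 'Security' 1007 528),   # 1004-1006 never arrived
    (New-SampleRecord 'SRV01' 'System'   200  7036),
    (New-SampleRecord 'SRV01' 'System'   201  7036),
    (New-SampleRecord 'SRV02' 'Security' 5000 517),   # Security log cleared
    (New-SampleRecord 'SRV02' 'Security' 5001 528)
)

Find-CentralLogGap -Records $sample |
    Select-Object Computer, Log, Type, Detail |
    Format-Table -AutoSize
```

If the agent is configured to forward only selected events, gaps in record numbers are expected and the missing-record check does not apply.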
RE: GPO question
I was on a customer box the other day and the snare agent was using more CPU time than AD collecting the logs.

Thanks,
Brian Desmond
br...@briandesmond.com
c – 312.731.3132
Re: GPO question
Yup.

The nice thing is that I've been able to centralize my firewall and switch logs, my squid logs, my Windows servers' event logs, my postfix logs for my email gateway, my FreeBSD syslogs, IIS logs, etc., etc., etc.

I've been able to show HR people surfing porn, and illuminate other situations as well, like diagnosing that the mail servers at the other end were the issue, and not mine. I keep logs for a full year, then discard.

Perhaps the most satisfying one recently was just last week when I showed that someone *wasn't* surfing porn. HR asked me to investigate two three-month periods from the first of this year and last summer and I had the logs to show that he had hit the front page of three sites, but didn't proceed any further, and that it only happened last summer, not in the first of the year. He was warned about surfing questionable (and non-business-related) sites that led to the front pages of porn sites, especially on company time, but was not fired for doing actual porn surfing.

I consider that a save, and it pleases me no end. Many of us - including me from time to time - come across as BOFHs, but it's actually much cooler to show that someone is innocent.

Kurt
Re: GPO question
I've never had an issue with it. Was theirs current?
RE: GPO question
No idea - I think it just was struggling to keep up with what was probably hundreds and hundreds of events per second.

Thanks,
Brian Desmond
br...@briandesmond.com
c – 312.731.3132

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, June 04, 2010 2:23 PM
To: NT System Admin Issues
Subject: Re: GPO question

I've never had an issue with it. Was theirs current?

On Fri, Jun 4, 2010 at 11:59, Brian Desmond br...@briandesmond.com wrote:

I was on a customer box the other day and the snare agent was using more CPU time than AD collecting the logs.

Thanks,
Brian Desmond
br...@briandesmond.com
c – 312.731.3132

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, June 04, 2010 1:57 PM
To: NT System Admin Issues
Subject: Re: GPO question

True - it uses UDP. But, for my smallish environment of about 40 servers and about 200 users in this site, it's good enough - mostly because the price is right. Essentially free.

I use the open source Intersect Alliance Snare and Epilog clients and purchased the Kiwisoft syslog server years ago for about US$100 - the latter is installed on a spare workstation, and that and running an ancient copy of Servers Alive are its only jobs in life - I'm working on implementing Nagios in FreeBSD in my copious free time at work, so I'll probably get that implemented about the time the sun expires...

Kurt

On Fri, Jun 4, 2010 at 11:44, Ken Schaefer k...@adopenstatic.com wrote:

The only issue with syslog is that it can be unreliable. As you scale up, you may find things are missing from your central syslog store, unless you have a client on your servers that provides for guaranteed delivery of events.

Cheers
Ken

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Saturday, 5 June 2010 2:32 AM
To: NT System Admin Issues
Subject: Re: GPO question

A very key item:

Ideally, all specifically monitored events will be sent to a server by using Microsoft Operations Manager (MOM) or some other automated monitoring tool. This is particularly important because an attacker who successfully compromises a server could clear the security log. If all events are sent to a monitoring server, you will be able to gather post-incident forensic information about the attacker’s activities.

I happen to use a syslogging setup, but something that collects logs centrally is incredibly useful.

Kurt

On Fri, Jun 4, 2010 at 10:58, Andrew S. Baker asbz...@gmail.com wrote:

See: http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jun 4, 2010 at 12:47 PM, David Lum david@nwea.org wrote:

I usually run 128MB on the sec logs. What happens if cumulative is over 300MB on a DC?

Dave

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Friday, June 04, 2010 9:25 AM
To: NT System Admin Issues
Subject: RE: GPO question

I usually go with around 150MB. Keep in mind that on a 32bit box you want the cumulative size of all your event logs to be <=300MB. You should size your app and system logs accordingly as well. Also note that the policy will not shrink logs if you have them bigger than your new maximum.

Thanks,
Brian Desmond
br...@briandesmond.com
c – 312.731.3132

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Friday, June 04, 2010 10:35 AM
To: NT System Admin Issues
Subject: Re: GPO question

You're going to want to make it larger than 512K, btw. 8MB or 16MB will be more useful numbers.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jun 4, 2010 at 10:45 AM, Bill Lambert blamb...@concuity.com wrote:

All my domain PCs are displaying a message on the login window that the security log is full and only an administrator can correct this. I’m trying to find where the properties of the Event Viewer security logs are set in GP. I think another admin has set this up but I can’t find it. Can someone direct me to where these settings are? I want to set it to 512kb and overwrite as necessary.

Thanks in advance!

Bill Lambert
Windows System Administrator
Concuity
Phone 847-941-9206
Fax 847-465-9147
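Two points from the thread above, events going missing from a UDP-fed central store and a Security log being cleared on the source host, can both be checked on the collector. The following Python is an added example, not code from any poster or from Snare, EvtSys or Kiwi; it assumes the forwarder passes along each event's record number, and the tab-separated line layout and the sample events are constructed for illustration.

```python
"""Collector-side audit of forwarded Windows events (added example)."""
from collections import defaultdict

# Event IDs written to the Security log when it is cleared:
# 517 on Windows 2000/XP/2003, 1102 on Vista/2008 and later.
LOG_CLEARED_IDS = {517, 1102}

# Constructed sample of lines held by a central store. The layout
# (host, log, record number, event id, text) is an assumption made for
# this example; it is not the wire format of any particular agent.
SAMPLE_LINES = [
    "dc01\tSecurity\t1001\t4624\tAn account was successfully logged on",
    "dc01\tSecurity\t1002\t4634\tAn account was logged off",
    "dc01\tSecurity\t1005\t4624\tAn account was successfully logged on",
    "dc01\tSecurity\t1004\t4634\tAn account was logged off",  # arrived late
    "dc01\tSecurity\t1005\t4624\tAn account was successfully logged on",  # duplicate
    "dc01\tSecurity\t1009\t4634\tAn account was logged off",
    "fs02\tSecurity\t77\t528\tSuccessful Logon",
    "fs02\tSecurity\t78\t517\tThe audit log was cleared",
    "fs02\tSecurity\t79\t528\tSuccessful Logon",
    "truncated datagram with no fields",
]


def parse_line(line):
    """Return (host, log, record_no, event_id, text), or None if malformed."""
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        return None
    host, log, record_no, event_id, text = parts
    try:
        return host, log, int(record_no), int(event_id), text
    except ValueError:
        return None


def missing_ranges(numbers):
    """Collapse record numbers absent between min and max into ranges.

    Sorting a de-duplicated set makes the result independent of arrival
    order, since UDP may reorder or duplicate datagrams as well as drop them.
    """
    ordered = sorted(set(numbers))
    ranges = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > 1:
            ranges.append((prev + 1, cur - 1))
    return ranges


def lost_count(ranges):
    """Number of events covered by a list of (first, last) missing ranges."""
    return sum(last - first + 1 for first, last in ranges)


def audit(lines):
    """Report delivery gaps per (host, log), log-cleared events, bad lines."""
    seen = defaultdict(list)
    cleared = []
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        host, log, record_no, event_id, _text = rec
        seen[(host, log)].append(record_no)
        if log == "Security" and event_id in LOG_CLEARED_IDS:
            cleared.append((host, log, record_no))
    gaps = {}
    for source, numbers in seen.items():
        ranges = missing_ranges(numbers)
        if ranges:
            gaps[source] = ranges
    return {"gaps": gaps, "cleared": cleared, "malformed": malformed}


if __name__ == "__main__":
    report = audit(SAMPLE_LINES)
    for (host, log), ranges in sorted(report["gaps"].items()):
        print(f"{host}/{log}: {lost_count(ranges)} event(s) missing {ranges}")
    for host, log, record_no in report["cleared"]:
        print(f"{host}/{log}: log cleared at record {record_no}")
    print(f"malformed lines: {report['malformed']}")
```

A gap only becomes visible once a later record from the same log arrives, so events lost at the tail of a stream stay undetected until then.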
Re: GPO question
My servers certainly don't experience that kind of load. If the environment were that big, I'd hope that they'd have the hardware to handle it, and the money to get a commercial solution as well.

Kurt

On Fri, Jun 4, 2010 at 12:23, Brian Desmond br...@briandesmond.com wrote:

No idea - I think it just was struggling to keep up with what was probably hundreds and hundreds of events per second.
Re: GPO question
I've seen that before. In fact, that's why I went with the EvtSys agent instead.

http://code.google.com/p/eventlog-to-syslog/

Formerly: https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jun 4, 2010 at 3:23 PM, Brian Desmond br...@briandesmond.com wrote:

No idea - I think it just was struggling to keep up with what was probably hundreds and hundreds of events per second.
Re: GPO question
I'd forgotten about that one. I must evaluate it.

Kurt

On Fri, Jun 4, 2010 at 13:23, Andrew S. Baker asbz...@gmail.com wrote:

I've seen that before. In fact, that's why I went with the EvtSys agent instead.

http://code.google.com/p/eventlog-to-syslog/

Formerly: https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/
Re: GPO question
BTW - what syslog server do you use?

On Fri, Jun 4, 2010 at 13:23, Andrew S. Baker asbz...@gmail.com wrote:

I've seen that before. In fact, that's why I went with the EvtSys agent instead.

http://code.google.com/p/eventlog-to-syslog/

Formerly: https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/
Re: GPO question
Kiwi. Currently on version 8.2.8 of the licensed code.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jun 4, 2010 at 4:27 PM, Kurt Buff kurt.b...@gmail.com wrote:

BTW - what syslog server do you use?
Re: GPO question
OK - My install is 7.2, from 2005.

Also, what do you use to cast things like IIS and Exchange logs to syslog, or do you? I use the sibling of SNARE - Epilog.

Kurt

On Fri, Jun 4, 2010 at 13:30, Andrew S. Baker asbz...@gmail.com wrote:

Kiwi. Currently on version 8.2.8 of the licensed code.
Re: GPO question
I don't do anything with IIS logs in most places. I have sent them to SQL on occasion. I leave Exchange logs alone.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Jun 4, 2010 at 4:44 PM, Kurt Buff kurt.b...@gmail.com wrote:

OK - My install is 7.2, from 2005. Also, what do you use to cast things like IIS and Exchange logs to syslog, or do you? I use the sibling of SNARE - Epilog.

Kurt

On Fri, Jun 4, 2010 at 13:30, Andrew S. Baker asbz...@gmail.com wrote:

Kiwi. Currently on version 8.2.8 of the licensed code.

On Fri, Jun 4, 2010 at 4:27 PM, Kurt Buff kurt.b...@gmail.com wrote:

BTW - what syslog server do you use?

On Fri, Jun 4, 2010 at 13:23, Andrew S. Baker asbz...@gmail.com wrote:

I've seen that before. In fact, that's why I went with the EvtSys agent instead. http://code.google.com/p/eventlog-to-syslog/ Formerly: https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/

On Fri, Jun 4, 2010 at 3:23 PM, Brian Desmond br...@briandesmond.com wrote:

No idea - I think it just was struggling to keep up with what was probably hundreds and hundreds of events per second.

Thanks, Brian Desmond br...@briandesmond.com c – 312.731.3132

-Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Friday, June 04, 2010 2:23 PM To: NT System Admin Issues Subject: Re: GPO question

I've never had an issue with it. Was theirs current?

On Fri, Jun 4, 2010 at 11:59, Brian Desmond br...@briandesmond.com wrote:

I was on a customer box the other day and the snare agent was using more CPU time than AD collecting the logs.

-Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Friday, June 04, 2010 1:57 PM To: NT System Admin Issues Subject: Re: GPO question

True - it uses UDP. But, for my smallish environment of about 40 servers and about 200 users in this site, it's good enough - mostly because the price is right. Essentially free. I use the open source Intersect Alliance Snare and Epilog clients and purchased the Kiwisoft syslog server years ago for about US$100 - the latter is installed on a spare workstation, and that and running an ancient copy of Servers Alive are its only jobs in life - I'm working on implementing Nagios in FreeBSD in my copious free time at work, so I'll probably get that implemented about the time the sun expires...

Kurt

On Fri, Jun 4, 2010 at 11:44, Ken Schaefer k...@adopenstatic.com wrote:

The only issue with syslog is that it can be unreliable. As you scale up, you may find things are missing from your central syslog store, unless you have a client on your servers that provides for guaranteed delivery of events.

Cheers Ken

-Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Saturday, 5 June 2010 2:32 AM To: NT System Admin Issues Subject: Re: GPO question

A very key item: Ideally, all specifically monitored events will be sent to a server by using Microsoft Operations Manager (MOM) or some other automated monitoring tool. This is particularly important because an attacker who successfully compromises a server could clear the security log. If all events are sent to a monitoring server, you will be able to gather post-incident forensic information about the attacker’s activities.

I happen to use a syslogging setup, but something that collects logs centrally is incredibly useful.

Kurt

On Fri, Jun 4, 2010 at 10:58, Andrew S. Baker asbz...@gmail.com wrote:

See: http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx

On Fri, Jun 4, 2010 at 12:47 PM, David Lum david@nwea.org wrote:

I usually run 128MB on the sec logs. What happens if cumulative is over 300MB on a DC?

Dave

From: Brian Desmond [mailto:br...@briandesmond.com] Sent: Friday, June 04, 2010 9:25 AM To: NT System Admin Issues Subject: RE: GPO question

I usually go with around 150MB. Keep in mind that on a 32bit box you want the cumulative size of all your event logs to be <=300MB. You should size your app and system logs accordingly as well. Also note that the policy will not shrink logs if you have them bigger than your new maximum.

From: Andrew S. Baker [mailto:asbz...@gmail.com] Sent: Friday
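The sizing advice quoted in this message (a cumulative ceiling of 300MB on a 32-bit box, and policy not shrinking a log that is already larger than the new maximum) can be checked per server. The script below is an added example, not code from the thread; the function name and the use of the EventLog service registry key to find each log file are choices made for this illustration.

```powershell
# Added example, not code from the thread. Run elevated in Windows PowerShell
# (Get-EventLog is not available in PowerShell 7).
$BudgetMB = 300   # cumulative ceiling for a 32-bit box, as quoted in the thread
$RegRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function Get-EventLogSizing {
    foreach ($log in Get-EventLog -List) {
        # Each classic log has a registry key whose "File" value is the path of the log on disk.
        $key  = Get-ItemProperty -LiteralPath (Join-Path $RegRoot $log.Log) -ErrorAction SilentlyContinue
        $path = if ($key -and $key.File) { [Environment]::ExpandEnvironmentVariables($key.File) }
        $disk = if ($path -and (Test-Path -LiteralPath $path)) { (Get-Item -LiteralPath $path).Length } else { 0 }

        [pscustomobject]@{
            Log      = $log.Log
            MaxMB    = [math]::Round($log.MaximumKilobytes / 1KB, 1)
            OnDiskMB = [math]::Round($disk / 1MB, 1)
            Overflow = $log.OverflowAction
            # A file larger than the configured maximum is one that policy did not shrink.
            Oversize = ($disk -gt ($log.MaximumKilobytes * 1KB))
        }
    }
}

$sizing = @(Get-EventLogSizing)
$total  = [double]($sizing | Measure-Object -Property MaxMB -Sum).Sum

$sizing | Sort-Object MaxMB -Descending | Format-Table -AutoSize
'Configured maximum across {0} logs: {1:N1} MB (budget {2} MB)' -f $sizing.Count, $total, $BudgetMB

if ($total -gt $BudgetMB) {
    Write-Warning "Cumulative configured maximum exceeds $BudgetMB MB"
}
$sizing | Where-Object Oversize | ForEach-Object {
    Write-Warning "$($_.Log): file on disk is larger than its configured maximum"
}
```

The Overflow column is worth reading alongside the sizes: a log set to overwrite as needed loses its oldest events first, which is one more reason the thread recommends collecting events centrally.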
RE: GPO question
We use GPP for this and the icon displays correctly. You are just using GPP shortcuts?

From: Tom Miller [mailto:tmil...@hnncsb.org] Sent: Friday, 12 February 2010 7:24 AM To: NT System Admin Issues Subject: GPO question

I want to provide some users Office (Word, Excel) desktop icons via GPO Preferences. The icon works, but none of them are the application icon - they are generic shortcut icons. For my other apps I copy down *.ico files and point to them. But for office the bitmap is embedded within the exe. Suggestions?

Tom
RE: GPO question
Yes, file system object and I point to the local .exe for the app and the icon. Should I not?
Re: GPO question
All of our Office stuff gives the correct icon too. Have you tried anything like rebuilding the icon cache (Googling may help, I am rebuilding a PC here and it's well slow.)
Re: GPO question
I don't think it's that - this is the same on all PCs. Can you show me a snap of your GPP settings?
Re: GPO question
On Wed, Sep 23, 2009 at 8:41 AM, Tom Miller tmil...@hnncsb.org wrote:

I'm adding the MS Office 2008 adm files to my Terminal Server GPO to set some Office items. Regarding the *.adm files, I copied them to the server I created the GPO on, but do they need to be copied to every DC so each DC can read them?

No. The ADM files simply provide the interface which appears in the Administrative Template section of the GPEDIT GUI. Once you've got things set in the GPO, those settings can exist without a user interface. You won't be able to view/change them without the ADM template, of course.

You technically don't even need the ADM files on the DC. If you run GPEDIT on a client, you can load the ADM files into GPEDIT there.

-- Ben
RE: GPO question
Please unsubscribe?

Regards
Wayne Thomas
RE: GPO question
Sending the same message 3 times isn't enough. You have to increase the font size too.

-sc
Re: GPO question
And don't forget this list is on left-foot protocol. Hitting send while standing on your right foot may produce unexpected results.

-- Gregory Waleed Kavalec
RE: GPO question
Unsubscribe please?

Regards
Wayne Thomas
RE: GPO question
Not sure... Perhaps he is asking us all to unsubscribe? I mean, someone posts an ON topic request, and it threatens his world.

-- richard
Re: GPO question
Don't think he took the hint when I sent it to him direct - following his lead, I will repost as this will no doubt make it work :-)

http://www.faqs.org/faqs/mail/miss-mailers/
RE: GPO question
http://lyris.sunbelt-software.com/read/all_forums/
Re: GPO question
Thanks, now I know. If I wanted to be able to edit the GPOs across all DCs I guess it would be okay to copy to sysvol and allow to replicate and point to that folder (or the actual replicated GPO folder)?
RE: GPO question
Tom what version of the GPMC are you using?

Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132
RE: GPO question
No, you rarely if ever need to copy GPO components to sysvol. I would venture to say never in normal use cases. There are very specific KBs on how adm files are handled but it depends on what version you are running.
RE: GPO question
6.0.0.1 - Windows 2008 (not R2)
RE: GPO question
In pre-Vista operating systems, all the default Administrative Template files are added to the ADM folder of a Group Policy object (GPO) on the domain controller's SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the same domain. A policy file uses approximately 4 to 5 megabytes (MB) of hard disk space. Because each domain controller stores a distinct version of a policy, replication traffic is increased. This is referred to as SYSVOL bloat.

Windows Vista/Server 2008 uses a Central Store to store Administrative Template files. Since Windows Vista, the ADM folder is not created in a GPO as in earlier versions of Windows. Therefore, domain controllers do not store or replicate redundant copies of .adm(x/l) files. To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.

Apart from this replication optimisation (by not inserting ADM(X) files into a GPO), also know that all SYSVOL replication is done by DFSR (DFS-Replication) instead of FRS (File Replication Services). More about this in an upcoming blog post, so keep posted.

For more information on How to create the central store: Q929841 http://support.microsoft.com/kb/929841 and Managing Group Policy ADMX Files Step-by-Step Guide http://download.microsoft.com/download/3/b/a/3ba6d659-6e39-4cd7-b3a2-9c96482f5353/Managing%20Group%20Policy%20ADMX%20Files%20Step%20by%20Step%20Guide.doc

The above was blatantly plagiarized from Kurt Roggen's blog, he's an MVP in Management Infrastructure from Belgium. http://trycatch.be/blogs/roggenk/

From: Tom Miller [mailto:tmil...@hnncsb.org]
Sent: Wednesday, September 23, 2009 11:42 AM
To: NT System Admin Issues
Subject: RE: GPO question

6.0.0.1 - Windows 2008 (not R2)

Brian Desmond br...@briandesmond.com 9/23/2009 2:21 PM

Tom what version of the GPMC are you using?

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Tom Miller [mailto:tmil...@hnncsb.org]
Sent: Wednesday, September 23, 2009 1:16 PM
To: NT System Admin Issues
Subject: Re: GPO question

Thanks, now I know. If I wanted to be able to edit the GPOs across all DCs I guess it would be okay to copy to sysvol and allow to replicate and point to that folder (or the actual replicated GPO folder)?

Ben Scott mailvor...@gmail.com 9/23/2009 9:01 AM

On Wed, Sep 23, 2009 at 8:41 AM, Tom Miller tmil...@hnncsb.org wrote:

I'm adding the MS Office 2008 adm files to my Terminal Server GPO to set some Office items. Regarding the *.adm files, I copied them to the server I created the GPO on, but do they need to be copied to every DC so each DC can read them?

No. The ADM files simply provide the interface which appears in the Administrative Template section of the GPEDIT GUI. Once you've got things set in the GPO, those settings can exist without a user interface. You won't be able to view/change them without the ADM template, of course.

You technically don't even need the ADM files on the DC. If you run GPEDIT on a client, you can load the ADM files into GPEDIT there.

-- Ben
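An added example, not part of the thread: a read-only PowerShell audit of what the post above describes, listing the GPO folders in SYSVOL that still carry an ADM folder (the "SYSVOL bloat") and checking whether a Central Store exists. It assumes the standard SYSVOL layout (Policies\PolicyDefinitions and Policies\{GUID}\Adm) and takes the domain name from the environment; neither appears in the original messages.

```powershell
# Added example, not code from the thread: read-only SYSVOL audit.
# Assumptions: run on a domain-joined machine with read access to SYSVOL;
# the domain name comes from the environment unless passed explicitly.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

if (-not $Domain) { throw 'No domain name available; pass -Domain explicitly.' }

$policies     = "\\$Domain\SYSVOL\$Domain\Policies"
$centralStore = Join-Path $policies 'PolicyDefinitions'

# 1. Central Store: the Group Policy tools use the .admx files found here.
if (Test-Path -LiteralPath $centralStore) {
    $admx = @(Get-ChildItem -LiteralPath $centralStore -Filter *.admx -File)
    "Central Store present: $($admx.Count) .admx files in $centralStore"
} else {
    "No Central Store at $centralStore"
}

# 2. Per-GPO ADM folders: each one is a replicated copy of the templates.
$report = @(
    foreach ($gpo in Get-ChildItem -LiteralPath $policies -Directory) {
        # GPO folders are named after the GPO GUID, braces included.
        if ($gpo.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

        $adm = Join-Path $gpo.FullName 'Adm'
        if (-not (Test-Path -LiteralPath $adm)) { continue }

        $files = @(Get-ChildItem -LiteralPath $adm -Filter *.adm -File)
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum

        [pscustomobject]@{
            Gpo      = $gpo.Name
            AdmFiles = $files.Count
            SizeMB   = [math]::Round($bytes / 1MB, 2)
        }
    }
)

if ($report.Count -gt 0) {
    $report | Sort-Object SizeMB -Descending | Format-Table -AutoSize
    $total = ($report | Measure-Object -Property SizeMB -Sum).Sum
    "GPOs with an ADM folder: $($report.Count), total $total MB replicated per domain controller"
} else {
    'No GPO in SYSVOL contains an ADM folder.'
}
```

The script only reads; whether the ADM folders can be removed depends on which editor versions still touch those GPOs, as the reply below about downlevel GP Editors points out.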
RE: GPO question
Central store was exactly where I was going with that question. Just make sure that once you deploy the central store (and clean up all your ADM files) that you no longer use downlevel GP Editors.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
RE: GPO question
I figured that was the logical reason for your question so I thought I'd pinch-hit the answer, at least in generalities. :)

For Tom, I'd recommend http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx as a good entry point to grasp the specifics in his environment as there are now 3 different versions of AGPM each with its own specific considerations. As a bonus that link also leads to the new GPO reference spreadsheet updated for WS08 R2 WIN7. I've been meaning to mention here that it was out as prior versions have been rather popular.

Direct link to the Group Policy Settings References for Windows and Windows Server: http://www.microsoft.com/downloads/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en
RE: GPO question
Nope you said exactly what I was going to :)

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
RE: GPO question
Posts like this are why I find this list so valuable, thanks Bob!

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
Re: GPO question
Bob just about instantly gets a star on his posts from me. Because I know that when I am searching my Gmail archives, I'm going to want to hone in on his topic replies.

-- ME2
Re: GPO question
Thanks for the pointers

I have managed to get this working using a combo of dsquery, net user, and a good ol' fashioned scheduled task

Cheers,

2009/3/2 Carl Houseman c.house...@gmail.com

User account restrictions are not manipulated via GPO. You (or someone) could construct a script that runs periodically to scan an OU and make sure all accounts in the OU have a certain configuration of "log on to". So there is a way to do this, it just might not be the way you wanted...

Carl

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, March 02, 2009 5:53 AM
To: NT System Admin Issues
Subject: GPO question

Mornin' all

I don't think this is possible, but...is there a way to set a GPO so that users in a particular OU are restricted to logging on to a few servers? I am looking really for something to manipulate the user's "Log On To" settings in Active Directory rather than the "Allow log on locally" user right on the machine itself.

I don't think there is a way to do this, but does anyone have any ideas?

TIA,

JRR
RE: GPO question
User account restrictions are not manipulated via GPO. You (or someone) could construct a script that runs periodically to scan an OU and make sure all accounts in the OU have a certain configuration of "log on to". So there is a way to do this, it just might not be the way you wanted...

Carl

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, March 02, 2009 5:53 AM
To: NT System Admin Issues
Subject: GPO question

Mornin' all

I don't think this is possible, but...is there a way to set a GPO so that users in a particular OU are restricted to logging on to a few servers? I am looking really for something to manipulate the user's "Log On To" settings in Active Directory rather than the "Allow log on locally" user right on the machine itself.

I don't think there is a way to do this, but does anyone have any ideas?

TIA,

JRR
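An added example, not from the thread: the periodic scan Carl describes, written in PowerShell with the ActiveDirectory module rather than the dsquery and net user combination James mentions. The OU distinguished name and the server names are placeholders, and the script is meant to be run with -WhatIf first and then from a scheduled task.

```powershell
# Added example, not code from the thread. Keeps the "Log On To" list
# (AD attribute userWorkstations) identical for every user in one OU.
# Assumptions: RSAT ActiveDirectory module is installed; the OU DN and the
# server names below are placeholders to be replaced.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]  $SearchBase       = 'OU=Restricted Users,DC=example,DC=com',
    [string[]]$AllowedComputers = @('SERVER01', 'SERVER02')
)

Import-Module ActiveDirectory -ErrorAction Stop

# userWorkstations is a single comma-separated string. Normalise it to a
# sorted, upper-case, de-duplicated list so order and case are not drift.
function ConvertTo-ComputerList {
    param([string[]]$Names)
    @($Names |
        Where-Object   { $_ } |
        ForEach-Object { $_ -split ',' } |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object   { $_ } |
        Sort-Object -Unique)
}

$want = (ConvertTo-ComputerList $AllowedComputers) -join ','
if (-not $want) {
    # An empty list would lift the restriction instead of enforcing it.
    throw 'AllowedComputers is empty; refusing to clear the Log On To list.'
}

$users = Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree `
                    -Properties LogonWorkstations

foreach ($user in $users) {
    $have = (ConvertTo-ComputerList $user.LogonWorkstations) -join ','
    if ($have -eq $want) { continue }   # already compliant

    $applied = $false
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set Log On To = $want")) {
        Set-ADUser -Identity $user -LogonWorkstations $want
        $applied = $true
    }

    # One record per drifted account, suitable for redirecting to a log file.
    [pscustomobject]@{
        When    = Get-Date -Format s
        User    = $user.SamAccountName
        Before  = $have
        After   = $want
        Applied = $applied
    }
}
```

Accounts created in or moved into the OU between runs stay unrestricted until the next run, so the task interval is the exposure window.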
RE: GPO question...
You could link an existing GPO to another OU.

-----Original Message-----
From: Bob Chyka [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 12, 2001 11:10 AM
To: NT System Admin Issues
Subject: GPO question...

Hello all

just trying to get out of a state of disbelief and trying to break back into work state of mind. my prayers are with any of you who were affected in any way by what took place yesterday

on a less important note: is there any way to copy a group policy from one OU to another...(instead of going through the settings again). i know there is a pretty good third party tool out there, but is there any way of doing it with windows 2000 built-in functions?

thank you..

Bob Chyka