http://www.eventid.net/display.asp?eventid=4321&eventno=1822&source=NetBT&phase=1
"Simon Bembridge"
ooops, sorry replied to the wrong one
http://www.eventid.net/display.asp?eventid=4321&eventno=1822&source=NetBT&phase=1
Not sure if this will work or not. I seem to remember something like this
a long time ago.
It was a registry key:
HKLM\System\CurrentcontrolSet\Control\Terminal Server\fDenyTSConnections
and set it to 0
Hi William
Computer Configuration/Windows Settings/Security Settings/Local
Policies/Security Options/Interactive Logon:Number of previous logons to
cache, setting that to 0 will turn off cached credentials.
Hope that helps,
John
Hi Larry...
http://technet2.microsoft.com/WindowsServer/en/Library/a834e844-8eb2-4ee2-927c-9989b4f55dd71033.mspx?mfr=true
You can easily use the GPMC to delegate where they can link them, just
click the OU, and the delegate tab.
HTH,
John
nbtstat -A ipaddress
John
"Harding, Devon"
Hi Murtaza...
You can try computer configuration/administrative templates/windows
components/system/group policy/registry policy processing. Checking the
process even if group policy has not changed may help.
Could cause some performance issues though, unless you have those machines
separated.
Hi Christine,
In a GPO you can set "always install with elevated privileges" to MSI's
It is in both the user, and computer settings. You may want to set those.
John
"Christine Allen"
Hi James...
There are a couple articles warning against using Domain Local groups for
policies.
Can you try having them put in a global group in their own domain, and
adding that directly to the read and apply section of the policy?
http://support.microsoft.com/kb/309172/en-us has some info.
Jo
Yep...Absolutely right you don't have to browse, and you can't choose from
there. Sorry for the confusion.
What I have seen people do by mistake though, is to add Domain Users to the
Domain group "Remote Desktop Users" instead of the local group, by not
paying attention.
It's a powerful piece of
Hi Jef...
I'm sure it works with 2003 also, was really a bug in XP that they had to
fix, that the additive part just plain didn't work.
I believe, but can't promise that 2000 SP4 works too.
John
"Jef Kaz
Hi Peter...
If the clients are SP2, you can use the bottom box, to use it additively.
They finally fixed it.
You use the bottom box, kinda backwards relative to the top...So, you would
say for the group Domain Users, then that it is always a member of the
local power users group. You can even ju
Hi Christine..
You can use the restricted groups function to add say domain users to the
power users group on the local machine. It's a little tricky as one
function of it will replace any other members of the power users group,
should there be any. As of XPSP2 though, you can do it additive, i
Hi Adeel, this setting:
-Enabled "Always wait for the network at computer startup and logon" in the
GPO
Will slow down an XP box pretty good, they usually login cached and let
things catch up with them.
HTH,
John
Hi Adam,
Not sure if anyone has mentioned it or not. You'll see this often if
someone has an RDP session open somewhere and changed his password
elsewhere. Or if he was logged into another computer in another way when
he changed it. Lots of times users "disconnect" instead of logging out.
HTH,
There's a ton in Google about this:
http://groups.google.com/groups?q=The+system+administrator+has+set+policies+to+prevent+this+installation&start=0&hl=en&lr=lang_en&;
No one seems to know how, but it looks like the local policy, or registry.
John
Hi Noah..
I believe the 500 k is for group policy processing. Some parts of policies
will not process if the client thinks it's a slow link. Although, this is
not the most reliable thing in the world.
There's a separate setting for offline files: Under Computer
Configuration/Administrative T
Hi Bill...
Unless I'm misunderstanding you, you shouldn't need to write a query at
all, just give the group read and apply to the policy, and remove
authenticated users. If you're trying to write a WMI filter for this
purpose, I haven't had any luck at all trying to get that to work in this
way.
Policy setting even better, thought about it after I hit send.
John
Please make it easy to turn off drag and drop? Advanced option perhaps?
Thanks,
John
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Sorry, I did forget one thing though. We have had situations where a
loginscript policy was misplaced, and in the scope of the loopback, it will
cause the "specified device is already in use" error. Which does
suspiciously sound like the login script ran twice, and does not dismount
first. I kno
Absolutely I'd love to know the answer also. I've seen this behavior for
years, and just figured it was the nature of loopbacks, and having other
policies in their scope.
The case in point as I said before, is that if your users are in a
different OU structure (scope) and you put say the login sc
Not to doubt your expertise Darren, but we use a workstation loopback here
for the screen saver. Not my idea, but in our situation, it is easier to
figure out machines that need to be exempt, rather than users. They could
run a certain test for weeks on one pc, but on their administrative pc, the
Hi Steve...
That's about the only way to apply user settings to computers, using the
loopback.
Not sure of your OU structure, if you had your users separated, you could
apply the actual user policies (loginscripts etc.) at the "user OU" level.
As long as that was a different "scope" it would el
Hi Steve,...
Looks like you have a "loopback" policy.
That would be under computer configuration/administrative
templates/system/Group Policy/"User Group Policy loopback processing mode"
Hope this helps,
John
There are some things like this one that you don't see in the GUI when you
enable them.
It applies to XP and 2003, not 2000. The explanation text in the policy
specifies that.
John
"Rimmerman, Russ"
Hi Russ...We don't use dynamic update here, but you can see that it can be
set to enabled.
HTH,
John
Administrative Templates
Network/DNS Client
Not sure if you ever got this going?
If not, do you have either of these policy settings set?
computer configuration/windows settings/security settings/local
policies/user rights assignment/deny access to this computer from the
network
or access this computer from the network?
For sure, the den
Hi Bagus..
In the GPO, Computer Configuration, Windows Settings, Security Settings,
File System, you can browse to the directory there, and assign rights.
Probably to *.*, I don't remember what it needs to write to. You may even
have to give full control to Domain Users. Not sure. But you can d
Hello Bagus..
I believe Lotus Notes requires the user to have Modify rights to the
Notes\Data directory. You can assign this with a GPO, if you wish.
The sharing, I'm wondering if you have simple file sharing turned on? It's
in explorer, tools, folder options, view, uncheck the box that says "u
Well, using offline files on desktops is really not worth the hassles..On
laptops it's more than handy, on desktops, no real value we've found. So,
you could just have a policy that does turn it off for desktops, if the
machines they log into are desktops.
But
http://support.microsoft.com/de
Hi Jeff...
Might I suggest putting the sites you wish to be in the trusted sites on
your Internet Options on your administrative machine, then open the policy,
and tell it to import. It works fine here doing it that way.
John
I would probably try user configuration/administrative
templates/system/code signing for device drivers:
Determines how the system responds when a user tries to install device
driver files that are not digitally signed.
This setting establishes the least secure response permitted on the syste
Hi Noah..
I have not tested with SP2, but the hotfix is part of SP2. I did test it
on SP1 with the patch. The patch did not create the keys either. You need
to do it manually.
All of what they said I did find to work correctly with the addition of the
reg keys. It still isn't close to being pe
It sounds like a restricted groups policy being attempted wrong. But,
from what I've seen, it won't even let you try that.
John
Sudhir Kaushal
Well, that's why I said it's not easy...You have to create the keys...
If you have SP2, adding the keys should work. I never tested it with SP2,
but did try it with the patch, pre-SP2.
Of course they want everyone to install SP2, and someday soon, will not
support anything less.
John
You can work around it, not really an easy fix though.
http://support.microsoft.com/default.aspx?scid=kb;en-us;811660
"steve patrick"
User Configuration/Administrative Templates/Windows Explorer/Remove windows
explorer default context menu
Za Vue
Hi Jake... Not sure if these have been mentioned or not?
The one we see the most is when someone disconnects from an RDP session,
rather than logs out, then changes their password.
Next to that, persistent mapped drives, then scheduled tasks with the old
password.
John
Hi Matt...
Stating the obvious, are the machines in the OU the policy is applied to?
I use that setting here very successfully, allowing training accounts to
only login to certain machines, but forbid them from all others.
And if the machines are in the correct OU, gpupdate /force and a reboot
m
Oops... Yes, that is a GPO
John
"Cothern Jeff D.
Team EITC"
In the Security Zones under Internet Explorer Maintenance under User
Configuration.
You can set the settings on your IE settings, and Import them. It will
import All of your settings though. So, be sure of what you set there.
John
Hi Jeff...
Up in the Computer Configuration\Windows Settings\Security settings\ Local
Policies\User Rights Assignments
There is both a "Deny access to this computer from the network" and an
allow. You may want to look there.
John
Hi Fred...
Try User Configuration/Administrative Templates/Windows
Components/Internet Explorer/Toolbars/Configure toolbar buttons.
You can choose what you wish to show there...I believe
John
"Freddie
Hey Jeff
If i understand you right, I think I'd do a variation of #2...
A separate software restriction policy user based... Then a global group
that has deny apply set on the delegation. That way you only manage the
group.
Remember too, these only apply to XP+, and you have to restart expl
Hi Russ...
Enforced overrides Block Inheritance
Enforced means run always and last really. You shouldn't even need the
block. Should run last by default without the enforced.
John
"Rimmerman, Russ
Hi...
I'm pretty sure you have to assign the SP to a machine, rather than a
user.
John
Tabs The Cat
If I remember right.
There's a local group, network configuration operators that should do the
trick.
John
Jason Benway
Hey Justin..
I use merge when they get user settings from other policies, like login
scripts, normal user settings...etc.
If you want them to get these settings only when on a terminal server, you
can use replace. Then these will be the only settings they get.
John
If you mean the user settings, you'll need to use a loopback policy.
John
"Salandra, Justin
A."
Hi John..
I've seen some very odd behavior sometimes as you describe, where even as
DA, and being in the local group, I've had to do a runas, and specify the
local user, Administrator, to install something.
Also, if it's an MSI, you can set it to always run at elevated privileges
with policy, whic
Hi James...
A policy shouldn't affect a subnet only, unless it's a "site" policy.
Unless I'm misunderstanding you?
Sounds more like private addressing actually. 169.245 ip range? At least
to me.
That would keep clients only accessing others on their perceived subnet.
John
Hey George..
Does the remote site have offline files turned on?
John
"George Arezina"
http://support.microsoft.com/default.aspx?scid=kb;en-us;269075
Looks like the ced means nothing really...
John
"Kern, Tom"
Hey Russ...
Loopbacks have two modes, merge and replace...They basically make computers
take user settings.
So, the short answer is yes, you can reverse the setting on the OU, set the
timeout to disabled...If you want them to get other user settings you have
defined, then merge may be what you're
I just have to ask...
Are you using folder redirection on these accounts?
Can the home drive be wrong... like in oshkosh, and the user is in
timbuktu?
Any hints in event viewer?
John
"Salandra, Justin
Absolutely...
I personally just find OU's easier to manage than groups.
Must be the graphical representation..
John
"Beelders, Ivor"
Hi Jeff
Probably the easiest way to do this, at least in my world, is with separate
OU's and loopbacks.
We faced a similar problem with laptops. We couldn't tell who a laptop
"user" was, as they could log into a desktop anytime, but we wanted to
apply settings to laptop users. So we have an
Hi Tom...
The article says you have to "enable" these settings:
Important: To view the group policy settings that are described in this
article in the Group Policy editor, first complete the following steps,
a
Hey Tom...
In W2k3, you can set the rights...
http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
On 2000, and 2003 there is a policy setting in the local user rights
assignments "manage auditing and security log" Which can be set to a
global group. However, you have to be careful w
Hi Mark...
I've found that just by using the "older" policy setting... Prohibit use
of Internet Connection Firewall on your DNS domain network. That you get
pretty much the behavior you're looking for.
You can prove this by just pulling out the patch, the firewall will come
on...Reconnect the
One more thing, explorer needs to be restarted, logout and in, or reboot,
for it to take effect.
John
"Abbiss, Mark"
Hi Mark..
This is a policy setting that you can set at the computer level
I haven't had to do this for SP2, but I'm sure it calls an MSI, If you put
a hash on that MSI, the machine shouldn't be able to run it. It's up in
the security settings, and you have to create rules and disallow that
s
Hi Mark...
You can just put a software restriction hash GPO on it, and disallow it
until you want it.
Then you can just remove it, when you wish.
John
Hi Joe..
If I remember correctly, you need to enable active desktop, and the active
desktop wallpaper...But, put a bogus path to bogus file in there.
I think it comes up with the default blue that way, but not sure if you can
specify a different color.
John
Hi Michel...
Is MSN supposed to be MSN messenger? I don't think the policies are for
that, but for Windows Messenger... Or maybe I'm just not reading this
right.
Not that it would make applying them any differently, but you might be able
to just eliminate that policy, if that's the case.
John
Sorry if I missed it, didn't see a reply to this?
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q293655
John
"Cothern Jeff D.
Team EITC
Hi Mark...
I believe it's running at system level on startup, and i believe system has
no network rights.
John
"Mark Abbiss"
Thanks, we'll give it a try.
John
"Coleman, Hunter"
Hey all... Hope someone has the answer to this.
We consistently have problems with some admin dragging and dropping an OU
by mistake inside another, wreaking havoc with AD. Not to mention the
errors etc.
Politically, we have way too many admins, too much rights...etc. Slowly
approaching that on
Hey Noah..
That's a couple of the issues with offline files.
http://support.microsoft.com/?kbid=811660
John
"Noah Eiger"
Hi Rosen.
It'll probably work if you use an XP machine for the administrative policy
editing machine. Install GPMC on it, and edit the policy from there. Be
aware though, some of those settings work differently at the domain level,
than at an OU level. They decide they are the "boss" and if you
Well, it depends...
If you wish all your terminal servers to get the same policy, just put them
all in one OU...
Apply the policy there, and you're set.
If you have multiple different policies to apply, you may need more OU's.
Policies have a "scope" ...It's kind of like it has to be over the o
No, you can have layers of user policies, and OU's, and change settings
"later", filter by groups etc.
The problem with this approach is, once you set a setting, there's no way
to get them back to not configured. If you enable something, later on you
have to disable it. This is not desirable in
Loopbacks can be set on either merge or replace.
replace is probably what you need.
John
"Rosales, Mario"
On terminal servers, loopbacks work well.
Makes the user settings apply to the computer.
John
"Rosales, Mario"
Hey Justin,
There's a script you need to run.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_zscr.asp
John
Maybe you need to add builtin\backup operators to this one:
Allow log on through Terminal Services: BUILTIN\administrators
John
"Douglas M. Long"
Don't they have to be in the remote desktop users group on the DC?
John
"Douglas M. Long"
Hey Mark...
You can try /computer configuration/administrative templates/system/group
policy/scripts policy processing
You can set to always process over slow connections, and even if the GPO
hasn't changed.
HTH
John
Yes, unless it's enforced
"Rosales, Mario"
cd /d drive:
cd /d c:\
have fun,
John
Jacob Stabl
Hey Michael...
Best thing to do is install the GPMC for free, and it's also a very good
tool..
You can save reports as html's and print them... even export to excel after
that, if you need to.
hth,
John
Well...you can... It just has to be at a higher OU level, over both the
user, and computer objects.
John
"Jared Manhat"
Hey Jeff...If you can get them to use cached credentials on the laptops,
you can do a loopback policy. They'll cache it locally and get the
settings even when off the wire.
Not sure this fits your needs... And it does make for some complaints,
travellers doing presentations etc.
John
Hey Rick..
I'm not positive on this...but, i think this key controls that...
and you could write an adm file to do it.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:0001
Have fun,
John
Hey Rick...
You can turn off the server service, even with a GPO, but then no one gets
there, not even admins...as far as i know.
It's a bit awkward...but, in computer configuration/windows
settings/security settings/local policies/user rights assignments/deny
access to this computer from th
Hey Daniel
I may be missing something here, but i don't think i've ever seen them work
correctly from a drive letter?
Even if i share something out from my local machine, for testing (like
SP2), i always end up doing \\computer\drive$\share\file
Might be something you want to try.
Have
Hey Debbie,
take a look here
http://support.microsoft.com/default.aspx?scid=kb;en-us;281923
"Ellis, Debbie"
Hey Edwin...
You can write the policy to only allow specified snap-ins
You can then write an adm file for the enterprise manager (you'll need the
guid for that)
Then you can explicitly allow it.
John
"Lou Vega"
Hey Edwin...
If you don't roam it, it will still use the local one, not go away. From
the way i understand it.
This is from the GPO...
Lets you add to the list of folders excluded from the user's roaming
profile.
This setting lets you exclude folders that are normally included in the
us
Hey Edwin...
Without looking at it, and i can't really test here...I have to assume it's
the path somehow. Would be odd for them to lose the file association, but
not impossible...heheheheh
Perhaps it's looking to the server for the program, which doesn't exist
there?
John
Hey Edwin... We haven't been using roaming profiles here, but what i can
tell you is that the quick launch is in the Application Data directory. We
experimented with redirecting it here so the quicklaunch would "follow"
users around, but ran into many problems with it. Lots of slowness in
offi
You could probably put it into a gpo, might be a lot of work maintaining...
Probably a login script, using vbs or something...You can set them to run
silently in the GPO.
I was looking at the reg.exe command, doesn't seem to be a silent switch on
import.
I'm sure one of the scripters would h
There was an interesting article the other day :
http://searchwin2000.techtarget.com/tip/0,289483,sid1_gci969259,00.html?track=NL-120&ad=484520
Because of licensing issues we try to not let our users download adaware
etc
John
Hey Daniel
I'd just look at the dups... see if they are members of each other...or of
another group that makes them members of each other...
It can get pretty complicated
Have fun,
John
"Rodriguez, Daniel
Hi Daniel..
I'm wondering if you have some groups "double-nested" one is a member of
the other, and the reverse also?
We use group nesting a lot here, running a gpresult enumerates all groups,
but i had no duplicates.
John
Hi David...
I've seen behavior like this myself. I've defined a software restriction
policy at the domain level, for when we get a worm in house and i can get
my hands on code. This is processed before the default domain policy, and
we also have a modified domain policy at that level.
At th
You might try under computer configuration/administrative
templates/system/group policy "registry policy processing" "process even
if group policy objects have not changed"
Although you'll need to apply this at the computer object
John