Search Amazon.com:
Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«31 »
  • Post
  • Reply
BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



Sock on a Fish posted:

What should I do if my predecessor checked off the 'Grant user exclusive rights to My Documents' on a Folder Redirection policy and I now want to give all domain admins full permissions on those folders but I can't even read the permissions?

Disable the option and give it a few days to make sure it propagates. Then have your domain admin (or whatever equivalent you may have) security group take ownership for the whole directory tree that the the redirect is to and add in the security permissions that your admins need to work with the directories.

And obviously do this with a test account and policy first unless you are crazy and change the ownership off peak hours because it will take a while.

Adbot
ADBOT LOVES YOU

Sock on a Fish
Jul 17, 2004

What if that thing I said?

Thanks, again.

Are there any pitfalls to watch out for if someone tries to perform administrative tasks with 2003 tools on a domain that you've upgraded to 2008 functional level?

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



Sock on a Fish posted:

Thanks, again.

Are there any pitfalls to watch out for if someone tries to perform administrative tasks with 2003 tools on a domain that you've upgraded to 2008 functional level?

None that I know of, and that would me a massive oversight by Microsoft. It should just be that the newer features aren't available but it is worth googling to see if anyone is throwing a fit about adminpak compatibility with Server 2008.

Trekker
Apr 26, 2005
Move along.

Great thread - I've recently just started seriously tinkering with our SBS 2003 server at work and you've certainly helped out in regards to Group Policy and what not.

You've also helped in a completely unexpected way. I tried to install the BBC iPlayer recently (A UK-based on-demand tv shows over the internet type thing) and it refused to install claiming I don't have IE6. I clearly do, and had no idea how to fix it (as you can't simply un/reinstall like most other programs). The installer is an .exe, but as it just unpacks an .msi package I used that appEditor program to remove the check. Now it's installed and working fine. Thanks!

overseerbrian
Jun 25, 2005


BangersInMyKnickers posted:

They are optional updates and not bundled with SP3 or SP1, but with Vista it was flagged as an Important update instead of Optional so most systems should have it already (not sure about 2008 but I assume it would be classified as Important there as well). Look for KB943729 in XP, XP-64, Server 2003, and Server 2003-64 flavors depending on what you are running.

When I try to to use wsus to install KB943729 for Vista, I keep getting "The selected update has expired and cannot be approved for installation." Does anyone have any suggestions?

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



overseerbrian posted:

When I try to to use wsus to install KB943729 for Vista, I keep getting "The selected update has expired and cannot be approved for installation." Does anyone have any suggestions?

From what I am reading, the functionality is all provided through RSAT's group policy management applet and KB943729 was for Vista workstations that were using adminpak.msi before RSAT was released, which is why the update is now expired.

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



Alright, Microsofy has re-released the client side extensions for Vista as of Tuesday and I honestly do not know what the gently caress they are doing any more. Hopefully updated XP ones for SP3 come soon as well.

kik2dagroin
Mar 23, 2007

I'm going to inflate him to thirty five pounds!


I'm not exactly sure whats going on here, but this just happened to me yesterday.

I'm currently using GPOs to push out some software to machines. I went ahead and setup an application share where I can store/organize all the .msi and .mst files. Everything was working great until the other day when I added a new application for someone who needed a different version of Java. Now ALL of my GPO software installs give me the same error:

Policy Event Viewer posted:

Error Event ID: 102
The install of application Adobe Reader 9 from policy SFT: Adobe Reader failed. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.

My Google-fu only turned up the blatantly obvious answers: "Check to make sure people have read access to the share". Right now, Everyone has read access, Domain Computers have read access to the share. I can access the share via drive mapping, and can execute the msi file via the command prompt (e.g. msiexec /i \\<blah>\share\Adobe\acroread.msi), so I don't really see how this can be a permission issue.

Anyone have this problem before? I'm incredibly confused here

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



Did you verify that read permissions exist for domain computers on the share and within the NTFS file structure itself? DNS or security permission problems are the more likely culprits for what you are describing. Are you supplying alternative credentials when you try to access the share with a drive mapping? Does anything change if you are navigating by direct UNC path? Are you using DFS?

kik2dagroin
Mar 23, 2007

I'm going to inflate him to thirty five pounds!


BangersInMyKnickers posted:

Did you verify that read permissions exist for domain computers on the share and within the NTFS file structure itself? DNS or security permission problems are the more likely culprits for what you are describing. Are you supplying alternative credentials when you try to access the share with a drive mapping? Does anything change if you are navigating by direct UNC path? Are you using DFS?

The NTFS file structure for all folders within the share does list Domain Computers, and Everyone as having read + read & execute permissions.

No alternative credentials are supplied when I try to map the drive, just the current user context. The context I've been logging in as to verify the mappings is a simple domain user.

Direct navigation via the UNC path also works fine within this user context as well. I can access the share and launch the msi installers directly this way without any errors.

We're not using DFS at present, but we're planning on doing this probably at the end of the current semester.

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



Is there existing copies of Acrobat 8 already deployed? It could be trying to uninstall 8 and can't find the source package for that.

kik2dagroin
Mar 23, 2007

I'm going to inflate him to thirty five pounds!


I do have a copy of Adobe Pro 9 installed on my test box, but that was just an example. Completely unrelated GPO software installs are failing. For example, I have one that pushes out MySQL connector + some ODBC settings that fails with the same error. My JRE Software install exhibits the same behavior, unfortunately

Since I just started to do this stuff in AD, I'm not upgrading any previous packages at all. A fresh machine has little software installed except for Windows and Novell's Netware Client. I was planning to distribute common applications like Adobe and Java via AD so I could save myself a lot of trouble. For other programs we're using Microsoft's App Virt stuff so I only have to putz around with 1 single instance of an install/configuration.

The old dudes in the department didn't use this stuff at all (despite having the domain and everything setup for them already), and literally had a share setup so people could access it and install the stuff themselves, or someone would have to come down and manually install it on each machine. Screw that noise! As others were saying before, AD's Group Policy really is a god-send from an administrative standpoint.

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



You're not doing something weird like having workstations on a wireless network so there is no established network connection until a user logs in, are you? That could cause the symptoms you are describing where the machine receives the policy but the next time it reboots and the machine policy executes there is no established network connection at that point.

e: As an after thought, if you want to try debugging this go in to a system that is having problems finding the package on the network and make a batch script similar to this:

code:
ping fileserver >> c:\gpdebug.txt

dir \\fileserver\packageshare\packagedir\ >> gpdebug.txt

exit /b
and attach that script on to the machine's local machine startup scripts in gpedit.msc. That should give you a rough idea of what the hell is going on and what the computer can see when you first boot it up.

BangersInMyKnickers fucked around with this message at Sep 26, 2008 around 18:29

Mierdaan
Sep 14, 2004



BangersInMyKnickers posted:

You're not doing something weird like having workstations on a wireless network so there is no established network connection until a user logs in, are you? That could cause the symptoms you are describing where the machine receives the policy but the next time it reboots and the machine policy executes there is no established network connection at that point.

Isn't this what having the computer authenticate with machine credentials when there's no user logged on is supposed to get around?

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



Mierdaan posted:

Isn't this what having the computer authenticate with machine credentials when there's no user logged on is supposed to get around?

Yes, but I have seen shops that don't do this and people log in to local accounts or with cached credentials so they don't realize there is something wrong.

Mierdaan
Sep 14, 2004



BangersInMyKnickers posted:

Yes, but I have seen shops that don't do this and people log in to local accounts or with cached credentials so they don't realize there is something wrong.

Ahh. Click the checkbox, people!

kik2dagroin
Mar 23, 2007

I'm going to inflate him to thirty five pounds!


BangersInMyKnickers posted:

You're not doing something weird like having workstations on a wireless network so there is no established network connection until a user logs in, are you? That could cause the symptoms you are describing where the machine receives the policy but the next time it reboots and the machine policy executes there is no established network connection at that point.

e: As an after thought, if you want to try debugging this go in to a system that is having problems finding the package on the network and make a batch script similar to this:

code:
ping fileserver >> c:\gpdebug.txt

dir \\fileserver\packageshare\packagedir\ >> gpdebug.txt

exit /b
and attach that script on to the machine's local machine startup scripts in gpedit.msc. That should give you a rough idea of what the hell is going on and what the computer can see when you first boot it up.

Haha, no no, none of that zaniness. All the workstations I manage are connected to a wired-network. Any staff that use laptops have to support it themselves, which is fine with me.

I went ahead and chucked in a debug startup script like you suggested. I was able to ping the file server without incident, and the directory for the file share displayed properly, so I'm seeing the file server and the appshare on startup. For shits and giggles, I ran cacls on it as well to make sure that permissions were set correctly, and it looks like I can absotively posilutely say that I'm stumped beyond all words. I'm wondering if it could have something to do with our network. Its been acting flaky lately, and they've been really dragging their asses around trying to fix it, which really sucks for me because an issue like that is totally out of my hands.

My only real alternative is to use config manager 2007, but that always has that slight delay when installing software since it has to be discovered by the SMS server before it can push any software out. I'd much rather have all this crap installed before the user can login for the first time.

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



Frankly you have me stumped here. Group policy itself isn't too complex; it polls the domain sysvol share for updated policy and saves it locally and then executes msiexec for you to whatever .msi package you saved on the share. You're obviously getting the policy, you have network connectivity, and the permissions are good. The only thing left I can think of is that the actual paths to the packages in the policy are bad, as you should get a more descriptive error if it actually found the package and couldn't execute it. You're absolutely sure you navigated to the package via a UNC path instead of a drive mapping you might have had when you were adding them to the policy?

kik2dagroin
Mar 23, 2007

I'm going to inflate him to thirty five pounds!


I've tried doing it both ways. One of our servers is running server 2008, which if you browse to the package on a share, it will automagically resolve the UNC path. Looking through the policy there shows that the UNC path is correct.

I also tried scrapping the GPO itself, and re-creating it on the actual server where the packages are, which is running 2003 R2. Manually inputting the UNC path into the GPO worked, but again I got the same error as before when it came down to distribution.

Thanks for all the feedback though, its comforting to know I can utilize my SA membership for more than GBS and the obamarama megathreads

kik2dagroin
Mar 23, 2007

I'm going to inflate him to thirty five pounds!


I just figured out what was going wrong with my gpo software installs. I wasn't using the fully resolved DNS name for the server. My laziness finally came back to bite me in the rear end! Anyway, changing the old GPO's to the full DNS name for the server worked like a charm.

Live and learn I guess

Ixian
Oct 9, 2001

Ex-Sweathog.

Being new to this I'm having trouble figuring out how to separate computers in to separate groups and apply different GPO's to each - which I assume is a pretty basic function.

I have a single top level domain in a small office (40 workstations, 30 servers, 4 or 5 printers). OS's are a mix of 2003 Server, XP SP3, and Vista business with two new 2008 servers we are testing. The two AD controllers are 2k3R2.

I want to be able to set it up so that, for example, all the workstations have one firewall policy enforced, and servers another.

I'd also like to be abbe to apply policies based on group membership. The problem I have is I think the default AD structure is laid out too simple. I have an OU called Accounts, then all users under that, and then security groups breaking out the users depending on department. For machines I have the default computer OU and have made two security groups, Workstations and Servers, for each type. Using Vista and the tools suggested here I cannot for the life of me figure out how to create GPO's that only apply to those security groups. Any GPO I create, such as the one I did for my WSUS server, is domain-wide.

I suspect I'm doing something fundamentally wrong so if anyone has any pointers they'd be much appreciated.

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread


So, I'm trying to fix years of haphazard software installation here and I've done quite a bit so far having to manually fix stuff before applying GPO-based software policies. It's a 2003 native AD domain with just less than 70 workstations and a handful of servers. I've tested this on a number of spare machines here and it seems to work fine but I'm curious about any performance hit of having this script run on each bootup. I'll probably run this for a while and then when I'm sure everyone is updated I'll remove the script from the GPO. I'm just wondering if this is the standard method or whether I'm going about this the wrong way.


code:
REM *****  This script is attached to the Java 6Update10 software installation Group Policy Object.
REM *****  Its purpose is to remove any previous versions of Java


REM *****  Removing Java 2 Runtime Environment, SE v1.4.2_04
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142040}"
IF ERRORLEVEL 0 msiexec /uninstall {7148F0A8-6813-11D6-A77B-00B0D0142040} /quiet /lv c:\java_uninstall.txt

REM *****  Removing Java 2 Runtime Environment, SE v1.4.2_06
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142060}"
IF ERRORLEVEL 0 msiexec /uninstall {7148F0A8-6813-11D6-A77B-00B0D0142060} /quiet /lv c:\java_uninstall.txt

REM *****  Removing J2SE Runtime Environment 5.0 Update 4
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150040}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0150040} /quiet /lv c:\java_uninstall.txt

REM *****  Removing J2SE Runtime Environment 5.0 Update 6
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150060}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0150060} /quiet /lv c:\java_uninstall.txt

REM *****  Removing J2SE Runtime Environment 5.0 Update 9
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150090}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0150090} /quiet /lv c:\java_uninstall.txt

REM *****  Removing J2SE Runtime Environment 5.0 Update 10
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150100}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0150100} /quiet /lv c:\java_uninstall.txt

REM *****  Removing J2SE Runtime Environment 5.0 Update 11
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150110}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0150110} /quiet /lv c:\java_uninstall.txt

REM *****  Removing Java(TM) SE Runtime Environment 6 Update 1
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160010}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0160010} /quiet /lv c:\java_uninstall.txt

REM *****  Removing Java(TM) 6 Update 2
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160020}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0160020} /quiet /lv c:\java_uninstall.txt

REM *****  Removing Java(TM) 6 Update 3
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160030}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0160030} /quiet /lv c:\java_uninstall.txt

REM *****  Removing Java(TM) 6 Update 4
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160040}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0160040} /quiet /lv c:\java_uninstall.txt

REM *****  Removing Java(TM) 6 Update 5
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160050}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0160050} /quiet /lv c:\java_uninstall.txt

REM *****  Removing Java(TM) 6 Update 6
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160060}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0160060} /quiet /lv c:\java_uninstall.txt

REM *****  Removing Java(TM) 6 Update 7
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160070}"
IF ERRORLEVEL 0 msiexec /uninstall {3248F0A8-6813-11D6-A77B-00B0D0160070} /quiet /lv c:\java_uninstall.txt

EXIT /b

Richard Noggin
Jun 6, 2005
Redneck By Default


I wouldn't worry about it. There are logon scripts that do a fuckton more than that!

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread


That's good to know - I'm pretty new to this. Great thread!

da sponge
May 24, 2004

..and you've eaten your pen. simply stunning.

Fourteen posted:

GP is some incredibly, powerful stuff when you really get into it. People can rip on MS for a lot (and deservedly so), but GP deserves their utmost praise. You guys should check out the Jeremy Moskowitz books if you want to read more (Amazon search - the 2 new 2008 books are 1 and 2 on this page). Moskowitz really knows his stuff. If I could get my company to pay for it, I'd attend one of his workshops.

He's a friend of my boss. I've had lunch with him a couple of times, he's a good guy.

You've put together a nice thread Bangers and certainly have more wherewithal that I would to keep it going

da sponge fucked around with this message at Oct 29, 2008 around 17:21

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



Just so people are aware, Microsoft released a revision to the Client-side Group Policy Extensions so they will now detect and install on XP SP3. Make sure you sync your wsus server to get the latest version. I will spend some time answering the questions in this thread and adding content.

Serfer
Mar 10, 2003

...I like the way they think

BangersInMyKnickers posted:

Just so people are aware, Microsoft released a revision to the Client-side Group Policy Extensions so they will now detect and install on XP SP3. Make sure you sync your wsus server to get the latest version. I will spend some time answering the questions in this thread and adding content.

I'm not really sure what this does. I thought these things worked on XP anyway, you just needed Vista to configure them in the first place?

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



Serfer posted:

I'm not really sure what this does. I thought these things worked on XP anyway, you just needed Vista to configure them in the first place?

The newest features like .admx templates, direct registry and file modification, and local printer configuration among other things only works if the PC has the client-side extensions installed, otherwise the machine has no idea how to interpret the policy you made.

Fourteen
Aug 15, 2002

No, no, no you imbecile! That's not talc, that's paprika!

Ixian posted:

Being new to this I'm having trouble figuring out how to separate computers in to separate groups and apply different GPO's to each - which I assume is a pretty basic function.

I have a single top level domain in a small office (40 workstations, 30 servers, 4 or 5 printers). OS's are a mix of 2003 Server, XP SP3, and Vista business with two new 2008 servers we are testing. The two AD controllers are 2k3R2.

I want to be able to set it up so that, for example, all the workstations have one firewall policy enforced, and servers another.

I'd also like to be abbe to apply policies based on group membership. The problem I have is I think the default AD structure is laid out too simple. I have an OU called Accounts, then all users under that, and then security groups breaking out the users depending on department. For machines I have the default computer OU and have made two security groups, Workstations and Servers, for each type. Using Vista and the tools suggested here I cannot for the life of me figure out how to create GPO's that only apply to those security groups. Any GPO I create, such as the one I did for my WSUS server, is domain-wide.

I suspect I'm doing something fundamentally wrong so if anyone has any pointers they'd be much appreciated.

Use the Security Filtering part of your GPO to get GPO's to apply to security groups. Check out the screenshot on this page. Security Filtering is in the lower right quadrant of the GPMC console when you're looking at a GPO. If your GPO is affecting Computer settings, put your security group with your computers in there; if it's User settings, put a security group with users in there. Remove Authenticated Users, too.

Filtering GPO's based on security groups can really help you flatten out and uncomplicate an AD structure since you can eliminate OU's if the only reason they exist is to separate objects for Group Policy purposes.

TheFlyingDutchman
May 26, 2005
Skyway wanderer

I'm not sure if this can be done via GPO or what, but here it goes.

Basically, I need a Domain Local group to have all the rights that the built-in Domain Admins group does. I've gone through the default domain controller GPO and have specified my new group everywhere where the Administrators group is. I have also delegated full control of the domain to my said group.

Problem is, is when I try to log into the PDC with credentials that belong to the group that I created. I get an error saying that I have to have terminal services user access. Since the PDC's access isn't controlled by local users/groups, but rather by AD, what would be the best way to fix this?

BangersInMyKnickers
Nov 3, 2004

I have an oral fixation and it's not the sexy kind



TheFlyingDutchman posted:

I'm not sure if this can be done via GPO or what, but here it goes.

Basically, I need a Domain Local group to have all the rights that the built-in Domain Admins group does. I've gone through the default domain controller GPO and have specified my new group everywhere where the Administrators group is. I have also delegated full control of the domain to my said group.

Problem is, is when I try to log into the PDC with credentials that belong to the group that I created. I get an error saying that I have to have terminal services user access. Since the PDC's access isn't controlled by local users/groups, but rather by AD, what would be the best way to fix this?

If you need a group to have identical access to that of the domain admin group, the easiest way to do that is by nesting the group memberships by making this new group a member of the domain admin group. If you don't feel like going back and re-doing your work to do it that way you will need to add this new group to the "Allow log on through Terminal Services" setting under Computer\Windows Settings\Security Settings\Local Policies\User Rights Assignment in your default domain policy.

TheFlyingDutchman
May 26, 2005
Skyway wanderer

BangersInMyKnickers posted:

If you need a group to have identical access to that of the domain admin group, the easiest way to do that is by nesting the group memberships by making this new group a member of the domain admin group. If you don't feel like going back and re-doing your work to do it that way you will need to add this new group to the "Allow log on through Terminal Services" setting under Computer\Windows Settings\Security Settings\Local Policies\User Rights Assignment in your default domain policy.

Here's the thing. I specified that in the GPO.

Also the reason why I can't simply just drop this group into the Domain Admins group, is because the group I created is, and has to be, a Domain Local group. For some hosed up reason, the trust I have setup will not recognize users when trying to add them to a universal group, but hey that's beside the point.

I mean if there's a way I can add a domain local group to a domain global group, I would like to hear that instead I guess.

vty
Nov 8, 2007

oh dott, oh dott!


Assuming that an entire domain is 2k3+, there are really no possibilities of upgrading from the default forest level of 2k to 2k3 going wrong, correct? I've done this before no problem, it took a bit to replicate, that was all.

haljordan
Oct 22, 2004

the corpse of god is love.


I am trying to figure out a way to apply a group policy to a certain OU so that the policies only affect the users when they log onto a certain terminal server. If I apply the group policy in the normal manner, it prevents them from shutting down their local workstations, when all I need is to prevent them from shutting down this one particular TS. Any thoughts on how I can accomplish this?

Fryedegg
Jan 13, 2004
Everquest killed my libido (and my cat). 8(

haljordan posted:

I am trying to figure out a way to apply a group policy to a certain OU so that the policies only affect the users when they log onto a certain terminal server. If I apply the group policy in the normal manner, it prevents them from shutting down their local workstations, when all I need is to prevent them from shutting down this one particular TS. Any thoughts on how I can accomplish this?

edit: whoops, dumb answer.

Can't you just modify the local policy for that TS? Why make a group policy if it's only going to be meant for one machine?

da sponge
May 24, 2004

..and you've eaten your pen. simply stunning.

haljordan posted:

I am trying to figure out a way to apply a group policy to a certain OU so that the policies only affect the users when they log onto a certain terminal server. If I apply the group policy in the normal manner, it prevents them from shutting down their local workstations, when all I need is to prevent them from shutting down this one particular TS. Any thoughts on how I can accomplish this?

Loopback mode processing.

http://support.microsoft.com/kb/231287

Specifically on terminal servers
http://support.microsoft.com/kb/260370

TheFlyingDutchman
May 26, 2005
Skyway wanderer

haljordan posted:

I am trying to figure out a way to apply a group policy to a certain OU so that the policies only affect the users when they log onto a certain terminal server. If I apply the group policy in the normal manner, it prevents them from shutting down their local workstations, when all I need is to prevent them from shutting down this one particular TS. Any thoughts on how I can accomplish this?

Link the GPO to the OU that this TS is in. Then from there, in the section where you can specify what user/group/computer the GPO is applied to, add your TS to there.

Loopback processing will work, sure, but to be honest it's as simple as what I just described.

haljordan
Oct 22, 2004

the corpse of god is love.


TheFlyingDutchman posted:

Link the GPO to the OU that this TS is in. Then from there, in the section where you can specify what user/group/computer the GPO is applied to, add your TS to there.

Loopback processing will work, sure, but to be honest it's as simple as what I just described.

Awesome...Thanks for the quick replies. I will test this out today.

Edit: TheFlyingDutchman's suggestion worked perfectly. Thanks again!

haljordan fucked around with this message at Nov 7, 2008 around 18:58

Cidrick
Jun 10, 2001

Praise the siamese


Is there a way to "save" a GPO file for local group policy processing and then switch between two different local group policies instantly?

What I'd like to do is lock down these workstations that we deploy at remote sites for ordinary usage, removing poo poo like internet explorer, windows explorer, the run prompt, and that kind of thing, but then be able to run a start menu program that will prompt for a password and then switch into "maintenance mode" which would basically unlock the workstation for anyone who knew the password.

I figure that I can pretty easily do this with .reg files that will immediately modify the registry for a regular user and an administrator, but I was unable to figure out how to make the changes apply immediately. If you open up gpedit.msc and enable/disable a policy, it takes effect immediately. However, if I manually add or edit the key in the registry, it doesn't. Anyone know if there's a way I can basically switch between to local group policy "profiles" so to speak?

Or am I going about this in completely the wrong way?

Adbot
ADBOT LOVES YOU

brc64
Mar 21, 2008

I wear my sunglasses at night.

Cidrick posted:

If you open up gpedit.msc and enable/disable a policy, it takes effect immediately. However, if I manually add or edit the key in the registry, it doesn't.
I could be way off base here, but would running gpupdate make registry changes take effect immediately?

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«31 »