  • Locked thread
Cidrick
Jun 10, 2001

Praise the siamese

brc64 posted:

I could be way off base here, but would running gpupdate make registry changes take effect immediately?

It doesn't appear to, because gpedit.msc doesn't reflect the changes that have been made in the registry by hand.

TheFlyingDutchman
May 26, 2005
Skyway wanderer

Cidrick posted:

Is there a way to "save" a GPO file for local group policy processing and then switch between two different local group policies instantly?

What I'd like to do is lock down these workstations that we deploy at remote sites for ordinary usage, removing poo poo like internet explorer, windows explorer, the run prompt, and that kind of thing, but then be able to run a start menu program that will prompt for a password and then switch into "maintenance mode" which would basically unlock the workstation for anyone who knew the password.

I figure that I can pretty easily do this with .reg files that will immediately modify the registry for a regular user and an administrator, but I was unable to figure out how to make the changes apply immediately. If you open up gpedit.msc and enable/disable a policy, it takes effect immediately. However, if I manually add or edit the key in the registry, it doesn't. Anyone know if there's a way I can basically switch between two local group policy "profiles" so to speak?

Or am I going about this in completely the wrong way?

Switching like that would be pretty difficult, really. The easiest way to do it, would be to log in as a different user, but that's not what you're asking for...

What I would do for this would be to write a script that moves the computer account from one OU into another. Obviously you'd have your GPO at the second OU in where you'd be moving your computer account to.

Anyway, from there, have the script invoke gpupdate /force and your GPO will take effect immediately.

If you want to make changes to the registry, there's about a dozen (that I know of) locations where you'd have to make changes just for a single policy. Even then, that doesn't always work.

Anyway, yeah. Your program at the client level would look something like this:
-Authenticate password (if you're using batch scripting, just authenticate against a service user account in AD and continue processing based on error codes).
-Invoke script to move current computer account from one OU to another
-Execute gpupdate /force
-Exit

There might be an easier way, but who knows...

Lacc
Jul 12, 2004

Install fist, problem solved.
So I have these perfectly working VBS logon scripts going on, and suddenly decided to try doing the printer bits in GP Preferences. Now there's a small problem with default printers and I'm lost.

Each printer is mapped according to the user's group, and each one is the default printer for at least one person. I figured, hey, let's just set "Set this printer as default printer" for all of them since security group filtering handles the rest. Of course this didn't work as planned on my account since I have multiple printers available, and the last one is now the default.
I can't change the printers' order even if there's a tempting "Order" heading and a number for each one on the list. What I'd like to know is if there's a way to reorder the printers, or even better, somehow make setting the default printer work according to users' group membership. That last one is what I'd actually need to start deploying printers this way.

It's so easy with VBS. :(

Cidrick
Jun 10, 2001

Praise the siamese

TheFlyingDutchman posted:

Switching like that would be pretty difficult, really. The easiest way to do it, would be to log in as a different user, but that's not what you're asking for...

What I would do for this would be to write a script that moves the computer account from one OU into another. Obviously you'd have your GPO at the second OU in where you'd be moving your computer account to.

Anyway, from there, have the script invoke gpupdate /force and your GPO will take effect immediately.

If you want to make changes to the registry, there's about a dozen (that I know of) locations where you'd have to make changes just for a single policy. Even then, that doesn't always work.

Anyway, yeah. Your program at the client level would look something like this:
-Authenticate password (if you're using batch scripting, just authenticate against a service user account in AD and continue processing based on error codes).
-Invoke script to move current computer account from one OU to another
-Execute gpupdate /force
-Exit

There might be an easier way, but who knows...

Oh yeah, I forgot to mention that these computers at remote sites would be on a workgroup :(

Thanks though, this is actually a pretty good way to do it inside a domain.

kik2dagroin
Mar 23, 2007

Use the anger. Use it.
Ooh, I have a question. I understand that there is overhead for every GPO deployed to a computer. If I set the GPO to disable User Configuration or Computer Configuration, would that cut back on the overhead it takes to process the GPO since it would only be deploying certain settings?

EDIT: Sorry, hit post accidentally.

Sock on a Fish
Jul 17, 2004

What if that thing I said?
We recently linked our headquarters and a remote office with a dedicated intranet link. I disabled folder redirection for the users in the remote office, since that would've been quite painful over our 3.0Mbps link. However, I'm still getting some complaints of slowness in Office 2007 apps. Every now and then one of my users will have an Office app hang so long that she has to kill it, and this behavior coincided with her machine getting a route to our domain controllers.

Any theories on why this might be happening? I only had folder redirection setup on the My Documents folder, and I've verified that her My Docs is now local.

Slappy Pappy
Oct 15, 2003

Mighty, mighty eagle soaring free
Defender of our homes and liberty
Bravery, humility, and honesty...
Mighty, mighty eagle, rescue me!
Dinosaur Gum
Great thread - with XP, GPO's were great and powerful but not always the easiest way to accomplish something. For anyone who is familiar with the registry or with the old NT POLEDIT, but who might be intimidated by GPO's - try opening up some of the .adm templates in notepad. It will give you some great visibility into how these things actually work (they're basically just re-formatted .reg files).

No reason to be intimidated.

JackBoCracken
May 27, 2001
I don't really have anything relevant to say, but did you just say 'leveraging' because you could, or because it seems to be the next annoying trend in businesspeak?

Suspicious
Apr 30, 2005
You know he's the villain, because he's got shifty eyes.
Cohesively synergizing efficiency paradigms by leveraging group policies

Sock on a Fish
Jul 17, 2004

What if that thing I said?
What's the best way to exclude a set of users from a folder redirection policy? Right now I've got a folder redirection policy to redirect My Documents to the user's home directory on our fileserver applied to the OU that houses a user OU, and at the user OU level I've got a policy that redirects My Documents to the local user profile and only gets applied to users in a specified group.

TheFlyingDutchman
May 26, 2005
Skyway wanderer

Sock on a Fish posted:

What's the best way to exclude a set of users from a folder redirection policy? Right now I've got a folder redirection policy to redirect My Documents to the user's home directory on our fileserver applied to the OU that houses a user OU, and at the user OU level I've got a policy that redirects My Documents to the local user profile and only gets applied to users in a specified group.

You could move that group of users to a sub OU and then apply a GPO canceling out the folder redirection policy.

Or you could dump the users in a group, create the GPO to cancel the folder redirection policy, link it to the base users OU, then have only the group the users belong to in the security application section of the GPO.
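
The two options in the reply above, modelled as an added example (not code from the thread): GPOs from parent OUs are applied first, and within one OU link order 1 is applied last, so the "cancel" GPO only wins in the same-OU layout if it sits above the file-server GPO in the link order. OU, group and path names are hypothetical, and the model ignores Enforced links, Block Inheritance, WMI filters and loopback.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class GPO:
    name: str
    settings: dict
    apply_to: frozenset   # groups granted Read + Apply Group Policy (security filtering)

@dataclass
class OU:
    name: str
    parent: Optional["OU"] = None
    links: list = field(default_factory=list)   # links[0] is link order 1

def processing_order(ou, user_groups):
    """GPOs in the order the client applies them for a user in `ou`."""
    chain = []
    while ou is not None:            # walk up to the top-level OU
        chain.append(ou)
        ou = ou.parent
    order = []
    for node in reversed(chain):     # parent OUs first, the user's own OU last
        for gpo in reversed(node.links):          # link order 1 is applied last
            if gpo.apply_to & set(user_groups):   # security filtering
                order.append(gpo)
    return order

def resultant(ou, user_groups):
    """Last writer wins: map each setting to (value, name of the winning GPO)."""
    result = {}
    for gpo in processing_order(ou, user_groups):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

# Constructed sample data (hypothetical names and paths).
SETTING = "My Documents target"
SERVER = GPO("Redirect to file server",
             {SETTING: r"\\fileserver\home\%USERNAME%"},
             frozenset({"Authenticated Users"}))
LOCAL = GPO("Redirect to local profile",
            {SETTING: r"%USERPROFILE%\My Documents"},
            frozenset({"Remote Office Users"}))
HQ_USER = {"Authenticated Users"}
REMOTE_USER = {"Authenticated Users", "Remote Office Users"}

def nested_layout():
    """Option 1: file-server GPO on the parent OU, cancel GPO on a sub OU."""
    parent = OU("Staff", links=[SERVER])
    return OU("Users", parent=parent, links=[LOCAL])

def same_ou_layout(local_first):
    """Option 2: both GPOs linked to the same OU; only the link order differs."""
    return OU("Users", links=[LOCAL, SERVER] if local_first else [SERVER, LOCAL])

def winner(ou, user_groups):
    return resultant(ou, user_groups)[SETTING][1]

if __name__ == "__main__":
    print("nested, remote user:      ", winner(nested_layout(), REMOTE_USER))
    print("nested, HQ user:          ", winner(nested_layout(), HQ_USER))
    print("same OU, cancel is link 1:", winner(same_ou_layout(True), REMOTE_USER))
    print("same OU, cancel is link 2:", winner(same_ou_layout(False), REMOTE_USER))
```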

Sock on a Fish
Jul 17, 2004

What if that thing I said?
So, I'm going to be deploying a domain controller at that remote office soon. Are there any drawbacks to just letting it operate as a domain controller for our current domain, or should it get its own domain in the forest?

Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy

Sock on a Fish posted:

So, I'm going to be deploying a domain controller at that remote office soon. Are there any drawbacks to just letting it operate as a domain controller for our current domain, or should it get its own domain in the forest?
I went through this back in May and I didn't set up a different domain. My situation might be different because we use SBS, and I probably couldn't create a new domain if I wanted to but this other office is a state away and only has 6 employees. I set up the domain controller over there and set up an IPSec VPN tunnel between the two sites.

Then I went into Active Directory Sites and Services to define a new site and made sure to set it up so that it knows that other domain controller is at the other site. This helps it conserve some bandwidth, so it's not treating it like it's on a LAN.

This is also about the time I started using DFS with replication which really helped, since there's now no direct opening of files across the VPN (automatically accessed the local copy and replicates later).

So yeah, after this experience, for us, I don't think I would create another domain even if that office was bigger.

Phearson
Aug 15, 2006

Have you seen my pants?
I looked through the thread for this; sorry if I missed it...

I started a new job as a SysAdmin at a small college earlier this year. We've got a bunch of group policies in place (a mix of things I've done, and things that were here when I got here). Is there a way (either with the Group Policy Management tool or some other tool) to see only the modified parts of a particular policy (filter out everything that's not configured)? Currently, if I want to know what a vaguely named policy does, I have to dig into every setting until I find what's been changed.

Slappy Pappy
Oct 15, 2003

Mighty, mighty eagle soaring free
Defender of our homes and liberty
Bravery, humility, and honesty...
Mighty, mighty eagle, rescue me!
Dinosaur Gum

Phearson posted:

I looked through the thread for this; sorry if I missed it...

I started a new job as a SysAdmin at a small college earlier this year. We've got a bunch of group policies in place (a mix of things I've done, and things that were here when I got here). Is there a way (either with the Group Policy Management tool or some other tool) to see only the modified parts of a particular policy (filter out everything that's not configured)? Currently, if I want to know what a vaguely named policy does, I have to dig into every setting until I find what's been changed.

I skipped work today but I'm pretty sure that the GPMC will show you only the non-default settings if you look on the "settings" tab from within the console (not from within the editor).

Phearson
Aug 15, 2006

Have you seen my pants?

Spamtron7000 posted:

I skipped work today but I'm pretty sure that the GPMC will show you only the non-default settings if you look on the "settings" tab from within the console (not from within the editor).

Wow, I feel dumb for not noticing that. Thanks!

taiyoko
Jan 10, 2008


I've got an issue that would be so much easier if it could be solved through GPO...

We have about 400 laptops deployed in various schools throughout the school system. It turns out that we need to change the power settings on every one of them, but currently the only way to do so is to log on, disable Deep Freeze, log on as local Administrator, give the user admin rights, log into the student user account, and manually change the power settings to where they need to be before enabling Deep Freeze and shutting it back down.

Without changing the power settings, these computers won't boot into maintenance mode correctly to run updates.

Is there a way to push out these changes without having to grant student accounts admin rights and manually have to change every laptop?

Sock on a Fish
Jul 17, 2004

What if that thing I said?
If you're using the new group policy extensions you can just use group policy editor in Vista/Server 2008 to make a GPO for whatever power settings you want.

All of the power management settings are contained in the registry, so if you're not using the new extensions, you can push a registry change.

Serfer
Mar 10, 2003

The piss tape is real



Sock on a Fish posted:

If you're using the new group policy extensions you can just use group policy editor in Vista/Server 2008 to make a GPO for whatever power settings you want.

All of the power management settings are contained in the registry, so if you're not using the new extensions, you can push a registry change.
Something I discovered recently, if you want to push out a registry change, rather than using a batch file, you can use just group policy (even without the new extensions/a vista computer to set it up on). It involves building your own ADM templates though.

http://technet.microsoft.com/en-us/library/bb742499.aspx

Here's an example of what I used to force file extensions to be shown (yeah it's stupid, but I was playing):
code:
CLASS USER
CATEGORY !!HideFileExt
 POLICY !!HideFileExt
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
   VALUENAME !!HiddenfileExt_Name
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0
 END POLICY
END CATEGORY
[strings]
HideFileExt="Hide file extensions"
HiddenfileExt_Name="HideFileExt"

Using these, you can set whatever you want, without using a batch file or .reg files.
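
As an added illustration (not part of the post above and not Microsoft tooling), this Python sketch parses the posted on/off template and renders the registry write that the Enabled and Disabled states produce. It also flags that the key lies outside the `Policies` subtrees, which means the value is a preference that stays in the user's registry after the GPO stops applying. The parser handles only the keywords used in the posted template, resolves `!!` references wherever they appear, and its function names are hypothetical.

```python
import re

# The template as posted above, embedded as sample input.
ADM_TEXT = r'''
CLASS USER
CATEGORY !!HideFileExt
 POLICY !!HideFileExt
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
   VALUENAME !!HiddenfileExt_Name
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0
 END POLICY
END CATEGORY
[strings]
HideFileExt="Hide file extensions"
HiddenfileExt_Name="HideFileExt"
'''

# Subtrees that Group Policy cleans up when a GPO no longer applies.
MANAGED_PREFIXES = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)
HIVES = {"USER": "HKEY_CURRENT_USER", "MACHINE": "HKEY_LOCAL_MACHINE"}

def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def _value(rest):
    """Turn 'NUMERIC 1' or a quoted string into (reg_type, value)."""
    parts = rest.split(None, 1)
    if len(parts) == 2 and parts[0].upper() == "NUMERIC":
        return ("dword", int(parts[1]))
    return ("sz", _unquote(rest))

def parse_adm(text):
    """Return one dict per simple on/off POLICY block (PART blocks are not handled)."""
    pieces = re.split(r'(?im)^\[strings\]\s*$', text, maxsplit=1)
    body, tail = pieces[0], (pieces[1] if len(pieces) > 1 else "")
    strings = {}
    for line in tail.splitlines():
        m = re.match(r'\s*([^=\s;]+)\s*=\s*(.*)$', line)
        if m:
            strings[m.group(1)] = _unquote(m.group(2))

    def resolve(tok):
        return strings.get(tok[2:], tok) if tok.startswith("!!") else _unquote(tok)

    hive, cat_key, cur, out = None, None, None, []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or ADM comment
            continue
        parts = line.split(None, 1)
        word = parts[0].upper()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if word == "CLASS":
            hive = HIVES[rest.upper()]
        elif word == "POLICY":
            # With no VALUEON/VALUEOFF, Enabled writes DWORD 1 and Disabled deletes the value.
            cur = {"name": resolve(rest), "hive": hive, "key": cat_key,
                   "value": None, "on": ("dword", 1), "off": None}
        elif word == "KEYNAME":
            if cur is None:
                cat_key = resolve(rest)           # category-level key, inherited by policies
            else:
                cur["key"] = resolve(rest)
        elif word == "VALUENAME" and cur is not None:
            cur["value"] = resolve(rest)
        elif word == "VALUEON" and cur is not None:
            cur["on"] = _value(rest)
        elif word == "VALUEOFF" and cur is not None:
            cur["off"] = _value(rest)
        elif word == "END" and rest.upper() == "POLICY" and cur is not None:
            key = (cur["key"] or "").lower() + "\\"
            cur["managed"] = key.startswith(MANAGED_PREFIXES)
            out.append(cur)
            cur = None
        elif word == "END" and rest.upper() == "CATEGORY":
            cat_key = None
    return out

def reg_file(policy, enabled):
    """Render the write for the Enabled or Disabled state as .reg text."""
    data = policy["on"] if enabled else policy["off"]
    if data is None:
        rhs = "-"                                  # .reg syntax for "delete this value"
    elif data[0] == "dword":
        rhs = "dword:%08x" % data[1]
    else:
        rhs = '"%s"' % data[1].replace("\\", "\\\\").replace('"', '\\"')
    return ('Windows Registry Editor Version 5.00\n\n[%s\\%s]\n"%s"=%s\n'
            % (policy["hive"], policy["key"], policy["value"], rhs))

if __name__ == "__main__":
    for p in parse_adm(ADM_TEXT):
        kind = "managed policy" if p["managed"] else "preference (persists after the GPO is removed)"
        print("%s: %s" % (p["name"], kind))
        print(reg_file(p, enabled=False))
```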

TheFlyingDutchman
May 26, 2005
Skyway wanderer

Serfer posted:

Something I discovered recently, if you want to push out a registry change, rather than using a batch file, you can use just group policy (even without the new extensions/a vista computer to set it up on). It involves building your own ADM templates though.

http://technet.microsoft.com/en-us/library/bb742499.aspx

Here's an example of what I used to force file extensions to be shown (yeah it's stupid, but I was playing):
code:
CLASS USER
CATEGORY !!HideFileExt
 POLICY !!HideFileExt
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
   VALUENAME !!HiddenfileExt_Name
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0
 END POLICY
END CATEGORY
[strings]
HideFileExt="Hide file extensions"
HiddenfileExt_Name="HideFileExt"

Using these, you can set whatever you want, without using a batch file or .reg files.

Out of curiosity, wouldn't a batch file run at logon do the exact same thing?

Serfer
Mar 10, 2003

The piss tape is real



TheFlyingDutchman posted:

Out of curiosity, wouldn't a batch file run at logon do the exact same thing?

You could make a batch file do the same thing, but this does it with group policy.

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread
Most of the software we use is now being controlled with Group Policy. I just set up a new workstation for one of the engineers here and aside from the few manual things like joining it to the domain and removing some of the pre-installed apps (no, Dell, I don't need 15 different Roxio apps, thanks), all my setup consisted of was figuring out what software is needed and just adding the computer account to about 15 security groups. One reboot later and everything is installed and working. So much easier than what I used to do, and much of it stemmed from stumbling onto this thread. Thanks!


One question. I've upgraded one of the apps by adding another package to the GPO and configuring it to upgrade the previous version. Do I have to leave the old package in the GPO? What's best practices with this situation? I've noticed that new computers just install the latest version which is nice.

TheFlyingDutchman
May 26, 2005
Skyway wanderer

ozmunkeh posted:

Most of the software we use is now being controlled with Group Policy. I just set up a new workstation for one of the engineers here and aside from the few manual things like joining it to the domain and removing some of the pre-installed apps (no, Dell, I don't need 15 different Roxio apps, thanks), all my setup consisted of was figuring out what software is needed and just adding the computer account to about 15 security groups. One reboot later and everything is installed and working. So much easier than what I used to do, and much of it stemmed from stumbling onto this thread. Thanks!


One question. I've upgraded one of the apps by adding another package to the GPO and configuring it to upgrade the previous version. Do I have to leave the old package in the GPO? What's best practices with this situation? I've noticed that new computers just install the latest version which is nice.

Personally, I would leave it in there just for legacy support. The newer package "should" be used now regardless, but you never know sometimes unless you can verify everything is using the new package. In that case, I'd remove it.

But yeah, check, check, check. If you're unsure, leave it.

Falcon2001
Oct 10, 2004

Eat your hamburgers, Apollo.
Pillbug
Voted 5 and bookmarked. I need to get more into using this at my workplace, awesome post :)

namol
Mar 21, 2007

Sock on a Fish posted:

So, I'm going to be deploying a domain controller at that remote office soon. Are there any drawbacks to just letting it operate as a domain controller for our current domain, or should it get its own domain in the forest?

What functionality level is your domain currently at? Server 2008, server 2003 etc? If the domain is at the 2008 functionality level and the DC will be server 2008 based you could deploy it as a read only dc or RODC. Here's a link about it http://technet.microsoft.com/en-us/library/cc732801.aspx and step by step guide.

Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy
I'm so glad this thread hasn't died.

I would like to get some discussion going on the special configuration needs for mobile/laptop users. Right now, I'm struggling with how to manage some of these systems. We've got techs who might never come into the office for a month or more, because they go directly to jobs from home, and go right back home afterward.

Since they aren't connected to the domain for long stretches of time they don't get group policy changes, software updates, etc. I am working on a way for them to get virus updates with NOD32 without them having to connect to the VPN, but it isn't fleshed out yet (I know you can have NOD32 mobile users update directly from the internet, but I'm trying to avoid that just to avoid embedding our credentials on portable computers).

I'd love to hear how some other administrators handle issues unique to mobile users.

TopShelfer
Feb 25, 2007
Me and my deaf girlfriend went out to dinner. All of a sudden all I could hear was "UUUHHHH HHHHUR RRRAA AAAGGGL LLLLLL NGGGG UHHHHRR RRRR" It was awkward and just weird.
I think you meant to say "using"

Zedlic
Mar 10, 2005

Ask me about being too much of a sperging idiot to understand what resisting arrest means.
I don't care if I'm replying to an old thread, this is too good information to go into archives. Helped me a lot.

Also, I have a problem that's related to Active Directory and Group Policy. Hopefully someone here has an idea towards a solution.

You see, when I was creating the domain for this AD (tiny company, first time administering Windows, learning as I go, etc.) I figured it would be a good idea to name the domain the same as the URL for the company. As in companyname.is. So the domain is called companyname.is and the url for the website (hosted elsewhere) is companyname.is.

This was all well and good until I realized that this meant that all users trying to access companyname.is from a browser on a domain computer were redirected to the web server on the domain controller, instead of accessing the actual website on the Internet.

After looking around I found an A Record in the DNS settings on the domain controller pointing companyname.is to the domain controller IP. Thinking I had found the problem, I deleted the record, but now no machine can even ping companyname.is.

Can I tell the DNS server to forward requests for companyname.is just like any other requests that get translated to an IP? Or do I need to rename the domain?

Suspicious
Apr 30, 2005
You know he's the villain, because he's got shifty eyes.
Don't mess with DNS records of domain controllers or anything created by active directory because you could break many things. AD is dependent on DNS to work.

What you could do is make a www. A record that points to the IP of the external site or turn on IIS on the DC and create a simple page that redirects to the external IP

LoKout
Apr 2, 2003

Professional Fetus Taster

taiyoko posted:

Is there a way to push out these changes without having to grant student accounts admin rights and manually have to change every laptop?

I realize this is an old question, but in case anyone else is interested, yes there is a way to push GPO settings remotely. XP doesn't have settings for GPO based power management, but Energy Star has released some packages to make this possible. I just pitched doing some power saving things at work yesterday, and they went over fairly well. Most everyone wanted to just disable sleep modes altogether but I was like :colbert: save some green.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

JackBoCracken posted:

I don't really have anything relevant to say, but did you just say 'leveraging' because you could, or because it seems to be the next annoying trend in businesspeak?

Because I didn't want to name it "You could be using group policy for that you big idiot", which tends to be my initial reaction to a lot of the Windows domain admin questions that get posted here.

Suspicious posted:

Cohesively synergizing efficiency paradigms by leveraging group policies

Cidrick I need a thread rename over here

Briantist posted:

I'm so glad this thread hasn't died.

I would like to get some discussion going on the special configuration needs for mobile/laptop users. Right now, I'm struggling with how to manage some of these systems. We've got techs who might never come into the office for a month or more, because they go directly to jobs from home, and go right back home afterward.

Since they aren't connected to the domain for long stretches of time they don't get group policy changes, software updates, etc. I am working on a way for them to get virus updates with NOD32 without them having to connect to the VPN, but it isn't fleshed out yet (I know you can have NOD32 mobile users update directly from the internet, but I'm trying to avoid that just to avoid embedding our credentials on portable computers).

I'd love to hear how some other administrators handle issues unique to mobile users.

Here is how I would handle it: Run your Nod32 RAS in a DMZ and have it publicly accessible on TCP 2221 and 2222 for updates and console reporting. Enable authentication on the mirror (basic will use an internal account, NTLM will use local windows credentials you set on the server) and set a password on console communication as well. Credentials are hashed out when saved to a client's registry, so the actual password getting stolen isn't a huge risk. What you need to worry about is someone exporting out the XML config and distributing that, but setting the client password takes care of that situation. Configure an update profile for every single computer you have to use your RAS as the primary source and then configure the secondary profile to ESET's servers with the EAV-whatever username/pass.

As for the laptops, I can see two viable ways of doing it. First would be that you don't join the laptops to the domain, give users admin rights, and let them do whatever the hell they want. When they want access to internal resources, you force them to use VPN access through a product that does client integrity checking (patches, AV defs, running exploits, stuff like that), and once they pass they can get access either to a terminal server that gives them a standard desktop environment or just direct access to network shares or whatever they need. The other option would be to join the machines to the domain but don't configure them to have the local users group be a member of domain users. Give them a local admin account on the laptop to use. That way, when they do get on the VPN or bring it in to the office you can push down configuration changes for whatever policy changes. Software installation would be tricky since you most likely don't want the computer creating a VPN link back to your network every time it boots up. In that situation, I would make it company policy that every 6 months laptops have to come in for maintenance and once they are on the local lan they can pull in the latest software packages, then send them back out in the field. You would want a separate vlan set up for doing that, since it would be possible that the machine could be carrying a trojan that would get blasted out to the subnet it is on.

LoKout posted:

I realize this is an old question, but in case anyone else is interested, yes there is a way to push GPO settings remotely. XP doesn't have settings for GPO based power management, but Energy Star has released some packages to make this possible. I just pitched doing some power saving things at work yesterday, and they went over fairly well. Most everyone wanted to just disable sleep modes altogether but I was like :colbert: save some green.

Install the group policy client-side extensions on your XP machines and use a Vista/2008 machine to create a policy that modifies your power profile. Your XP workstations can apply that policy and you should be all set.



Just a reminder that the default Home/Office power profile that XP uses disables speedstep on XP. I recommend setting it to Minimal Power Savings which, despite the name, does use speedstep and then tweaking the exact values from there.

brc64
Mar 21, 2008

I wear my sunglasses at night.

BangersInMyKnickers posted:

Install the group policy client-side extensions on your XP machines and use a Vista/2008 machine to create a policy that modifies your power profile. Your XP workstations can apply that policy and you should be all set.
I did the group policy preferences for the 2008 install I did a couple weeks ago, and by and large, everything worked out great. The INI and ODBC editors are a loving godsend!

But as far as I could tell, the preferences I set for power and local users and groups would never get applied. Everything else worked great, but those just never seemed to apply. I skimmed the event logs but nothing jumped out at me. Those were probably the two least important preferences I set, so I didn't spend much time looking into them, but I would like to know if I did something wrong.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

brc64 posted:

I did the group policy preferences for the 2008 install I did a couple weeks ago, and by and large, everything worked out great. The INI and ODBC editors are a loving godsend!

But as far as I could tell, the preferences I set for power and local users and groups would never get applied. Everything else worked great, but those just never seemed to apply. I skimmed the event logs but nothing jumped out at me. Those were probably the two least important preferences I set, so I didn't spend much time looking into them, but I would like to know if I did something wrong.

There are some weird bugs in them still. Like I had a scheduled startup task fail if I unchecked the "do not run on battery" option and the clients complained about the policy being malformed. There is also a known issue with the changes you make in some of the preferences not saving out until you completely close out the mmc client. I would recommend playing around with it and going step by step when you have free time. I'm sure there are still more little gotchas sitting around that I'm not aware of.

Cidrick
Jun 10, 2001

Praise the siamese
You got it dude

Zedlic
Mar 10, 2005

Ask me about being too much of a sperging idiot to understand what resisting arrest means.

Suspicious posted:

Don't mess with DNS records of domain controllers or anything created by active directory because you could break many things. AD is dependent on DNS to work.

What you could do is make a www. A record that points to the IP of the external site or turn on IIS on the DC and create a simple page that redirects to the external IP

Thanks, this worked perfectly.

Now I'm having another problem: GPO-enabled drive maps don't map at all on laptops.

The setting is enabled under User Configuration -> Preferences -> Windows Settings -> Drive Maps and is set to Replace (that is, create if not there, else replace. I've also tried Update, and toggling the Reconnect switch) a drive map giving each user access to a central share. This GPO is linked to an OU containing all users. This works perfectly on all desktops in the domain. Drive gets mapped every time, no problems.

On the laptops it doesn't do anything. Nothing is mapped, no events are logged telling me why nothing did. It just doesn't work. Mapping it manually in Windows Explorer works fine.

Now, since the laptops and desktops are currently operating under the exact same GPOs, that is obviously not the issue. So it must be something related to some laptop-specific feature which brings us to the most likely culprit: Wireless.

With that in mind, I enabled "Always wait for the network before logging on" but still nothing. I'm completely empty and have no idea why the laptops can't just loving map this single drive. Help.

murk
Oct 31, 2003
Never argue with stupid people, they drag you down to their level and beat you with experience.
Are the laptops XP, and do they have group policy preference client side extensions update installed?

Zedlic
Mar 10, 2005

Ask me about being too much of a sperging idiot to understand what resisting arrest means.

murk posted:

Are the laptops XP, and do they have group policy preference client side extensions update installed?

The laptops are Vista, just like the desktops. Not sure about this update, but WSUS is running on the GP controller and all the clients are more or less up to date. (Edit: All other GPO's work perfectly fine on the laptops too).

Actually I'm also having a tiny problem with that, where I have a hundred approved updates and a GPO that tells all computers to auto-update at 03:00 even when asleep/in hibernation but then I log on the next day to see all hundred updates still needed for all the computers. Can I force feed updates?

Zedlic fucked around with this message at 10:50 on Mar 3, 2009

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

What kind of security are you using with your wireless? I think the always wait for network before logging on will only work if it is an open AP, and you need to go through some hoops to get the wireless to pre-authenticate during system startup before you can get drive mappings to work over wireless.

meba rhodium
Aug 25, 2008
Yes, this sounds like authentication problems.

Zedlic
Mar 10, 2005

Ask me about being too much of a sperging idiot to understand what resisting arrest means.

BangersInMyKnickers posted:

What kind of security are you using with your wireless? I think the always wait for network before logging on will only work if it is an open AP, and you need to go through some hoops to get the wireless to pre-authenticate during system startup before you can get drive mappings to work over wireless.

I'm using WEP-PSK right now but I could switch to WPA if necessary. I actually tried setting up a GPO for only the laptops telling them to connect to the AP using WPA-PSK but it didn't give me the option of specifying the key itself. Maybe I'm missing something.

Do you know what hoops I need to jump through to fix this?
