  • Locked thread
Cidrick
Jun 10, 2001

Praise the siamese


And it only took you ten months

Cidrick
Jun 10, 2001

Praise the siamese


Is there a way to "save" a GPO file for local group policy processing and then switch between two different local group policies instantly?

What I'd like to do is lock down these workstations that we deploy at remote sites for ordinary usage, removing poo poo like internet explorer, windows explorer, the run prompt, and that kind of thing, but then be able to run a start menu program that will prompt for a password and then switch into "maintenance mode" which would basically unlock the workstation for anyone who knew the password.

I figure that I can pretty easily do this with .reg files that will immediately modify the registry for a regular user and an administrator, but I was unable to figure out how to make the changes apply immediately. If you open up gpedit.msc and enable/disable a policy, it takes effect immediately. However, if I manually add or edit the key in the registry, it doesn't. Anyone know if there's a way I can basically switch between two local group policy "profiles" so to speak?

Or am I going about this in completely the wrong way?

Cidrick
Jun 10, 2001

Praise the siamese


brc64 posted:

I could be way off base here, but would running gpupdate make registry changes take effect immediately?

It doesn't appear to, because gpedit.msc doesn't reflect the changes that have been made in the registry by hand.

Cidrick
Jun 10, 2001

Praise the siamese


TheFlyingDutchman posted:

Switching like that would be pretty difficult, really. The easiest way to do it would be to log in as a different user, but that's not what you're asking for...

What I would do for this would be to write a script that moves the computer account from one OU into another. Obviously you'd have your GPO at the second OU, where you'd be moving your computer account to.

Anyway, from there, have the script invoke gpupdate /force and your GPO will take effect immediately.

If you want to make changes to the registry, there's about a dozen (that I know of) locations where you'd have to make changes just for a single policy. Even then, that doesn't always work.

Anyway, yeah. Your program at the client level would look something like this:
-Authenticate password (if you're using batch scripting, just authenticate against a service user account in AD and continue processing based on error codes).
-Invoke script to move current computer account from one OU to another
-Execute gpupdate /force
-Exit

There might be an easier way, but who knows...

Oh yeah, I forgot to mention that these computers at remote sites would be on a workgroup.

Thanks though, this is actually a pretty good way to do it inside a domain.

Cidrick
Jun 10, 2001

Praise the siamese


You got it dude
