|
Yaos posted:As do we and it works exactly as it is supposed to work, however you can't pick and choose what you want to freeze or not freeze; the whole computer is frozen or nothing is frozen. SteadyState let's you log in as an administrator and make changes without turning off SteadyState. SteadyState only works on Windows XP though, while Deep Freeze works on 7. Well there is a thaw space.  And SteadyState has stop being supported, so it is nice to be using software the the developers still care about.
|
#
?
Sep 30, 2011 22:11
|
|
|
|
| # ? Jun 10, 2024 15:25 |
|
|
The version we are using let's you create another partition or something that you can put stuff into without thawing the computer. They have added a ton of stuff to it though since our version. I just found this software on there. http://www.faronics.com/enterprise/insight/ Here you go girls and boys, monitor an entire lab from one computer. You can even use your iPhone to do it. Now nobody has to make a thread again asking about software that can do this.
|
|
#
?
Sep 30, 2011 22:15
|
|
|
Going back to the last page and the discussion about NICs and FastPort, etc. I was having this same situation on a new machine and remembered this discussion. I tried the first suggestion, which was adding the DisableDHCPMediaSense option to the registry. That solved my immediate problem. But then I was reading further and saw the post about the GpNetworkStartTimeoutPolicyValue option. Is there any opinions on which one is the better option to use? I am in the middle of putting together a new workstation image and would like to apply the appropriate fix ahead of time.
|
|
#
?
Oct 13, 2011 22:00
|
|
|
I'm trying to map printers on terminal services based on the users client.code:The problem is if I run this script as a GPO login script the printers don't get mapped and every login provides the popup with "Debug, client name: %CLIENTNAME%". Does anyone have any ideas how I can get around this, or an alternative method of mapping printers like this? Terminal servers are both Server 2008.
|
|
#
?
Oct 16, 2011 00:07
|
|
|
I'm still stumped by update vs replace for group policy preferences. The help file doesn't really explain the difference. What does update do that replace doesn't, and vice versa. Why would I use one over the other?
|
|
#
?
Oct 19, 2011 16:18
|
|
|
I think update only applies if there's already an existing file, replace will put it there if it doesn't already exist. But I'd rather someone more competent answers
|
|
#
?
Oct 19, 2011 22:04
|
|
|
Honey Im Homme posted:The problem is if I run this script as a GPO login script the printers don't get mapped and every login provides the popup with "Debug, client name: %CLIENTNAME%". Does anyone have any ideas how I can get around this, or an alternative method of mapping printers like this? It sounds like when this is run via a GPO it's not converting the %CLIENTNAME% environment variable into a real value? See this article on pulling the local machine name with WMI.
|
|
#
?
Oct 19, 2011 22:42
|
|
|
Caged posted:I think update only applies if there's already an existing file, replace will put it there if it doesn't already exist. Other way around. Replace will modify value data only if the specified registry value is already present, update will create the registry value if it isn't present and assign it the specified data. E: I said that for registry keys, but the same concept applies for files.
|
|
#
?
Oct 20, 2011 14:30
|
|
|
Honey Im Homme posted:I'm trying to map printers on terminal services based on the users client. Isn't VBScript case sensitive? You're checking the variable leftstring for a value, although you wrote to the variable Leftstring. If your script also includes "On Error Resume Next" that might explain the behaviour. You also might want to change the line in the if clause to "... & Leftstring" Nvm: I'm an idiot. Try inserting a pause (100ms) at the beginning of the script. ZeitGeits fucked around with this message at 15:32 on Oct 20, 2011 |
|
#
?
Oct 20, 2011 15:30
|
|
|
BangersInMyKnickers posted:Other way around. Replace will modify value data only if the specified registry value is already present, update will create the registry value if it isn't present and assign it the specified data. Replace will create it if it doesn't exist. According to the help, update will change only what's defined in the setting, and replace will delete and recreate every time. Where I got confused is with printer and driver letter mappings. Should I be updating or replacing? I was replacing printers, but someone told me that every time she logs on her default printer gets reset (even though none of the printers in the preference have set as default enabled). So I changed them to update, and we'll see how that goes.
|
|
#
?
Oct 20, 2011 15:33
|
|
|
Looks like we're both a little bit wrong: http://blogs.technet.com/b/grouppol...-windows-7.aspx quote:Replace – Remove whatever drive mapping exists for this share, and create a new one with these settings. If there isn’t one, just create it. No matter what, you’re getting this drive mapping, whether something existed there or not. It’s very insistent, like the bully of the CRUD options, so it gets a Red icon. That's for drive mappings though. I wouldn't be surprised if the behavior differs for what you are targeting. Feel free to hit F1 in the editor. The help files are pretty good in this case. Another way you could potentially fix the problem with user settings getting cleaned out is by setting the policy preference to only apply once, but I agree that update is generally the best solution regardless. I can't think of the last time I used replace. BangersInMyKnickers fucked around with this message at 15:44 on Oct 20, 2011 |
|
#
?
Oct 20, 2011 15:42
|
|
|
I've decided to use UAC to control what a user can and cannot do on their machine. It works great as they can't touch anything on the computer that isn't per-user. However, I've noticed I can open regedit on Windows XP still. I can't change anything in HKLM which is fine, but the user can still edit HKCU. Basically my question is, is this a problem, can they do any damage in the HKCU? Second question, can you change the default home page for IE but still allow a user to change it? I hate having MSN as the default home page for a new user profile but any setting I've found in the GPOs seems to force the homepage and not allow it to be changed.
|
|
#
?
Nov 1, 2011 13:34
|
|
|
User policy settings get stored in the HKCU hive, so they could potentially override or modify those settings until a policy refresh if they knew what they were doing. But user policies are primarily for ease of use and not so much security, so they'd only be shooting themselves in the foot by doing it. If you're still worried, you could always throw in a software restriction policy to stop them from launching regedit. As for the homepage, unfortunately standard group policies are not good at one shot applications like that. Your best bet is to configure a default new user profile with the settings you want and then give that out to people. If you've already deployed and it's too late for that, you could either set up a schedule task for users that executes a registry merge to change the homepage and then deletes itself after executing or use the group policy extensions to configure IE homepages and then use the advanced options to mark that policy to only apply once.
|
|
#
?
Nov 1, 2011 14:05
|
|
|
BangersInMyKnickers posted:Awesome, thanks.
|
|
#
?
Nov 1, 2011 14:22
|
|
|
Can't you set an initial homepage with a preference item for your given version of IE?
|
|
#
?
Nov 1, 2011 15:06
|
|
|
I've been working for a firm that has been very old school in the way that they have set up networks in the past (using VB scripts, Logon scripts only) and I have just recently turned them onto the magic that is group policy. I'm in charge of a brand new Server 2008 R2 deployment, and I'm already doing some cool things like - - Removing the stupid Internet Explorer "Run Once" setup thing - Deploying 7zip to each machine - Installing the firewall single sign on client on every machine by default - Deploying printers/shared drives What else should I look at doing? I already have a blank slate as far the network goes, and I'm under no real pressure to get it up and running any time soon (the company deploys in January.) I've got different levels of users set up with different permissions, but is there anything else sweet I could be doing?
|
|
#
?
Nov 2, 2011 19:48
|
|
|
IT Guy posted:I've decided to use UAC to control what a user can and cannot do on their machine. It works great as they can't touch anything on the computer that isn't per-user. In my IE settings I used Computer > Policies > Admin Templates > Windows Components > Internet Explorer and set "Prevent performance of First Run Settings" to enabled and chose "Go directly to home page" Then in User > Policies > Windows Settings > Internet Explorer Maintenance (Preference Mode) > URLs > Important URLs I set Home page. That applies the setting but lets users change it.
|
|
#
?
Nov 2, 2011 21:42
|
|
|
Gyshall posted:I've been working for a firm that has been very old school in the way that they have set up networks in the past (using VB scripts, Logon scripts only) and I have just recently turned them onto the magic that is group policy.
|
|
#
?
Nov 3, 2011 02:03
|
|
|
How do I deny policies with user-settings from running on certain computer objects? We are in the process of replacing our Novell domain with a Windows one, and have set up some policies for our users. Thing is, their AD users are also used to log into various terminal servers that host completely unrelated stuff. Right now, when a user logs onto a terminal server in the same domain, it tries to do undesired things like mapping up the user's printers. Because the server typically does not have the required drivers, the logon process will hang while attempting to map the printers. I've tried denying the servers in the security filtering for the affected policies, but it doesn't seem to be working. Am I right in assuming that denying a machine from a policy will only apply to the machine-specific settings in that policy? edit: Some coworker mentioned using WMI filtering to filter out the computer names of the terminal servers. Could this be the way to go? edit2: I think we figured it out. We made an empty GPO with loopback processing set to "replace", and applied it to the terminal servers. odd2k fucked around with this message at 16:18 on Nov 4, 2011 |
|
#
?
Nov 4, 2011 09:41
|
|
|
I've done something similar with the filter 'select name from Win32_Computersystem where name != "blahblahblah"' so that could be a quick and dirty fix to slap on to your printer policy. Another possible solution would be to create a loopback policy for these terminal servers that completely disables the user's ability to add printers which might then cause the application to silently be denied in a much quicker manner.
|
|
#
?
Nov 4, 2011 16:24
|
|
|
Apologies if this has already been covered, but is there a way to prevent users from writing to the C drive except for places I want them to write to (My Docs, Desktop)? It looks like, by default, even unprivileged users can create folders in C:\, and that just won't fly in a company where everything MUST be backed up regularly from our file servers.
|
|
#
?
Nov 5, 2011 01:54
|
|
|
Sounder posted:Apologies if this has already been covered, but is there a way to prevent users from writing to the C drive except for places I want them to write to (My Docs, Desktop)? It looks like, by default, even unprivileged users can create folders in C:\, and that just won't fly in a company where everything MUST be backed up regularly from our file servers. I've yet to do this with complete success due to many users having local admin, but for a starting point, we do the following: 1. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory - set this to what you want the user's default directory to be 2. Admin Templates-> Windows Components -> Hide C drive from explorer (you can restrict access to it as well, but Office will complain.) This took care of a majority of our issues with this. It doesn't take care of someone going into Docs and Settings/Users and saving in there. mute fucked around with this message at 07:26 on Nov 6, 2011 |
|
#
?
Nov 6, 2011 07:20
|
|
|
Sounder posted:Apologies if this has already been covered, but is there a way to prevent users from writing to the C drive except for places I want them to write to (My Docs, Desktop)? It looks like, by default, even unprivileged users can create folders in C:\, and that just won't fly in a company where everything MUST be backed up regularly from our file servers. All our system images go out the door with removing the special permissions from the root of C: to stop this. If it's too late for you to do that, a system startup script using cacls that replaces the user group special permissions with just read permissions should do the job.
|
|
#
?
Nov 6, 2011 09:01
|
|
|
Here's a head-scratcher. I'm converting our printer deployments from the XP-style "printer connections" list to preference items and on some machines - but not others in the same OU, with the same GPOs applied - it fails with an error in the event log: "The user '<printer name>' preference item in the 'D230 printer {<guid>}' Group Policy object did not apply because it failed with error code '0x8007000a The environment is incorrect.' This error was suppressed." On the machines with that error, the printer ends up deployed, but not set to default, which is rather important in our environment. Machines that end up with it set to default do not exhibit that error. They are all running Windows 7. The most useful information I could find online suggested disabling background processing for printer items, and that didn't help. I can only think of one difference between the machines - they're all locked up with SmartShield (a Deep Freeze-like program) and it's possible that the failing machines got locked up with different versions of the policy already on the system. I don't think that would have any effect though, since the policy is re-downloaded at boot time. At any rate, in my testing, it didn't seem to make a difference if I logged out and logged back in as the same user or a different one, the printer would be present but not default. Any ideas? I'd like to avoid using logon scripts if possible. edit: Just found an old reference to one of the printers I need to deploy in the default domain policy, under Computer\Windows\Deployed Printers. It didn't show up at all on the DC when I went to edit the GPO  I had to use a Windows 7 workstation to even find that that setting existed.
Quebec Bagnet fucked around with this message at 03:13 on Nov 9, 2011 |
|
#
?
Nov 9, 2011 02:29
|
|
|
Check what ADMX files exist on the DC. Does the DC have Deployed Printers at all when you look at a policy? It only shows up if the print console feature is installed (I think that's what it's called).
|
|
#
?
Nov 9, 2011 04:36
|
|
|
Yep, adding the print server feature made the deployed printers show up in GP Management. Looks like I had gotten the last settings when I went from the Windows 7 machine, I'll see what the impact is on the clients next time I'm in.
|
|
#
?
Nov 9, 2011 07:33
|
|
|
How can I set a script that requires elevated privileges to run on every user logoff on Windows 7, preferably without using domain-applied GPOs (since our central IT overlords control them)? This needs to run after all users log off a machine, and nearly all users are limited users, so a simple logoff script via GP will not directly work. I've tried creating a Scheduled Task that is set to "run on local disconnect from user session" in the context of an admin account, but I can't get it to fire. Any ideas?
|
|
#
?
Nov 14, 2011 16:24
|
|
|
Megiddo posted:How can I set a script that requires elevated privileges to run on every user logoff on Windows 7, preferably without using domain-applied GPOs (since our central IT overlords control them)? I think you could accomplish it through a scheduled task the executes when it sees the logoff event in the event log, and then making the command execute with an alternative set of credentials that have administrative or system rights, depending on what works in your case.
|
|
#
?
Nov 15, 2011 17:05
|
|
|
I'm attempting to set it so that a users favorites folder gets redirected to the users root folder of the currently redirected documents folder. When I hit ok to process the change to the policy, I get this message.  Does that mean that it will break the currently working documents redirect or am I reading this incorrectly?
|
|
#
?
Nov 15, 2011 18:30
|
|
|
BangersInMyKnickers posted:I think you could accomplish it through a scheduled task the executes when it sees the logoff event in the event log, and then making the command execute with an alternative set of credentials that have administrative or system rights, depending on what works in your case. I think we're just going to do a startup script and have our IT overlords add a logoff script GPO that forces a restart on logoff.
|
|
#
?
Nov 15, 2011 19:08
|
|
|
I have a question regarding when GPO settings gets re-applied. Sorry in advance for the incoherent writing. The computer part of GPOs are initially processed at computer startup and the user part of GPOs at user logon. Then you have the background processing (by default at every 90-120 minutes). But the background processing will only apply if the GPO itself has been updated by an admin. In this example the GPO is unchanged. If I locally on a client change or remove a registry key that has been set by GPO, when will the registry key get reset by a GPO refresh? - At next computer boot (if computer setting)? - At next user login (if user setting)? - Never (or until the GPO is changed by an admin?) (And does it matter if this key is a policy, a group policy preference or an (old school) preference key?) Also, please disregard the 16 hour mandatory background reset of security settings in this example. StrikerJ fucked around with this message at 22:47 on Nov 16, 2011 |
|
#
?
Nov 16, 2011 22:44
|
|
|
StrikerJ posted:- At next computer boot (if computer setting)? So assuming you have permissions to edit those registry keys your GPO is affecting, these would be true. Unless you did a gpupdate /force on the client machine, that would trigger a reprocessing of the GPO. Also after digging around on technet there are group policy settings under Computer Configuration\Administrative Templates\System\Group Policy you can set on a per extension basis to force it to reprocess every time GP is refreshed. So enabling the policy in the screenshot below and selecting "process even if the Group Policy objects have not changed" would have the machine re-apply any security policies being pushed by GPO every refresh interval even if they haven't changed on the server. 
|
|
#
?
Nov 16, 2011 23:51
|
|
|
skipdogg posted:So assuming you have permissions to edit those registry keys your GPO is affecting, these would be true. I set some stuff in HKLM\Software\Policies and HKCU\Software\Policies with a GPO (to be specific it was the Windows Update settings and some settings for Office 2010). Then as a local administrator I removed the registry keys with regedit. The settings did not come back after rebooting the computer so they won't be applied again until a gpupdate /force or a change in the GPO. I wasn't sure that they wouldn't get applied at reboot/relogin so that might be good to know.
|
|
#
?
Nov 18, 2011 10:09
|
|
|
I have had to reimage and deploy a few computers this week and have had some issues with my GPO software deployments not pushing to the new computers and when I install it by hand on the next reboot the policy triggers and removes the software that was deployed. No errors are being reported to the event viewer. Any idea of what is happening? Do I need to have some version of Firefox/flash/etc. baked into my images before GPO will deploy correctly?
|
|
#
?
Nov 18, 2011 16:59
|
|
|
Naramyth posted:I have had to reimage and deploy a few computers this week and have had some issues with my GPO software deployments not pushing to the new computers and when I install it by hand on the next reboot the policy triggers and removes the software that was deployed. No errors are being reported to the event viewer. Any idea of what is happening? Do I need to have some version of Firefox/flash/etc. baked into my images before GPO will deploy correctly? Did you try gpupdate to the machines before manually installing the apps?
|
|
#
?
Nov 18, 2011 17:05
|
|
|
madmaan posted:Did you try gpupdate to the machines before manually installing the apps? Yeah. The machines display each software install for a second or so with verbose logins selected, it just doesn't actually deploy the software. The Event Viewer shows software install start and end for each one but they are events that show up are on the same second.
|
|
#
?
Nov 18, 2011 17:49
|
|
|
Naramyth posted:Yeah. The machines display each software install for a second or so with verbose logins selected, it just doesn't actually deploy the software. The Event Viewer shows software install start and end for each one but they are events that show up are on the same second. Have you changed your imaging process at all? Is the software deployment locations still fully available to the users who login?
|
|
#
?
Nov 18, 2011 19:06
|
|
|
madmaan posted:Have you changed your imaging process at all? Is the software deployment locations still fully available to the users who login? We split the network into two different address pools over the summer to remove the public machines from the staff IP pool but the problem I am having is with staff machines(whose network didn't change). However, I am still able to access the share from the computers I am having issue with and the computers that are currently deployed get their Java/Flash/whatever updates as expected.
|
|
#
?
Nov 18, 2011 19:55
|
|
|
Which runs first, a User GPO login script, or a script in the startup directory?
|
|
#
?
Nov 21, 2011 07:04
|
|
|
|
| # ? Jun 10, 2024 15:25 |
|
|
Swink posted:Which runs first, a User GPO login script, or a script in the startup directory? As in the Start Menu directory? Pretty sure the GP scripts run as part of GP application and therefore are executed before Explorer is started, but depending on how long GP processing takes, they could be still be running by the time Explorer is done with the Startup directory. Remember that you can change the order of execution of GP scripts and of processing the GPOs themselves.
|
|
#
?
Nov 21, 2011 10:06
|
|