FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Sounder posted:

If you're referring to setting it to "Not Configured", I didn't...

Er, sorry, got Disabled confused with Not Configured...


Mully Clown
Aug 1, 2004

I handle my piss like the great big frilly girls blouse that I am
The other option is to apply deny permissions on the GPO. Just drop anybody you want to exclude into this group.

Not always the best idea but it does work well in some situations.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

Mierdaan posted:

Somewhere in SHSC's history there was a guy who posted about his job, where everyone had laptops. If IT walked by your laptop and it was unlocked, they posted a note reminding you to lock it. There was no second note - IT would confiscate your laptop and you'd have to get it back from your manager after explaining why you couldn't follow simple instructions.

We have a GPO to lock company wide at 7 minutes of idle, but they are still required to lock it if they leave their cube. My old boss (and co-worker) would leave nasty notes with notepad on workstations found unlocked.

Wicaeed
Feb 8, 2005

Moey posted:

We have a GPO to lock company wide at 7 minutes of idle, but they are still required to lock it if they leave their cube. My old boss (and co-worker) would leave nasty notes with notepad on workstations found unlocked.

Watch Windows 8 have the option to automatically lock a screen if it detects no user in front of it, if the workstation has a webcam :swoon:

potato of destiny
Aug 21, 2005

Yeah, welcome to the club, pal.
So I have a somewhat subtle question about loopback policy processing. I think I've got this correct in my head but I'm hoping someone with more experience in group policy can check my logic.

Suppose there are two OUs, a "Users" and a "Workstations" that contain user objects and computer objects respectively (with no overlap). The Users OU has a policy linked that enables a screensaver, with a 15-minute timeout, that locks the workstation's screen and requires a password to log back in (logon.scr or whatever it is). This policy is linked to the Users OU and has an "Authenticated Users" security filter, so it applies to any user when they log in.

I want to selectively disable that policy on a per-workstation basis, such that any user that logs into a particular list of workstations does not get a screensaver, and can therefore whack off all day long without touching the mouse, or whatever it is they need to override the policy for. So, I make a policy that sets loopback processing to "enabled" and "merge", and user policies that set the relevant screensaver settings to "disabled". I then link it to my "Workstations" OU, and add the computer objects that I want this to apply to to the security filter.

My questions are:
1) In this scenario, when loopback is enabled and the workstation policy is applied to the users as they log on, does group policy re-check the security filters for each user, therefore requiring me to add some group that contains any user I would want this to apply to? (such as "Domain Users" or something else that doesn't contain any computer objects, so we don't accidentally apply it to every computer)

2) Would using "replace" mode instead of "merge" mode have the effect of nuking any and all user policies for users on that workstation, including stuff we'd maybe like to keep? And will "merge" have the correct effect of overriding the all users screensaver policy?

GMontag
Dec 20, 2011

potato of destiny posted:

So I have a somewhat subtle question about loopback policy processing. I think I've got this correct in my head but I'm hoping someone with more experience in group policy can check my logic.

Suppose there are two OUs, a "Users" and a "Workstations" that contain user objects and computer objects respectively (with no overlap). The Users OU has a policy linked that enables a screensaver, with a 15-minute timeout, that locks the workstation's screen and requires a password to log back in (logon.scr or whatever it is). This policy is linked to the Users OU and has an "Authenticated Users" security filter, so it applies to any user when they log in.

I want to selectively disable that policy on a per-workstation basis, such that any user that logs into a particular list of workstations does not get a screensaver, and can therefore whack off all day long without touching the mouse, or whatever it is they need to override the policy for. So, I make a policy that sets loopback processing to "enabled" and "merge", and user policies that set the relevant screensaver settings to "disabled". I then link it to my "Workstations" OU, and add the computer objects that I want this to apply to to the security filter.

My questions are:
1) In this scenario, when loopback is enabled and the workstation policy is applied to the users as they log on, does group policy re-check the security filters for each user, therefore requiring me to add some group that contains any user I would want this to apply to? (such as "Domain Users" or something else that doesn't contain any computer objects, so we don't accidentally apply it to every computer)

Yes, the users who log in need to have access to the policy or it won't be applied.

potato of destiny posted:

2) Would using "replace" mode instead of "merge" mode have the effect of nuking any and all user policies for users on that workstation, including stuff we'd maybe like to keep? And will "merge" have the correct effect of overriding the all users screensaver policy?

Yes and yes. GPOs for the computer's OU will have a higher precedence, and so will override the user's OU's screensaver policy.
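Two things are easy to get wrong when setting this up: the loopback mode value and the second trustee on the security filter. This is an added example, not code from the thread. It assumes the GroupPolicy RSAT module and a GPO name, group names and OU layout that are placeholders; the registry location of the loopback setting (UserPolicyMode, 1 = Merge, 2 = Replace) is a fact about Windows.

```powershell
# Added example (not from the thread): confirm that a loopback GPO linked to a
# workstations OU is in Merge mode and is readable/applicable by the users who
# will log on, not only by the targeted computers. "WS-NoScreensaver" and
# "Domain Users" are placeholders.
Import-Module GroupPolicy

$GpoName = 'WS-NoScreensaver'

# 1. Loopback mode is a Computer Configuration registry policy:
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
#    1 = Merge, 2 = Replace. Absent = loopback not configured in this GPO.
$loop = Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
switch ($loop.Value) {
    1       { 'Loopback: Merge (user-OU GPOs still apply, this GPO wins on conflict)' }
    2       { 'Loopback: Replace (user-OU GPOs are discarded on these machines)' }
    default { 'Loopback: not configured in this GPO' }
}

# 2. Security filtering. The computer group scopes WHICH workstations process
#    the GPO; the users who log on must ALSO have Apply, or the user half is
#    reported as filtered out in gpresult. A user-only group keeps the
#    per-workstation scoping intact, since it contains no computer objects.
$applies = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }
"Trustees with Apply: $($applies -join ', ')"

if ($applies -notcontains 'Domain Users') {
    Set-GPPermission -Name $GpoName -TargetName 'Domain Users' `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    "Added Apply for Domain Users"
}
```

Using Authenticated Users as the user trustee would also satisfy the logon check, but because it contains computer accounts too it would make every machine in the Workstations OU process the GPO, which defeats the per-workstation selection the question is after.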

Docjowles
Apr 9, 2009

Just wanted to add a belated thanks for this thread. I finally got approval to convert our horrible no-domain, everyone's local admin abomination into a proper managed environment :swoon:. Wasn't the smoothest project but this thread gave me a number of great ideas and pitfalls to watch for. Voted 5, Bangers owns.

Mecha-Tech
Nov 3, 2008
Okay, so I've got a question that I hope you guys can help me out with.

I've been given the keys to our domain controller in order to do some group policy things with a few labs that we've got set up. Simple things, like turning off the command line, making a whitelist of .exe files, and other little lock down things. The problem is that when I open Group Policy Management and create a new object, I don't have any 'options' as far as policy.

If I edit the policy, I get the window that we all know and love, but underneath Administrative Templates, in both computer configuration and user configuration, the only thing that shows up is 'All Settings' which is blank. Older GPOs (even one created by a co-worker an hour ago using the Administrator login - the same one I used when I created mine) have a folder called 'Classic Administrative Templates (ADM)'.

So, what am I doing wrong? Does it take 30 minutes or so for this folder to magically appear? Is there any way to force a refresh of the templates in order for them to show up on the policies once created, or is this something that's doled out by a central authentication server?

Thanks.

capitalcomma
Sep 9, 2001

A grim bloody fable, with an unhappy bloody end.

Mecha-Tech posted:

Okay, so I've got a question that I hope you guys can help me out with.

I've been given the keys to our domain controller in order to do some group policy things with a few labs that we've got set up. Simple things, like turning off the command line, making a whitelist of .exe files, and other little lock down things. The problem is that when I open Group Policy Management and create a new object, I don't have any 'options' as far as policy.

If I edit the policy, I get the window that we all know and love, but underneath Administrative Templates, in both computer configuration and user configuration, the only thing that shows up is 'All Settings' which is blank. Older GPOs (even one created by a co-worker an hour ago using the Administrator login - the same one I used when I created mine) have a folder called 'Classic Administrative Templates (ADM)'.

So, what am I doing wrong? Does it take 30 minutes or so for this folder to magically appear? Is there any way to force a refresh of the templates in order for them to show up on the policies once created, or is this something that's doled out by a central authentication server?

Thanks.

Does the server you're connecting to have the newer Administrative Templates (admx) installed? It's been forever since I did it, but it sounds like you may still need to copy your templates to your domain controllers.

http://support.microsoft.com/kb/929841



EDIT: if you right-click on "Administrative Templates", you can define a filter for viewing templates. Do you have a filter on?
EDIT2: Are you trying to edit the GPO from an XP machine?

capitalcomma fucked around with this message at 03:04 on Feb 3, 2012

capitalcomma
Sep 9, 2001

A grim bloody fable, with an unhappy bloody end.
On a follow-up note, does anyone know anything that might prevent a policy from taking effect, even if the GPO applied successfully? I'm dealing with a huge headache with removable storage.

I previously set:

User Config -> Admin Templates -> System -> Removable Storage Access -> "All Removable Storage Classes: Deny all access" to ENABLED. But several users need removable media to do their jobs, so I've set up a GPO for them (and set it to Enforced) that sets that policy to DISABLED.

It applies: I can see it listed in the Event Logs. I see the GPO listed in gpresult. I've confirmed that users are restarting to make sure the policy gets applied. I even checked the loving registry key (HKCU->Software->Policies->Microsoft->Windows->Removable Storage Access|deny_all) and confirmed that the user has it and that it's set to 0. And still they're getting access errors. I don't know what else I can investigate or test, other than maybe obliterating NTUSER.DAT and starting them fresh. Any ideas?

Mecha-Tech
Nov 3, 2008

Sounder posted:

Does the server you're connecting to have the newer Administrative Templates (admx) installed? It's been forever since I did it, but it sounds like you may still need to copy your templates to your domain controllers.

http://support.microsoft.com/kb/929841



EDIT: if you right-click on "Administrative Templates", you can define a filter for viewing templates. Do you have a filter on?
EDIT2: Are you trying to edit the GPO from an XP machine?

No to both. No filters are defined at all, and I'm trying to do the editing from a Windows 7 machine using remote desktop into the Server 2008 R2 box. I've created policies from my personal domain login and the Administrator login, and both give me no options at all on a new object. I just had my co-worker, using the same credentials as mine, create a policy that shows up as an object, but with nothing physically in the object to set.

Pseudo-edit: Nothing shows up still. Looks like they never installed the newer .admx templates. Researching that now.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Sounder posted:

On a follow-up note, does anyone know anything that might prevent a policy from taking effect, even if the GPO applied successfully? I'm dealing with a huge headache with removable storage.

I previously set:

User Config -> Admin Templates -> System -> Removable Storage Access -> "All Removable Storage Classes: Deny all access" to ENABLED. But several users need removable media to do their jobs, so I've set up a GPO for them (and set it to Enforced) that sets that policy to DISABLED.

It applies: I can see it listed in the Event Logs. I see the GPO listed in gpresult. I've confirmed that users are restarting to make sure the policy gets applied. I even checked the loving registry key (HKCU->Software->Policies->Microsoft->Windows->Removable Storage Access|deny_all) and confirmed that the user has it and that it's set to 0. And still they're getting access errors. I don't know what else I can investigate or test, other than maybe obliterating NTUSER.DAT and starting them fresh. Any ideas?

I'd set it to "not configured" rather than disable. When it comes to troubleshooting always apply the "deny" logic to every issue. (A deny is a far stronger response to rights and permissions than unchecking allow).

incoherent fucked around with this message at 07:18 on Feb 9, 2012

Thanks Ants
May 21, 2004

#essereFerrari


Surely if you set it to not configured then you aren't enforcing it either way, and so the Enable set further up the OU tree will take precedence? I'm still learning this myself but that's how I understand it at the moment (prepared to be horribly wrong though).
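One check worth running on an affected client for the removable-storage problem above: the "All Removable Storage Classes: Deny all access" setting exists under both Computer Configuration and User Configuration, writing to HKLM and HKCU respectively, and there are per-device-class Deny_Read/Deny_Write/Deny_Execute values alongside Deny_All. A user-scope value of 0 does not clear a machine-scope deny. The script below is an added example, not code from the thread; the registry path is Windows' own (Software\Policies\Microsoft\Windows\RemovableStorageDevices), and nothing else is assumed.

```powershell
# Added example (not from the thread): dump every Removable Storage Access
# restriction that policy has written on this machine, at both scopes.
# Run in the affected user's session so HKCU is theirs; reading needs no
# elevation. Deny_All sits on the root key; per-class denies sit in
# subkeys named by device class GUID.
$base = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

foreach ($hive in 'HKLM', 'HKCU') {
    $root = "${hive}:\$base"
    if (-not (Test-Path $root)) {
        "$hive : no Removable Storage policy key present"
        continue
    }

    $all = Get-ItemProperty -Path $root -Name Deny_All -ErrorAction SilentlyContinue
    if ($null -ne $all) { "$hive : Deny_All = $($all.Deny_All)" }

    Get-ChildItem -Path $root | ForEach-Object {
        $class = $_.PSChildName
        $p     = Get-ItemProperty -Path $_.PSPath
        foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            if ($null -ne $p.$v) { "$hive : $class $v = $($p.$v)" }
        }
    }
}
```

If HKLM shows Deny_All = 1, the user-side GPO is applying exactly as gpresult says and is simply not the setting doing the denying; the fix is to scope the Computer Configuration version of the policy, or move the deny to the user side only.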

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
We have some complicated GIS software on a few machines. It needs to run updates which prompts UAC. Is there a way to white-list this without prompting the user for elevation of an admin?

quackquackquack
Nov 10, 2002

IT Guy posted:

We have some complicated GIS software on a few machines. It needs to run updates which prompts UAC. Is there a way to white-list this without prompting the user for elevation of an admin?

In cases like that, I would usually disable the updates and then push them some central way.

Otherwise, you need to figure out exactly what this updater program is doing, and give it appropriate permissions so that it does not need to prompt to elevate. For example, an updater might be trying to change a registry key in HKLM. You could try giving the user running the update permissions to write to that part of the registry.

You'll likely end up using procmon if you take the second approach.
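Once Procmon has shown the exact HKLM key the updater fails on with ACCESS DENIED, the narrowest fix is an ACL on that key alone. This is an added example, not code from the thread; the key path and group name are placeholders that would come from Procmon and the directory. The same rule can be delivered centrally through Computer Configuration > Windows Settings > Security Settings > Registry.

```powershell
# Added example (not from the thread): grant the users of the GIS machines
# write access to one updater key and its subkeys, nothing wider, so the
# updater stops triggering UAC. Run elevated on the target machine.
# Key path and group name are placeholders.
$keyPath = 'HKLM:\SOFTWARE\ExampleGIS\Updater'       # from Procmon's ACCESS DENIED line
$group   = 'CORP\GIS-Workstation-Users'               # placeholder group

$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $group,
    [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify what the group ended up with on that key.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, IsInherited -AutoSize
```

Grant only the key the user-context process itself writes. If an elevated component (a service, a scheduled task, or the updater's own elevated half) later reads configuration from a key that standard users can now write, that key becomes a local privilege escalation path, which is a worse outcome than the UAC prompt.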

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

quackquackquack posted:

In cases like that, I would usually disable the updates and then push them some central way.

Otherwise, you need to figure out exactly what this updater program is doing, and give it appropriate permissions so that it does not need to prompt to elevate. For example, an updater might be trying to change a registry key in HKLM. You could try giving the user running the update permissions to write to that part of the registry.

You'll likely end up using procmon if you take the second approach.

That's what I figured. It looks like I'll have to do it that way because disabling the updates doesn't seem to be an option. Pushing them through GPOs might be too involved for this software.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
Is there a way to dynamically map a drive for each branch?

For example, I want one GPO to map each branch's file server to the drive letter F.
Instead of creating multiple GPOs for each branch, can you create one GPO to map each shared folder resource depending on which branch they're at?

Another example:
I have 14 branches. Each branch has a file server. Each branch is mapped to their respective file server with drive letter F. Can I dynamically map this for each branch with one GPO or am I stuck making 14 GPOs?

Digital_Jesus
Feb 10, 2011

IT Guy posted:

Is there a way to dynamically map a drive for each branch?

For example, I want one GPO to map each branch's file server to the drive letter F.
Instead of creating multiple GPOs for each branch, can you create one GPO to map each shared folder resource depending on which branch they're at?

Another example:
I have 14 branches. Each branch has a file server. Each branch is mapped to their respective file server with drive letter F. Can I dynamically map this for each branch with one GPO or am I stuck making 14 GPOs?

You'll need a separate GPO for each branch.

Docjowles
Apr 9, 2009

That seems like a case where you'd actually want to resort to a login script. Put in a conditional based on the PC's IP address or however you distinguish between branches. Screw managing 14 GPOs.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Docjowles posted:

That seems like a case where you'd actually want to resort to a login script. Put in a conditional based on the PC's IP address or however you distinguish between branches. Screw managing 14 GPOs.

Yeah, I guess I'll end up doing this. I'm not making 14 GPOs to map a drive.

sanchez
Feb 26, 2003
You could do one GPO with 14 F drive entries using item level targeting if you wanted, you can target by IP range, security group or whatever.

sanchez fucked around with this message at 18:04 on Feb 17, 2012
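For anyone taking the logon-script route rather than item-level targeting, here is the subnet-keyed version as an added example (not code from the thread). Subnets, the /24 prefix length and the server shares are placeholders; the same table is exactly what you would type into a Preferences drive map's IP address range filter.

```powershell
# Added example (not from the thread): one logon script that maps F: to the
# branch server matching the client's IPv4 subnet. Branch subnets, prefix
# length and share paths are placeholders. Works on Windows 7 / PowerShell 2.

$branchShares = @{                 # network address -> branch share
    '10.1.1.0' = '\\br01-fs01\data'
    '10.1.2.0' = '\\br02-fs01\data'
    '10.1.3.0' = '\\br03-fs01\data'
}
$prefixLength = 24                 # assumed: every branch LAN is a /24

function Get-NetworkAddress([string]$Ip, [int]$PrefixLength) {
    # Dotted quad -> 32-bit integer, mask it, back to dotted quad.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                                   # little-endian for ToUInt32
    $ipInt    = [BitConverter]::ToUInt32($bytes, 0)
    $maskInt  = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    $netInt   = [uint32]($ipInt -band $maskInt)
    $netBytes = [BitConverter]::GetBytes($netInt)
    [Array]::Reverse($netBytes)
    (New-Object System.Net.IPAddress -ArgumentList (,$netBytes)).IPAddressToString
}

# IPv4 addresses of enabled adapters, skipping APIPA.
$clientIps = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' -and $_ -notlike '169.254.*' }

$share = $null
foreach ($ip in $clientIps) {
    $net = Get-NetworkAddress -Ip $ip -PrefixLength $prefixLength
    if ($branchShares.ContainsKey($net)) { $share = $branchShares[$net]; break }
}

$log = Join-Path $env:TEMP 'MapBranchDrive.log'
if (-not $share) {
    # Unknown subnet (VPN, lab, wrong DHCP scope): leave F: alone and record why.
    Add-Content -Path $log -Value "$(Get-Date -Format s) no branch for $($clientIps -join ',')"
    exit 0
}

# Drop any stale F: from a previous branch, then map non-persistently so a
# laptop that moves between branches gets the right server at next logon.
if (Test-Path 'F:') { net use F: /delete /y | Out-Null }
net use F: $share /persistent:no | Out-Null
Add-Content -Path $log -Value "$(Get-Date -Format s) mapped F: to $share"
```

The non-persistent mapping matters for roaming machines: a persistent F: remembered from branch A would otherwise fail (or win the race) when the same laptop boots at branch B.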

ZeitGeits
Jun 20, 2006
Too much time....
I hope one of the wizards in here can help me out.

For about a week we have been having problems with our login scripts that map network drives for our users. Seemingly without any pattern to it the scripts will not run and we don't know why (Nobody in our branch of the company has any real knowledge about Active Directory. We know how to create GPOs and other every day stuff, but nobody has a deeper understanding of directory services.)

Things that have changed before our problems began: Due to a migration of mail services we had to install GPOs which a) call some scripts, b) force scripts to run simultaneously at login and c) set the login script timeout to 30 mins.

Only some users in one branch are reporting problems and only users for which the mail migration scripts won't run due to conditionals in the scripts.

The scripts which map the drives are very simple, think three lines of "net use H: \\server\share\department". We are sure the scripts don't run because we included logging options as one of our troubleshooting steps.

Our environment is shoddy, only held together by alcohol, swear words and prayers, so it's entirely possible that something else changed we don't know about. How would real pros begin to narrow the issue down? Or is it something simple like: "don't run login scripts simultaneously, dumbass"

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

sanchez posted:

You could do one GPO with 14 F drive entries using item level targeting if you wanted, you can target by IP range, security group or whatever.

Perfect! I've never hosed around with the item level targeting before but this looks like it will work and I can just filter it by security group.

Thanks!

chutwig
May 28, 2001

BURLAP SATCHEL OF CRACKERJACKS

This is only tangentially related to GPOs (it's not), but it has to do with SCOM and the target audience for this thread seems a lot more likely to use SCOM than the general Windows threads. SO HERE GOES:

I have a SCOM 2007 R2 install and I'm working on setting it up to send SNMP traps to our primary NMS. To make a long story short, I have a command notification channel set up that calls a PowerShell script I wrote and passes in all the different placeholder arguments, so that I can get a feel for what kind of values are present in each variable and then write the script that will actually send the SNMP trap. Some of the placeholders, like Alert Description, are replaced with strings that have spaces in them. This would be fine, except I cannot figure out how to get SCOM to stop stripping quotes from the parameter string I give it. This is a problem whether or not I use named arguments in my script; if I don't use named arguments, each word gets treated as its own argument, and if I do use named arguments, it just captures the first word of each parameter that SCOM inserts.

HOW THE CRAP DO I ESCAPE A DOUBLE QUOTE IN SCOM

capitalcomma
Sep 9, 2001

A grim bloody fable, with an unhappy bloody end.
Is there any danger in or side effects from overwriting your ADMX central store with a newer batch of ADMX files? I was thinking of moving the central store folder out of SYSVOL and copying a new one in from Windows 7 SP1 (it looks like our central store is a few years out of date).

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
Does anyone know of some good auditing software to audit permission changes on the file server, changes to active directory and changes to group policy objects?

Erwin
Feb 17, 2006

IT Guy posted:

Does anyone know of some good auditing software to audit permission changes on the file server, changes to active directory and changes to group policy objects?

Varonis. It's fantastic.

edit: actually I don't know if it monitors changes to group policy. I mainly use it to audit permissions, log file events, and look for sensitive data that is exposed inappropriately.

Erwin fucked around with this message at 19:52 on Feb 21, 2012

Ifan
Feb 21, 2006
The Nice Operator from Heaven
I'd recommend AGPM for more advanced GPO management. It works great. Even if you're only one guy working with GPOs.

http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/agpm.aspx

It's a part of the MS Desktop Optimization Pack.
As for something that does all of that at once? Haven't had the use for that, so I don't know. Some good auditing policies and some filters with a powershell script to collect and aggregate the data from multiple servers might work for you?
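The built-in route for the GPO part of that question is Directory Service Changes auditing on the domain controllers, which logs each attribute change on a groupPolicyContainer as Security event 5136. The script below is an added example, not code from the thread; the DC name and the look-back window are placeholders.

```powershell
# Added example (not from the thread): list Group Policy object changes from
# a domain controller's Security log. Prerequisites on every DC: the Advanced
# Audit Policy subcategory "Directory Service Changes" set to Success
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
# and a SACL auditing writes on CN=Policies,CN=System,<domain>. The DC name
# and look-back window are placeholders.
Import-Module GroupPolicy

$dc    = 'dc01'
$hours = 24
$xpath = "*[System[(EventID=5136) and TimeCreated[timediff(@SystemTime) <= $($hours * 3600000)]]]" +
         " and *[EventData[Data[@Name='ObjectClass']='groupPolicyContainer']]"

Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 5136 carries its fields as named <Data> elements; flatten them.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        # ObjectDN is CN={GUID},CN=Policies,CN=System,DC=...; resolve to the display name.
        $gpoName = $data['ObjectDN']
        if ($gpoName -match 'CN=\{([0-9A-Fa-f-]+)\}') {
            $gpo = Get-GPO -Guid $Matches[1] -ErrorAction SilentlyContinue
            if ($gpo) { $gpoName = $gpo.DisplayName }
        }

        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            GPO       = $gpoName
            Attribute = $data['AttributeLDAPDisplayName']   # versionNumber bumps on every edit
            Value     = $data['AttributeValue']
            Operation = $data['OperationType']              # %%14674 = value added, %%14675 = value deleted
        }
    } |
    Sort-Object Time |
    Format-Table Time, Who, GPO, Attribute, Value, Operation -AutoSize
```

This covers the AD half of a GPO (the groupPolicyContainer object). The settings themselves live in SYSVOL, so for a full picture also enable object-access auditing on \\domain\SYSVOL\domain\Policies and collect the 4663 events from the DCs; changes to file-server permissions are the same 4663/4670 story with a SACL on the shares in question.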

Digital_Jesus
Feb 10, 2011

Ifan posted:

I'd recommend AGPM for more advanced GPO management. It works great. Even if you're only one guy working with GPOs.

http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/agpm.aspx

It's a part of the MS Desktop Optimization Pack.
As for something that does all of that at once? Haven't had the use for that, so I don't know. Some good auditing policies and some filters with a powershell script to collect and aggregate the data from multiple servers might work for you?

It would be great if MS had anything useful that didn't require dealing with their asinine legalese licensing and having to navigate a minefield of bullshits to find a download link to even a trial.

Ugh. :negative:

Ifan
Feb 21, 2006
The Nice Operator from Heaven
Think it's free as long as you have a Volume License Agreement with them. You should probably check with your licensing people :P

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
Awesome, I'll check those out, Varonis looks pretty good. Has anyone used Netwrix before? Netwrix is what my boss has her eye on.

Unrelated, I'm having a heck of a time with something that this thread could probably help me with. I'm attempting to clean up the GPOs to get rid of local admins altogether, this means that I need to white-list some directories and registry keys for older apps because I don't want them writing to the VirtualStore.

Anyway, one of the apps uses an ODBC connection. If the user is a local admin when the odbc connection is setup, the program can see it even when the user isn't a local admin. However, if the ODBC connection is setup while the user is not a local admin, the app can't see it.

When the user isn't a local admin, the ODBC connection is being written to the registry under [HKEY_USERS\(SID)\Software\ODBC]. When the user is a local admin, I can't see it being written to the registry at all. I've done a full blown search for it and can't find any ODBC connections, yet they are somewhere because the app sees them. Does anyone know where these are being written so I can create the ODBC connection through GPOs?

Edit: Nevermind, I was using User DSN instead of System DSN.

IT Guy fucked around with this message at 18:10 on Feb 22, 2012

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I want to modify some Office 2010 settings via GPO, so I downloaded the ADMX/ADML templates. These are the first ADMX files I've used, so I needed to create a central store. I followed these instructions: http://technet.microsoft.com/en-us/library/cc748955(WS.10).aspx

So I created the store, copied over the local policy files, and added mine in. I created a GPO that changes some settings and applied it to my test OU, but the settings aren't changed. I ran "gpresult /scope computer /r" and it says the GPO wasn't applied because it's empty. So somehow my client isn't seeing the ADMX files like it should.

Did I miss a step? What should I do?

GMontag
Dec 20, 2011

FISHMANPET posted:

I want to modify some Office 2010 settings via GPO, so I downloaded the ADMX/ADML templates. These are the first ADMX files I've used, so I needed to create a central store. I followed these instructions: http://technet.microsoft.com/en-us/library/cc748955(WS.10).aspx

So I created the store, copied over the local policy files, and added mine in. I created a GPO that changes some settings and applied it to my test OU, but the settings aren't changed. I ran "gpresult /scope computer /r" and it says the GPO wasn't applied because it's empty. So somehow my client isn't seeing the ADMX files like it should.

Did I miss a step? What should I do?

ADMX files only affect the group policy editing tools, not the actual group policy application on a client machine. So the central store would have nothing to do with it. Are you trying to apply a Group Policy Preferences setting to a client that doesn't have the Group Policy Preferences update installed?

Serfer
Mar 10, 2003

The piss tape is real



FISHMANPET posted:

I want to modify some Office 2010 settings via GPO, so I downloaded the ADMX/ADML templates. These are the first ADMX files I've used, so I needed to create a central store. I followed these instructions: http://technet.microsoft.com/en-us/library/cc748955(WS.10).aspx

So I created the store, copied over the local policy files, and added mine in. I created a GPO that changes some settings and applied it to my test OU, but the settings aren't changed. I ran "gpresult /scope computer /r" and it says the GPO wasn't applied because it's empty. So somehow my client isn't seeing the ADMX files like it should.

Did I miss a step? What should I do?

This might sound obvious, but are you applying a per user policy to a gpo that is applying per computer? Or vice versa?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Serfer posted:

This might sound obvious, but are you applying a per user policy to a gpo that is applying per computer? Or vice versa?

Welp, holy poo poo you're right. It's a user policy but I applied it to the computer, not my user.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
I hosed something up.

I overwrote the permissions on our users home directories thinking I could use ADmodify to relink the users to their respective homes.

So I reset the security on the \\fileserver\homes$ share to Domain Admins - Full Control and didn't add anyone else into the ACL. I used ADmodify to relink the user profiles to their shares using \\fileserver\homes$\%'sAMAccountName'% which works except it didn't add the user to the file permissions like it does if you do it individually through ADUC.

So, my question is, how do I bulk fix this?

edit: this isn't really GPO discussion but I figured it was close enough for the thread.

edit 2: I fixed it doing the following:
1. Un-shared the old share and renamed the folder.
2. Re-created the root homes share which is an empty directory.
3. Used ADModify again to relink
4. This caused all of the users' folders to be recreated with the user having full control.
5. Copied all of the users' folders and merged them into the new share.

It appears it was due to the folders already being there so ADModify didn't add the security. Whew, that scared me a little.

IT Guy fucked around with this message at 00:11 on Feb 27, 2012
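The bulk fix without moving the data is a loop over the existing folders that re-adds each matching user's NTFS rule. This is an added example, not code from the thread; the local root path and the NetBIOS domain are placeholders, and it needs the ActiveDirectory module (RSAT on 2008 R2).

```powershell
# Added example (not from the thread): re-grant each user rights on their
# existing home folder in bulk. For every subfolder of the home root whose
# name is a sAMAccountName, add an Allow Modify rule for that user that is
# inherited by everything below; the existing Domain Admins Full Control
# entry is left in place. Root path and domain are placeholders; run with
# -WhatIf first.
param([switch]$WhatIf)
Import-Module ActiveDirectory

$homeRoot = 'D:\Homes'      # local path behind \\fileserver\homes$
$domain   = 'CORP'

Get-ChildItem -Path $homeRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_.FullName
    $sam    = $_.Name

    # Folders with no matching account are orphaned homes; report, don't touch.
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$sam'")) {
        Write-Warning "No account named $sam for $folder"
        return
    }

    $acl  = Get-Acl -Path $folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        "$domain\$sam",
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)

    if ($WhatIf) {
        "Would grant $domain\$sam Modify on $folder"
    } else {
        Set-Acl -Path $folder -AclObject $acl
        "Granted $domain\$sam Modify on $folder"
    }
}
```

This only repairs NTFS permissions. If the reset also replaced the share permissions on homes$ with Domain Admins only, users are still locked out at the share layer; the usual arrangement is Authenticated Users: Change on the share, with the per-folder NTFS ACLs doing the real restriction.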

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
How many GPOs is typically too many?

We currently have 22 GPOs but they don't always apply to everyone. I use security filtering and WMI filters where necessary to reduce the scope, in addition to disabling user or computer settings on certain GPOs. I'm assuming here that if the GPO is not scoped for the user/computer then it doesn't use network traffic, correct?

I could condense the GPOs but I find it more organized to keep certain things separate. For example, for our Software security exception policy, I make a new policy for each software but I could be doing this all in one policy. Another example, I don't touch the Default Domain Policy at all. I deploy a "Global Domain Policy" that applies to all users and overrides certain things like the password policy and sets policies that aren't set in the default. However, I could always merge them both into one but I find it better organized when separate. I just would rather have a default policy I can go back on if I decide to completely change over the GPO policy one day.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
I asked the same question and was told that there is no real issue with having 100 GPOs. Apart from the issue of managing them all.

I have about 40 for 150 users.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Don't worry about having too many GPOs. Just name them well so they're easy to organize. I'd rather have things separate and NEVER EVER EVER touch DDP. One guy that worked here before me messed up the DDP and managed to lock everyone out of the domain controllers or some poo poo.


sanchez
Feb 26, 2003
I lump some things into the same GPO, Printer & Drive mappings for example. Software, especially weird software that needs a silent install followed by registry edits and other hacks gets a GPO by itself. I name all of mine starting with User: or Computer: and never put settings from one in the other if at all possible (loopback excepted). I had a coworker who would put both user and computer settings in the same policy and then link it in two different places. That gets confusing.
