[gptalk] Re: ADM problem

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 22 Aug 2006 10:32:23 -0700

Doug-
I'm with you all the way up to, "will be applied only once and are not
enforced via refresh or reboot". This isn't the case. Admin. Template
preferences act like policies with respect to refreshes (foreground or
background). If I change a preference from enabled to disabled, then that
change will get picked up on the next GP refresh. I think what you are
referring to is that if I change a preference from enabled or disabled to
"Not Configured", then that registry value won't be removed from the
registry like a policy value would. That is the phenomenon we all know and
love called "tattooing".
 
IE Maintenance preferences are a bit different than Admin. Template
preferences. IE Maintenance preferences say, "set this IE preference once on
a given user and then never set it again". 
 
Darren
 
 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Delaney, Doug
Sent: Tuesday, August 22, 2006 10:26 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: ADM problem


Darren,
 
I was actually referring to the user preference settings that are not
visible by default in GPMC. In the Group Policy Object Editor | View |
Filtering, turn off the check mark in "Only show policy settings that can be
fully managed".  This typically applies to any setting that is not in one of
the "policies" areas of the registry (HKLM\Software\Policies or
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies) and as such, the
settings are considered unmanaged.  The IE Maintenance settings are an
example of this kind of setting, the Office ADM templates, and any custom
ADM templates that do not store their values in the policies areas are
preferences. Those will remain if you remove the GPO, and will be applied
only once and are not enforced via refresh or reboot.
 

Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx

Note: The information in this email is intended solely for the addressee.
Access to this email by anyone else is unauthorized. If you are not the
intended recipient, any disclosure, copying, distribution or any action
taken or omitted to be taken in reliance on it is prohibited.

 


  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, August 22, 2006 1:11 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: ADM problem


I don't see anything wrong in that ADM that would explain why the value is
not getting properly enabled. Also, just because it's a preference does not
mean that you can't switch it from enabled to disabled without it getting
picked up by the client. I suspect Doug is thinking of IE Maintenance
preferences, where that is the case.
 
Darren

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Gray Troutman
Sent: Tuesday, August 22, 2006 8:51 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: ADM problem


So if I have

VALUEON NUMERICAL 1
VALUEOFF NUMERICAL 0

Having it enabled should have put 1 into the value, but it didn't, and the
key didn't exist before the GPO was created.

But, more importantly, what you're telling me is that if I switch the policy
between enabled and disabled, it's not going to update the key to the
appropriate value?  If that's the case, I might as well just write a script
that imports the appropriate registry value during logon. 






On 8/22/06, Delaney, Doug <doug.delaney@xxxxxxx> wrote: 

If the value does not exist (previously) it should work.  This is considered
a "user preference" and a GPO will only apply it once.  It will not be
"managed".
 

Doug Delaney

 


  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Gray Troutman
Sent: Tuesday, August 22, 2006 11:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: ADM problem




The thing is that if I create the key/dword and put the value 1 in
manually, it works fine; write access to USB devices is disallowed.  If I
use the ADM, though, it creates the key and dword, but doesn't put the
correct value in; it stays 0.




On 8/22/06, Tim Bolton <jsclmedave@xxxxxxxxx> wrote: 

We tried this numerous times, but certain USB sticks were still able
to load and were accessible.

Hopefully Darren has the magic bullet for this.  I have heard of shops
actually putting epoxy in the ports...

We use a product that took care of this.  If you want info on it
please email me direct.

I am very curious to see if there is a workable solution in GP...

TB

On 8/22/06, Gray Troutman <jgraytroutman@xxxxxxxxx> wrote:
> Hey folks,
> I've implemented a few custom ADMs without any difficulty.  I have one,
> however, that doesn't seem to want to work properly.  It's one I found
> over at thelazyadmin.com.  The ADM is supposed to disable write access to
> USB devices.  When I manually create the key and dword, everything works
> fine, but when I try to implement it through a GPO, it creates the key and
> dword, but doesn't place the appropriate value (1) into the registry.  Here
> are the contents of the ADM:
>
> CLASS MACHINE
> CATEGORY "Removeable Storage Write Access"
>  POLICY "USB Write Access" 
>   KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
>    VALUENAME "WriteProtect"
>    VALUEON NUMERIC 1
>    VALUEOFF NUMERIC 0
>  END POLICY
> END CATEGORY;
>
> As an additional note, I'll mention that this is the only machine-specific
> policy I'm trying to enforce within this GPO; everything else is on the user
> side.  I had thought that maybe I had instituted a policy that was keeping
> the key from being generated, but everything shows up except for the
> appropriate value.
>
> Thanks in advance,
> Gray
>


--
Genius may have its limitations, but stupidity is not thus 
handicapped. - Elbert Hubbard
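
Added example (not part of the thread and not code from any poster): a small Python parser for the ADM quoted above that reports, per POLICY, whether its KEYNAME sits under one of the "policies" registry areas Doug lists, i.e. whether the setting is a managed policy or a preference that tattoos the registry. The second policy and its `ExampleVendor` key are constructed for contrast, and KEYNAME scoping across nested categories is simplified.

```python
import re

# "Policies" areas relative to the hive; CLASS MACHINE is HKLM, CLASS USER is HKCU.
POLICY_AREAS = ("software\\policies",
                "software\\microsoft\\windows\\currentversion\\policies")
HIVES = {"MACHINE": "HKLM", "USER": "HKCU"}

def tokens(adm_text):
    """Yield ADM tokens; a ';' outside quotes starts a comment."""
    for line in adm_text.splitlines():
        code = re.sub(r';[^"]*$', "", line)
        for quoted, bare in re.findall(r'"([^"]*)"|([^\s";]+)', code):
            yield bare or quoted

def audit_adm(adm_text):
    """Return one record per POLICY, flagging whether its key is managed."""
    it = iter(tokens(adm_text))
    hive, cat, pol, found = "HKLM", {"key": None}, None, []
    for tok in it:
        word = tok.upper()
        if word == "CLASS":
            hive = HIVES.get(next(it).upper(), hive)
        elif word == "POLICY":
            pol = {"policy": next(it), "hive": hive, **cat}
        elif word == "KEYNAME":  # category-level KEYNAME is inherited by policies
            (cat if pol is None else pol)["key"] = next(it)
        elif word in ("VALUENAME", "VALUEON", "VALUEOFF") and pol is not None:
            val = next(it)
            pol[word.lower()] = int(next(it)) if val.upper() == "NUMERIC" else val
        elif word == "END" and next(it, "").upper() == "POLICY" and pol is not None:
            k = (pol["key"] or "").lower()
            pol["managed"] = any(k == a or k.startswith(a + "\\") for a in POLICY_AREAS)
            found.append(pol)
            pol = None
    return found

# First policy is the ADM from the thread; the second is constructed for contrast.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY "Removeable Storage Write Access"
 POLICY "USB Write Access"
  KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
   VALUENAME "WriteProtect"
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0
 END POLICY
 POLICY "Constructed managed example"  ; hypothetical, not from the thread
  KEYNAME "Software\Policies\ExampleVendor\Storage"
 END POLICY
END CATEGORY;'''
```

For the thread's ADM, `audit_adm(SAMPLE_ADM)[0]["managed"]` is `False`: the WriteProtect value lives outside the policies areas, so it is hidden by the default GPO Editor filter and is left behind when the setting goes back to "Not Configured".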