[gptalk] Re: Compatible Security Template applied twice?

  • From: Darren Mar-Elia <darren@xxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Tue, 21 Oct 2008 14:16:16 -0800

Steve-
Not sure I follow the question. If there is an entry in that file, then by 
definition it is being applied through that GPO. So anything you see in there 
should be "active". 

Darren

-----Original message-----
From: "Steve Chambers" schambers1969@xxxxxxxxx
Date: Tue, 21 Oct 2008 14:12:27 -0400
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Compatible Security Template applied twice?

> Thanks guys,
> 
> One more question. If I am going to take the time to edit out the duplicate
> entries, should I also remove the registry entries that are not being used?
> If so, how do I know which ones are being applied and which ones are not?
> 
> Steve
> 
> 
> On Tue, Oct 21, 2008 at 2:57 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
> 
> > Yes, that should do it. I would back up that file first. Also, just so you
> > know, when you change the file directly this way, the GPO won't know that it
> > has been updated, and thus won't re-apply to target computers right away.
> > So, if you want, just go into the GPO using GP editor, after changing this
> > file, and tweak a setting on/off to update the GPO version #. That will
> > jump-start its use by clients.
> >
> > Darren
> >
> > -----Original message-----
> > From: "Steve Chambers" schambers1969@xxxxxxxxx
> >  Date: Tue, 21 Oct 2008 13:47:06 -0400
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Compatible Security Template applied twice?
> >
> > > I found the GPTTmpl.ini file, it has 890 (approx) entries listed and
> > > everything is duplicated.
> > >
> > > I guess my question at this point is do I just remove all of the
> > duplicate
> > > entries?
> > >
> > > Steve
> > >
> > >
> > >
> > > On Sat, Oct 18, 2008 at 7:11 AM, Steve Chambers <schambers1969@xxxxxxxxx
> > >wrote:
> > >
> > > >  Is there an easy way to see what File and Registry settings are being
> > > > applied by the security policy? Guess if i knew that i could just
> > delete
> > > > everything else.
> > > >
> > > > Thanks!
> > > >
> > > > Steve
> > > >
> > > >
> > > >
> > > > On Fri, Oct 17, 2008 at 4:15 PM, Steve Chambers <
> > schambers1969@xxxxxxxxx>wrote:
> > > >
> > > >>  Tell me about it, this is something that was already in place when I
> > > >> started with the company. In fact I have a feeling it has been this
> > way for
> > > >> quite some. Nobody seems to know anything about it and I don't know if
> > the
> > > >> file and registry security policy is even being utilized. I will make
> > a
> > > >> point of verifying that though.
> > > >>
> > > >> From what research I have done, it looks like it was imported from the
> > > >> Compatible (compatws.inf) Security Template?
> > > >>
> > > >> Steve
> > > >>
> > > >>
> > > >> On Fri, Oct 17, 2008 at 3:54 PM, Darren Mar-Elia <darren@xxxxxxxxxx
> > >wrote:
> > > >>
> > > >>> 850? Ouch. Even half that number is a lot of keys to be
> > re-permissioning
> > > >>> using GP. Keep in mind that security policy re-applies itself every
> > 16 hours
> > > >>> by default, not to mention at other times when it may refresh. That
> > means
> > > >>> that every key is being re-permissioned each time GP refreshes.
> > Generally
> > > >>> speaking I recommend avoiding the use of File and Registry security
> > policy
> > > >>> for large numbers of keys or files. What template did you deploy that
> > uses
> > > >>> all these permissions?
> > > >>>
> > > >>> In terms of cleaning it up, you can certainly do it manually from the
> > UI,
> > > >>> or you can edit the underlying GPTTmpl.inf file that stores the
> > settings
> > > >>> within the SYSVOL part of that GPO.
> > > >>>
> > > >>> Darren
> > > >>>
> > > >>> -----Original Message-----
> > > >>> From: "Steve Chambers" <schambers1969@xxxxxxxxx>
> > > >>> To: gptalk@xxxxxxxxxxxxx
> > > >>>  Sent: 10/17/2008 3:40 PM
> > > >>> Subject: [gptalk] Re: Compatible Security Template applied twice?
> > > >>>
> > > >>> Thanks Darren,
> > > >>>
> > > >>> Kind of sounds dumb but what would the recommended method be for
> > cleaning
> > > >>> it
> > > >>> up? Looks like there is approximately 850 Registry Keys listed so cut
> > > >>> that
> > > >>> in half.
> > > >>>
> > > >>> Steve
> > > >>>
> > > >>>
> > > >>> On Fri, Oct 17, 2008 at 3:35 PM, Darren Mar-Elia <darren@xxxxxxxxxx>
> > > >>> wrote:
> > > >>>
> > > >>> > Steve-
> > > >>> > It does not sound normal to me and at the very least could cause
> > > >>> confusion
> > > >>> > down the line and extra work on the client if its not cleaned up.
> > > >>> >
> > > >>> > Darren
> > > >>> >
> > > >>> > -----Original Message-----
> > > >>> > From: "Steve Chambers" <schambers1969@xxxxxxxxx>
> > > >>> > To: gptalk@xxxxxxxxxxxxx
> > > >>> > Sent: 10/17/2008 3:32 PM
> > > >>> > Subject: [gptalk] Compatible Security Template applied twice?
> > > >>> >
> > > >>> > Hi!
> > > >>> >
> > > >>> > Upon reviewing our companies Default Domain Policy i noticed that
> > all
> > > >>> > Registry Key entries are duplicated in Group Policy (Hope that
> > makes
> > > >>> > sense)***********************
> > > >>> > You can unsubscribe from gptalk by sending email to
> > > >>> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject
> > field
> > > >>> OR by
> > > >>> > logging into the freelists.org Web interface. Archives for the
> > list
> > > >>> are
> > > >>> > available at http://www.freelists.org/archives/gptalk/
> > > >>> > ************************
> > > >>> >
> > > >>>
> > > >>> ***********************
> > > >>> You can unsubscribe from gptalk by sending email to
> > > >>> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
> > OR
> > > >>> by logging into the freelists.org Web interface. Archives for the
> > list
> > > >>> are available at http://www.freelists.org/archives/gptalk/
> > > >>> ************************
> > > >>>
> > > >>
> > > >>
> > > >
> > >
> >
> > ***********************
> > You can unsubscribe from gptalk by sending email to
> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
> > logging into the freelists.org Web interface. Archives for the list are
> > available at http://www.freelists.org/archives/gptalk/
> > ************************
> >
> 

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: