[gptalk] Re: Custom ADM Issues

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 7 Feb 2008 07:04:41 -0800

The conversion happens automatically. The ADM is expecting a decimal value
so you are safe there with a Spin Control.

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jonathan Finkbiner
Sent: Thursday, February 07, 2008 6:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

 

The last policy has to be a REG_DWORD value but it has to be in decimal
format. When you create the key, you type the value (for example 60) and
when you bubble in "decimal" on the registry entry it changes the value from
60 to 0000003c. Is there a special way to provision for this? Or am I just
safe doing another spin control?

 

Jonathan Finkbiner

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Wednesday, February 06, 2008 4:37 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

 

That one's easy. The TXTCONVERT keyword converts those settings to REG_SZ.

 

And, on the last policy, you're using an EDITTEXT Part, which automatically
makes it REG_SZ.

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jonathan Finkbiner
Sent: Wednesday, February 06, 2008 1:29 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

 

I went through a couple different iterations trying to troubleshoot. You are
absolutely correct if you are saying I can consolidate this down into one
single policy. 

 

For some reason these are being written to the registry as REG_SZ and not
REG_DWORD values. Any ideas?

 

Jonathan Finkbiner

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Delaney, Doug
Sent: Wednesday, February 06, 2008 4:23 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

 

I also think you only need the first CATEGORY "NAC Options" and the last two
END CATEGORYs

 

Doug Delaney
EDS - Integration Engineering-GM
GM Desktop Engineering
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Cell: 248-210-4973
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx
Note: The information in this email is intended solely for the addressee.
Access to this email by anyone else is unauthorized. If you are not the
intended recipient, any disclosure, copying, distribution or any action
taken or omitted to be taken in reliance on it is prohibited.

 

 


  _____  


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R
Sent: Wednesday, February 06, 2008 3:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

You don't need the HKEY_LOCAL_MACHINE in the KEYNAME.

 

Jamie Nelson | Systems Engineer | Systems Support, Information Technology |
I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 |
http://www.integrisok.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jonathan Finkbiner
Sent: Wednesday, February 06, 2008 1:55 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Custom ADM Issues

 

Hey All,

I thought I sent this on Monday, but apparently with this "email" thing you
have to hit a send button to get it to work.

 

I was looking for a little feedback on a custom adm template I've been
working on. I am sure the problem is staring me right in the face but I am
completely missing it.

 

I want to generate and manage 3 keys on all computers across the domain. The
three keys are the following:

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
"SupplicantMode"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:0000003c (This should be a decimal value)

 

I've created adm templates before, but it has been a while and so far all I
can do is get the event log to spit angry messages at me. Here is a sample
of the code I am using (I've left off the strings comments to keep this as
brief as possible):

 

CLASS MACHINE

CATEGORY "System"

      CATEGORY "NAC Options"
            POLICY !!AMode
                  EXPLAIN !!AMode_Exp
                  KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
                  PART "Authentication Mode" NUMERIC
                        VALUENAME "AuthMode"
                        MIN   0
                        MAX   2
                        TXTCONVERT
                        DEFAULT 2
                        SPIN 1
                  END PART
            END POLICY
      END CATEGORY

      CATEGORY "NAC Options"
            POLICY !!SMode
                  EXPLAIN !!SMode_Exp
                  KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
                  PART "Supplicant Mode" NUMERIC
                        VALUENAME "SupplicantMode"
                        MIN   1
                        MAX   3
                        TXTCONVERT
                        DEFAULT 3
                        SPIN 1
                  END PART
            END POLICY
      END CATEGORY

      CATEGORY "NAC Options"
            POLICY !!Timeout
                  EXPLAIN !!Timeout_Exp
                  KEYNAME "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                  PART "Timeout for NAC Negotiation"
                        EDITTEXT REQUIRED
                        VALUENAME "GpNetworkStartTimeoutPolicyValue"
                        DEFAULT "0000003c"
                  END PART
            END POLICY
      END CATEGORY

END CATEGORY

 

There are 2 seemingly non-specific errors that I am getting that may help.
These are both from the event log:

"Windows cannot create registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (The parameter is incorrect. )."

"Windows cannot access the registry policy file, \\domain.com\SysVol\domain.com\Policies\{BA8CA221-6DC1-4631-B838-4135A66DE872}\Machine\registry.pol. (The parameter is incorrect. )."

 

As always, thanks in advance.

 

 

Jonathan Finkbiner <mailto:jfinkbiner@xxxxxxx> 

Information Services

Support Analyst

Lifestyle Family Fitness <http://www.lff.com/> 

 

 


  _____  


This e-mail may contain identifiable health information that is subject to
protection under state and federal law. This information is intended to be
for the use of the individual named above. If you are not the intended
recipient, be aware that any disclosure, copying, distribution or use of the
contents of this information is prohibited and may be punishable by law. If
you have received this electronic transmission in error, please notify us
immediately by electronic mail (reply).
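
The replies in this thread, applied to the template from the original post, as an added example (not code posted by anyone on the list): a single "NAC Options" category, no hive name in KEYNAME, TXTCONVERT removed, and the timeout as a NUMERIC part with a spin control. The MAX of 600 on the timeout and the text in the [strings] section are assumptions; the original post left its strings out.

```adm
; Added example: consolidated template built from the advice in this thread.
CLASS MACHINE

CATEGORY "System"
    CATEGORY "NAC Options"

        POLICY !!AMode
            EXPLAIN !!AMode_Exp
            KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
            ; NUMERIC without TXTCONVERT is written as REG_DWORD.
            PART "Authentication Mode" NUMERIC
                VALUENAME "AuthMode"
                MIN 0 MAX 2 DEFAULT 2 SPIN 1
            END PART
        END POLICY

        POLICY !!SMode
            EXPLAIN !!SMode_Exp
            KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
            PART "Supplicant Mode" NUMERIC
                VALUENAME "SupplicantMode"
                MIN 1 MAX 3 DEFAULT 3 SPIN 1
            END PART
        END POLICY

        POLICY !!Timeout
            EXPLAIN !!Timeout_Exp
            ; CLASS MACHINE already selects HKEY_LOCAL_MACHINE, so the
            ; hive name is not part of KEYNAME.
            KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
            ; NUMERIC instead of EDITTEXT: the value is entered in decimal
            ; and 60 is stored as dword:0000003c. MAX 600 is an assumed bound.
            PART "Timeout for NAC Negotiation" NUMERIC
                VALUENAME "GpNetworkStartTimeoutPolicyValue"
                MIN 0 MAX 600 DEFAULT 60 SPIN 1
            END PART
        END POLICY

    END CATEGORY
END CATEGORY

; Constructed display strings (assumed wording).
[strings]
AMode="Authentication Mode"
AMode_Exp="Sets AuthMode (0-2) under EAPOL\Parameters\General\Global."
SMode="Supplicant Mode"
SMode_Exp="Sets SupplicantMode (1-3) under EAPOL\Parameters\General\Global."
Timeout="Timeout for NAC Negotiation"
Timeout_Exp="Sets GpNetworkStartTimeoutPolicyValue under Winlogon, in decimal."
```

These keys sit outside the Policies branches of the registry, so the Group Policy editor treats them as preferences: they stay hidden until the "Only show policy settings that can be fully managed" filter is turned off, and the values remain on the machine after the GPO no longer applies.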

