[gptalk] Re: Disadvantages of Tattooing.

  • From: "Nelson, Jamie R" <Jamie.Nelson@xxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 4 Jan 2008 15:19:47 -0600

I think you guys are talking about the same thing. The policy value
either exists or it doesn't. If it's there via a GPO, then the
application uses it. If not, it reverts to whatever is set in the
corresponding preference area. So technically it doesn't re-enable or
restore anything; it just appears that way by the presence/removal of
the policy key.

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, January 04, 2008 2:52 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disadvantages of Tattooing.

 

Alan-

Good points. However, I am not clear on one thing that you say below,
"removing these Policy keys will reenable what the user had in the
non-policy key". This implies that previous key values are somehow
cached which I have never seen. Typically if a policy key is removed,
its value is simply deleted. I have never seen any restoral of a key's
previous value (unless that value was to not exist!). What I have seen
get restored are security settings (i.e. non-Administrative Template
stuff) on the local machine when a policy no longer applies to the
machine. But that's specific to security settings. 

 

Also, you're correct on the observation that making changes to policy
keys outside of GP effectively kills the non-tattooing behavior of those
keys. It's a subtle yet irritating behavior. 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Alan & Margaret
Sent: Friday, January 04, 2008 12:44 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disadvantages of Tattooing.

 

Just a couple of minor points... 

 

While Jamie is correct in that you need another policy to undo the
setting, the really annoying problem is that you can never get back to
what the user originally had. When the policy is first applied it
destroys the original setting. The use of the POLICY keys as described
by Darren's link, means that the original user settings are still
maintained, so removing these Policy keys will reenable what the user
had in the non-policy key.

 

The statement in Darren's link "the first thing that Windows does is
remove all registry values under our 4 magic keys" oversimplifies the
process slightly. Group Policy processing only deletes the entries that
were placed there via Group Policy. If you manually create an entry
under these "Magic keys" by some other method, it will stay there. This
can be a good thing, or a bad thing. The list of entries to be removed
from the user's registry is kept in a file called ntuser.pol in the
user's profile. This is why (as discussed earlier in this group) you get
in trouble if your default policy has a version of ntuser.pol which is
not consistent with the registry in the default profile.     

  

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
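
An added example, not part of the original thread: a check for the case Alan describes, where values created under the policy keys by some other method are not listed in ntuser.pol and therefore survive when the GPO stops applying. It assumes ntuser.pol uses the PReg registry policy file format and takes the two per-user policy roots from general Group Policy knowledge rather than from the thread; the key names, value names and registry snapshot are constructed.

```python
import struct

# The two per-user policy roots (relative to HKCU), lower-cased for matching.
POLICY_ROOTS = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")

def _w(s):
    return s.encode("utf-16-le")

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past NUL)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end >= len(buf):
            raise ValueError("truncated policy file")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_pol(buf):
    """Return the set of (key, value) names recorded in a PReg v1 file."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a PReg v1 file")
    pos, tracked = 8, set()
    while pos < len(buf):                    # entry: [key;value;type;size;data]
        key, pos = _wstr(buf, pos + 2)       # skip '['
        value, pos = _wstr(buf, pos + 2)     # skip ';'
        size = struct.unpack_from("<I", buf, pos + 8)[0]  # past ';' type ';'
        pos += 8 + 4 + 2 + size + 2          # then size, ';', data, ']'
        if not value.startswith("**"):       # '**' names are directives
            tracked.add((key.lower(), value.lower()))
    return tracked

def untracked(live, tracked):
    """Values under the policy roots that the .pol file does not list; Group
    Policy processing will not delete these when the GPO stops applying."""
    return sorted((k, v) for k, v in live
                  if k.lower().startswith(POLICY_ROOTS)
                  and (k.lower(), v.lower()) not in tracked)

def _entry(key, value, rtype, data):
    """Build one PReg entry (used only to construct the sample below)."""
    return (_w("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype)
            + _w(";") + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))

# Constructed sample: one value delivered by a GPO, one written by hand.
APP = "Software\\Policies\\ExampleVendor\\App"
SAMPLE_POL = b"PReg" + struct.pack("<I", 1) + _entry(APP, "LockSetting", 4,
                                                      struct.pack("<I", 1))
LIVE = [(APP, "LockSetting"),                        # tracked in the .pol file
        (APP, "ManualTweak"),                        # created outside GP
        ("Software\\ExampleVendor\\App", "LockSetting")]  # preference area
```

On a real machine, `LIVE` would be an enumeration of the user's hive and `SAMPLE_POL` the bytes of the profile's ntuser.pol.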

 

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Saturday, 5 January 2008 1:50 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disadvantages of Tattooing.

 

Couldn't have said it better. You can take a look at this page on my
site that I wrote a while ago, which explains the mechanics of it, if
you're interested: http://www.gpoguy.com/faqs/tattoo.htm.

 

BTW, as a humorous aside, when us GP MVPs were last up in Redmond the GP
team asked us about the word "Preferences" and what they meant to us.
Most of us, of course, responded that they were tattooing policy values
because that's what they've been called forever. But enough folks didn't
say that they decided to give the "Group Policy Preferences" name to the
upcoming DesktopStandard PolicyMaker product. I thought (and still
think) it's confusing because Preferences == Tattooing but I guess I'm
not in marketing...

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R
Sent: Friday, January 04, 2008 6:44 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disadvantages of Tattooing.

 

Well, when a preference is tattooed in the registry you can't undo it by
simply unlinking the policy. You would have to enforce that setting's
opposite value via another GPO.

 

It can be quite a pain in larger, more complex environments. However,
when a policy-based setting does not exist, it may oftentimes be your
only option.

 

Regards,

Jamie Nelson

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nidhi Garg
Sent: Friday, January 04, 2008 2:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Disadvantages of Tattooing.

 

Hi, 


Wanted to know about disadvantages of Tattooing of registry based group
policies.

How can it affect the policy effect?

 

Thanks

 

________________________________

This e-mail may contain identifiable health information that is subject
to protection under state and federal law. This information is intended
to be for the use of the individual named above. If you are not the
intended recipient, be aware that any disclosure, copying, distribution
or use of the contents of this information is prohibited and may be
punishable by law. If you have received this electronic transmission in
error, please notify us immediately by electronic mail (reply).
