[gptalk] Re: GP for IIS and SQL

  • From: "Ranjan Babu .G" <ranjan.ganesh@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 18 Apr 2007 12:27:42 +0530

Thanks LP and John,
 
Good suggestion. I will revert to you after applying the GP as per the suggestion.
 
-Ranjan

------------------------------

Subject: [gptalk] GP for IIS and SQL
Date: Tue, 17 Apr 2007 13:25:19 +0530
From: "Ranjan Babu .G" <ranjan.ganesh@xxxxxxxxxx>
------------------------------

Date: Tue, 17 Apr 2007 08:57:51 +0100 (BST)
From: Linux'o Mania <linuxomania@xxxxxxxxxxx>
Subject: [gptalk] Re: GP for IIS and SQL

Use a batch file with the following contents & put it in the Computer Startup Script 
section of the GPO...

  net localgroup Administrators /add <domain\ID>

Replace <domain\ID> with your domain's NETBIOS name & domain account or 
group...

Regds,
LP
 
"Ranjan Babu .G" <ranjan.ganesh@xxxxxxxxxx> wrote:
Hi,

One of my customers has multiple servers running IIS and SQL under the IIS and SQL 
OU. While applying/editing group policy I have to manually select and add 
Administrators for each server.

How do I resolve the issues below?

1. For example, if I want to add sqladmin for a policy I have to add
server1\sqladmin, server2\sqladmin ....

Instead of adding all the server names, is any shortcut method available to add 
them in a single line?

What happens in our case is that if I add the user “server1\sqladmin” in group 
policy, it applies the same user to all servers, which creates a problem.

Note: we have created a user with the same name (sqladmin) for this purpose.

2. The domain server does not have IIS and SQL Server installed. If I want to 
create/edit a group policy for the IIS and SQL Server OU, which is the best 
option: editing the group policy from the domain server's GPMC or from another 
IIS/SQL server?

We are facing a problem adding file security for c:\program files\MS SQL from the 
domain GPMC. It does not allow us to add it because the path (SQL Server) is not 
available on that server.

3. If I create a system variable, e.g. %BACKUP%, that gives the path to one of 
my backup directories, and I add this directory %BACKUP% in file system security 
at the group policy level, will all servers refer to the same path given in the 
system variable and apply the security setting given for the folder (%BACKUP%)?

Thanks and Regards,

Ranjan

-----Original Message-----
From: FreeLists Mailing List Manager [mailto:ecartis@xxxxxxxxxxxxx]
Sent: Tue 4/17/2007 1:05 PM
To: Ranjan Babu .G
Cc:
Subject: Welcome to list 'gptalk'



Welcome to the GPOGUY.COM gptalk mailing list! The purpose of this list is to 
ask (and answer) questions regarding Windows Group Policy. This list was 
created in conjunction with the gpoguy.com website.

To send a message to the list, send email to: gptalk@xxxxxxxxxxxxx

The list archive is at http://www.freelists.org/archives/gptalk

General list information is at http://www.freelists.org/list/gptalk

To unsubscribe send email to gptalk-request@xxxxxxxxxxxxx with a subject of 
'unsubscribe'

We ask that you maintain proper list etiquette when asking and answering 
questions. This includes, but is not limited to:

- Ask only questions that are relevant to Windows Group Policy
- Start a new list thread when you have a different question than in the 
original post
- Be polite!
- No advertising or shameless promotion of commercial products on the list. It's 
ok to mention products if it's relevant to a question or if you have product stuff 
in your email signature, but don't create a new post simply for the purposes of 
pitching a product
- Did I mention that politeness is key? We reserve the right to boot anyone off 
the list who is repeatedly misbehaving
- Finally, please set your list membership on vacation mode when you are out of 
the office and do not send OOF messages to the list.

Thanks and again, Welcome!

Darren (aka GPOGUY)





---------------------------------
 Yahoo! Answers - Got a question? Someone out there knows the answer. Try it now.
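As an added example (not LP's script and not from the gptalk list), here is the same Computer Startup Script idea written so that it can be run on every server in the OU safely: it grants a single domain group, rather than a per-server "serverN\sqladmin" account, membership of the local Administrators group, checks first so repeated startups do not error, and logs what it did. DOMAIN\SQL-LocalAdmins and the log path are placeholders.

```batch
@echo off
rem Added example, not from the list: GPO Computer Startup Script that adds one
rem domain group to the local Administrators group on whichever server runs it.
rem Because the same domain group name is valid on every server, one line in the
rem GPO covers all of them (Ranjan's question 1). Startup scripts run as SYSTEM.
setlocal
set "GRP=DOMAIN\SQL-LocalAdmins"                         rem placeholder group
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"       rem placeholder log path

rem Idempotency check: "net localgroup" lists current members one per line, so a
rem hit on the group name means there is nothing to do.
net localgroup Administrators | find /i "SQL-LocalAdmins" >nul
if errorlevel 1 (
    net localgroup Administrators "%GRP%" /add >nul 2>&1
    if errorlevel 1 (
        echo %date% %time% %computername% FAILED to add %GRP% to Administrators >>"%LOG%"
    ) else (
        echo %date% %time% %computername% added %GRP% to Administrators >>"%LOG%"
    )
) else (
    echo %date% %time% %computername% %GRP% already in Administrators >>"%LOG%"
)
endlocal
```

Because the script runs as SYSTEM from SYSVOL, whoever can edit the GPO controls local admin membership on every server it applies to, so the GPO's own ACL deserves the same care as the group. Dave's reply in this thread points at the alternative that is enforced rather than merely applied once: a Restricted Groups setting in the same GPO, which re-asserts the membership at every refresh.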


------------------------------

Subject: [gptalk] Re: GP for IIS and SQL
Date: Tue, 17 Apr 2007 09:30:50 +0100
From: "Blackshaw, Dave" <Dave.Blackshaw@xxxxxxxxxxxx>

Ranjan,


As LP says (without mentioning it), you need a domain account under which to 
run the SQL service.  You can then grant this “local administrator rights” 
using the batch file provided below.



However, the domain SQL service account will also require the following rights 
on each SQL server, which can be achieved through GPO:

Act as part of the operating system (SeTcbPrivilege)
Adjust memory quotas for a process [Increase Quotas] (SeIncreaseQuotaPrivilege)
Lock pages in memory (SeLockMemoryPrivilege)
Log on as a batch job (SeBatchLogonRight)
Log on as a service (SeServiceLogonRight)
Replace a process level token (SeAssignPrimaryTokenPrivilege)

You’ll also need to enable the following services to run, if you’re 
restricting services:

MSSQLSERVER
MSSQLServerADHelper
SQLSERVERAGENT

For IIS, it’s a little more complicated due to the machine-specific 
“IUSR_xxxx” and “IWAM_xxxx” user accounts.  To get around this, each 
IIS server should have two local groups defined on it, e.g. “Local-IUSR” 
and “Local-IWAM”, which contain just these accounts, respectively.  You can 
then use these groups (without the machine-specific reference) in any GPO.  
Assigning rights and nesting groups using a “restricted group” policy 
allows free-form text entry.

Local-IWAM will require these rights:

Adjust memory quotas for a process [Increase Quotas] (SeIncreaseQuotaPrivilege)
Log on as a batch job (SeBatchLogonRight)
Replace a process level token (SeAssignPrimaryTokenPrivilege)

Local-IUSR needs to be moved out of the local Guests group and will require:

Allow log on locally [Log on locally] (SeInteractiveLogonRight)
Log on as a batch job (SeBatchLogonRight)

You’ll need to allow the local group IIS_WPG:

Log on as a batch job (SeBatchLogonRight)

And ASPNET will need:

Log on as a batch job (SeBatchLogonRight)
Log on as a service (SeServiceLogonRight)



Hope that makes sense to all.



Dave

Directory & Messaging Services

Int:   824432

Ext:  (01784) 874432





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Linux'o Mania
Sent: 17 April 2007 08:58
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP for IIS and SQL



Use a batch file with the following contents & put it in the Computer Startup Script 
section of the GPO...

net localgroup Administrators /add <domain\ID>

Replace <domain\ID> with your domain's NETBIOS name & domain account or group...



Regds,

LP



"Ranjan Babu .G" <ranjan.ganesh@xxxxxxxxxx> wrote:

        Hi,

        One of my customers has multiple servers running IIS and SQL under the
        IIS and SQL OU. While applying/editing group policy I have to manually
        select and add Administrators for each server.

        How do I resolve the issues below?

        1. For example, if I want to add sqladmin for a policy I have to add
        server1\sqladmin, server2\sqladmin ....

        Instead of adding all the server names, is any shortcut method
        available to add them in a single line?

        What happens in our case is that if I add the user “server1\sqladmin”
        in group policy, it applies the same user to all servers, which
        creates a problem.

        Note: we have created a user with the same name (sqladmin) for this
        purpose.

        2. The domain server does not have IIS and SQL Server installed. If I
        want to create/edit a group policy for the IIS and SQL Server OU, which
        is the best option: editing the group policy from the domain server's
        GPMC or from another IIS/SQL server?

        We are facing a problem adding file security for c:\program files\MS SQL
        from the domain GPMC. It does not allow us to add it because the path
        (SQL Server) is not available on that server.

        3. If I create a system variable, e.g. %BACKUP%, that gives the path to
        one of my backup directories, and I add this directory %BACKUP% in file
        system security at the group policy level, will all servers refer to
        the same path given in the system variable and apply the security
        setting given for the folder (%BACKUP%)?

        Thanks and Regards,

        Ranjan
       
        -----Original Message-----
        From: FreeLists Mailing List Manager [mailto:ecartis@xxxxxxxxxxxxx]
        Sent: Tue 4/17/2007 1:05 PM
        To: Ranjan Babu .G
        Cc:
        Subject: Welcome to list 'gptalk'
       
       
       
        Welcome to the GPOGUY.COM gptalk mailing list! The purpose of this list 
is to ask (and answer) questions regarding Windows Group Policy. This list was 
created in conjunction with the gpoguy.com website.
       
        To send a message to the list, send email to: gptalk@xxxxxxxxxxxxx
       
        The list archive is at http://www.freelists.org/archives/gptalk
       
        General list information is at http://www.freelists.org/list/gptalk
       
        To unsubscribe send email to gptalk-request@xxxxxxxxxxxxx with a 
subject of 'unsubscribe'
       
        We ask that you maintain proper list etiquette when asking and 
answering questions. This includes, but is not limited to:
       
        - Ask only questions that are relevant to Windows Group Policy
        - Start a new list thread when you have a different question than in 
the original post
        - Be polite!
        - No advertising or shameless promotion of commercial products on the 
list. It's ok to mention products if it's relevant to a question or if you have 
product stuff in your email signature, but don't create a new post simply for 
the purposes of pitching a product
        - Did I mention that politeness is key? We reserve the right to boot 
anyone off the list who is repeatedly misbehaving
        - Finally, please set your list membership on vacation mode when you 
are out of the office and do not send OOF messages to the list.
       
        Thanks and again, Welcome!
       
        Darren (aka GPOGUY)
       
       
       
       
       

________________________________

Yahoo! Answers - Got a question? Someone out there knows the answer. Try it now.
<http://uk.answers.yahoo.com/;_ylc=X3oDMTEydmViNG02BF9TAzIxMTQ3MTcxOTAEc2VjA21haWwEc2xrA3RhZ2xpbmU>


_____________________________________________________________________
The information contained in or attached to this email is intended only for the 
use of the individual or entity to which it is addressed. If you are not the 
intended recipient, or a person responsible for delivering it to the intended 
recipient, you are not authorised to and must not disclose, copy, distribute, 
or retain this message or any part of it. It may contain information which is 
confidential and/or covered by legal professional or other privilege (or other 
rules or laws with similar effect in jurisdictions outside England and Wales).
The views expressed in this email are not necessarily the views of Centrica 
plc, and the company, its directors, officers or employees make no 
representation or accept any liability for its accuracy or completeness unless 
expressly stated to the contrary.

Centrica plc

Registered office: Millstream, Maidenhead Road, Windsor, Berkshire SL4 5GD

Registered in England and Wales No 3033654
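The rights Dave lists are exactly what a GPO writes into the security template (GptTmpl.inf) under the policy's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL, and the Administrators membership LP's script adds is what the Restricted Groups section of the same file expresses. The fragment below is an added example, not from Dave's reply or the gptalk list: DOMAIN\svc-sql and DOMAIN\SQL-LocalAdmins are placeholder names, while Local-IUSR, Local-IWAM, IIS_WPG and ASPNET are the local groups and accounts Dave names. The well-known SIDs shown as existing holders are the usual Windows Server 2003 defaults and are an assumption to verify on the target build.

```ini
; Added example (not from the list): GptTmpl.inf fragment for a GPO linked to the
; IIS/SQL OU. Placeholders: DOMAIN\svc-sql (SQL service account),
; DOMAIN\SQL-LocalAdmins (admin group). Local-IUSR, Local-IWAM, IIS_WPG, ASPNET
; are the per-server local groups/accounts from Dave's reply.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

; Restricted Groups. The "__Memberof" form ADDS the domain group to the local
; Administrators group (*S-1-5-32-544) on every server in the OU without
; removing the group's other members, so one line replaces server1\sqladmin,
; server2\sqladmin, ... (Ranjan's question 1). The "__Members" form would
; instead replace the whole membership at every refresh.
[Group Membership]
DOMAIN\SQL-LocalAdmins__Memberof = *S-1-5-32-544

; User Rights Assignment. Each line REPLACES the right's holders on the target,
; it does not append, so the accounts that already hold the right must be
; listed as well. Assumed defaults used here: Administrators *S-1-5-32-544,
; LOCAL SERVICE *S-1-5-19, NETWORK SERVICE *S-1-5-20, Backup Operators
; *S-1-5-32-551, Users *S-1-5-32-545. Local names are resolved on each server.
[Privilege Rights]
SeTcbPrivilege = DOMAIN\svc-sql
SeLockMemoryPrivilege = DOMAIN\svc-sql
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,DOMAIN\svc-sql,Local-IWAM
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,DOMAIN\svc-sql,Local-IWAM
SeServiceLogonRight = *S-1-5-20,DOMAIN\svc-sql,ASPNET
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,DOMAIN\svc-sql,Local-IWAM,Local-IUSR,IIS_WPG,ASPNET
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545,Local-IUSR
```

Before linking the GPO, the template can be compared against a representative server with `secedit /analyze /db test.sdb /cfg GptTmpl.inf /log test.log`, which reports every right whose current holders differ from the template, so a line that would silently strip Administrators or NETWORK SERVICE of a right shows up before it is enforced across the OU. Two of the rights Dave lists, SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, let the holder run code as any user, so the OU this GPO is linked to should contain only the SQL servers that need them.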


------------------------------

From: "Bob Coffman - Info From Data Corp." <bcoffman@xxxxxxxxxxxxxxxx>
Subject: [gptalk] Re: Restrict access to Drives (Windows 2000)
Date: Tue, 17 Apr 2007 08:23:39 -0400

Well if it were me....

I'd retain the original Notepad.exe and call something else.

I'd dump all computer objects in the domain(s) using ldifde or csvde and
script the copy of the new executable to each workstation, logging the
results so I could go back and get what was missed.

- Bob
  _____ 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Linux'o Mania
Sent: Tuesday, April 17, 2007 3:03 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Restrict access to Drives (Windows 2000)


That's a very good option, thanks, but how do I replicate it to 500+
workstations then?
Are you recommending that I change the original Notepad.exe & then copy it to
all 500+ workstations using a batch/vbscript file in Computer Startup Event?

Regds,
LP

"Bob Coffman - Info From Data Corp." <bcoffman@xxxxxxxxxxxxxxxx> wrote:

> Are there any other viewpoints of the group?

You could try removing the save option or file menu from a copy of your
notepad.exe using Resource Hacker.







  _____ 

Yahoo! Answers - Got a question? Someone out there knows the answer. Try it now.
<http://uk.answers.yahoo.com/;_ylc=X3oDMTEydmViNG02BF9TAzIxMTQ3MTcxOTAEc2VjA21haWwEc2xrA3RhZ2xpbmU>



------------------------------

Date: Tue, 17 Apr 2007 07:38:05 -0400
Subject: [gptalk] Re: gpupdate question
From: "Martin Hugo" <Martin_Hugo@xxxxxxxx>

Are you, by any chance, accessing the server remotely?  Is there a policy
in place that denies remote admin rights?  Try blocking inheritance on the
OU to see if it is a current policy that is giving you the issue.
Martin T. Hugo
Network Administrator
Hilliard City Schools
Tel: 614-921-7102
Martin_Hugo@xxxxxxxx

gptalk@xxxxxxxxxxxxx writes:
>John-
>Sounds like two different issues. You will get the "Ok to reboot" message
>any time that certain client side extensions (e.g. Software Installation
>or
>Folder Redirection) need to run a foreground processing mode in order to
>apply.
>
>On the 2nd issue, I'm not familiar with fport, so not sure I can answer
>that
>but it is very possible that if your server was getting security policy
>from a different OU, that moving it to the new OU would not automatically
>undo that policy. Normally, security policy "tattoos" a machine unless you
>explicitly countermand it with a new policy.
>
>Darren
>
>-----Original Message-----
>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
>Behalf Of jfvanmeter@xxxxxxxxxxx
>Sent: Monday, April 16, 2007 10:52 AM
>To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] gpupdate question
>
>Hello Everyone, I have a question that I need help with.
>
>I have a member server Win2k3 SP1, that was placed in the wrong OU and got
>my
>Windows XP Group Policy.
>
>Then it was moved to the correct OU, and receives the member server
>policy.
>
>Every time I run "gpupdate /force" I get the following. Certain Computer
>policies are enabled that can only run during startup.
>ok to Reboot? (Y/N)
>
>Every time that I refresh group policy it wants to reboot, I see 1704
>events
>that security policy in the group policy object has been applied
>successfully.
>
>I've run gpupdate as the local admin and as a domain admin.
>
>If I try to run fport on the server as either a local admin or a domain
>admin I get the following error "You must have administrator privileges to
>run fport - exiting......
>
>The local admin account is in the administrators group, and the domain
>admin
>group is in the administrators group.
>
>Could this be a registry tattoo from the xp policy that got applied? any
>thoughts?
>
>Thanks Everyone, take care and have fun --John
>
>
>
>
>***********************
>You can unsubscribe from gptalk by sending email to
>gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
>by logging into the freelists.org Web interface. Archives for the list
>are available at http://www.freelists.org/archives/gptalk/
>************************





------------------------------

Date: Tue, 17 Apr 2007 07:42:54 -0400
Subject: [gptalk] Re: Restrict access to Drives (Windows 2000)
From: "Martin Hugo" <Martin_Hugo@xxxxxxxx>

Ah, I see, so they can save to a network share?  How about folder redirect
and disable "save as" in Word (using ADMs), and don't allow any other
programs to run?
As far as the paper theft is concerned, you have to have trust in your
employees, you can't erase their minds when they walk out the door ;)

Martin T. Hugo
Network Administrator
Hilliard City Schools
Tel: 614-921-7102
Martin_Hugo@xxxxxxxx

gptalk@xxxxxxxxxxxxx writes:
>The point is that as per the client's policy they should not save anything on
>the local desktop. Earlier they were using paper and pencil only, but that was
>vulnerable too. Imagine a situation where I can write confidential
>details on paper & take it out & sell it. (Recently there have been many
>cases like this).
>Regds,
>LP
>
>
>Martin Hugo <Martin_Hugo@xxxxxxxx> wrote:
>
> 
>Or you could have them use paper and pencil.  Sorry but I can't imagine
>using a computer as a glorified notepad.  If I am going to type something
>I darned well better be able to save it, otherwise what's the point?
>
>Martin T. Hugo
>Network Administrator
>Hilliard City Schools
>Tel: 614-921-7102
>Martin_Hugo@xxxxxxxx
>
>
>
>
> 
>---------------------------------------------------------------------------
>Yahoo! Answers - Got a question? Someone out there knows the answer. Try it now.




------------------------------

Date: Tue, 17 Apr 2007 07:54:38 -0400
Subject: [gptalk] General question about Machine and User Policy
From: "Martin Hugo" <Martin_Hugo@xxxxxxxx>

Hello,
Just a general question; if a user policy and a machine policy are at
odds, who wins?

Martin T. Hugo
Network Administrator
Hilliard City Schools
Tel: 614-921-7102
Martin_Hugo@xxxxxxxx




------------------------------

From: <tools@xxxxxxxxxx>
Subject: [gptalk] Re: General question about Machine and User Policy
Date: Tue, 17 Apr 2007 08:25:29 -0700

It generally depends upon the setting but in most cases where Admin.
Templates are concerned, the machine policy wins.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Martin Hugo
Sent: Tuesday, April 17, 2007 4:55 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] General question about Machine and User Policy



Hello,

Just a general question; if a user policy and a machine policy are at odds,
who wins?

Martin T. Hugo
Network Administrator
Hilliard City Schools
Tel: 614-921-7102
Martin_Hugo@xxxxxxxx




------------------------------

From: jfvanmeter@xxxxxxxxxxx
Subject: [gptalk] Re: gpupdate question
Date: Tue, 17 Apr 2007 16:33:59 +0000

Hello everyone, and thank you all for the help. So far I've been unable to find 
the solution for this issue.
The server is a Win2k3 server that was put in an OU that had my XP Workstation 
policy linked to it, and that policy was applied to the server.

Then it was noted that the server was in the wrong OU and it was moved, and it 
now is receiving the Win2k3 Server Policy.

I've logged onto the server with both the local admin account (LLLLL.AAAAA) and 
my domain account
(DDDDDD.AAAAAA) and it doesn't seem to matter.

There are settings and ACLs that were applied from the XP Policy that are not 
correct for a Win2k3 server, and since the server policy doesn't replace them I 
believe this may be causing strange problems.

When I run Process Monitor and try to run MBSA or Fport I'm not seeing any 
access denied messages. The only thing to note is the following registry key.

When I run fport, proc mon logs the following:
hklm\software\microsoft\windows nt\currentversion\image file execution 
options\fport.exe name not found

When I run MBSA, proc mon logs the following:
HKLM\SAM\SAM\Domains\account\Users\Names\LLLLLL.AAAAA (<--- the account of the 
renamed local admin that is applied from my XP Workstation policy) name not 
found

Could it be the user profile still being named LLLLLLL.AAAAAA that is causing 
the problem?

I'm getting ready to turn on more logging on the server and see what that finds.

Take Care --John


-------------- Original message ----------------------
From: "Martin Hugo" <Martin_Hugo@xxxxxxxx>
> Are you, by any chance, accessing the server remotely?  Is there a policy
> in place that denies remote admin rights?  Try blocking inheritance on the
> OU to see if it is a current policy that is giving you the issue.
>
> Martin T. Hugo
> Network Administrator
> Hilliard City Schools
> Tel: 614-921-7102
> Martin_Hugo@xxxxxxxx
>
> gptalk@xxxxxxxxxxxxx writes:
> >John-
> >Sounds like two different issues. You will get the "Ok to reboot" message
> >any time that certain client side extensions (e.g. Software Installation
> >or
> >Folder Redirection) need to run a foreground processing mode in order to
> >apply.
> >
> >On the 2nd issue, I'm not familiar with fport, so not sure I can answer
> >that
> >but it is very possible that if your server was getting security policy
> >from a different OU, that moving it to the new OU would not automatically
> >undo that policy. Normally, security policy "tattoos" a machine unless you
> >explicitly countermand it with a new policy.
> >
> >Darren
> >
> >-----Original Message-----
> >From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> >Behalf Of jfvanmeter@xxxxxxxxxxx
> >Sent: Monday, April 16, 2007 10:52 AM
> >To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
> >Subject: [gptalk] gpupdate question
> >
> >Hello Everyone, I have a question that I need help with.
> >
> >I have a member server Win2k3 SP1, that was placed in the wrong OU and got
> >my
> >Windows XP Group Policy.
> >
> >Then it was moved to the correct OU, and receives the member server
> >policy.
> >
> >Every time I run "gpupdate /force" I get the following. Certain Computer
> >policies are enabled that can only run during startup.
> >ok to Reboot? (Y/N)
> >
> >Every time that I refresh group policy it wants to reboot, I see 1704
> >events
> >that security policy in the group policy object has been applied
> >successfully.
> >
> >I've run gpupdate as the local admin and as a domain admin.
> >
> >If I try to run fport on the server as either a local admin or a domain
> >admin I get the following error "You must have administrator privileges to
> >run fport - exiting......
> >
> >The local admin account is in the administrators group, and the domain
> >admin
> >group is in the administrators group.
> >
> >Could this be a registry tattoo from the xp policy that got applied? any
> >thoughts?
> >
> >Thanks Everyone, take care and have fun --John
> >
> >
> >
> >
> >***********************
> >You can unsubscribe from gptalk by sending email to
> >gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> >by logging into the freelists.org Web interface. Archives for the list
> >are available at http://www.freelists.org/archives/gptalk/
> >************************
>
>





------------------------------

From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
Subject: [gptalk] Re: General question about Machine and User Policy
Date: Wed, 18 Apr 2007 07:04:01 +1000

Hi Martin,
I would argue that from a group policy perspective neither wins.

If you have a machine policy, it will create registry keys in the Machine
area. If you have a User policy, it will create registry keys in the User
area. As such they are never at odds and both win.

It is then up to the application to decide which of the registry keys to
use, which really means the application designer decides which is more
likely to be correct.

Alan Cuthbertson





 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

Policy Log Reporter (Free):-
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml





  _____ 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of tools@xxxxxxxxxx
Sent: Wednesday, 18 April 2007 1:25 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: General question about Machine and User Policy



It generally depends upon the setting but in most cases where Admin.
Templates are concerned, the machine policy wins.



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Martin Hugo
Sent: Tuesday, April 17, 2007 4:55 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] General question about Machine and User Policy



Hello,

Just a general question; if a user policy and a machine policy are at odds,
who wins?

Martin T. Hugo
Network Administrator
Hilliard City Schools
Tel: 614-921-7102
Martin_Hugo@xxxxxxxx




------------------------------

From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
Subject: [gptalk] Re: General question about Machine and User Policy
Date: Tue, 17 Apr 2007 14:12:07 -0700

Alan-
While this is strictly true, in practice if you look at most Admin Template
policy items that have representation under both computer and user, nine times
out of ten the Explain text will mention that if both are set, the computer
configuration overrides the user configuration.



Darren





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: Tuesday, April 17, 2007 2:04 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: General question about Machine and User Policy



Hi Martin,

I would argue that from a group policy perspective neither wins.

If you have a machine policy, it will create registry keys in the Machine
area. If you have a User policy, it will create registry keys in the User
area. As such they are never at odds and both win.

It is then up to the application to decide which of the registry keys to
use, which really means the application designer decides which is more
likely to be correct.

Alan Cuthbertson





 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

Policy Log Reporter (Free):-
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml





  _____ 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of tools@xxxxxxxxxx
Sent: Wednesday, 18 April 2007 1:25 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: General question about Machine and User Policy



It generally depends upon the setting but in most cases where Admin.
Templates are concerned, the machine policy wins.



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Martin Hugo
Sent: Tuesday, April 17, 2007 4:55 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] General question about Machine and User Policy



Hello,

Just a general question; if a user policy and a machine policy are at odds,
who wins?

Martin T. Hugo
Network Administrator
Hilliard City Schools
Tel: 614-921-7102
Martin_Hugo@xxxxxxxx




------------------------------

Date: Wed, 18 Apr 2007 10:14:52 +0530
From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
Subject: [gptalk] USB storage block problem.

Hi all,
We have this script running in our Windows 2003 domain.

@echo off

:: *********DISABLE USB MASS STORAGE DEVICE********

regedit /s "\\Tai3dserver\SYSVOL\tai3d.com\scripts\disable.reg"

"\\Tai3dserver\SYSVOL\tai3d.com\scripts\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system

The subinacl.exe deployment was advised by Mr. Ray Lewis. Basically what the
script does is modify a registry value such that USB removable storage
devices are not read by the system, but new USB storage devices are getting
accessed. How do I block the modification of this registry value? Kindly
suggest methods; I'm a novice in this...

best regards
Ananth.
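The script above applies the USBSTOR setting once and then trusts it to stay put, which is exactly what Ananth sees failing when a new device is attached. An added example (not Ananth's script, not Ray Lewis's advice, and not from the list) that a defender would pair with it: a startup script that reads the current Start value of the UsbStor service key back, logs whether it has drifted from the disabled value of 4, and re-applies it. The log path is a placeholder; the value 4 (service disabled) is the standard meaning of a service's Start value and is not taken from Ananth's disable.reg, whose contents the post does not show.

```batch
@echo off
rem Added example, not from the list: detect and correct drift of the USBSTOR
rem Start value at every startup, so a machine where the driver was re-enabled
rem is recorded and reset rather than silently left open. Log path is a
rem placeholder. Start=4 means "disabled" for any Windows service.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\UsbStor"
set "LOG=%SystemRoot%\Temp\usbstor-check.log"
set "CUR="

rem "reg query" prints a line like "    Start    REG_DWORD    0x4"; the third
rem whitespace-separated token is the current value. CUR stays empty if the
rem value or the key is missing.
for /f "tokens=3" %%v in ('reg query "%KEY%" /v Start 2^>nul ^| find /i "Start"') do set "CUR=%%v"

if "%CUR%"=="0x4" (
    echo %date% %time% %computername% USBSTOR disabled ^(Start=0x4^) >>"%LOG%"
) else (
    echo %date% %time% %computername% DRIFT: Start was "%CUR%", resetting to 4 >>"%LOG%"
    reg add "%KEY%" /v Start /t REG_DWORD /d 4 /f >nul
)
endlocal
```

Collecting the DRIFT lines from the per-machine logs (or writing them to a central share instead) gives an inventory of which machines had the value changed and when, which is the evidence needed to work out what is rewriting it; the reset itself only restores the state for the next boot and does not, on its own, stop whatever changed it.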



------------------------------

End of gptalk Digest V2 #74
***************************

