[gptalk] Re: GPO annoyances.. ?

  • From: "MONTGOMERY, RONALD [AG/1000]" <ronald.montgomery@xxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 6 Feb 2007 15:19:16 -0600

For certain reasons I can't link user policies in my OUs. If there's a user
setting I have to manage (like screensaver settings), I have to use a policy
assigned to the computer and leverage the loopback setting in my loopback
policy to apply the policy to users who log in to that computer.

Early on, we didn't really understand how loopback worked. We tried to
manage exceptions to the user settings in these computer policies by
computer instead of by users (it actually worked most of the time too). So
in other words, I was managing screensaver settings exceptions by denying
the computer permissions to apply the policy, instead of denying the user
account (which makes more sense and is the correct method of management).

Now, if we have a user setting in a computer policy, we manage exceptions to
that user policy by user. Not by computer, even though it's a policy
assigned to a computer.

 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of hboogz
Sent: Tuesday, February 06, 2007 2:24 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO annoyances.. ?

 

hey ronald -

could you explain what you mean by this "and manage user policy exception by
user."

I don't quite understand your setup and could use some insight into it as
it may be applicable.

Thanks,




On 2/6/07, MONTGOMERY, RONALD [AG/1000] <ronald.montgomery@xxxxxxxxxxxx> wrote:

No, that answers the question. We manage our environment by computer, so
even user settings have to be applied through a computer policy. We use the
loopback in one policy for the other policies, and manage user policy
exception by user. 

It's fun!

 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, February 06, 2007 2:09 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO annoyances.. ?

 

I'm not sure I quite follow the question. Basically you can set user
loopback policy anywhere within the scope of the computer object. The only
reason I usually do it within the GPO that enables loopback is because it's
just clearer when it's all happening in one spot.

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of MONTGOMERY, RONALD [AG/1000]
Sent: Tuesday, February 06, 2007 11:56 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO annoyances.. ?

 

What if you want other policies to utilize the loopback setting you've set
through another policy? Is there a best practice or preferred way, or should
you not do it at all? 

 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, February 06, 2007 1:51 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO annoyances.. ?

 

Glad I could help. As for best practice, yes, I usually set the user
policies I want for loopback in the same GPO that enables loopback, so
you're ok there. 

 

As for the utility, it's a bit tricky because of what it's trying to do,
esp. if you need to clean user policies. Basically you need to install the
utility on the system where the user logs on, and then log on to the
system as an administrator, and then run the utility against the target
user's profile.

 

Let me know if you have any questions.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of hboogz
Sent: Tuesday, February 06, 2007 10:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO annoyances.. ?

 

Hey Darren,

Thanks for responding -- you deserve a lot of credit for being so diligent
on this mailing list, on behalf of everyone -- Thank You.

I enabled loopback within the same GPO -- what's the best practice in a
classroom type scenario for GPO handling?

I think your utility will work wonders -- I will give it a shot.

Thanks,

On 2/6/07, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

Hi there. So, you have merge mode loopback set -- where were you setting the
lockdown policy? In the loopback GPO or in the user's normal GPO?

 

Also, just an FYI that I have a free utility that is meant to clean out
policies and preferences from computers and users. It's called
cleanregpol.exe and can be downloaded at http://www.sdmsoftware.com/products.php
(under the Freeware section). It might help.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of hboogz
Sent: Tuesday, February 06, 2007 8:55 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO annoyances.. ?

 

Hey All -

Windows 2003 R2 server.

Windows XP SP2 clients.

I have a GPO setting applied and enforced on an OU that contains one user
called LAB1.

I had some desktop settings (such as prohibit saving settings, prohibit
changing desktop, etc., related to desktop lockdown).

I've disabled some of these settings under the advice of management, but a
few of the lab machines that this user logs into still retain these
settings and prevent me from changing wallpaper!

I've done an rsop.msc with none of those settings being applied. I've
checked the local computer policy (mmc/group policy object editor/local
computer) but still nothing.

I have the GPO's loopback processing mode set to merge right now.

Any ideas would be great as I'm stumped?


Is there a way to purge the gpt/gpc cache from the local machine?

Thanks,

-- 
HBooGz:\> 




-- 
HBooGz:\> 

This e-mail message may contain privileged and/or confidential information,
and is intended to be received only by persons entitled to receive such
information. If you have received this e-mail in error, please notify the
sender immediately. Please delete it and all attachments from any servers,
hard drives or any other media. Other use of this e-mail by you is strictly
prohibited.

All e-mails and attachments sent and received are subject to monitoring,
reading and archival by Monsanto. The recipient of this e-mail is solely
responsible for checking for the presence of "Viruses" or other "Malware".
Monsanto accepts no liability for any damage caused by any such code
transmitted by or accompanying this e-mail or any attachment.





-- 
HBooGz:\> 
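
A small model of the loopback behaviour discussed in this thread, added here as an illustration (it is not code from any poster or from Microsoft). It builds the user-side GPO list for off, merge and replace modes and applies a per-user exception to a GPO linked at the computer's OU; the GPO names, setting names and the "presenter" account are constructed, and it assumes user-side settings are filtered against the user account only.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    user_settings: dict
    # Accounts denied "Apply Group Policy" on this GPO (the per-user exception list).
    deny_apply: set = field(default_factory=set)

def resultant_user_settings(user, user_ou_gpos, computer_ou_gpos, loopback=None):
    """Return {setting: (value, winning GPO)} for `user` at logon.

    loopback is None (off), "merge" or "replace"; GPO lists are in processing order.
    Assumption of this model: user-side settings are filtered against the user
    account only, which is how the top message manages its exceptions.
    """
    if loopback is None:
        ordered = list(user_ou_gpos)
    elif loopback == "replace":
        ordered = list(computer_ou_gpos)        # the user's own GPOs are ignored
    elif loopback == "merge":
        ordered = list(user_ou_gpos) + list(computer_ou_gpos)  # computer side last
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")

    result = {}
    for gpo in ordered:
        if user in gpo.deny_apply:
            continue                            # exception: GPO skipped for this user
        for setting, value in gpo.user_settings.items():
            result[setting] = (value, gpo.name)  # a later GPO overwrites an earlier one
    return result

# Constructed sample data: GPO names, setting names and "presenter" are hypothetical.
USER_OU = [Gpo("Staff Desktop", {"ScreenSaverTimeout": 1800, "Wallpaper": "corp.bmp"})]
COMPUTER_OU = [
    Gpo("Lab Loopback", {}),                    # only turns loopback on
    Gpo("Lab Screensaver", {"ScreenSaverTimeout": 300, "ScreenSaverSecure": True},
        deny_apply={"presenter"}),
]

if __name__ == "__main__":
    for user in ("LAB1", "presenter"):
        for mode in (None, "merge", "replace"):
            print(user, mode, resultant_user_settings(user, USER_OU, COMPUTER_OU, mode))
```

In merge mode the computer-side GPOs are processed last, so their user settings win any conflict with the user's own GPOs; in replace mode an excepted user ends up with no user settings from the lab GPOs at all.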

