[gptalk] Re: How to Apply Policy for system in workgroup or standalone

  • From: Thorbjörn Sjövold <thorbjorn.sjovold@xxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 3 May 2007 14:19:58 +0200

Ranjan,

 

I see that you have answered Alan, but unfortunately mails from you are being 
stripped as (false positive) exploits by our anti-spam, so I can only see 
messages where someone has replied, perhaps you have something in your 
signature or something that triggers it or we just have a crappy anti-spam 
system ;)

 

Anyway, I really agree with Alan, is there a reason why you cannot go for a 
domain instead, managing workgroups are not really a cost effective solution. 
But if you still want to manually edit remote local GPOs (one at a time) you 
can do it this way with GPOE: 

 

gpedit.msc /gpcomputer:  mycomputer.mydomain.local

 

 

But if you really want to perform stuff in a more automated way, you’ll need to 
use IGroupPolicyObject::OpenRemoteMachineGP() from a language that supports COM 
vtables, i.e not scripts and VB6,  and do not bother doing it from a Vista box, 
since it has been removed and replaced with the undocumented 
IGroupPolicyObject2 to support multiple local GPOs. And when you have opened 
the GPO, you can edit the registry policy, but besides that, the rest of the GP 
extensions are pretty much a black boxes.  So after saying that, you should 
really go for Alan’s suggestion and either create a script that you can run 
somehow, or even better add the computers to a domain. You’ll definitively 
benefit from it in the long run :) 

 

 

HTH,

 

 

Thorbjörn Sjövold

Special Operations Software

www.specopssoft.com <http://www.specopssoft.com> 

thorbjorn.sjovold a t specopssoft.com

 

Download our free tool for remote Gpupdate with graphical reporting, 
http://www.specopssoft.com/products/specopsgpupdate/ 
<http://www.specopssoft.com/products/specopsgpupdate/> 

 

 

 

 

 

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Alan & Margaret
Sent: den 3 maj 2007 00:59
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: How to Apply Policy for system in workgroup or standalone

 

Hi Ranjan,

 

Sorry... I don't think I can be a lot of help. As I have said, I haven't had 
much experience in a non domain environment and not much script work either. I 
tend to do everything in VB6.

 

As to running Local Policy remotely, I don't think you can. You may need to 
open a terminal session on the machine and then run it from there.

 

If you have scripted the Registry key settings for the machine, you can try 
running it from the start up directory (assuming the users have sufficient 
authority and you trust them not to delete it), otherwise you will have to get 
it to run from Local Group Policy, either by manually adding it on each machine 
or scripting up the process.  

 

Be aware that if you do it via a script, any changes will require a reboot of 
the machine. If you were using normal Group policy on a domain, and implemented 
it via Admin templates you can get it to refresh regularly.

 

I would question why you don't just make your life a lot simpler by creating a 
domain controller and using that rather than a work group. Your machine 
maintenance and User maintenance suddenly becomes a lot easier. I suspect it 
would be less work than trying to get local policies doing it for you.

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

 

 

 

 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ranjan Babu .G
Sent: Tuesday, 1 May 2007 4:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: How to Apply Policy for system in workgroup or standalone

 

Hi Alan Cuthbertson,

 

Very useful.

 

 

Is there is any way to open Local policy of remote system ( 2000 ,2003 
servers)in workgroup .In the senior if I have common admin username /password 
across the workgroup ?.Same way how to take report of all system in WG

 

If you have any script for this please help.

 

               

*          Do you want to do different things on different machines?

 

               Yes, We have different application (Application ,SQL ,IIS 
Servers) running on 2000 and 2003 environment 

 

*          Can you easily visit each machine

         Hope ,But nearly 50 can not. We can not reboot the system most of time.

 

 

*       How much effort are you willing to put in up front

Ready to put effort .If you guide me I can do it fast.

As of now I created script to adding registry keys and setting  security based 
on CIS recommendation for system context.

  

Regards,

Ranjan

 

gptalk] Re: How to Apply Policy for system in workgroup or standalone

 

*     From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx> 

*     To: <gptalk@xxxxxxxxxxxxx> 

*     Date: Mon, 30 Apr 2007 22:28:52 +1000 

 

Hi Ranjan,

 

 

 

It’s a long time since I have worked in a non-domain area, but I suspect the 

answer depends on several things such as:-

 

 

 

*          Do you trust the user to not try and circumvent what you are doing

 

*          Do you want to do different things on different machines

 

*          Can you easily visit each machine

 

*          How much effort are you willing to put in up front

 

 

 

Probably the easiest way is to write a script that runs from the startup 

folder. However, if you want to go beyond just adding registry keys and setting 

security, using Local Group Policy may be the go, but it is rather tedious 

manually running Local Group Policy on each machines. You can write code to 

configure Local Group Policy, but that is a lot of up front work. You mention 

ADM files. They are really a component within Local Group Policy and so are not 

really relevant.

 

 

 

If you are setting security, you may need to run it in the Machine context 

rather than the user context. This means that you need to run the script at 

machine start time not logon time. This can be done from Local Group Policy, 

but requires some programming work unless you manually set it up on each 

machine.

 

 

 

Hope that helps…

 

 

 

Alan Cuthbertson

 

 

 

 

 

-----Original Message-----

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 

Behalf Of Ranjan Babu .G

Sent: Monday, 30 April 2007 3:25 PM

To: gptalk@xxxxxxxxxxxxx

Subject: [gptalk] How to Apply Policy for system in workgroup or standalone

 

 

 

Hello Everyone ,

 

 

 

 

 

 

 

 

 

 

 

Our Client having 100 + server in workgroup (Mixed OS 2000 and 2003 Servers)  

and  would like to apply  policy (As per CIS benchmark )using any method   .And 

also need to add additional registry entry and secure the permission for 

registry key.

 

 

 

 

 

 

 

I want know in which  is best method to apply poliocy ? .

 

 

 

Using Script/ Local POlicy editor/ADM file ?

 

 

 

 

 

 

 

And how to proceed and looking forward to hearing from you.

 

 

 

 

 

 

 

Type of servers in workgroup.

 

 

 

 

 

 

 

1.Applictaion Server

 

 

 

2.Web Server

 

 

 

3.SQL DB server

 

 

 

 

 

 

 

Regards,

 

 

 

Ranjan

 

 

آ칻&~&ZF݊x‑)d-zX
"­˛m^Jy_]9 x"-ybyi[1]!~b֫yڊV歆i߭祊l܆+޳)d

Other related posts: