[gptalk] Re: Ignoring local group policy
- From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Tue, 20 Feb 2007 11:59:29 -0800
Sorry for the delayed response on this. I actually tried to take advantage of
the 3-day weekend :)
Anyway, it is possible to disable the local GPO. Actually, Vista ships with an
Admin Template policy to do this but assuming you are not using Vista, you can
do it, though it's not altogether obvious. Basically you have to set a flag on
the LGPO's GPT.INI file to accomplish this. I've created a VBScript that you
could run as a startup script in GP to do this. You would have to run it as
either a startup script or as an admin, because the file it writes to doesn't
grant access to normal users.
Also, you might want to precede running this script by copying the gpt.ini file
that is there to a backup file, just in case.
Here is the VBScript. I will also post it on my GPOGUY Tools site:
'==========================================================================
'
' VBScript Source File -- Created with SAPIEN Technologies PrimalScript 4.0
'
' NAME: disableLGPO.vbs
'
' AUTHOR: Darren Mar-Elia , SDM Software, Inc.
' DATE : 2/20/2007
'
' COMMENT: This script disables the local GPO in pre-Vista systems
'
'==========================================================================
On Error Resume Next
Const ForReading = 1
Const ForWriting = 2
Set WshShell = WScript.CreateObject("WScript.Shell")
' get the current system folder and build the path to the local GPO's gpt.ini
sysDir = WshShell.ExpandEnvironmentStrings("%WinDir%")
gptPath = sysDir & "\system32\grouppolicy\gpt.ini"
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Err.Number <> 0 Then
    WScript.Echo "Unable to create FileSystemObject"
    Err.Clear
    WScript.Quit(1)
End If
Set objFile = objFSO.OpenTextFile(gptPath, ForReading)
If Err.Number <> 0 Then
    WScript.Echo "Unable to open gpt.ini for reading"
    Err.Clear
    WScript.Quit(1)
End If
counter = 0
strContents = ""
' copy the file line by line, replacing any existing Options= line
Do Until objFile.AtEndOfStream
    strLine = objFile.ReadLine
    ' only match a line that begins with Options= (case-insensitive)
    If InStr(1, LTrim(strLine), "Options=", vbTextCompare) = 1 Then
        strLine = "Options=3"
        counter = counter + 1
    End If
    strContents = strContents & strLine & vbCrLf
Loop
' if we didn't find Options= in the file then append it
If counter = 0 Then
    strContents = strContents & "Options=3" & vbCrLf
End If
objFile.Close
Set objFile = objFSO.OpenTextFile(gptPath, ForWriting)
If Err.Number <> 0 Then
    WScript.Echo "Unable to open gpt.ini for writing"
    Err.Clear
    WScript.Quit(1)
End If
objFile.Write(strContents)
' do not report success if the write itself failed
If Err.Number <> 0 Then
    WScript.Echo "Unable to write gpt.ini"
    Err.Clear
    WScript.Quit(1)
End If
objFile.Close
WScript.Echo "Local GPO Disabled Successfully"
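A section-aware way to make the same gpt.ini change, with the backup suggested above and a read-back check, written as an added PowerShell example that is not part of the original post or of Darren's script. The function names and the sample file content are constructed for illustration; the file path and the Options=3 value come from the post.

```powershell
# Added example, not Darren's script. Options=3 and the gpt.ini path are from the post;
# Set-GptIniOptions, Disable-LocalGpo and the sample content are hypothetical.
function Set-GptIniOptions {
    param([string[]]$Lines, [int]$Value = 3)
    $out = New-Object 'System.Collections.Generic.List[string]'
    $inGeneral = $false; $sawGeneral = $false; $written = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving [General] without an Options line: add it before the next section.
            if ($inGeneral -and -not $written) { $out.Add("Options=$Value"); $written = $true }
            $inGeneral = ($Matches[1].Trim() -ieq 'General')
            if ($inGeneral) { $sawGeneral = $true }
        }
        elseif ($inGeneral -and $line -match '^\s*Options\s*=') {
            # Replace the first Options line in [General]; drop any duplicates.
            if (-not $written) { $out.Add("Options=$Value"); $written = $true }
            continue
        }
        $out.Add($line)
    }
    if (-not $written) {
        # No Options line anywhere in [General]; create the section if it is missing too.
        if (-not $sawGeneral) { $out.Add('[General]') }
        $out.Add("Options=$Value")
    }
    return ,$out.ToArray()
}

function Disable-LocalGpo {
    # Needs admin rights or a startup-script context, as the post notes.
    $path = Join-Path $env:WinDir 'system32\GroupPolicy\gpt.ini'
    Copy-Item -Path $path -Destination "$path.bak" -Force -ErrorAction Stop   # backup first
    $new = Set-GptIniOptions -Lines (Get-Content -Path $path -ErrorAction Stop)
    Set-Content -Path $path -Value $new -Encoding ASCII -Force -ErrorAction Stop
    # Read the file back and confirm the flag, instead of assuming the write worked.
    return [bool](Get-Content -Path $path | Where-Object { $_ -match '^\s*Options\s*=\s*3\s*$' })
}

# Constructed sample: no Options line in [General], plus a key in another section
# whose name merely contains "Options=" and must be left alone.
$sample = @('[General]', 'Version=65537', '[Other]', 'MyOptions=1')
Set-GptIniOptions -Lines $sample
```

Only the sample transformation runs when the block is executed; Disable-LocalGpo touches the real file and has to be called explicitly.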
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeremy Saunders
Sent: Monday, February 19, 2007 8:08 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Ignoring local group policy
I think you can modify NTFS permissions on it, which will prevent it from
applying to whomever you don't want it to apply to.
Cheers.
Kind regards,
Jeremy Saunders
Senior Technical Specialist
Infrastructure Technology Services
(ITS) & Cerulean
Global Technology Services (GTS)
IBM Australia
Level 1, 1060 Hay Street
West Perth WA 6005
Postal: PO Box 525, West Perth WA 6872
Visit us at http://www.ibm.com/services/au/its
P: +61 8 9261 8412  F: +61 8 9261 8486
P: (Reception) +61 8 9261 8420
M: TBA
E-mail: jeremy.saunders@xxxxxxxxxxx

From: "Alan & Margaret" <syspro@optushome.com.au>
Sent by: gptalk-bounce@freelists.org
Date: 20/02/2007 05:31 AM
Please respond to: gptalk@freelists.org
To: <gptalk@xxxxxxxxxxxxx>
cc:
Subject: [gptalk] Re: Ignoring local group policy
Hi Nathan,
I don't believe there is a way in Group Policy to turn off Local Policy. If
there was, you could get interesting behavior if you used Local Group
Policy to disable Local Group Policy processing....
However one way that you could achieve the desired result is to have a
script that runs that removes all of the settings. It is all held under
C:\WINDOWS\system32\GroupPolicy, so if your script was to replace that
structure with a "clean" structure it should have the desired effect.
If there were only a few machines, you should be able to just do it as a
once off.
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nathan
Sent: Monday, 19 February 2007 9:48 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Ignoring local group policy
Hi,
We have some PCs running XP that have some local policy settings
enabled/configured.
Is it possible using GP, to set up a computer to ignore local policy and
only apply GP?
Thanks
Nathan