The other point here, that I missed, is that computers will get firewall
policy updates in the background during those refresh intervals. If you
need that to be more reliable (i.e. refreshes to happen at a certain time)
you could already distribute gpupdate scheduled tasks to all those systems
or use a tool like my rgprefresh or SpecOps GPUpdate.

Darren

-----Original message-----
From: "Delaney, Doug" doug.delaney@xxxxxxx
Date: Wed, 19 Sep 2007 15:58:13 -0400
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Remote Policy

> Darren,
>
> Understood, thank you.
>
> Doug Delaney
> EDS - Integration Engineering-GM
> GM Desktop Engineering
> 1075 W. Entrance Dr., MS 2B, Cube 2130
> Auburn Hills, MI 48326
> Lab: 248-365-9187
> Tel: 248-754-7917
> Pg: 248-870-0306 pager
> Mail: Doug.Delaney@xxxxxxx
> Note: The information in this email is intended solely for the
> addressee. Access to this email by anyone else is unauthorized. If you
> are not the intended recipient, any disclosure, copying, distribution or
> any action taken or omitted to be taken in reliance on it is prohibited.
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Wednesday, September 19, 2007 7:51 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
>
> Doug, et al-
> I will add that the other solution here is a commercial one. My
> company--SDM Software, has something called the GPExpert Scripting
> Toolkit for PowerShell (www.sdmsoftware.com/products2.php). Essentially
> what it is is a scripting interface into GP Settings, and it can affect
> both domain and local GPOs and can be run remotely or on the local box.
>
> That being said, you can distribute reg. files but keep in mind that,
> for reasons I won't go into now, if you don't use GP admin. template
> policy to actually distribute the changes, then GP doesn't know that
> they are there, and they would essentially be tattooing the registry,
> even though they are on policy keys. This has to do with the way GP
> handles the removal of policies in the first place.
>
> Darren
>
> -----Original message-----
> From: "Nelson, Jamie R Contr 72 CS/SCBAF" Jamie.Nelson.ctr@xxxxxxxxxxxxx
> Date: Wed, 19 Sep 2007 15:40:35 -0400
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
>
> > FYI. You can technically do this for any admin template configurable
> > settings, as they are just registry entries. However, involving the
> > end user in this process kind of defeats the entire purpose of Group
> > Policy. Some other means of distributing (SMS, PsExec) would make much
> > more sense.
> >
> > Regards,
> > Jamie Nelson
> >
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
> > Sent: Wednesday, September 19, 2007 2:31 PM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Remote Policy
> >
> > In that case there is not much you can do via Group Policy itself. If
> > the firewall settings are the only thing you "really" need, just
> > export the HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall registry
> > key from a LAN workstation that is receiving the policy and distribute
> > it via other means (e-mail, file share) to your remote users in the
> > form of a .reg file. This would only work, though, if they have the
> > local admin rights required to change that area of the registry.
> >
> > It's not really the proper way to do things, but it should work.
> >
> > Regards,
> > Jamie
> >
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Delaney, Doug
> > Sent: Wednesday, September 19, 2007 2:19 PM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Remote Policy
> >
> > Understood, but General Motors will not allow replacement of the
> > msgina. Therefore, the VPN solution cannot change that approach.
> >
> > Doug Delaney
> >
> > ________________________________
> >
> > From: gptalk-bounce@xxxxxxxxxxxxx
> > [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Odiorne, Derek
> > Sent: Wednesday, September 19, 2007 3:13 PM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Remote Policy
> >
> > Cisco, for example, has an option to start the VPN before logon.
> > By doing it this way the users will run Group Policy Objects when
> > logging on.
> >
> > ----------------------------
> > Derek A. Odiorne
> > 574-245-1487
> > -----------------------------
> > Need help now?
> > http://intranet/techserv/technologyserv.htm
> >
> > ________________________________
> >
> > From: gptalk-bounce@xxxxxxxxxxxxx
> > [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
> > Sent: Wednesday, September 19, 2007 3:07 PM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Remote Policy
> >
> > Hi all,
> >
> > Is anyone aware of any free tools available for the remote
> > distribution of a GPO policy?
> >
> > Here is our situation. We have a couple thousand users who connect
> > via VPN only. They connect after boot-up and cached credential logon
> > to Windows. Therefore, policies never apply during startup or logon.
> > We have a need to administer the XP firewall (among other things), and
> > are having a very difficult time finding a solution. Many of these
> > users are 8 hours away from a building where they can connect via a
> > local LAN to get policies.
> >
> > Any guidance is greatly appreciated.
> >
> > Doug Delaney
> >
> > ***********************
> > You can unsubscribe from gptalk by sending email to
> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
> > OR by logging into the freelists.org Web interface. Archives for the
> > list are available at //www.freelists.org/archives/gptalk/
> > ************************
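
An added example, not part of the thread and not taken from any tool named in it: one way to audit the .reg distribution Jamie suggests for the tattooing Darren warns about is to compare a remote machine's export of the firewall policy key with a current export from a LAN workstation. Both sample exports are constructed, and the function names `parse_reg` and `policy_drift` are hypothetical.

```python
import re

# Constructed sample: export from a LAN workstation that receives the firewall GPO.
BASELINE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001
'''

# Constructed sample: export from a VPN-only machine that imported an older .reg file.
REMOTE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"DoNotAllowExceptions"=dword:00000001
'''

def parse_reg(text):
    """Return {(key, value_name): data} for dword and string values in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()      # key paths are case-insensitive
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue                      # header line, blank line, or unsupported type
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            values[(key, name)] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            values[(key, name)] = raw[1:-1]
    return values

def policy_drift(baseline_text, remote_text):
    """Classify every difference between the remote export and the baseline."""
    base, remote = parse_reg(baseline_text), parse_reg(remote_text)
    return {
        "changed": sorted(k for k in base if k in remote and base[k] != remote[k]),
        "missing": sorted(k for k in base if k not in remote),
        # On the remote machine but no longer in policy: left behind (tattooed).
        "stale": sorted(k for k in remote if k not in base),
    }
```

Values reported under `stale` are the ones Group Policy will not clean up on its own when they were written by a .reg import rather than by policy processing.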