[gptalk] Re: Remote Policy

  • From: "Nelson, Jamie R Contr 72 CS/SCBAF" <Jamie.Nelson.ctr@xxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 19 Sep 2007 15:05:10 -0500

Darren is correct...of course :)

I forgot to mention the tattooing effect it would have. Would be very
hard to keep up with changes when dealing with a large amount of
settings. Just doing it for Windows Firewall exceptions might not be too
bad, but I would still only do it as a last resort.

Enabling the "start before logon" option of your VPN client (if
applicable) is still the best bet if you can convince your management of
its necessity. Then policies would at the very least get applied during
regular background refreshes and at user logon.

Regards,
Jamie

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 19, 2007 6:51 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Remote Policy

Doug, et al-
I will add that there is another solution here that is a commercial one. My
company, SDM Software, has something called the GPExpert Scripting
Toolkit for PowerShell (www.sdmsoftware.com/products2.php). Essentially
what it is is a scripting interface into GP Settings, and it can affect
both domain and local GPOs and can be run remotely or on the local box.

That being said, you can distribute reg. files but keep in mind that,
for reasons I won't go into now, if you don't use GP admin. template
policy to actually distribute the changes, then GP doesn't know that
they are there, and they would essentially be tattooing the registry,
even though they are on policy keys. This has to do with the way GP
handles the removal of policies in the first place.

Darren


-----Original message-----
From: "Nelson, Jamie R Contr 72 CS/SCBAF" Jamie.Nelson.ctr@xxxxxxxxxxxxx
Date: Wed, 19 Sep 2007 15:40:35 -0400
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Remote Policy

> FYI. You can technically do this for any admin template configurable
> settings, as they are just registry entries. However, involving the end
> user in this process kind of defeats the entire purpose of Group Policy.
> Some other means of distributing (SMS, PsExec) would make much more
> sense.
> 
> Regards,
> Jamie Nelson
> 
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
> Sent: Wednesday, September 19, 2007 2:31 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
> 
> In that case there is not much you can do via Group Policy itself. If
> the firewall settings are the only thing you "really" need, just export
> the HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall registry key from a
> LAN workstation that is receiving the policy and distribute it via other
> means (e-mail, file share) to your remote users in the form of a .reg
> file. This would only work, though, if they have the local admin rights
> required to change that area of the registry.
> 
> It's not really the proper way to do things, but it should work.
> 
> Regards,
> Jamie
> 
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Delaney, Doug
> Sent: Wednesday, September 19, 2007 2:19 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
> 
> Understood, but General Motors will not allow replacement of the msgina.
> Therefore, the VPN solution cannot change that approach.
>  
> 
> Doug Delaney
> EDS - Integration Engineering-GM
> GM Desktop Engineering
> 1075 W. Entrance Dr., MS 2B, Cube 2130
> Auburn Hills, MI 48326
> Lab: 248-365-9187
> Tel: 248-754-7917
> Pg: 248-870-0306 pager
> Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>  
> Note: The information in this email is intended solely for the
> addressee. Access to this email by anyone else is unauthorized. If you
> are not the intended recipient, any disclosure, copying, distribution or
> any action taken or omitted to be taken in reliance on it is prohibited.
> 
>  
> 
> 
> ________________________________
> 
>       From: gptalk-bounce@xxxxxxxxxxxxx
> [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Odiorne, Derek
>       Sent: Wednesday, September 19, 2007 3:13 PM
>       To: gptalk@xxxxxxxxxxxxx
>       Subject: [gptalk] Re: Remote Policy
>       
>       
> 
>       Cisco, for example, has an option to start the VPN before logon.
> By doing it this way the users will run Group Policy Objects when
> logging on.
> 
>        
> 
>       ----------------------------
> 
>       Derek A. Odiorne
> 
>       574-245-1487
>       -----------------------------
>       Need help now?
>       http://intranet/techserv/technologyserv.htm
> <http://intranet/techserv/technologyserv.htm> 
> 
>       
> ________________________________
> 
> 
>       From: gptalk-bounce@xxxxxxxxxxxxx
> [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
>       Sent: Wednesday, September 19, 2007 3:07 PM
>       To: gptalk@xxxxxxxxxxxxx
>       Subject: [gptalk] Remote Policy
> 
>        
> 
>       Hi all, 
> 
>       Is anyone aware of any free tools available for the remote
> distribution of a GPO policy? 
> 
>       Here is our situation.  We have a couple thousand users who
> connect via VPN only.  They connect after boot-up and cached credential
> logon to windows.  Therefore, policies never apply during startup or
> logon.  We have a need to administer the XP firewall (among other
> things), and are having a very difficult time finding a solution. Many
> of these users are 8 hours away from a building where they can connect
> via a local LAN to get policies.
> 
>       Any guidance is greatly appreciated. 
> 
>       Doug Delaney
>       EDS - Integration Engineering-GM
>       GM Desktop Engineering
>       1075 W. Entrance Dr., MS 2B, Cube 2130
>       Auburn Hills, MI 48326
>       Lab: 248-365-9187
>       Tel: 248-754-7917
>       Pg: 248-870-0306 pager
>       Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>  
>       Note: The information in this email is intended solely for the
> addressee. Access to this email by anyone else is unauthorized. If you
> are not the intended recipient, any disclosure, copying, distribution or
> any action taken or omitted to be taken in reliance on it is prohibited.
> 
>        
> 
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> by logging into the freelists.org Web interface. Archives for the list
> are available at //www.freelists.org/archives/gptalk/
> ************************
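
Added example, not part of the thread and not any poster's code: a check for the tattooing effect discussed above. It compares a .reg export taken from a remote machine with a fresh export from a LAN workstation that receives the policy, and goes slightly beyond the thread by also reporting values whose data differs. The function names and all sample .reg content are constructed for illustration.

```python
import re

# Policy key named in the thread; all sample values below are constructed.
ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
PORTS = ROOT + r"\DomainProfile\GloballyOpenPorts\List"

# Constructed export from a LAN workstation receiving the current policy.
REFERENCE_REG = rf"""Windows Registry Editor Version 5.00
[{ROOT}\DomainProfile]
"EnableFirewall"=dword:00000001
[{PORTS}]
"3389:TCP"="3389:TCP:LocalSubnet:Enabled:Remote Desktop"
"""

# Constructed export from a remote machine that imported an older .reg file.
MACHINE_REG = rf"""Windows Registry Editor Version 5.00
[{ROOT}\DomainProfile]
"EnableFirewall"=dword:00000001
[{PORTS}]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"5900:TCP"="5900:TCP:*:Enabled:Constructed example exception"
"""

def parse_reg(text):
    """Map case-folded (key, name) to (key, name, raw data). Handles one-line
    string/dword values only; decode regedit's UTF-16 output before calling."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            # "[-KEY]" is a delete directive, not a key holding values.
            key = None if line.startswith("[-") else line[1:-1]
        elif key and (m := re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, data = m.groups()
            values[(key.casefold(), name.casefold())] = (key, name, data)
    return values

def find_drift(reference_reg, machine_reg, root=ROOT):
    """Report policy-key values on the machine that the reference lacks
    ('stale', i.e. tattooed leftovers) or holds with different data."""
    ref, cur = parse_reg(reference_reg), parse_reg(machine_reg)
    prefix = root.casefold()
    scoped = {k: v for k, v in cur.items()
              if k[0] == prefix or k[0].startswith(prefix + "\\")}
    stale = sorted(v[:2] for k, v in scoped.items() if k not in ref)
    changed = sorted(v[:2] for k, v in scoped.items()
                     if k in ref and ref[k][2] != v[2])
    return {"stale": stale, "changed": changed}

if __name__ == "__main__":
    print(find_drift(REFERENCE_REG, MACHINE_REG))
```

Values listed under `stale` are the ones Group Policy will not remove on its own, because it never wrote them; they have to be cleaned up by whatever mechanism distributed the .reg file.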