Darren is correct...of course :) I forgot to mention the tattooing effect it would have. Would be very hard to keep up with changes when dealing with a large amount of settings. Just doing it for Windows Firewall exceptions might not be too bad, but I would still only do it as a last resort.

Enabling the "start before logon" option of your VPN client (if applicable) is still the best bet if you can convince your management of its necessity. Then policies would at the very least get applied during regular background refreshes and at user logon.

Regards,
Jamie

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 19, 2007 6:51 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Remote Policy

Doug, et al-

I will add that the other solution here is a commercial one. My company--SDM Software, has something called the GPExpert Scripting Toolkit for PowerShell (www.sdmsoftware.com/products2.php). Essentially what it is is a scripting interface into GP Settings, and it can effect both domain and local GPOs and can be run remotely or on the local box.

That being said, you can distribute reg. files but keep in mind that, for reasons I won't go into now, if you don't use GP admin. template policy to actually distribute the changes, then GP doesn't know that they are there, and they would essentially be tattooing the registry, even though they are on policy keys. This has to do with the way GP handles the removal of policies in the first place.

Darren

-----Original message-----
From: "Nelson, Jamie R Contr 72 CS/SCBAF" Jamie.Nelson.ctr@xxxxxxxxxxxxx
Date: Wed, 19 Sep 2007 15:40:35 -0400
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Remote Policy

> FYI. You can technically do this for any admin template configurable
> settings, as they are just registry entries. However, involving the end
> user in this process kind of defeats the entire purpose of Group Policy.
> Some other means of distributing (SMS, PsExec) would make much more
> sense.
>
> Regards,
> Jamie Nelson
>
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
> Sent: Wednesday, September 19, 2007 2:31 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
>
> In that case there is not much you can do via Group Policy itself. If
> the firewall settings are the only thing you "really" need, just export
> the HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall registry key from a
> LAN workstation that is receiving the policy and distribute it via other
> means (e-mail, file share) to your remote users in the form of a .reg
> file. This would only work, though, if they have the local admin rights
> required to change that area of the registry.
>
> It's not really the proper way to do things, but it should work.
>
> Regards,
> Jamie
>
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Delaney, Doug
> Sent: Wednesday, September 19, 2007 2:19 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
>
> Understood, but General Motors will not allow replacement of the msgina.
> Therefore, the VPN solution cannot change that approach
>
>
> Doug Delaney
> EDS - Integration Engineering-GM
> GM Desktop Engineering
> 1075 W. Entrance Dr., MS 2B, Cube 2130
> Auburn Hills, MI 48326
> Lab: 248-365-9187
> Tel: 248-754-7917
> Pg: 248-870-0306 pager
> Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>
> Note: The information in this email is intended solely for the
> addressee. Access to this email by anyone else is unauthorized. If you
> are not the intended recipient, any disclosure, copying, distribution or
> any action taken or omitted to be taken in reliance on it is prohibited.
>
> ________________________________
>
> From: gptalk-bounce@xxxxxxxxxxxxx
> [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Odiorne, Derek
> Sent: Wednesday, September 19, 2007 3:13 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
>
> Cisco, for example, has an option to start the vpn before logon.
> By doing it this way the users will run Group Policy Objects when
> logging on.
>
> ----------------------------
> Derek A. Odiorne
> 574-245-1487
> -----------------------------
> Need help now?
> http://intranet/techserv/technologyserv.htm
> <http://intranet/techserv/technologyserv.htm>
>
> ________________________________
>
> From: gptalk-bounce@xxxxxxxxxxxxx
> [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
> Sent: Wednesday, September 19, 2007 3:07 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Remote Policy
>
> Hi all,
>
> Is anyone aware of any free tools available for the remote
> distribution of a GPO policy?
>
> Here is our situation. We have a couple thousand users who
> connect via VPN only. They connect after boot-up and cached credential
> logon to windows. Therefore, policies never apply during startup or
> logon. We have a need to administer the XP firewall (among other
> things), and are having a very difficult time finding a solution. Many
> of these users are 8 hours away from a building where they can connect
> via a local LAN to get policies.
>
> Any guidance is greatly appreciated.
>
> Doug Delaney
> EDS - Integration Engineering-GM
> GM Desktop Engineering
> 1075 W. Entrance Dr., MS 2B, Cube 2130
> Auburn Hills, MI 48326
> Lab: 248-365-9187
> Tel: 248-754-7917
> Pg: 248-870-0306 pager
> Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>
> Note: The information in this email is intended solely for the
> addressee. Access to this email by anyone else is unauthorized.
> If you are not the intended recipient, any disclosure, copying, distribution or
> any action taken or omitted to be taken in reliance on it is prohibited.
>
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> by logging into the freelists.org Web interface. Archives for the list
> are available at //www.freelists.org/archives/gptalk/
> ************************
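
Added example (not part of the original thread): because values imported from a .reg file stay under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall until someone removes them, this Python script diffs a remote client's export of that key against one from a LAN workstation and lists stale (tattooed), missing and changed values. Both exports are constructed samples, and the parser assumes single-line string and dword values only.

```python
import re

# Constructed sample: export from a LAN workstation that receives the GPO.
REFERENCE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:LocalSubnet:Enabled:Remote Desktop"
'''

# Constructed sample: export from a remote client that imported an older .reg file.
CLIENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"5900:TCP"="5900:TCP:*:Enabled:Legacy remote support"
'''

# "name"=data, where the quoted name may contain escaped characters.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Return {(key_path, value_name): raw_data} for single-line values."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()   # registry paths are case-insensitive
        elif key and (m := VALUE_RE.match(line)):
            values[(key, m.group(1).lower())] = m.group(2)
    return values

def policy_drift(reference, client):
    """Compare two exports; 'stale' entries are the tattooed leftovers."""
    ref, cli = parse_reg(reference), parse_reg(client)
    return {
        "stale": sorted(k for k in cli if k not in ref),
        "missing": sorted(k for k in ref if k not in cli),
        "changed": sorted(k for k in ref if k in cli and ref[k] != cli[k]),
    }

if __name__ == "__main__":
    for kind, entries in policy_drift(REFERENCE_REG, CLIENT_REG).items():
        for key, name in entries:
            print(f"{kind:8} {key}\\{name}")
```

Real regedit exports are UTF-16 text, so decode them before passing the contents to `policy_drift`.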