[gptalk] Re: Remote Policy

  • From: "Nelson, Jamie R Contr 72 CS/SCBAF" <Jamie.Nelson.ctr@xxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 19 Sep 2007 15:09:54 -0500

Darren,

Please correct me if I'm wrong, but if logging on with a cached
credential, will new/changed computer policies still get applied
correctly during background refresh? I didn't think that was the case,
but I've been wrong before... :)

Regards,
Jamie


-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 19, 2007 7:02 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Remote Policy

The other point here, that I missed, is that computers will get firewall
policy updates in the background during those refresh intervals. If you
need that to be more reliable (i.e. refreshes to happen at a certain
time) you could already distribute gpupdate scheduled tasks to all those
systems or use a tool like my rgprefresh or SpecOps GPUpdate.

Darren


-----Original message-----
From: "Delaney, Doug" doug.delaney@xxxxxxx
Date: Wed, 19 Sep 2007 15:58:13 -0400
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Remote Policy

> Darren,
> 
> Understood, thank you. 
> 
> 
> Doug Delaney
> EDS - Integration Engineering-GM
> GM Desktop Engineering
> 1075 W. Entrance Dr., MS 2B, Cube 2130
> Auburn Hills, MI 48326
> Lab: 248-365-9187
> Tel: 248-754-7917
> Pg: 248-870-0306 pager
> Mail: Doug.Delaney@xxxxxxx 
> Note: The information in this email is intended solely for the
> addressee. Access to this email by anyone else is unauthorized. If you
> are not the intended recipient, any disclosure, copying, distribution or
> any action taken or omitted to be taken in reliance on it is prohibited.
> 
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Wednesday, September 19, 2007 7:51 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
> 
> Doug, et al-
> I will add that the other solution here is a commercial one. My
> company--SDM Software, has something called the GPExpert Scripting
> Toolkit for PowerShell (www.sdmsoftware.com/products2.php). Essentially
> what it is is a scripting interface into GP Settings, and it can affect
> both domain and local GPOs and can be run remotely or on the local box.
> 
> That being said, you can distribute reg. files but keep in mind that,
> for reasons I won't go into now, if you don't use GP admin. template
> policy to actually distribute the changes, then GP doesn't know that
> they are there, and they would essentially be tattooing the registry,
> even though they are on policy keys. This has to do with the way GP
> handles the removal of policies in the first place.
> 
> Darren
> 
> 
> -----Original message-----
> From: "Nelson, Jamie R Contr 72 CS/SCBAF" Jamie.Nelson.ctr@xxxxxxxxxxxxx
> Date: Wed, 19 Sep 2007 15:40:35 -0400
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
> 
> > FYI. You can technically do this for any admin template configurable
> > settings, as they are just registry entries. However, involving the
> > end user in this process kind of defeats the entire purpose of Group
> > Policy.
> > Some other means of distributing (SMS, PsExec) would make much more
> > sense.
> > 
> > Regards,
> > Jamie Nelson
> > 
> > 
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
> > Sent: Wednesday, September 19, 2007 2:31 PM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Remote Policy
> > 
> > In that case there is not much you can do via Group Policy itself. If
> > the firewall settings are the only thing you "really" need, just
> > export the HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall registry
> > key from a LAN workstation that is receiving the policy and distribute
> > it via other means (e-mail, file share) to your remote users in the
> > form of a .reg file. This would only work, though, if they have the
> > local admin rights required to change that area of the registry.
> > 
> > It's not really the proper way to do things, but it should work.
> > 
> > Regards,
> > Jamie
> > 
> > 
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Delaney, Doug
> > Sent: Wednesday, September 19, 2007 2:19 PM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Remote Policy
> > 
> > Understood, but General Motors will not allow replacement of the
> > msgina.
> > Therefore, the VPN solution cannot change that approach.
> >  
> > 
> > Doug Delaney
> > EDS - Integration Engineering-GM
> > GM Desktop Engineering
> > 1075 W. Entrance Dr., MS 2B, Cube 2130 Auburn Hills, MI 48326
> > Lab: 248-365-9187
> > Tel: 248-754-7917
> > Pg: 248-870-0306 pager
> > Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>
> > 
> >  
> > 
> > 
> > ________________________________
> > 
> >     From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Odiorne, Derek
> >     Sent: Wednesday, September 19, 2007 3:13 PM
> >     To: gptalk@xxxxxxxxxxxxx
> >     Subject: [gptalk] Re: Remote Policy
> >     
> >     
> > 
> >     Cisco, for example, has an option to start the VPN before logon.
> > By doing it this way the users will run Group Policy Objects when
> > logging on.
> > 
> >      
> > 
> >     ----------------------------
> > 
> >     Derek A. Odiorne
> > 
> >     574-245-1487
> >     -----------------------------
> >     Need help now?
> >     http://intranet/techserv/technologyserv.htm
> > <http://intranet/techserv/technologyserv.htm>
> > 
> >     
> > ________________________________
> > 
> > 
> >     From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
> >     Sent: Wednesday, September 19, 2007 3:07 PM
> >     To: gptalk@xxxxxxxxxxxxx
> >     Subject: [gptalk] Remote Policy
> > 
> >      
> > 
> >     Hi all,
> > 
> >     Is anyone aware of any free tools available for the remote
> > distribution of a GPO policy?
> > 
> >     Here is our situation.  We have a couple thousand users who connect
> > via VPN only.  They connect after boot-up and cached credential logon
> > to Windows.  Therefore, policies never apply during startup or logon.
> > We have a need to administer the XP firewall (among other things), and
> > are having a very difficult time finding a solution.  Many of these
> > users are 8 hours away from a building where they can connect via a
> > local LAN to get policies.
> > 
> >     Any guidance is greatly appreciated. 
> > 
> >     Doug Delaney
> >     EDS - Integration Engineering-GM
> >     GM Desktop Engineering
> >     1075 W. Entrance Dr., MS 2B, Cube 2130
> >     Auburn Hills, MI 48326
> >     Lab: 248-365-9187
> >     Tel: 248-754-7917
> >     Pg: 248-870-0306 pager
> >     Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>  
> > 
> >      
> > 
> > ***********************
> > You can unsubscribe from gptalk by sending email to 
> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field

> > OR by logging into the freelists.org Web interface. Archives for the

> > list are available at http://www.freelists.org/archives/gptalk/
> > ************************

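The tattooing point raised in the thread can be audited by comparing what sits under the policy key with what Group Policy itself delivered. The following is an added example, not part of any post in the thread or of any tool named in it: it assumes the GP-delivered settings are available as a Registry.pol file (PReg v1 layout) and the live key as a .reg export, and the function names and sample data are constructed for illustration.

```python
import struct

def parse_pol(blob):
    """Return {(key, value)} pairs recorded in a Registry.pol (PReg v1) blob."""
    sig, ver = struct.unpack_from("<4sI", blob, 0)
    if sig != b"PReg" or ver != 1:
        raise ValueError("not a PReg v1 file")
    def cstr(p):  # NUL-terminated UTF-16LE string -> (text, offset after NUL)
        end = p
        while blob[end:end + 2] != b"\0\0":
            if end >= len(blob):
                raise ValueError("truncated entry")
            end += 2
        return blob[p:end].decode("utf-16-le"), end + 2
    entries, pos = set(), 8
    while pos < len(blob):            # entry layout: [key;value;type;size;data]
        key, pos = cstr(pos + 2)      # skip '['
        name, pos = cstr(pos + 2)     # skip ';'
        size, = struct.unpack_from("<I", blob, pos + 2 + 4 + 2)  # past ;type;
        pos += 2 + 4 + 2 + 4 + 2 + size + 2                      # ;type;size;data]
        entries.add((key.lower(), name.lower()))
    return entries

def parse_reg(text, hive="HKEY_LOCAL_MACHINE\\"):
    """Return {(key, value)} pairs named in a .reg export (simple value names)."""
    found, key = set(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            key = key[len(hive):] if key.upper().startswith(hive) else None
        elif key and line.startswith('"'):
            found.add((key.lower(), line[1:line.index('"', 1)].lower()))
    return found

def tattooed(reg_text, pol_blob):
    """Values present under the policy key that Registry.pol does not account for."""
    return sorted(parse_reg(reg_text) - parse_pol(pol_blob))

def _entry(key, name, data):          # builds the constructed sample (REG_DWORD = 4)
    u = lambda s: s.encode("utf-16-le")
    return (u("[" + key + "\0;" + name + "\0;") + struct.pack("<I", 4) + u(";")
            + struct.pack("<I", len(data)) + u(";") + data + u("]"))

FW = "SOFTWARE\\Policies\\Microsoft\\WindowsFirewall"   # key named in the thread
SAMPLE_POL = b"PReg" + struct.pack("<I", 1) + _entry(   # constructed: GP set one value
    FW + "\\DomainProfile", "EnableFirewall", struct.pack("<I", 1))
SAMPLE_REG = "\n".join([                                # constructed .reg export
    "Windows Registry Editor Version 5.00",
    "[HKEY_LOCAL_MACHINE\\" + FW + "\\DomainProfile]", '"EnableFirewall"=dword:00000001',
    "[HKEY_LOCAL_MACHINE\\" + FW + "\\StandardProfile]", '"EnableFirewall"=dword:00000000',
    '"DoNotAllowExceptions"=dword:00000000'])
```
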