[gptalk] Re: Site to Zone Assignment locks all zones

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 3 Dec 2008 07:56:03 +1100

I haven't used "Remove this item when it is no longer applied" extensively,
but what I have seen seems to work OK.

You are correct that in the case of registry values, it deletes them when
the preference is removed. It doesn’t “set it back to previous value”. The
way it actually works is that it keeps a record of all Preferences that have
the "Remove this item when it is no longer applied" setting and deletes them
at the start of GPP. The information is held in ProgramData\Microsoft\Group
Policy\History. This is why GPP doesn’t allow the CREATE or UPDATE options
when you set "Remove this item when it is no longer applied"; you are forced
to use REPLACE.

This means that if you create a GPP which creates a User account and give it
a Password of “Fred” and set “User must change password”, the account will
be created with a password of “Fred”. If a user logs on to the account, they
will change the password to “Bill”. GPP processing will then replace the
account and set it back to “Fred” again.

Alan Cuthbertson

Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

ADM Template Editor (Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

Policy Log Reporter – including Preference logging (Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
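
The removal behaviour described in the reply above can be checked from the preference XML itself. The following is an added example, not part of the original post or of any tool mentioned in it: it reads a Registry.xml-style document and reports which registry preference items are deleted once they no longer apply (`removePolicy="1"`, paired with Replace) and which stay behind in the registry. The sample XML, keys and site names are constructed, and treating a missing `action` attribute as Update is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a GPP Registry.xml; keys and site names are made up.
SAMPLE = r"""<RegistrySettings>
  <Registry name="http" removePolicy="1">
    <Properties action="R" hive="HKEY_CURRENT_USER" name="http" type="REG_DWORD" value="00000001"
      key="Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example.test"/>
  </Registry>
  <Collection name="Legacy">
    <Registry name="https">
      <Properties action="U" hive="HKEY_CURRENT_USER" name="https" type="REG_DWORD" value="00000002"
        key="Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\old.example.test"/>
    </Registry>
  </Collection>
  <Registry name="bad" removePolicy="1">
    <Properties action="C" hive="HKEY_CURRENT_USER" key="Software\Example" name="bad" type="REG_SZ" value="x"/>
  </Registry>
</RegistrySettings>"""

ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}

def audit(xml_text):
    """Classify each registry preference item by what happens when it falls out of scope."""
    findings = []
    for item in ET.fromstring(xml_text).iter("Registry"):  # iter() also walks Collections
        props = item.find("Properties")
        if props is None:
            continue
        action = props.get("action", "U")  # assumption: a missing action means Update
        remove = item.get("removePolicy") == "1"
        if remove and action != "R":
            status = "inconsistent"  # the thread notes the editor forces Replace here
        elif remove:
            status = "removed"       # deleted once the item no longer applies
        elif action == "D":
            status = "delete-item"   # the item itself is a deletion
        else:
            status = "persists"      # value stays behind until something deletes it
        findings.append({
            "path": "{}\\{}\\{}".format(props.get("hive"), props.get("key"), props.get("name")),
            "action": ACTIONS.get(action, action),
            "status": status,
            "zonemap": "\\zonemap\\" in (props.get("key", "") + "\\").lower(),
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("{status:12} {action:8} {path}".format(**f))
```

Items reported as `persists` are the ones that need an explicit delete item or counter-policy before the GPO is unlinked.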

 

 


-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of oyvind.sorbye@xxxxxxxxxxx
Sent: Wednesday, 3 December 2008 3:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Site to Zone Assignment locks all zones

 

Hi again everybody, thanks for your answers to my post about Site to
Zone-assignment. I am also a big fan of GPP-registry-extension, because it's
very easy to import settings from the computer or another machine in the
environment. But no matter which method you use to write directly to the
registry, there is always the well-known problem of getting rid of these
settings again. Policies do this automatically, because they write to a
subset of the registry tree, the Policy-folder. Not so if you write directly
to the registry with custom .adm, script or GPP-registry extension. It's of
course possible to make a counter-policy in some way, deleting the settings
directly, but this delete-job must run for a long time before all users have
been redeemed from the old settings.

The only exception to this rule is using GPP-registry-extension, because
you can use the setting "Remove this item when it is no longer applied". But
how reliable is this, has anyone on this list tested this in large
environments? Do all registry settings disappear when you remove the
registry preferences?

 

>-----Original Message-----
>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
>On Behalf Of Alan & Margaret
>Sent: 21. november 2008 02:16
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Re: Site to Zone Assignment locks all zones
>
>Hi Darren,
>
>I agree that I am fast… but I do use a commercial tool to do it :-)
>
>Alan Cuthbertson
>______________________________
>

>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
>On Behalf Of Darren Mar-Elia
>Sent: Friday, 21 November 2008 11:30 AM
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Re: Site to Zone Assignment locks all zones
>
>Alan-
>
>I don’t want to start a war :-), but ADMs are not less technical if you
>are in the position of having to author one. I agree that if you are an
>administrator re-using someone else’s ADMs, then you don’t have to worry
>about reg values—just pick and go. However, most folks I come across are
>trying to create their own and in that circumstance, they already know
>the reg values they need to tweak. That makes using GPP much easier than
>having to figure out how to author an ADM(x)—notwithstanding commercial
>tools for doing it. The one area where ADM(x) has an advantage is when
>you want to create options for a given value. Obviously, GPP doesn’t
>provide this feature—you just assign the value you want. However, in
>many circumstances this is sufficient.
>
>Also, your or my reference of speed is not most people’s :-)
>
>Darren
>

>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
>On Behalf Of Alan & Margaret
>Sent: Thursday, November 20, 2008 4:07 PM
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Re: Site to Zone Assignment locks all zones
>
>Hi Darren,
>
>I agree that Group Preferences are good, but ADM files have the
>advantage of making it less technical. An Administrator can understand
>“Add ?? to the trusted site list” easier than remembering the actual
>registry key. Also ADM templates encourage a better level of
>documentation and structure.
>
>As to speed, I can create an ADM template for a couple of keys within a
>couple of minutes. Most of the work is finding out the Registry key
>required.
>
>Of course ADM templates are most useful when you want the same thing in
>multiple policies.
>
>Alan Cuthbertson
>


>________________________________
>
>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
>On Behalf Of Darren Mar-Elia
>Sent: Friday, 21 November 2008 8:29 AM
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Re: Site to Zone Assignment locks all zones
>
>Or by the same token, it would be very simple to use GP Preferences
>registry extensions to do this. Frankly, if you have GP Prefs. in your
>environment, I don’t see a lot of value in continuing to use custom ADMs
>when GP Prefs. is simpler and quicker.
>
>Darren
>

>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
>On Behalf Of Alan & Margaret
>Sent: Thursday, November 20, 2008 1:27 PM
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Re: Site to Zone Assignment locks all zones
>
>Hi,
>
>The alternative is to write your own ADM file that creates the registry
>keys that you want. They all sit under
>
>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
>
>I have attached a sample file. You could set it up to either add
>specific sites or delete sites that you don't want users to add.
>
>(Note: I haven't actually tested that it works...)
>
>Alan Cuthbertson
>


>-----Original Message-----
>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
>On Behalf Of Øyvind Sørbye
>Sent: Friday, 21 November 2008 5:56 AM
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Re: Site to Zone Assignment locks all zones
>
>Hmm, Maintenance policy, I feared that :-) I have never properly understood
>that part of Group Policies. When opening "Security Zones and Content
>Ratings" it imports all IE-setting from my computer and presets _all_
>settings for my users. But I don't want to configure all settings in all
>zones, I only want to configure a few settings. Most of the settings will I
>leave to the users to choose. Maintenance policy is in some sense not a
>"true" policy, because you can't choose to _not_ configure a value. Or is
>there a way to achieve this with Maintenance policy?
>

>>-----Original Message-----
>>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
>>On Behalf Of Darren Mar-Elia
>>Sent: 20. november 2008 16:19
>>To: gptalk@xxxxxxxxxxxxx
>>Subject: [gptalk] Re: Site to Zone Assignment locks all zones
>>
>>Øyvind-
>>Welcome to the list! In order to do this non-exclusively, you need to
>>use the Site mapping feature in IE Maintenance policy instead of the one
>>in Admin Templates. The locking feature is expected behavior for this
>>policy.
>>
>>Darren
>>

>>-----Original Message-----
>>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
>>On Behalf Of Øyvind Sørbye
>>Sent: Wednesday, November 19, 2008 11:27 PM
>>To: gptalk@xxxxxxxxxxxxx
>>Subject: [gptalk] Site to Zone Assignment locks all zones
>>
>>Hi everybody!
>>
>>I am setting up policies for IE7, and I want to assign some websites to
>>the Intranet Zone. I'm using the following Group Policy setting:
>>
>>User Configuration:
>>-Administrative Templates
>>  -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
>>    -Site to Zone Assignment List
>>
>>The websites are given the value of 1, and then they are added to the
>>intranet zone on the client computers. So far, so good. But when I use
>>this setting, _all_ zones in IE7 are locked down for the users. I want my
>>users to be able to add sites to the Trusted Sites zone, but this "Site
>>to Zone Assignment"-setting locks all zones.
>>  So my question is: Is it possible to assign some sites to the intranet
>>zone, where the users still have the possibility to add their own sites
>>to the "Trusted Sites"-zone?
>>
>>--
>>Øyvind Sørbye

 

 

***********************

You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/

************************
