[gptalk] Re: User Hive settings set during logon....

  • From: "Smith, Brad " <Brad.Smith@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 11 Mar 2008 18:09:57 -0000

Ah, site based group policies. I have intentionally ignored them. We
don't use them at the moment (bear in mind we have a fair number of GPO
admins) and I wanted to avoid them because:
 
A) They introduce an extra level of complexity when diagnosing GPO
problems.
B) They reside on DC's for the domain they were created in and do not
have representation on DC's from other domains in the same forest,
meaning they are copied across the WAN unless you have a DC locally,
which we don't.  Thus in turn creates GPO timeout problems (I wonder if
Paul Snell's "Login Time Issues" thread is related to this btw) that I
don't want to introduce. I know that I could rule out applying them by
using GPO filtering, but have steered clear of them because as soon as I
permit it for one reason, the flood gates will open and every business
request will want a site based GPO for something or other.
 
I have stood by these principles for refusing Site Based GPO since Beta
testing W2K, but am always willing to revisit any opinion of mine on
such matters.
 
So All, do you happily and readily deploy Site based GPO's? Eager to
hear thoughts on this one.......
 
 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R
Sent: 11 March 2008 17:36
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....




Actually, this is not necessary if you link at the AD Site level. You
would have to have 2 GPOs (1 to enable, 1 to disable). Link each
"disable" GPO to every AD Site, and the "enable" GPO (with security
filtering) to only the AD Sites you want. You will of course have to
change the link order so that the enable GPO wins out if it passes
security filtering.

Don't know why that didn't hit me at first, but it is an option.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R
Sent: Tuesday, March 11, 2008 12:23 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....

You might be able to do something like that by querying
Win32_Environment and looking at the %LOGONSERVER% variable. You
wouldn't directly be able to get the site name, but you check and see
which DC they are authenticated to.

SELECT * FROM Win32_Environment WHERE Name = "LOGONSERVER" AND
(VariableValue = "DC1" OR VariableValue="DC2")

Something like that may work for you.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Smith, Brad 
Sent: Tuesday, March 11, 2008 12:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....

What I want to achieve is to enable LCS Video conferencing for a limited
group of users (simple enough application of security filtering) but
only when they are authenticated to a site from a list of appropriate
sites.  So the logic would be:

if the user is in "Enable LCS Group"  <-- Handled by security filtering

AND the user has logged into "Site_Permitted_For_LCS_Video" <- Handled
by vbscript

then enable it, <- Here lies the problem, as the user doesn't have
permission to this key (quite rightfully so I agree)

Else

leave it as it is.

The perfect solution would be to evaluate the site via WQL and filter
the GPO on that, is getting the site name back from a WQL query
possible? 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: 11 March 2008 16:49
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....

Right. That's on purpose! Users should not be able to modify their
policy settings, otherwise Group Policy would be fairly useless J

I'm curious why you want users to be able to modify these settings?

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Smith, Brad 
Sent: Tuesday, March 11, 2008 9:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....

I would of thought so too, and thought this task would be a no brainer,
check HCU\Software\Policies\Microsoft\Communicator on a XP SP2 build, it
is definitely set to read only for the user.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R
Sent: 11 March 2008 15:54
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....





That doesn't sound right. If it is in HKCU the user should (by default)
be able to modify it.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Smith, Brad 
Sent: Tuesday, March 11, 2008 10:49 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] User Hive settings set during logon....

All, 

Is there a way to configure permissions on registry key in the HKCU
hive?  I want to run a startup script that modifies a key in this hive
from the user portion of the GPO, but the user only has read only access
to it by default. Any ideas?

TIA, 

Brad 

This email and any attached files are confidential and copyright
protected. If you are not the addressee, any dissemination of this
communication is strictly prohibited. Unless otherwise expressly agreed
in writing, nothing stated in this communication shall be legally
binding. 

The ultimate parent company of the Atkins Group is WS Atkins plc.
Registered in England No. 1885586. Registered Office Woodcote Grove,
Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group
companies registered in the United Kingdom can be found at:
http://www.atkinsglobal.com/terms_and_conditions/index.aspx.
<http://www.atkinsglobal.com/terms_and_conditions/index.aspx>  

P Consider the environment. Please don't print this e-mail unless you
really need to. 

This message has been scanned for viruses by MailControl
<http://bluepages.wsatkins.co.uk/?6875772> 

________________________________

This e-mail may contain identifiable health information that is subject
to protection under state and federal law. This information is intended
to be for the use of the individual named above. If you are not the
intended recipient, be aware that any disclosure, copying, distribution
or use of the contents of this information is prohibited and may be
punishable by law. If you have received this electronic transmission in
error, please notify us immediately by electronic mail (reply). 

________________________________

This email and any attached files are confidential and copyright
protected. If you are not the addressee, any dissemination of this
communication is strictly prohibited. Unless otherwise expressly agreed
in writing, nothing stated in this communication shall be legally
binding. 

The ultimate parent company of the Atkins Group is WS Atkins plc.
Registered in England No. 1885586. Registered Office Woodcote Grove,
Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group
companies registered in the United Kingdom can be found at:
http://www.atkinsglobal.com/terms_and_conditions/index.aspx.
<http://www.atkinsglobal.com/terms_and_conditions/index.aspx>  

P Consider the environment. Please don't print this e-mail unless you
really need to. 

This message has been scanned for viruses by MailControl
<http://bluepages.wsatkins.co.uk/?6875772> 

This email and any attached files are confidential and copyright
protected. If you are not the addressee, any dissemination of this
communication is strictly prohibited. Unless otherwise expressly agreed
in writing, nothing stated in this communication shall be legally
binding. 

The ultimate parent company of the Atkins Group is WS Atkins plc.
Registered in England No. 1885586. Registered Office Woodcote Grove,
Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group
companies registered in the United Kingdom can be found at:
http://www.atkinsglobal.com/terms_and_conditions/index.aspx.
<http://www.atkinsglobal.com/terms_and_conditions/index.aspx>  

P Consider the environment. Please don't print this e-mail unless you
really need to. 

________________________________

This e-mail may contain identifiable health information that is subject
to protection under state and federal law. This information is intended
to be for the use of the individual named above. If you are not the
intended recipient, be aware that any disclosure, copying, distribution
or use of the contents of this information is prohibited and may be
punishable by law. If you have received this electronic transmission in
error, please notify us immediately by electronic mail (reply).

________________________________



This message has been scanned for viruses by MailControl
<http://bluepages.wsatkins.co.uk/?6875772> 


________________________________

This e-mail may contain identifiable health information that is subject
to protection under state and federal law. This information is intended
to be for the use of the individual named above. If you are not the
intended recipient, be aware that any disclosure, copying, distribution
or use of the contents of this information is prohibited and may be
punishable by law. If you have received this electronic transmission in
error, please notify us immediately by electronic mail (reply). 
________________________________



This email and any attached files are confidential and copyright protected. If 
you are not the addressee, any dissemination of this communication is strictly 
prohibited. Unless otherwise expressly agreed in writing, nothing stated in 
this communication shall be legally binding.

The ultimate parent company of the Atkins Group is WS Atkins plc.  Registered 
in England No. 1885586.  Registered Office Woodcote Grove, Ashley Road, Epsom, 
Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in 
the United Kingdom can be found at 
http://www.atkinsglobal.com/terms_and_conditions/index.aspx

Consider the environment. Please don't print this e-mail unless you really need 
to.

Other related posts: