Ah, site based group policies. I have intentionally ignored them. We don't use them at the moment (bear in mind we have a fair number of GPO admins) and I wanted to avoid them because: A) They introduce an extra level of complexity when diagnosing GPO problems. B) They reside on DC's for the domain they were created in and do not have representation on DC's from other domains in the same forest, meaning they are copied across the WAN unless you have a DC locally, which we don't. Thus in turn creates GPO timeout problems (I wonder if Paul Snell's "Login Time Issues" thread is related to this btw) that I don't want to introduce. I know that I could rule out applying them by using GPO filtering, but have steered clear of them because as soon as I permit it for one reason, the flood gates will open and every business request will want a site based GPO for something or other. I have stood by these principles for refusing Site Based GPO since Beta testing W2K, but am always willing to revisit any opinion of mine on such matters. So All, do you happily and readily deploy Site based GPO's? Eager to hear thoughts on this one....... ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Sent: 11 March 2008 17:36 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... Actually, this is not necessary if you link at the AD Site level. You would have to have 2 GPOs (1 to enable, 1 to disable). Link each "disable" GPO to every AD Site, and the "enable" GPO (with security filtering) to only the AD Sites you want. You will of course have to change the link order so that the enable GPO wins out if it passes security filtering. Don't know why that didn't hit me at first, but it is an option. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Sent: Tuesday, March 11, 2008 12:23 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... You might be able to do something like that by querying Win32_Environment and looking at the %LOGONSERVER% variable. You wouldn't directly be able to get the site name, but you check and see which DC they are authenticated to. SELECT * FROM Win32_Environment WHERE Name = "LOGONSERVER" AND (VariableValue = "DC1" OR VariableValue="DC2") Something like that may work for you. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Smith, Brad Sent: Tuesday, March 11, 2008 12:05 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... What I want to achieve is to enable LCS Video conferencing for a limited group of users (simple enough application of security filtering) but only when they are authenticated to a site from a list of appropriate sites. So the logic would be: if the user is in "Enable LCS Group" <-- Handled by security filtering AND the user has logged into "Site_Permitted_For_LCS_Video" <- Handled by vbscript then enable it, <- Here lies the problem, as the user doesn't have permission to this key (quite rightfully so I agree) Else leave it as it is. The perfect solution would be to evaluate the site via WQL and filter the GPO on that, is getting the site name back from a WQL query possible? ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 11 March 2008 16:49 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... Right. That's on purpose! Users should not be able to modify their policy settings, otherwise Group Policy would be fairly useless J I'm curious why you want users to be able to modify these settings? Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Smith, Brad Sent: Tuesday, March 11, 2008 9:21 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... I would of thought so too, and thought this task would be a no brainer, check HCU\Software\Policies\Microsoft\Communicator on a XP SP2 build, it is definitely set to read only for the user. ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Sent: 11 March 2008 15:54 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... That doesn't sound right. If it is in HKCU the user should (by default) be able to modify it. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Smith, Brad Sent: Tuesday, March 11, 2008 10:49 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] User Hive settings set during logon.... All, Is there a way to configure permissions on registry key in the HKCU hive? I want to run a startup script that modifies a key in this hive from the user portion of the GPO, but the user only has read only access to it by default. Any ideas? TIA, Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in the United Kingdom can be found at: http://www.atkinsglobal.com/terms_and_conditions/index.aspx. <http://www.atkinsglobal.com/terms_and_conditions/index.aspx> P Consider the environment. Please don't print this e-mail unless you really need to. This message has been scanned for viruses by MailControl <http://bluepages.wsatkins.co.uk/?6875772> ________________________________ This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply). ________________________________ This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in the United Kingdom can be found at: http://www.atkinsglobal.com/terms_and_conditions/index.aspx. <http://www.atkinsglobal.com/terms_and_conditions/index.aspx> P Consider the environment. Please don't print this e-mail unless you really need to. This message has been scanned for viruses by MailControl <http://bluepages.wsatkins.co.uk/?6875772> This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in the United Kingdom can be found at: http://www.atkinsglobal.com/terms_and_conditions/index.aspx. <http://www.atkinsglobal.com/terms_and_conditions/index.aspx> P Consider the environment. Please don't print this e-mail unless you really need to. ________________________________ This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply). ________________________________ This message has been scanned for viruses by MailControl <http://bluepages.wsatkins.co.uk/?6875772> ________________________________ This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply). ________________________________ This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in the United Kingdom can be found at http://www.atkinsglobal.com/terms_and_conditions/index.aspx Consider the environment. Please don't print this e-mail unless you really need to.