[gptalk] Re: Vista's Gpresult no longer showing Computer settings?

  • From: "Mills, Mark" <Mark.Mills@xxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 15 Sep 2006 11:12:23 -0500

Is there a way to elevate your DOS privileges so you could run gpresult
/computer? The new version of the "runas" command, I noticed, now has a
"trustLevel" parameter, but even as an admin the DOS application runs in
"standard user" mode. I also tried to use the Application
Compatibility Wizard to elevate my privileges, but it would not, stating
it is a core system program.

Mark Mills 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, September 15, 2006 10:56 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Vista's Gpresult no longer showing Computer settings?

Actually, as a follow-up to this, you can use the /user parameter on
gpresult, as an elevated user, to get the RSOP info for the original
user you're logged in as. So you don't really have to run gpresult twice
if you do this.

Darren

________________________________

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx] 
Sent: Friday, September 15, 2006 8:52 AM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: RE: [gptalk] Vista's Gpresult no longer showing Computer settings?

Mark-

In Vista, they removed the ability for a "regular" non-elevated user
to get computer-specific RSOP. You have to start an elevated
command prompt in order to get computer info. The pain about this is the
following. Let's say you're logged on as your normal, non-admin user
account. So you want to get RSOP info. You elevate your command prompt
to admin and then run gpresult. Well, it gives you the computer data
that you're after but then it gives you the user data of the elevated
account (e.g. local administrator). Bummer. So you really have to run
GPResult twice if you're not already an admin on a box. Part of the new
secure world we live in.

Darren
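
The workflow from Darren's two messages above (elevate to read computer RSOP, then pass /user to get the original account's user RSOP in the same session), as an added PowerShell example that is not part of the thread. It assumes a Windows release whose gpresult accepts /r together with /user and /scope; the TargetUser parameter and Test-Elevated helper are hypothetical names.

```powershell
# Added example, not from the thread. Assumes gpresult supports /r (summary
# mode) with /user and /scope, and that TargetUser has logged on to this
# machine at least once so RSOP data exists for the account.
param(
    # Hypothetical parameter: the account whose user RSOP you want,
    # e.g. the non-admin user logged on at the console (DOMAIN\name).
    [Parameter(Mandatory = $true)]
    [string]$TargetUser
)

function Test-Elevated {
    # True when this process token has the local Administrators group enabled.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$current = [Security.Principal.WindowsIdentity]::GetCurrent().Name

if (Test-Elevated) {
    # Computer RSOP is only readable from an elevated prompt.
    Write-Host "== Computer settings (elevated as $current) =="
    & gpresult.exe /r /scope computer
} else {
    Write-Warning "Not elevated as $current: computer RSOP will be missing."
}

# Ask for the original user's RSOP explicitly; without /user an elevated
# prompt reports the user data of the elevated account instead.
Write-Host "== User settings for $TargetUser =="
& gpresult.exe /r /user $TargetUser /scope user
if ($LASTEXITCODE -ne 0) {
    Write-Warning "gpresult returned $LASTEXITCODE for $TargetUser"
}
```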

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mills, Mark
Sent: Friday, September 15, 2006 8:13 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Vista's Gpresult no longer showing Computer settings?

I ran a gpresult on VistaRC1 and gpresult doesn't show the Computer
settings section of GPResult?

Here is a capture of the Gpresult - Notice there is not a Computer
settings section:

U:\>psexec \\vistarc1_9-1-06 -u DA\Vista -p V1staOS cmd

PsExec v1.31 - execute processes remotely
Copyright (C) 2001-2002 Mark Russinovich
www.sysinternals.com

Microsoft Windows [Version 6.0.5600]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>hostname
VistaRC1_9-1-06

C:\Windows\system32>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 9/15/2006 at 9:45:08 AM

RSOP data for DA\Vista on VISTARC1_9-1-06 : Logging Mode
---------------------------------------------------------

OS Type:                     Microsoft® Windows Vista™ Ultimate
OS Configuration:            Member Workstation
OS Version:                  6.0.5600
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\Vista
Connected over a slow link?: No

USER SETTINGS  (here is the user settings - but no Computer settings showed up?)
--------------
    CN=VistaTester,OU=IT Users,OU=User Policies,OU=Active Group Policies,DC=mydomain,DC=com
    Last time Group Policy was applied: 9/15/2006 at 8:40:40 AM
    Group Policy was applied from:      domaincontroller.mydomain.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DA
    Domain Type:                        Windows 2000 (actually 2003 domain and forest)

    Applied Group Policy Objects
    -----------------------------
        User - Printer - These specific PCs get the 8000 and 8550 Printer
        Default Domain Policy
        User -AD IT Group to added to Local Computer Admin Group
        User -All Mapped Drives
        User -Screen Saver Lock Computer after 1 hours inactivity
        User -IE Changes for IT
        User -Disable Offline Folder Synchronization
        User -My Documents Folder Redirection
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Computer -Disable Windows Security Center
            Filtering:  Disabled (GPO)

        Computer - Symantec Auto Install IT Group
            Filtering:  Not Applied (Empty)

        Computer -Disable OS Firewall while on Domain
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Medium Mandatory Level


It doesn't matter if I am sitting in front of the PC or using psexec; I
cannot get gpresult to show the computer settings portion of gpresult.
(psexec no longer works in interactive mode by the way, even using a
local username and password; it still works in default mode though.)

Mark Mills

Office Phone:  281-444-2300 x113

Email: mark.mills@xxxxxxxxxxxxxxxxxxxxxx