[gptalk] Re: adding persistent route

  • From: "Jakob H. Heidelberg" <jakob@xxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 25 Jan 2008 10:33:56 +0100

Hi again,

 

Well, I kinda like the approach - because it's cool to use GP and Scripts
together like that. BUT, In a "network point of view" the best thing would
probably be to add the network route on the clients default gateway (then it
will make sure to "redirect" the packages).

 

However, I guess you have thought about that and maybe it's not possible.

 

Best regards

/Jakob

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: 25. januar 2008 04:31
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: adding persistent route

 

I'll try like that. We actually want to do hit all systems and users in the
Domain.

Thanks Jacob.




On Jan 25, 2008 3:22 AM, Jakob H. Heidelberg < jakob@xxxxxxxxxxxxxxx
<mailto:jakob@xxxxxxxxxxxxxxx> > wrote:

Well,

 

Isn't it possible to "hit" the computers instead? As you are trying to add
Persistent rules I guess these Users have their own computers - or else
every other user will be hit by the persistent rule.

 

Computer Startup scripts are running in SYSTEM context - they will be able
to process the ROUTE ADD command successfully.

 

 

Side note: You only need to use one type of filtering (in most cases) - a)
OU filtering or B) Security filtering. But, for now I think the most
important thing is to get the command up and running.

 

/Jakob

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: 24. januar 2008 05:16
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: adding persistent route

 

Thanks Jacob, That cleared a lot of doubts!

What we have done so far is created an OU called Harmony Users, moves some
120 users to this OU and linked some 16 GPO's which we have created in Group
Policy Objects, only the Domain Password Policy has been set at the Domain
level. 

I think, as you pointed out, we need to remove the "authenticated users"
from delegation. We will do that. All policies are set to hit Harmony Users
only.

What we are trying to achieve is run a batch file which creates a persistent
route. in the batch file the  command is  "Route add  192.168.3.240 MASK
255.255.255.255  192.168.2.254. -p"
As you said it needs administrator privileges! 

Intranet Mail Server Route 

Domain Tai2D.ent 
Owner TAI2D\Domain Admins 
User Revisions 2 (AD), 2 (sysvol) 
Computer Revisions 2 (AD), 2 (sysvol) 
Unique ID {BD281E8F-6A17-4F05-8022-3015166E4011} 
GPO Status Enabled 

Location Enforced Link Status Path 
Harmony Users Yes Enabled Tai2D.ent/Harmony Users 

This list only includes links in the domain of the GPO. 
Security Filteringhide
The settings in this GPO can only apply to the following groups, users, and
computers:Name 
TAI2D\Harmony Users 

Delegationhide 
These groups and users have the specified permission for this GPOName
Allowed Permissions Inherited 
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No 
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No 
TAI2D\Domain Admins Edit settings, delete, modify security No 
TAI2D\Enterprise Admins Edit settings, delete, modify security No 
TAI2D\Harmony Users Read (from Security Filtering) No 

Computer Configuration (Enabled)hide
Windows Settingshide
Scriptshide 
Startuphide
Name Parameters 
\\Tai2D.ent\SysVol\Tai2D.ent\Policies\{BD281E8F-6A17-4F05-8022-3015166E4011}
\Machine\Scripts\mailsrv_route.bat  

Thanks for writing :-)
regards
Ananth.

On Jan 23, 2008 7:47 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:

Well, Ananth,

 

Actually I think the answer is pretty straight forward: Startup (and
Shutdown) scripts can be setup for Computer objects - for User objects you
can choose Login or Logoff scripts.

 

I'm not sure if a regular user is able to define a route (with ROUTE ADD) -
definitely not a persistent route? - but that can be tested by running the
script you have in regular user context. I (or better yet "we") might be
able to come up another solution for this (maybe by using GP Preference
which is soon to arrive) - but first let us know whether or not it's correct
what I think you are trying to do.

 

BTW - the security permissions (delegation) set on the "Internal Mail Server
Rout" GPO is set to apply to both "Authenticated Users" and "TAI2D\Harmony
Users" - I believe you might want to remove "Authenticated Users". But if
you are "hitting" an OU with only the right users, then you wouldn't need
the "Harmony Users" group anyway. Well, just a side note - only relevant if
you have to "hit" user objects.

 

Regards

/Jakob

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: 23. januar 2008 12:20
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] adding persistent route

 

Hi All,

We are setting up a new domain and have added some policies and scripts. For
a particular group of users, we want to add a persistent route to a server
in another subnet. we created a bat file but the bat file is not running!
Everything seeme to be ok, but still... 

The file is set in this groups OU.  The bat file is copied to the Scripts
folder in SYSVOL. The starup script is set in......

Intranet Mail Server Route 

Domain Tai2D.ent 
Owner TAI2D\Domain Admins 
User Revisions 2 (AD), 2 (sysvol) 
Computer Revisions 2 (AD), 2 (sysvol) 
Unique ID {BD281E8F-6A17-4F05-8022-3015166E4011} 
GPO Status Enabled 

Linkshide
Location Enforced Link Status Path 
Harmony Users Yes Enabled Tai2D.ent/Harmony Users 

This list only includes links in the domain of the GPO.
Security Filteringhide
The settings in this GPO can only apply to the following groups, users, and
computers:Name 
NT AUTHORITY\Authenticated Users 
TAI2D\Harmony Users 

Computer Configuration (Enabled)hide
Windows Settingshide
Scriptshide
Startuphide
Name Parameters 
\\Tai2D.ent\SysVol\Tai2D.ent\Policies\{BD281E8F-6A17-4F05-8022-3015166E4011}
\Machine\Scripts\mailsrv_route.bat 

Please advice....

regards
Ananth :-)

 

 

Other related posts: