[gptalk] Re: adding persistent route

  • From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 25 Jan 2008 17:18:45 +0530

In our scenario this seems to be the best method.... !!

On Jan 25, 2008 3:03 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:

>  Hi again,
>
>
>
> Well, I kinda like the approach – because it's cool to use GP and Scripts
> together like that. BUT, from a "network point of view" the best thing would
> probably be to add the network route on the clients' default gateway (then it
> will make sure to "redirect" the packages).
>
>
>
> However, I guess you have thought about that and maybe it's not possible.
>
>
>
> Best regards
>
> /Jakob
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Ananth Rajagopal
> *Sent:* 25 January 2008 04:31
>
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: adding persistent route
>
>
>
> I'll try like that. We actually want to hit all systems and users in
> the Domain.
>
> Thanks Jakob.
>
>
>  On Jan 25, 2008 3:22 AM, Jakob H. Heidelberg < jakob@xxxxxxxxxxxxxxx>
> wrote:
>
> Well,
>
>
>
> Isn't it possible to "hit" the computers instead? As you are trying to add
> Persistent rules I guess these Users have their own computers - or else
> every other user will be hit by the persistent rule.
>
>
>
> Computer Startup scripts are running in SYSTEM context – they will be able
> to process the ROUTE ADD command successfully.
>
>
>
>
>
> Side note: You only need to use one type of filtering (in most cases) – a)
> OU filtering or b) Security filtering. But, for now I think the most
> important thing is to get the command up and running…
>
>
>
> /Jakob
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Ananth Rajagopal
> *Sent:* 24 January 2008 05:16
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: adding persistent route
>
>
>
> Thanks Jakob, that cleared a lot of doubts!
>
> What we have done so far is created an OU called Harmony Users, moved some
> 120 users to this OU and linked some 16 GPOs which we have created in Group
> Policy Objects; only the Domain Password Policy has been set at the Domain
> level.
>
> I think, as you pointed out, we need to remove the "authenticated users"
> from delegation. We will do that. All policies are set to hit Harmony Users
> only.
>
> What we are trying to achieve is run a batch file which creates a
> persistent route. In the batch file the command is "Route add
> 192.168.3.240 MASK 255.255.255.255  192.168.2.254. -p"
> As you said it needs administrator privileges!
>
> Intranet Mail Server Route
>
> Domain: Tai2D.ent
> Owner: TAI2D\Domain Admins
> User Revisions: 2 (AD), 2 (sysvol)
> Computer Revisions: 2 (AD), 2 (sysvol)
> Unique ID: {BD281E8F-6A17-4F05-8022-3015166E4011}
> GPO Status: Enabled
>
> Location        Enforced   Link Status   Path
> Harmony Users   Yes        Enabled       Tai2D.ent/Harmony Users
>
> This list only includes links in the domain of the GPO.
>
> Security Filtering
> The settings in this GPO can only apply to the following groups, users,
> and computers:
> Name
> TAI2D\Harmony Users
>
> Delegation
> These groups and users have the specified permission for this GPO:
> Name                                         Allowed Permissions                      Inherited
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS   Read                                     No
> NT AUTHORITY\SYSTEM                          Edit settings, delete, modify security   No
> TAI2D\Domain Admins                          Edit settings, delete, modify security   No
> TAI2D\Enterprise Admins                      Edit settings, delete, modify security   No
> TAI2D\Harmony Users                          Read (from Security Filtering)           No
>
> Computer Configuration (Enabled)
> Windows Settings
> Scripts
> Startup
> Name   Parameters
> \\Tai2D.ent\SysVol\Tai2D.ent\Policies\{BD281E8F-6A17-4F05-8022-3015166E4011}\Machine\Scripts\mailsrv_route.bat
>
>
> Thanks for writing :-)
> regards
> Ananth.
>
> On Jan 23, 2008 7:47 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx>
> wrote:
>
> Well, Ananth,
>
>
>
> Actually I think the answer is pretty straightforward: Startup (and
> Shutdown) scripts can be set up for Computer objects – for User objects you
> can choose Login or Logoff scripts.
>
>
>
> I'm not sure if a regular user is able to define a route (with ROUTE ADD)
> – definitely not a persistent route? – but that can be tested by running the
> script you have in regular user context. I (or better yet "we") might be
> able to come up with another solution for this (maybe by using GP Preference
> which is soon to arrive) – but first let us know whether or not it's correct
> what I think you are trying to do.
>
>
>
> BTW – the security permissions (delegation) set on the "Internal Mail
> Server Route" GPO are set to apply to both "Authenticated Users" and
> "TAI2D\Harmony Users" – I believe you might want to remove "Authenticated
> Users". But if you are "hitting" an OU with only the right users, then you
> wouldn't need the "Harmony Users" group anyway. Well, just a side note –
> only relevant if you have to "hit" user objects.
>
>
>
> Regards
>
> /Jakob
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Ananth Rajagopal
> *Sent:* 23 January 2008 12:20
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] adding persistent route
>
>
>
> Hi All,
>
> We are setting up a new domain and have added some policies and scripts.
> For a particular group of users, we want to add a persistent route to a
> server in another subnet. We created a bat file but the bat file is not
> running! Everything seems to be ok, but still...
>
> The file is set in this group's OU.  The bat file is copied to the Scripts
> folder in SYSVOL. The startup script is set in......
>
> Intranet Mail Server Route
>
> Domain: Tai2D.ent
> Owner: TAI2D\Domain Admins
> User Revisions: 2 (AD), 2 (sysvol)
> Computer Revisions: 2 (AD), 2 (sysvol)
> Unique ID: {BD281E8F-6A17-4F05-8022-3015166E4011}
> GPO Status: Enabled
>
> Links
> Location        Enforced   Link Status   Path
> Harmony Users   Yes        Enabled       Tai2D.ent/Harmony Users
>
> This list only includes links in the domain of the GPO.
>
> Security Filtering
> The settings in this GPO can only apply to the following groups, users,
> and computers:
> Name
> NT AUTHORITY\Authenticated Users
> TAI2D\Harmony Users
>
> Computer Configuration (Enabled)
> Windows Settings
> Scripts
> Startup
> Name   Parameters
> \\Tai2D.ent\SysVol\Tai2D.ent\Policies\{BD281E8F-6A17-4F05-8022-3015166E4011}\Machine\Scripts\mailsrv_route.bat
>
>
> Please advise....
>
> regards
> Ananth :-)
>
>
>
>
>
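
An idempotent form of the Computer Startup script discussed in this thread, as an added example that is not code from any of the posters: it uses the route quoted in the thread, checks the PersistentRoutes registry key before and after calling route, and writes a log. The log path and the `is_persistent` label are assumptions.

```bat
@echo off
rem Added example, not the poster's mailsrv_route.bat. Meant to run as a
rem Computer Startup script (SYSTEM context). The LOG path is an assumption.
setlocal
set "DEST=192.168.3.240"
set "MASK=255.255.255.255"
set "GW=192.168.2.254"
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes"
set "LOG=%SystemRoot%\Temp\mailsrv_route.log"

rem Persistent routes are stored under KEY as value names of the form
rem "destination,mask,gateway,metric"; look for ours before adding it.
call :is_persistent
if not errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% route to %DEST% already persistent
    exit /b 0
)

rem route add needs administrative rights; startup scripts run as SYSTEM.
rem Capture route's own output so a failure leaves a trace on the client.
>>"%LOG%" echo %DATE% %TIME% adding persistent route to %DEST% via %GW%
route -p add %DEST% mask %MASK% %GW% >>"%LOG%" 2>&1

rem Confirm from the registry that the route was actually stored.
call :is_persistent
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% FAILED, route was not stored
    exit /b 1
)
>>"%LOG%" echo %DATE% %TIME% route stored
exit /b 0

:is_persistent
rem Returns 0 when a value name starting "DEST,MASK,GW," exists, else 1.
reg query "%KEY%" 2>nul | find "%DEST%,%MASK%,%GW%," >nul
exit /b %errorlevel%
```

Because this is a Computer Startup script, the GPO carrying it has to be in scope for the computer accounts, not only the user accounts.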
