[gptalk] Re: adding persistent route

  • From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 25 Jan 2008 17:20:49 +0530

We don't want to put the default gateway in any of the systems, as users in
this domain need to access only one or two systems from other networks.

That's why we fixed on this method.

:-) Ananth.



On Jan 25, 2008 5:18 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:

> In our scenario this seems to be the best method.... !!
>
>
> On Jan 25, 2008 3:03 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx>
> wrote:
>
> >  Hi again,
> >
> >
> >
> > Well, I kinda like the approach – because it's cool to use GP and
> > Scripts together like that. BUT, in a "network point of view" the best thing
> > would probably be to add the network route on the clients' default gateway
> > (then it will make sure to "redirect" the packages).
> >
> >
> >
> > However, I guess you have thought about that and maybe it's not
> > possible.
> >
> >
> >
> > Best regards
> >
> > /Jakob
> >
> >
> >
> > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > *On Behalf Of *Ananth Rajagopal
> > *Sent:* 25 January 2008 04:31
> >
> > *To:* gptalk@xxxxxxxxxxxxx
> > *Subject:* [gptalk] Re: adding persistent route
> >
> >
> >
> > I'll try like that. We actually want to hit all systems and users in
> > the Domain.
> >
> > Thanks Jacob.
> >
> >
> >  On Jan 25, 2008 3:22 AM, Jakob H. Heidelberg < jakob@xxxxxxxxxxxxxxx>
> > wrote:
> >
> > Well,
> >
> >
> >
> > Isn't it possible to "hit" the computers instead? As you are trying to
> > add Persistent rules I guess these Users have their own computers - or else
> > every other user will be hit by the persistent rule.
> >
> >
> >
> > Computer Startup scripts are running in SYSTEM context – they will be
> > able to process the ROUTE ADD command successfully.
> >
> >
> >
> >
> >
> > Side note: You only need to use one type of filtering (in most cases) –
> > a) OU filtering or b) Security filtering. But, for now I think the most
> > important thing is to get the command up and running…
> >
> >
> >
> > /Jakob
> >
> >
> >
> > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > *On Behalf Of *Ananth Rajagopal
> > *Sent:* 24 January 2008 05:16
> > *To:* gptalk@xxxxxxxxxxxxx
> > *Subject:* [gptalk] Re: adding persistent route
> >
> >
> >
> > Thanks Jacob, That cleared a lot of doubts!
> >
> > What we have done so far is created an OU called Harmony Users, moved
> > some 120 users to this OU and linked some 16 GPOs which we have created in
> > Group Policy Objects; only the Domain Password Policy has been set at the
> > Domain level.
> >
> > I think, as you pointed out, we need to remove the "authenticated users"
> > from delegation. We will do that. All policies are set to hit Harmony Users
> > only.
> >
> > What we are trying to achieve is to run a batch file which creates a
> > persistent route. In the batch file the command is "Route add
> > 192.168.3.240 MASK 255.255.255.255  192.168.2.254. -p"
> > As you said, it needs administrator privileges!
> >
> > Intranet Mail Server Route
> >
> > Domain Tai2D.ent
> > Owner TAI2D\Domain Admins
> > User Revisions 2 (AD), 2 (sysvol)
> > Computer Revisions 2 (AD), 2 (sysvol)
> > Unique ID {BD281E8F-6A17-4F05-8022-3015166E4011}
> > GPO Status Enabled
> >
> > Location Enforced Link Status Path
> > Harmony Users Yes Enabled Tai2D.ent/Harmony Users
> >
> > This list only includes links in the domain of the GPO.
> > Security Filtering
> > The settings in this GPO can only apply to the following groups, users,
> > and computers:
> > Name
> > TAI2D\Harmony Users
> >
> > Delegation
> > These groups and users have the specified permission for this GPO
> > Name  Allowed Permissions  Inherited
> > NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  Read  No
> > NT AUTHORITY\SYSTEM  Edit settings, delete, modify security  No
> > TAI2D\Domain Admins  Edit settings, delete, modify security  No
> > TAI2D\Enterprise Admins  Edit settings, delete, modify security  No
> > TAI2D\Harmony Users  Read (from Security Filtering)  No
> >
> > Computer Configuration (Enabled)
> > Windows Settings
> > Scripts
> > Startup
> > Name  Parameters
> >
> > \\Tai2D.ent\SysVol\Tai2D.ent\Policies\{BD281E8F-6A17-4F05-8022-3015166E4011}\Machine\Scripts\mailsrv_route.bat
> >
> > Thanks for writing :-)
> > regards
> > Ananth.
> >
> > On Jan 23, 2008 7:47 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx>
> > wrote:
> >
> > Well, Ananth,
> >
> >
> >
> > Actually I think the answer is pretty straightforward: Startup (and
> > Shutdown) scripts can be set up for Computer objects – for User objects you
> > can choose Login or Logoff scripts.
> >
> >
> >
> > I'm not sure if a regular user is able to define a route (with ROUTE
> > ADD) – definitely not a persistent route? – but that can be tested by
> > running the script you have in regular user context. I (or better yet "we")
> > might be able to come up with another solution for this (maybe by using GP
> > Preference which is soon to arrive) – but first let us know whether or not
> > it's correct what I think you are trying to do.
> >
> >
> >
> > BTW – the security permissions (delegation) set on the "Internal Mail
> > Server Route" GPO are set to apply to both "Authenticated Users" and
> > "TAI2D\Harmony Users" – I believe you might want to remove "Authenticated
> > Users". But if you are "hitting" an OU with only the right users, then you
> > wouldn't need the "Harmony Users" group anyway. Well, just a side note –
> > only relevant if you have to "hit" user objects.
> >
> >
> >
> > Regards
> >
> > /Jakob
> >
> >
> >
> > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > *On Behalf Of *Ananth Rajagopal
> > *Sent:* 23 January 2008 12:20
> > *To:* gptalk@xxxxxxxxxxxxx
> > *Subject:* [gptalk] adding persistent route
> >
> >
> >
> > Hi All,
> >
> > We are setting up a new domain and have added some policies and scripts.
> > For a particular group of users, we want to add a persistent route to a
> > server in another subnet. We created a bat file but the bat file is not
> > running! Everything seems to be ok, but still...
> >
> > The file is set in this group's OU.  The bat file is copied to the
> > Scripts folder in SYSVOL. The startup script is set in......
> >
> > Intranet Mail Server Route
> >
> > Domain Tai2D.ent
> > Owner TAI2D\Domain Admins
> > User Revisions 2 (AD), 2 (sysvol)
> > Computer Revisions 2 (AD), 2 (sysvol)
> > Unique ID {BD281E8F-6A17-4F05-8022-3015166E4011}
> > GPO Status Enabled
> >
> > Links
> > Location  Enforced  Link Status  Path
> > Harmony Users  Yes  Enabled  Tai2D.ent/Harmony Users
> >
> > This list only includes links in the domain of the GPO.
> > Security Filtering
> > The settings in this GPO can only apply to the following groups, users,
> > and computers:
> > Name
> > NT AUTHORITY\Authenticated Users
> > TAI2D\Harmony Users
> >
> > Computer Configuration (Enabled)
> > Windows Settings
> > Scripts
> > Startup
> > Name  Parameters
> > \\Tai2D.ent\SysVol\Tai2D.ent\Policies\{BD281E8F-6A17-4F05-8022-3015166E4011}\Machine\Scripts\mailsrv_route.bat
> >
> >
> > Please advise....
> >
> > regards
> > Ananth :-)
> >
> >
> >
> >
> >
>
>
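
An added example, not part of the original thread or any poster's script: a computer startup batch file (run in SYSTEM context, as discussed above) that adds the route only when it is missing and then verifies it was stored. The destination, mask and gateway are the values quoted in the thread; the log path is an assumption, and the GPO is assumed to apply to computer objects.

```bat
@echo off
rem Added example: idempotent startup script for the persistent route.
rem Runs as SYSTEM when assigned under Computer Configuration > Scripts > Startup.
setlocal

rem Route values as quoted in the thread.
set "DEST=192.168.3.240"
set "MASK=255.255.255.255"
set "GW=192.168.2.254"

rem Assumed log location; writable by SYSTEM.
set "LOG=%SystemRoot%\Temp\mailsrv_route.log"

rem Persistent routes are stored here as value names "dest,mask,gateway,metric".
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes"
set "WANT=%DEST%,%MASK%,%GW%,"

rem Skip the add when the exact route is already persistent.
reg query "%KEY%" 2>nul | findstr /C:"%WANT%" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% route to %DEST% already persistent >> "%LOG%"
    exit /b 0
)

rem Documented syntax puts the -p switch before the command.
route -p add %DEST% mask %MASK% %GW% >> "%LOG%" 2>&1

rem Do not rely on the exit code of route.exe; confirm the registry entry exists.
reg query "%KEY%" 2>nul | findstr /C:"%WANT%" >nul
if errorlevel 1 (
    echo %DATE% %TIME% FAILED to store route to %DEST% via %GW% >> "%LOG%"
    exit /b 1
)

echo %DATE% %TIME% persistent route to %DEST% via %GW% added >> "%LOG%"
exit /b 0
```

Because the script runs as SYSTEM on every boot, the copy under SYSVOL should stay writable only by the administrative groups listed in the GPO's delegation.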
