[gptalk] Re: Compatible Security Template applied twice?
- From: Darren Mar-Elia <darren@xxxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Tue, 21 Oct 2008 15:45:34 -0800
Steve-
No problem. Yes, you can remove really anything you don't want in that GPO. You
just have to be aware of its effect. For any new systems that process that GPO,
they will not get those security settings that you remove. For any existing
systems that already have them, nothing will change. If you remove, for
example, a file or registry security entry, the existing permissions on those
resources simply remain the same as they are (i.e. they are not "rolled back"
since there is no known state to roll them back to).
Hope that helps.
Darren
-----Original message-----
From: "Steve Chambers" schambers1969@xxxxxxxxx
Date: Tue, 21 Oct 2008 14:37:33 -0400
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Compatible Security Template applied twice?
> Sorry about not being clear, im still very much a "newb" :)
>
> If I remove half of the entries that is still going to leave somewhere
> around 400+. I didn't know if I could remove anything further.
>
> For now ill just remove the duplicate entries.
>
> Thanks again for all of your help on this.
>
> Steve
>
>
>
> -----Original Message-----
>
> From: gptalk-bounce@xxxxxxxxxxxxx
> [*mailto:gptalk-bounce@xxxxxxxxxxxxx*<gptalk-bounce@xxxxxxxxxxxxx>]
> On Behalf Of Darren Mar-Elia
>
> Sent: Tuesday, October 21, 2008 3:16 PM
>
> To: gptalk@xxxxxxxxxxxxx
>
> Subject: [gptalk] Re: Compatible Security Template applied twice?
>
> Steve-
>
> Not sure I follow the question. If there is an entry in that file, then by
> definition it is being applied through that GPO. So anything you see in
> there should be "active".
>
> Darren
>
>
> On Tue, Oct 21, 2008 at 11:12 AM, Steve Chambers
> <schambers1969@xxxxxxxxx>wrote:
>
> > Thanks guys,
> >
> > One more question. If I am going to take the time to edit out the
> > duplicate entries, should I also remove the registry entries that are not
> > being used? If so, how do I know which ones are being applied and which
> > ones are not?
> >
> > Steve
> >
> >
> > On Tue, Oct 21, 2008 at 2:57 PM, Darren Mar-Elia <darren@xxxxxxxxxx>wrote:
> >
> >> Yes, that should do it. I would back up that file first. Also, just so you
> >> know, when you change the file directly this way, the GPO won't know that
> >> it
> >> has been updated, and thus won't re-apply to target computers right away.
> >> So, if you want, just go into the GPO using GP editor, after changing this
> >> file, and tweak a setting on/off to update the GPO version #. That will
> >> jump-start its use by clients.
> >>
> >> Darren
> >>
> >> -----Original message-----
> >> From: "Steve Chambers" schambers1969@xxxxxxxxx
> >> Date: Tue, 21 Oct 2008 13:47:06 -0400
> >> To: gptalk@xxxxxxxxxxxxx
> >> Subject: [gptalk] Re: Compatible Security Template applied twice?
> >>
> >> > I found the GPTTmpl.ini file, it has 890 (approx) entries listed and
> >> > everything is duplicated.
> >> >
> >> > I guess my question at this point is do I just remove all of the
> >> duplicate
> >> > entries?
> >> >
> >> > Steve
> >> >
> >> >
> >> >
> >> > On Sat, Oct 18, 2008 at 7:11 AM, Steve Chambers <
> >> schambers1969@xxxxxxxxx>wrote:
> >> >
> >> > > Is there an easy way to see what File and Registry settings are being
> >> > > applied by the security policy? Guess if i knew that i could just
> >> delete
> >> > > everything else.
> >> > >
> >> > > Thanks!
> >> > >
> >> > > Steve
> >> > >
> >> > >
> >> > >
> >> > > On Fri, Oct 17, 2008 at 4:15 PM, Steve Chambers <
> >> schambers1969@xxxxxxxxx>wrote:
> >> > >
> >> > >> Tell me about it, this is something that was already in place when I
> >> > >> started with the company. In fact I have a feeling it has been this
> >> way for
> >> > >> quite some. Nobody seems to know anything about it and I don't know
> >> if the
> >> > >> file and registry security policy is even being utilized. I will make
> >> a
> >> > >> point of verifying that though.
> >> > >>
> >> > >> From what research I have done, it looks like it was imported from
> >> the
> >> > >> Compatible (compatws.inf) Security Template?
> >> > >>
> >> > >> Steve
> >> > >>
> >> > >>
> >> > >> On Fri, Oct 17, 2008 at 3:54 PM, Darren Mar-Elia <darren@xxxxxxxxxx
> >> >wrote:
> >> > >>
> >> > >>> 850? Ouch. Even half that number is a lot of keys to be
> >> re-permissioning
> >> > >>> using GP. Keep in mind that security policy re-applies itself every
> >> 16 hours
> >> > >>> by default, not to mention at other times when it may refresh. That
> >> means
> >> > >>> that every key is being re-permissioned each time GP refreshes.
> >> Generally
> >> > >>> speaking I recommend avoiding the use of File and Registry security
> >> policy
> >> > >>> for large numbers of keys or files. What template did you deploy
> >> that uses
> >> > >>> all these permissions?
> >> > >>>
> >> > >>> In terms of cleaning it up, you can certainly do it manually from
> >> the UI,
> >> > >>> or you can edit the underlying GPTTmpl.inf file that stores the
> >> settings
> >> > >>> within the SYSVOL part of that GPO.
> >> > >>>
> >> > >>> Darren
> >> > >>>
> >> > >>> -----Original Message-----
> >> > >>> From: "Steve Chambers" <schambers1969@xxxxxxxxx>
> >> > >>> To: gptalk@xxxxxxxxxxxxx
> >> > >>> Sent: 10/17/2008 3:40 PM
> >> > >>> Subject: [gptalk] Re: Compatible Security Template applied twice?
> >> > >>>
> >> > >>> Thanks Darren,
> >> > >>>
> >> > >>> Kind of sounds dumb but what would the recommended method be for
> >> cleaning
> >> > >>> it
> >> > >>> up? Looks like there is approximately 850 Registry Keys listed so
> >> cut
> >> > >>> that
> >> > >>> in half.
> >> > >>>
> >> > >>> Steve
> >> > >>>
> >> > >>>
> >> > >>> On Fri, Oct 17, 2008 at 3:35 PM, Darren Mar-Elia <darren@xxxxxxxxxx
> >> >
> >> > >>> wrote:
> >> > >>>
> >> > >>> > Steve-
> >> > >>> > It does not sound normal to me and at the very least could cause
> >> > >>> confusion
> >> > >>> > down the line and extra work on the client if its not cleaned up.
> >> > >>> >
> >> > >>> > Darren
> >> > >>> >
> >> > >>> > -----Original Message-----
> >> > >>> > From: "Steve Chambers" <schambers1969@xxxxxxxxx>
> >> > >>> > To: gptalk@xxxxxxxxxxxxx
> >> > >>> > Sent: 10/17/2008 3:32 PM
> >> > >>> > Subject: [gptalk] Compatible Security Template applied twice?
> >> > >>> >
> >> > >>> > Hi!
> >> > >>> >
> >> > >>> > Upon reviewing our companies Default Domain Policy i noticed that
> >> all
> >> > >>> > Registry Key entries are duplicated in Group Policy (Hope that
> >> makes
> >> > >>> > sense)***********************
> >> > >>> > You can unsubscribe from gptalk by sending email to
> >> > >>> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject
> >> field
> >> > >>> OR by
> >> > >>> > logging into the freelists.org Web interface. Archives for the
> >> list
> >> > >>> are
> >> > >>> > available at //www.freelists.org/archives/gptalk/
> >> > >>> > ************************
> >> > >>> >
> >> > >>>
> >> > >>> ***********************
> >> > >>> You can unsubscribe from gptalk by sending email to
> >> > >>> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject
> >> field OR
> >> > >>> by logging into the freelists.org Web interface. Archives for the
> >> list
> >> > >>> are available at //www.freelists.org/archives/gptalk/
> >> > >>> ************************
> >> > >>>
> >> > >>
> >> > >>
> >> > >
> >> >
> >>
> >> ***********************
> >> You can unsubscribe from gptalk by sending email to
> >> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> >> by logging into the freelists.org Web interface. Archives for the list
> >> are available at //www.freelists.org/archives/gptalk/
> >> ************************
> >>
> >
> >
>
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
Other related posts:
