Appreciate the added info Darren! Thank you!!!

On Tue, Oct 21, 2008 at 4:45 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

> Steve-
> No problem. Yes, you can remove really anything you don't want in that GPO. You just have to be aware of its effect. For any new systems that process that GPO, they will not get those security settings that you remove. For any existing systems that already have them, nothing will change. If you remove, for example, a file or registry security entry, the existing permissions on those resources simply remain the same as they are (i.e. they are not "rolled back" since there is no known state to roll them back to).
>
> Hope that helps.
>
> Darren
>
> -----Original message-----
> From: "Steve Chambers" schambers1969@xxxxxxxxx
> Date: Tue, 21 Oct 2008 14:37:33 -0400
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Compatible Security Template applied twice?
>
> > Sorry about not being clear, I'm still very much a "newb" :)
> >
> > If I remove half of the entries that is still going to leave somewhere around 400+. I didn't know if I could remove anything further.
> >
> > For now I'll just remove the duplicate entries.
> >
> > Thanks again for all of your help on this.
> >
> > Steve
> >
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
> > Sent: Tuesday, October 21, 2008 3:16 PM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Compatible Security Template applied twice?
> >
> > Steve-
> >
> > Not sure I follow the question. If there is an entry in that file, then by definition it is being applied through that GPO. So anything you see in there should be "active".
> >
> > Darren
> >
> > On Tue, Oct 21, 2008 at 11:12 AM, Steve Chambers <schambers1969@xxxxxxxxx> wrote:
> >
> > > Thanks guys,
> > >
> > > One more question. If I am going to take the time to edit out the duplicate entries, should I also remove the registry entries that are not being used? If so, how do I know which ones are being applied and which ones are not?
> > >
> > > Steve
> > >
> > > On Tue, Oct 21, 2008 at 2:57 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
> > >
> > >> Yes, that should do it. I would back up that file first. Also, just so you know, when you change the file directly this way, the GPO won't know that it has been updated, and thus won't re-apply to target computers right away. So, if you want, just go into the GPO using GP editor, after changing this file, and tweak a setting on/off to update the GPO version #. That will jump-start its use by clients.
> > >>
> > >> Darren
> > >>
> > >> -----Original message-----
> > >> From: "Steve Chambers" schambers1969@xxxxxxxxx
> > >> Date: Tue, 21 Oct 2008 13:47:06 -0400
> > >> To: gptalk@xxxxxxxxxxxxx
> > >> Subject: [gptalk] Re: Compatible Security Template applied twice?
> > >>
> > >> > I found the GPTTmpl.ini file, it has 890 (approx) entries listed and everything is duplicated.
> > >> >
> > >> > I guess my question at this point is do I just remove all of the duplicate entries?
> > >> >
> > >> > Steve
> > >> >
> > >> > On Sat, Oct 18, 2008 at 7:11 AM, Steve Chambers <schambers1969@xxxxxxxxx> wrote:
> > >> >
> > >> > > Is there an easy way to see what File and Registry settings are being applied by the security policy? Guess if I knew that I could just delete everything else.
> > >> > >
> > >> > > Thanks!
> > >> > >
> > >> > > Steve
> > >> > >
> > >> > > On Fri, Oct 17, 2008 at 4:15 PM, Steve Chambers <schambers1969@xxxxxxxxx> wrote:
> > >> > >
> > >> > >> Tell me about it, this is something that was already in place when I started with the company. In fact I have a feeling it has been this way for quite some. Nobody seems to know anything about it and I don't know if the file and registry security policy is even being utilized. I will make a point of verifying that though.
> > >> > >>
> > >> > >> From what research I have done, it looks like it was imported from the Compatible (compatws.inf) Security Template?
> > >> > >>
> > >> > >> Steve
> > >> > >>
> > >> > >> On Fri, Oct 17, 2008 at 3:54 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
> > >> > >>
> > >> > >>> 850? Ouch. Even half that number is a lot of keys to be re-permissioning using GP. Keep in mind that security policy re-applies itself every 16 hours by default, not to mention at other times when it may refresh. That means that every key is being re-permissioned each time GP refreshes. Generally speaking I recommend avoiding the use of File and Registry security policy for large numbers of keys or files. What template did you deploy that uses all these permissions?
> > >> > >>>
> > >> > >>> In terms of cleaning it up, you can certainly do it manually from the UI, or you can edit the underlying GPTTmpl.inf file that stores the settings within the SYSVOL part of that GPO.
> > >> > >>>
> > >> > >>> Darren
> > >> > >>>
> > >> > >>> -----Original Message-----
> > >> > >>> From: "Steve Chambers" <schambers1969@xxxxxxxxx>
> > >> > >>> To: gptalk@xxxxxxxxxxxxx
> > >> > >>> Sent: 10/17/2008 3:40 PM
> > >> > >>> Subject: [gptalk] Re: Compatible Security Template applied twice?
> > >> > >>>
> > >> > >>> Thanks Darren,
> > >> > >>>
> > >> > >>> Kind of sounds dumb but what would the recommended method be for cleaning it up? Looks like there is approximately 850 Registry Keys listed so cut that in half.
> > >> > >>>
> > >> > >>> Steve
> > >> > >>>
> > >> > >>> On Fri, Oct 17, 2008 at 3:35 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
> > >> > >>>
> > >> > >>> > Steve-
> > >> > >>> > It does not sound normal to me and at the very least could cause confusion down the line and extra work on the client if it's not cleaned up.
> > >> > >>> >
> > >> > >>> > Darren
> > >> > >>> >
> > >> > >>> > -----Original Message-----
> > >> > >>> > From: "Steve Chambers" <schambers1969@xxxxxxxxx>
> > >> > >>> > To: gptalk@xxxxxxxxxxxxx
> > >> > >>> > Sent: 10/17/2008 3:32 PM
> > >> > >>> > Subject: [gptalk] Compatible Security Template applied twice?
> > >> > >>> >
> > >> > >>> > Hi!
> > >> > >>> >
> > >> > >>> > Upon reviewing our company's Default Domain Policy I noticed that all Registry Key entries are duplicated in Group Policy (Hope that makes sense)
> > >> > >>> > ***********************
> > >> > >>> > You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/
> > >> > >>> > ************************