[gptalk] Re: Compatible Security Template applied twice?
- From: "Steve Chambers" <schambers1969@xxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Tue, 21 Oct 2008 17:19:46 -0700
Appreaciate the added info Darren!
Thank you!!!
On Tue, Oct 21, 2008 at 4:45 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
> Steve-
> No problem. Yes, you can remove really anything you don't want in that GPO.
> You just have to be aware of its effect. For any new systems that process
> that GPO, they will not get those security settings that you remove. For any
> existing systems that already have them, nothing will change. If you remove,
> for example, a file or registry security entry, the existing permissions on
> those resources simply remain the same as they are (i.e. they are not
> "rolled back" since there is no known state to roll them back to).
>
> Hope that helps.
>
> Darren
>
> -----Original message-----
> From: "Steve Chambers" schambers1969@xxxxxxxxx
> Date: Tue, 21 Oct 2008 14:37:33 -0400
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Compatible Security Template applied twice?
>
> > Sorry about not being clear, im still very much a "newb" :)
> >
> > If I remove half of the entries that is still going to leave somewhere
> > around 400+. I didn't know if I could remove anything further.
> >
> > For now ill just remove the duplicate entries.
> >
> > Thanks again for all of your help on this.
> >
> > Steve
> >
> >
> >
> > -----Original Message-----
> >
> > From: gptalk-bounce@xxxxxxxxxxxxx
> > [*mailto:gptalk-bounce@xxxxxxxxxxxxx*<gptalk-bounce@xxxxxxxxxxxxx>]
> > On Behalf Of Darren Mar-Elia
> >
> > Sent: Tuesday, October 21, 2008 3:16 PM
> >
> > To: gptalk@xxxxxxxxxxxxx
> >
> > Subject: [gptalk] Re: Compatible Security Template applied twice?
> >
> > Steve-
> >
> > Not sure I follow the question. If there is an entry in that file, then
> by
> > definition it is being applied through that GPO. So anything you see in
> > there should be "active".
> >
> > Darren
> >
> >
> > On Tue, Oct 21, 2008 at 11:12 AM, Steve Chambers <
> schambers1969@xxxxxxxxx>wrote:
> >
> > > Thanks guys,
> > >
> > > One more question. If I am going to take the time to edit out the
> > > duplicate entries, should I also remove the registry entries that are
> not
> > > being used? If so, how do I know which ones are being applied and which
> > > ones are not?
> > >
> > > Steve
> > >
> > >
> > > On Tue, Oct 21, 2008 at 2:57 PM, Darren Mar-Elia <darren@xxxxxxxxxx
> >wrote:
> > >
> > >> Yes, that should do it. I would back up that file first. Also, just so
> you
> > >> know, when you change the file directly this way, the GPO won't know
> that it
> > >> has been updated, and thus won't re-apply to target computers right
> away.
> > >> So, if you want, just go into the GPO using GP editor, after changing
> this
> > >> file, and tweak a setting on/off to update the GPO version #. That
> will
> > >> jump-start its use by clients.
> > >>
> > >> Darren
> > >>
> > >> -----Original message-----
> > >> From: "Steve Chambers" schambers1969@xxxxxxxxx
> > >> Date: Tue, 21 Oct 2008 13:47:06 -0400
> > >> To: gptalk@xxxxxxxxxxxxx
> > >> Subject: [gptalk] Re: Compatible Security Template applied twice?
> > >>
> > >> > I found the GPTTmpl.ini file, it has 890 (approx) entries listed and
> > >> > everything is duplicated.
> > >> >
> > >> > I guess my question at this point is do I just remove all of the
> > >> duplicate
> > >> > entries?
> > >> >
> > >> > Steve
> > >> >
> > >> >
> > >> >
> > >> > On Sat, Oct 18, 2008 at 7:11 AM, Steve Chambers <
> > >> schambers1969@xxxxxxxxx>wrote:
> > >> >
> > >> > > Is there an easy way to see what File and Registry settings are
> being
> > >> > > applied by the security policy? Guess if i knew that i could just
> > >> delete
> > >> > > everything else.
> > >> > >
> > >> > > Thanks!
> > >> > >
> > >> > > Steve
> > >> > >
> > >> > >
> > >> > >
> > >> > > On Fri, Oct 17, 2008 at 4:15 PM, Steve Chambers <
> > >> schambers1969@xxxxxxxxx>wrote:
> > >> > >
> > >> > >> Tell me about it, this is something that was already in place
> when I
> > >> > >> started with the company. In fact I have a feeling it has been
> this
> > >> way for
> > >> > >> quite some. Nobody seems to know anything about it and I don't
> know
> > >> if the
> > >> > >> file and registry security policy is even being utilized. I will
> make
> > >> a
> > >> > >> point of verifying that though.
> > >> > >>
> > >> > >> From what research I have done, it looks like it was imported
> from
> > >> the
> > >> > >> Compatible (compatws.inf) Security Template?
> > >> > >>
> > >> > >> Steve
> > >> > >>
> > >> > >>
> > >> > >> On Fri, Oct 17, 2008 at 3:54 PM, Darren Mar-Elia <
> darren@xxxxxxxxxx
> > >> >wrote:
> > >> > >>
> > >> > >>> 850? Ouch. Even half that number is a lot of keys to be
> > >> re-permissioning
> > >> > >>> using GP. Keep in mind that security policy re-applies itself
> every
> > >> 16 hours
> > >> > >>> by default, not to mention at other times when it may refresh.
> That
> > >> means
> > >> > >>> that every key is being re-permissioned each time GP refreshes.
> > >> Generally
> > >> > >>> speaking I recommend avoiding the use of File and Registry
> security
> > >> policy
> > >> > >>> for large numbers of keys or files. What template did you deploy
> > >> that uses
> > >> > >>> all these permissions?
> > >> > >>>
> > >> > >>> In terms of cleaning it up, you can certainly do it manually
> from
> > >> the UI,
> > >> > >>> or you can edit the underlying GPTTmpl.inf file that stores the
> > >> settings
> > >> > >>> within the SYSVOL part of that GPO.
> > >> > >>>
> > >> > >>> Darren
> > >> > >>>
> > >> > >>> -----Original Message-----
> > >> > >>> From: "Steve Chambers" <schambers1969@xxxxxxxxx>
> > >> > >>> To: gptalk@xxxxxxxxxxxxx
> > >> > >>> Sent: 10/17/2008 3:40 PM
> > >> > >>> Subject: [gptalk] Re: Compatible Security Template applied
> twice?
> > >> > >>>
> > >> > >>> Thanks Darren,
> > >> > >>>
> > >> > >>> Kind of sounds dumb but what would the recommended method be for
> > >> cleaning
> > >> > >>> it
> > >> > >>> up? Looks like there is approximately 850 Registry Keys listed
> so
> > >> cut
> > >> > >>> that
> > >> > >>> in half.
> > >> > >>>
> > >> > >>> Steve
> > >> > >>>
> > >> > >>>
> > >> > >>> On Fri, Oct 17, 2008 at 3:35 PM, Darren Mar-Elia <
> darren@xxxxxxxxxx
> > >> >
> > >> > >>> wrote:
> > >> > >>>
> > >> > >>> > Steve-
> > >> > >>> > It does not sound normal to me and at the very least could
> cause
> > >> > >>> confusion
> > >> > >>> > down the line and extra work on the client if its not cleaned
> up.
> > >> > >>> >
> > >> > >>> > Darren
> > >> > >>> >
> > >> > >>> > -----Original Message-----
> > >> > >>> > From: "Steve Chambers" <schambers1969@xxxxxxxxx>
> > >> > >>> > To: gptalk@xxxxxxxxxxxxx
> > >> > >>> > Sent: 10/17/2008 3:32 PM
> > >> > >>> > Subject: [gptalk] Compatible Security Template applied twice?
> > >> > >>> >
> > >> > >>> > Hi!
> > >> > >>> >
> > >> > >>> > Upon reviewing our companies Default Domain Policy i noticed
> that
> > >> all
> > >> > >>> > Registry Key entries are duplicated in Group Policy (Hope that
> > >> makes
> > >> > >>> > sense)***********************
> > >> > >>> > You can unsubscribe from gptalk by sending email to
> > >> > >>> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the
> Subject
> > >> field
> > >> > >>> OR by
> > >> > >>> > logging into the freelists.org Web interface. Archives for
> the
> > >> list
> > >> > >>> are
> > >> > >>> > available at //www.freelists.org/archives/gptalk/
> > >> > >>> > ************************
> > >> > >>> >
> > >> > >>>
> > >> > >>> ***********************
> > >> > >>> You can unsubscribe from gptalk by sending email to
> > >> > >>> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject
> > >> field OR
> > >> > >>> by logging into the freelists.org Web interface. Archives for
> the
> > >> list
> > >> > >>> are available at //www.freelists.org/archives/gptalk/
> > >> > >>> ************************
> > >> > >>>
> > >> > >>
> > >> > >>
> > >> > >
> > >> >
> > >>
> > >> ***********************
> > >> You can unsubscribe from gptalk by sending email to
> > >> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
> OR
> > >> by logging into the freelists.org Web interface. Archives for the
> list
> > >> are available at //www.freelists.org/archives/gptalk/
> > >> ************************
> > >>
> > >
> > >
> >
>
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at //www.freelists.org/archives/gptalk/
> ************************
>
Other related posts:
