[gptalk] Re: Custom ADM Issues

  • From: "Nelson, Jamie R" <Jamie.Nelson@xxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 6 Feb 2008 14:09:29 -0600

Also, the GpNetworkStartTimeoutPolicyValue can be set as a policy
setting so you don't have to tattoo that into the registry (unless you
want to override anything that is currently assigned by policy as
discussed below).

 

Creating a Group Policy network start timeout policy

The GpNetworkStartTimeoutPolicyValue policy timeout can be specified in
the registry in two locations:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

You can do this by adding a DWORD value of
GpNetworkStartTimeoutPolicyValue with a number of seconds between 30 and
600.

Windows reads the Winlogon subkey first. Then, Windows reads the
Policies subkey. The value in the Policies subkey supersedes any value
in the Winlogon subkey. There is no user interface that you can use to
set this Group Policy object (GPO). Therefore, you have to deploy a
custom ADM file in order to set the GPO.

The value specified should be of sufficient duration to make sure that
the connection is made. During the timeout period, Windows examines the
connection status every two seconds and continues with system startup as
soon as the connection is confirmed. Therefore, setting the value larger
than the minimum value of 30 is recommended. However, be advised that if
the system is legitimately disconnected, Windows will stall for the
whole timeout period. 

Note: Examples of the system being legitimately disconnected include the
network cable being disconnected or if the server is offline.

This information is discussed in the MS KB Article 840669, "Group Policy
application fails on a computer that is running Windows 2000, Windows XP
Service Pack 1, or Windows XP Service Pack 2", located here:
<http://support.microsoft.com/kb/840669>.

 

Jamie Nelson | Systems Engineer | Systems Support, Information
Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
405.553.5687 | http://www.integrisok.com <http://www.integrisok.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R
Sent: Wednesday, February 06, 2008 2:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

 

You don't need the HKEY_LOCAL_MACHINE in the KEYNAME.

 

Jamie Nelson | Systems Engineer | Systems Support, Information
Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
405.553.5687 | http://www.integrisok.com <http://www.integrisok.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Jonathan Finkbiner
Sent: Wednesday, February 06, 2008 1:55 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Custom ADM Issues

 

Hey All,

I thought I sent this on Monday, but apparently with this "email" thing
you have to hit a send button to get it to work.

 

I was looking for a little feedback on a custom adm template I've been
working on. I am sure the problem is staring me right in the face but I
am completely missing it.

 

I want to generate and manage 3 keys on all computers across the domain.
The three keys are the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
"SupplicantMode"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:0000003c (This should be a
decimal value)

 

I've created adm templates before, but it has been a while and so far
all I can do is get the event log to spit angry messages at me. Here is
a sample of the code I am using (I've left off the strings comments to
keep this as brief as possible):

 

CLASS MACHINE

CATEGORY "System"
      CATEGORY "NAC Options"
            POLICY !!AMode
                  EXPLAIN !!AMode_Exp
                  KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
                  PART "Authentication Mode" NUMERIC
                        VALUENAME "AuthMode"
                        MIN   0
                        MAX   2
                        TXTCONVERT
                        DEFAULT 2
                        SPIN 1
                  END PART
            END POLICY
      END CATEGORY

      CATEGORY "NAC Options"
            POLICY !!SMode
                  EXPLAIN !!SMode_Exp
                  KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
                  PART "Supplicant Mode" NUMERIC
                        VALUENAME "SupplicantMode"
                        MIN   1
                        MAX   3
                        TXTCONVERT
                        DEFAULT 3
                        SPIN 1
                  END PART
            END POLICY
      END CATEGORY

      CATEGORY "NAC Options"
            POLICY !!Timeout
                  EXPLAIN !!Timeout_Exp
                  KEYNAME "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                  PART "Timeout for NAC Negotiation"
                        EDITTEXT REQUIRED
                        VALUENAME "GpNetworkStartTimeoutPolicyValue"
                        DEFAULT "0000003c"
                  END PART
            END POLICY
      END CATEGORY
END CATEGORY

 

There are 2 seemingly non specific errors that I am getting that may
help. These are both from the event log:

 

"Windows cannot create registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon. (The parameter is incorrect. )."

 

"Windows cannot access the registry policy file,
\\domain.com\SysVol\domain.com\Policies\{BA8CA221-6DC1-4631-B838-4135A66DE872}\Machine\registry.pol.
(The parameter is incorrect. )."

 

As always, thanks in advance.

 

 

Jonathan Finkbiner <mailto:jfinkbiner@xxxxxxx> 

Information Services

Support Analyst

Lifestyle Family Fitness <http://www.lff.com/> 
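A corrected version of the template above, as an added example (not code from any message in this thread), folding in the two points Jamie raises and the limits quoted from KB 840669: KEYNAME paths are relative to the hive that CLASS MACHINE already selects, so the HKEY_LOCAL_MACHINE prefix behind the "Windows cannot create registry key" error is dropped; the timeout is written with a NUMERIC part, because an EDITTEXT part stores a REG_SZ string and TXTCONVERT on a NUMERIC part does the same, so neither produces the REG_DWORD the KB describes; the timeout is constrained to the documented 30-600 seconds; and it targets the SOFTWARE\Policies\Microsoft\Windows\System location, which supersedes the Winlogon key and is a real policy rather than a tattooed preference. The category and string-table text and the SPIN step sizes are constructed for the example; the 60-second default mirrors the 0x3c in the original export.

```adm
; Corrected NAC template (added example; not from the thread's posts)
; KEYNAME values are relative to HKEY_LOCAL_MACHINE because of CLASS MACHINE.
CLASS MACHINE

CATEGORY !!System
    CATEGORY !!NACOptions

        POLICY !!AMode
            EXPLAIN !!AMode_Exp
            ; No hive prefix here: "HKEY_LOCAL_MACHINE\..." is what made registry.pol unparseable.
            KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
            PART !!AMode_Part NUMERIC
                VALUENAME "AuthMode"
                MIN 0
                MAX 2
                DEFAULT 2
                SPIN 1
            END PART
        END POLICY

        POLICY !!SMode
            EXPLAIN !!SMode_Exp
            KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
            PART !!SMode_Part NUMERIC
                VALUENAME "SupplicantMode"
                MIN 1
                MAX 3
                DEFAULT 3
                SPIN 1
            END PART
        END POLICY

        POLICY !!Timeout
            EXPLAIN !!Timeout_Exp
            ; Policies location: supersedes the Winlogon key and is removed with the GPO.
            KEYNAME "SOFTWARE\Policies\Microsoft\Windows\System"
            ; NUMERIC without TXTCONVERT writes a REG_DWORD holding the decimal seconds.
            PART !!Timeout_Part NUMERIC
                VALUENAME "GpNetworkStartTimeoutPolicyValue"
                MIN 30
                MAX 600
                DEFAULT 60
                SPIN 10
            END PART
        END POLICY

    END CATEGORY
END CATEGORY

[strings]
System="System"
NACOptions="NAC Options"
AMode="EAPOL Authentication Mode"
AMode_Exp="Sets AuthMode (0-2) under SOFTWARE\Microsoft\EAPOL\Parameters\General\Global."
AMode_Part="Authentication Mode"
SMode="EAPOL Supplicant Mode"
SMode_Exp="Sets SupplicantMode (1-3) under SOFTWARE\Microsoft\EAPOL\Parameters\General\Global."
SMode_Part="Supplicant Mode"
Timeout="Group Policy network start timeout"
Timeout_Exp="Seconds (30-600) that Winlogon waits for the network before applying policy at startup; see KB 840669. The system stalls for the whole period if the network is genuinely unavailable."
Timeout_Part="Timeout in seconds"
```

Load the file under Computer Configuration, Administrative Templates (Add/Remove Templates). The two EAPOL settings still live outside the Policies keys, so the editor lists them only when the "Only show policy settings that can be fully managed" filter is turned off, and the values stay on the machine after the GPO is unlinked; the timeout setting, by contrast, is cleaned up with the GPO.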

 

 

________________________________

This e-mail may contain identifiable health information that is subject
to protection under state and federal law. This information is intended
to be for the use of the individual named above. If you are not the
intended recipient, be aware that any disclosure, copying, distribution
or use of the contents of this information is prohibited and may be
punishable by law. If you have received this electronic transmission in
error, please notify us immediately by electronic mail (reply).

 

