[gptalk] Re: Custom ADM Issues

  • From: "Jonathan Finkbiner" <JFinkbiner@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 7 Feb 2008 10:11:46 -0500

Sweet. This effectively took off about ½ the time I would normally spend 
managing our 802.1x solution. If we were on Vista I suppose I could get GPO to 
do 100% (Authentication tab management under network connections) but this 
definitely helps.

Thanks everyone for the input.

Jonathan Finkbiner

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Thursday, February 07, 2008 10:05 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues


The conversion happens automatically. The ADM is expecting a decimal value so 
you are safe there with a Spin Control.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathan Finkbiner
Sent: Thursday, February 07, 2008 6:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues


The last policy has to be a REG_DWORD value but it has to be in decimal format. 
When you create the key, you type the value (for example 60) and when you 
bubble in "decimal" on the registry entry it changes the value from 60 to 
0000003c. Is there a special way to provision for this? Or am I just safe doing 
another spin control?

Jonathan Finkbiner

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, February 06, 2008 4:37 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues


That one's easy. The TXTCONVERT keyword converts those settings to REG_SZ.

And, on the last policy, you're using an EDITTEXT Part, which automatically 
makes it REG_SZ.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathan Finkbiner
Sent: Wednesday, February 06, 2008 1:29 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues


I went through a couple different iterations trying to troubleshoot. You are 
absolutely correct if you are saying I can consolidate this down into one 
single policy.

For some reason these are being written to the registry as REG_SZ and not 
REG_DWORD values. Any ideas?

Jonathan Finkbiner

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
Sent: Wednesday, February 06, 2008 4:23 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues


I also think you only need the first CATEGORY "NAC Options" and the last two 
END CATEGORYs.

Doug Delaney
EDS - Integration Engineering-GM
GM Desktop Engineering
________________________________


        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R
        Sent: Wednesday, February 06, 2008 3:03 PM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Custom ADM Issues

        You don't need the HKEY_LOCAL_MACHINE in the KEYNAME.


        Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | http://www.integrisok.com


        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathan Finkbiner
        Sent: Wednesday, February 06, 2008 1:55 PM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Custom ADM Issues


        Hey All,

        I thought I sent this on Monday, but apparently with this "email" thing 
you have to hit a send button to get it to work.

        I was looking for a little feedback on a custom adm template I've been 
working on. I am sure the problem is staring me right in the face but I am 
completely missing it.

        I want to generate and manage 3 keys on all computers across the 
domain. The three keys are the following:

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
        "AuthMode"=dword:00000002
        "SupplicantMode"=dword:00000003

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
        "GpNetworkStartTimeoutPolicyValue"=dword:0000003c (This should be a decimal value)

        I've created adm templates before, but it has been a while and so far 
all I can do is get the event log to spit angry messages at me. Here is a 
sample of the code I am using (I've left off the strings comments to keep this 
as brief as possible):

        CLASS MACHINE
        CATEGORY "System"
              CATEGORY "NAC Options"
                    POLICY !!AMode
                          EXPLAIN !!AMode_Exp
                          KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
                          PART "Authentication Mode" NUMERIC
                                VALUENAME "AuthMode"
                                MIN   0
                                MAX   2
                                TXTCONVERT
                                DEFAULT 2
                                SPIN 1
                          END PART
                    END POLICY
              END CATEGORY

              CATEGORY "NAC Options"
                    POLICY !!SMode
                          EXPLAIN !!SMode_Exp
                          KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
                          PART "Supplicant Mode" NUMERIC
                                VALUENAME "SupplicantMode"
                                MIN   1
                                MAX   3
                                TXTCONVERT
                                DEFAULT 3
                                SPIN 1
                          END PART
                    END POLICY
              END CATEGORY

              CATEGORY "NAC Options"
                    POLICY !!Timeout
                          EXPLAIN !!Timeout_Exp
                          KEYNAME "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                          PART "Timeout for NAC Negotiation"
                                EDITTEXT REQUIRED
                                VALUENAME "GpNetworkStartTimeoutPolicyValue"
                                DEFAULT "0000003c"
                          END PART
                    END POLICY
              END CATEGORY
        END CATEGORY

        There are 2 seemingly non-specific errors that I am getting that may 
help. These are both from the event log:

        "Windows cannot create registry key 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (The 
parameter is incorrect. )."

        "Windows cannot access the registry policy file, 
\\domain.com\SysVol\domain.com\Policies\{BA8CA221-6DC1-4631-B838-4135A66DE872}\Machine\registry.pol. 
(The parameter is incorrect. )."

        As always, thanks in advance.

        Jonathan Finkbiner <mailto:jfinkbiner@xxxxxxx> 

        Information Services

        Support Analyst

        Lifestyle Family Fitness <http://www.lff.com/>

________________________________


        This e-mail may contain identifiable health information that is subject 
to protection under state and federal law. This information is intended to be 
for the use of the individual named above. If you are not the intended 
recipient, be aware that any disclosure, copying, distribution or use of the 
contents of this information is prohibited and may be punishable by law. If you 
have received this electronic transmission in error, please notify us 
immediately by electronic mail (reply).
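The thread's diagnosis is that TXTCONVERT and EDITTEXT make the template write REG_SZ where REG_DWORD was wanted. One way to verify what a template actually produced is to read the registry.pol file named in the event-log error. The following is an added example, not code from the thread: it builds a minimal registry.pol in the standard "PReg" version 1 layout, parses it back, and flags values stored with the wrong type. The key paths and value names are the ones from the thread; the sample entries are constructed.

```python
import struct

REG_SZ, REG_DWORD = 1, 4                             # registry value type codes
EAPOL = r"SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def u16(s): return s.encode("utf-16-le")             # registry.pol text is UTF-16LE
def sz(s): return u16(s) + b"\x00\x00"               # REG_SZ data, NUL-terminated
def dword(n): return struct.pack("<I", n)            # REG_DWORD data, little-endian
def build_pol(entries):
    """(key without hive, value name, type, data) tuples -> registry.pol bytes."""
    out = [b"PReg", struct.pack("<I", 1)]            # signature, version 1
    for key, name, rtype, data in entries:
        out += [u16("["), sz(key), u16(";"), sz(name), u16(";"),
                struct.pack("<I", rtype), u16(";"),
                struct.pack("<I", len(data)), u16(";"), data, u16("]")]
    return b"".join(out)

def parse_pol(blob):
    """Return [(key, name, type, data)]; raises ValueError if malformed."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a registry.pol v1 file")
    pos, entries = 8, []
    def read_str():                                  # NUL-terminated UTF-16LE string
        nonlocal pos
        end = pos
        while blob[end:end + 2] not in (b"\x00\x00", b""): end += 2
        text, pos = blob[pos:end].decode("utf-16-le"), end + 2
        return text
    while pos < len(blob):
        if blob[pos:pos + 2] != u16("["): raise ValueError("bad entry at %d" % pos)
        pos += 2
        key = read_str(); pos += 2                   # skip ';'
        name = read_str(); pos += 2
        rtype, = struct.unpack("<I", blob[pos:pos + 4]); pos += 6
        size, = struct.unpack("<I", blob[pos:pos + 4]); pos += 6
        data = blob[pos:pos + size]; pos += size + 2  # data, then ']'
        entries.append((key, name, rtype, data))
    return entries

def decode(rtype, data):                             # REG_DWORD -> int, REG_SZ -> str
    if rtype == REG_DWORD: return struct.unpack("<I", data)[0]
    return data.decode("utf-16-le").rstrip("\x00")
def wrong_types(entries, expected=REG_DWORD):        # value names not stored as `expected`
    return [n for _, n, t, _ in entries if t != expected]

# Constructed samples: posted template (TXTCONVERT / EDITTEXT) -> REG_SZ; NUMERIC without TXTCONVERT -> REG_DWORD 60 (0x3c)
POSTED = build_pol([(EAPOL, "AuthMode", REG_SZ, sz("2")),
                    (WINLOGON, "GpNetworkStartTimeoutPolicyValue", REG_SZ, sz("0000003c"))])
FIXED = build_pol([(EAPOL, "AuthMode", REG_DWORD, dword(2)),
                   (WINLOGON, "GpNetworkStartTimeoutPolicyValue", REG_DWORD, dword(60))])
```

Running parse_pol over a real Machine\registry.pol from SysVol and passing the result to wrong_types lists every value the template emitted as REG_SZ instead of REG_DWORD.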