[gptalk] Re: Disadvantages of Tattooing.

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 4 Jan 2008 12:52:01 -0800

Alan-

Good points. However, I am not clear on one thing that you say below,
"removing these Policy keys will reenable what the user had in the
non-policy key". This implies that previous key values are somehow cached
which I have never seen. Typically if a policy key is removed, its value is
simply deleted. I have never seen any restoral of a key's previous value
(unless that value was to not exist!). What I have seen get restored are
security settings (i.e. non-Administrative Template stuff) on the local
machine when a policy no longer applies to the machine. But that's specific
to security settings. 

 

Also, you're correct on the observation that making changes to policy keys
outside of GP effectively kills the non-tattooing behavior of those keys.
It's a subtle yet irritating behavior. 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: Friday, January 04, 2008 12:44 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disadvantages of Tattooing.

 

Just a couple of minor points. 

 

While Jamie is correct in that you need another policy to undo the setting,
the really annoying problem is that you can never get back to what the user
originally had. When the policy is first applied it destroys the original
setting. The use of the POLICY keys as described by Darren's link, means
that the original user settings are still maintained, so removing these
Policy keys will reenable what the user had in the non-policy key.

 

The statement in Darren's link "the first thing that Windows does is remove
all registry values under our 4 magic keys" oversimplifies the process
slightly. Group Policy processing only deletes the entries that were placed
there via Group Policy. If you manually create an entry under these "Magic
keys" by some other method, it will stay there. This can be a good thing, or
a bad thing. The list of entries to be removed from the user's registry is
kept in a file called ntuser.pol in the user's profile. This is why (as
discussed earlier in this group) you get in trouble if your default policy
has a version of ntuser.pol which is not consistent with the registry in the
default profile.     

  

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

 

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Saturday, 5 January 2008 1:50 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disadvantages of Tattooing.

 

Couldn't have said it better. You can take a look at this page on my site
that I wrote a while ago, which explains the mechanics of it, if you're
interested: http://www.gpoguy.com/faqs/tattoo.htm.

 

BTW, as a humorous aside, when us GP MVPs were last up in Redmond the GP
team asked us about the word "Preferences" and what they meant to us. Most
of us, of course, responded that they were tattooing policy values because
that's what they've been called forever. But enough folks didn't say that
they decided to give the "Group Policy Preferences" name to the upcoming
DesktopStandard PolicyMaker product. I thought (and still think) it's
confusing because Preferences == Tattooing but I guess I'm not in marketing.

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R
Sent: Friday, January 04, 2008 6:44 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disadvantages of Tattooing.

 

Well, when a preference is tattooed in the registry you can't undo it by
simply unlinking the policy. You would have to enforce that setting's
opposite value via another GPO.

 

It can be quite a pain in larger, more complex environments. However, when a
policy-based setting does not exist, it may oftentimes be your only option.

 

Regards,

Jamie Nelson

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nidhi Garg
Sent: Friday, January 04, 2008 2:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Disadvantages of Tattooing.

 

Hi, 


Wanted to know about disadvantages of Tattooing of registry based group
policies.

How can it affect the policy effect?

 

Thanks

 

  _____  

This e-mail may contain identifiable health information that is subject to
protection under state and federal law. This information is intended to be
for the use of the individual named above. If you are not the intended
recipient, be aware that any disclosure, copying, distribution or use of the
contents of this information is prohibited and may be punishable by law. If
you have received this electronic transmission in error, please notify us
immediately by electronic mail (reply).
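
Alan's message above says that Group Policy processing deletes only the entries it recorded in ntuser.pol, so values written under the policy keys by other means stay behind. The following is an added example, not part of the thread: it parses a constructed ntuser.pol and lists the values it does not track. The file layout, the sample key names and the `LIVE` list are assumptions.

```python
import struct

# Assumption (not stated in the thread): ntuser.pol uses the registry.pol "PReg"
# layout: 8-byte header, then [key;value;type;size;data] records in UTF-16LE.
def _w(s):
    return s.encode("utf-16-le")

def build_pol(entries):  # helper that builds the constructed sample below
    out = b"PReg" + struct.pack("<I", 1)
    for key, value, rtype, data in entries:
        out += (_w("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype)
                + _w(";") + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))
    return out

def _cstr(blob, pos):  # read a NUL-terminated UTF-16LE string
    end = pos
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\0\0":
        end += 2
    if end + 2 > len(blob):
        raise ValueError("unterminated string")
    return blob[pos:end].decode("utf-16-le"), end + 2

def _skip(blob, pos, ch):  # consume one delimiter character
    if blob[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(blob):
    if len(blob) < 8 or blob[:4] != b"PReg":
        raise ValueError("not a PReg file")
    pos, tracked = 8, []
    while pos < len(blob):
        key, pos = _cstr(blob, _skip(blob, pos, "["))
        value, pos = _cstr(blob, _skip(blob, pos, ";"))
        pos = _skip(blob, pos, ";")
        rtype, d1, size, d2 = struct.unpack_from("<I2sI2s", blob, pos)
        if d1 != _w(";") or d2 != _w(";"):
            raise ValueError("bad record delimiters")
        data = blob[pos + 12:pos + 12 + size]
        pos = _skip(blob, pos + 12 + size, "]")
        tracked.append((key, value, rtype, data))
    return tracked

def untracked(live_values, tracked):  # values GP processing would not clean up
    known = {(k.lower(), v.lower()) for k, v, _, _ in tracked}
    return sorted(kv for kv in live_values if (kv[0].lower(), kv[1].lower()) not in known)

# Constructed sample data: two GP-written values and one manually created value.
APP, EXPLORER = r"Software\Policies\Example\App", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE_POL = build_pol([(APP, "LockSetting", 4, struct.pack("<I", 1)), (EXPLORER, "NoRun", 4, struct.pack("<I", 1))])
LIVE = [(APP, "LockSetting"), (EXPLORER.lower(), "NoRun"), (APP, "ManuallyAdded")]
```

On a real machine the `LIVE` list would come from enumerating the policy keys in the user's hive; it is hard-coded here so the example runs offline.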
