Thanks LP and John, good suggestion. I will revert to you after applying the GP as per your suggestion.

-Ranjan

------------------------------

Subject: [gptalk] GP for IIS and SQL
Date: Tue, 17 Apr 2007 13:25:19
From: "Ranjan Babu .G" <ranjan.ganesh@xxxxxxxxxx>

Hi,

One of my customers has multiple servers running IIS and SQL under the IIS and SQL OU. While applying/editing group policy I have to manually select and add Administrators for each server.

How to resolve the below issues?

1. For example: if I want to add sqladmin for a policy I have to add server1\sqladmin, server2\sqladmin .... Instead of adding all server names, is there any shortcut method available to add them in a single line?

What is happening in our case: if I add user "server1\sqladmin" in group policy, it applies the same user to all servers, which creates problems.

Note: we have created a similarly named user (sqladmin) for this purpose.

2. The domain server does not have IIS and SQL Server installed. If I want to create/edit a group policy for the IIS and SQL Server OU, which is the best option: edit the group policy from the domain server's GPMC or from another IIS/SQL server?

We are facing a problem adding file security for c:\program files\MS SQL from the domain GPMC. It does not allow adding it because the path (SQL Server) is not available on that server.

3. If I create a system variable, e.g. %BACKUP%, that gives the path to one of my backup directories, and I add this directory %BACKUP% in file system security at group policy level, will all servers refer to the same path that we gave in the system variable and apply the security setting given for the folder (%BACKUP%)?

Thanks and Regards,

Ranjan

-----Original Message-----
From: FreeLists Mailing List Manager [mailto:ecartis@xxxxxxxxxxxxx]
Sent: Tue 4/17/2007 1:05 PM
To: Ranjan Babu .G
Subject: Welcome to list 'gptalk'

Welcome to the GPOGUY.COM gptalk mailing list! The purpose of this list is to ask (and answer) questions regarding Windows Group Policy. This list was created in conjunction with the gpoguy.com website.

To send a message to the list, send email to: gptalk@xxxxxxxxxxxxx

The list archive is at http://www.freelists.org/archives/gptalk

General list information is at http://www.freelists.org/list/gptalk

To unsubscribe send email to gptalk-request@xxxxxxxxxxxxx with a subject of 'unsubscribe'

We ask that you maintain proper list etiquette when asking and answering questions. This includes, but is not limited to:

- Ask only questions that are relevant to Windows Group Policy
- Start a new list thread when you have a different question than in the original post
- Be polite!
- No advertising or shameless promotion of commercial products on the list. It's ok to mention products if it's relevant to a question or if you have product stuff in your email signature, but don't create a new post simply for the purposes of pitching a product
- Did I mention that politeness is key? We reserve the right to boot anyone off the list who is repeatedly mis-behaving
- Finally, please set your list membership on vacation mode when you are out of the office and do not send OOF messages to the list.

Thanks and again, Welcome!

Darren (aka GPOGUY)

------------------------------

Date: Tue, 17 Apr 2007 08:57:51 (BST)
From: Linux'o Mania <linuxomania@xxxxxxxxxxx>
Subject: [gptalk] Re: GP for IIS and SQL

Use a batch file with the following contents & put it in the Computer Startup Script section of the GPO...

net localgroup Administrators /add <domain\ID>

Replace <domain\ID> with your domain's NETBIOS name & domain account or group...

Regds,
LP
------------------------------

Subject: [gptalk] Re: GP for IIS and SQL
Date: Tue, 17 Apr 2007 09:30:50
From: "Blackshaw, Dave" <Dave.Blackshaw@xxxxxxxxxxxx>

Ranjan,

As LP says (without mentioning it), you need a domain account under which to run the SQL service. You can then grant this "local administrator rights" using the batch file provided below. However, the domain SQL service account will also require the following rights on each SQL server, which can be achieved through GPO:

Act as part of the operating system (SeTcbPrivilege)
Adjust memory quotas for a process [Increase Quotas] (SeIncreaseQuotaPrivilege)
Lock pages in memory (SeLockMemoryPrivilege)
Log on as a batch job (SeBatchLogonRight)
Log on as a service (SeServiceLogonRight)
Replace a process level token (SeAssignPrimaryTokenPrivilege)

You'll also need to enable the following services to run, if you're restricting services:

MSSQLSERVER
MSSQLServerADHelper
SQLSERVERAGENT

For IIS, it's a little more complicated due to the machine-specific "IUSR_xxxx" and "IWAM_xxxx" user accounts. To get around this, each IIS server should have two local groups defined on it, e.g. "Local-IUSR" and "Local-IWAM", which contain just these accounts, respectively. You can then use these groups (without the machine-specific reference) in any GPO. Assigning rights and nesting groups using a "restricted group" policy allows free-form text entry.

Local-IWAM will require these rights:

Adjust memory quotas for a process [Increase Quotas] (SeIncreaseQuotaPrivilege)
Log on as a batch job (SeBatchLogonRight)
Replace a process level token (SeAssignPrimaryTokenPrivilege)

Local-IUSR needs to be moved out of the local Guests group and will require:

Allow log on locally [Log on locally] (SeInteractiveLogonRight)
Log on as a batch job (SeBatchLogonRight)

You'll need to allow the local group IIS_WPG:

Log on as a batch job (SeBatchLogonRight)

And ASPNET will need:

Log on as a batch job (SeBatchLogonRight)
Log on as a service (SeServiceLogonRight)

Hope that makes sense to all.

Dave
Directory & Messaging Services
Int: 824432
Ext: (01784) 874432

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Linux'o Mania
Sent: 17 April 2007 08:58
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP for IIS and SQL

Use a batch file with the following contents & put it in the Computer Startup Script section of the GPO...

net localgroup Administrators /add <domain\ID>

Replace <domain\ID> with your domain's NETBIOS name & domain account or group...

Regds,
LP
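The local-group trick Dave describes, delivered the way LP suggests (a batch file in the GPO's computer startup script), as an added example that is not from the thread: on each server it creates Local-IUSR and Local-IWAM, puts that machine's IUSR_/IWAM_ accounts in them, takes IUSR out of Guests, and adds the domain SQL service account to the local Administrators group. CONTOSO\svc-sql and the log path are placeholders; the user rights themselves are still assigned in the GPO to Local-IUSR, Local-IWAM, IIS_WPG, ASPNET and the service account.

```batch
@echo off
rem Added example, not from the thread: computer startup script for the IIS/SQL OU.
rem It creates machine-independent local groups so a GPO can reference "Local-IUSR"
rem and "Local-IWAM" instead of each server's own IUSR_<host> / IWAM_<host> accounts.
rem CONTOSO\svc-sql and the log path are placeholders (assumptions, not from the thread).
setlocal
set "IUSR=IUSR_%COMPUTERNAME%"
set "IWAM=IWAM_%COMPUTERNAME%"
set "SQLSVC=CONTOSO\svc-sql"
set "LOG=%SystemRoot%\Temp\iis-sql-groups.log"

echo %DATE% %TIME% %COMPUTERNAME% start>>"%LOG%"

rem Only touch the IIS groups on servers that actually have the IIS accounts
rem ("net user <name>" exits non-zero when the account does not exist).
net user "%IUSR%" >nul 2>&1 || (
    echo %IUSR% not found, treating %COMPUTERNAME% as a non-IIS server>>"%LOG%"
    goto :sql
)

rem Create the groups if they are missing ("net localgroup <name>" fails when the group does not exist).
net localgroup Local-IUSR >nul 2>&1 || net localgroup Local-IUSR /add /comment:"IIS anonymous account" >>"%LOG%" 2>&1
net localgroup Local-IWAM >nul 2>&1 || net localgroup Local-IWAM /add /comment:"IIS out-of-process account" >>"%LOG%" 2>&1

rem Put this machine's accounts in them. Re-adding an existing member only produces an error line in the log.
net localgroup Local-IUSR "%IUSR%" /add >>"%LOG%" 2>&1
net localgroup Local-IWAM "%IWAM%" /add >>"%LOG%" 2>&1

rem Dave: IUSR must be moved out of the local Guests group.
net localgroup Guests "%IUSR%" /delete >>"%LOG%" 2>&1

:sql
rem LP's line with the placeholder filled in: the domain SQL service account becomes a local admin.
net localgroup Administrators "%SQLSVC%" /add >>"%LOG%" 2>&1

echo %DATE% %TIME% %COMPUTERNAME% done>>"%LOG%"
endlocal
```

A User Rights Assignment setting in a GPO replaces the machine's existing holders of that right rather than adding to them, so each list in the GPO must also carry the default principals (Administrators, SERVICE and so on) alongside these groups.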
------------------------------

From: "Bob Coffman - Info From Data Corp." <bcoffman@xxxxxxxxxxxxxxxx>
Subject: [gptalk] Re: Restrict access to Drives (Windows 2000)
Date: Tue, 17 Apr 2007 08:23:39 -0400

Well if it were me.... I'd retain the original Notepad.exe and call it something else. I'd dump all computer objects in the domain(s) using ldifde or csvde and script the copy of the new executable to each workstation, logging the results so I could go back and get what was missed.

- Bob

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Linux'o Mania
Sent: Tuesday, April 17, 2007 3:03 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Restrict access to Drives (Windows 2000)

That's a very good option, thanks, but how do I replicate it to 500+ workstations then? Are you recommending that I change the original Notepad.exe & then copy it to all 500+ workstations using a batch/vbscript file in Computer Startup Event?

Regds,
LP

"Bob Coffman - Info From Data Corp." <bcoffman@xxxxxxxxxxxxxxxx> wrote:

> Are there any other viewpoints of the group?

You could try removing the save option or file menu from a copy of your notepad.exe using Resource Hacker.

------------------------------

Date: Tue, 17 Apr 2007 07:38:05 -0400
Subject: [gptalk] Re: gpupdate question
From: "Martin Hugo" <Martin_Hugo@xxxxxxxx>

Are you, by any chance, accessing the server remotely? Is there policy in place that denies remote admin rights? Try blocking inheritance on the OU to see if it is a current policy that is giving you the issue.

Martin T. Hugo
Network Administrator
Hilliard City Schools
Tel: 614-921-7102
Martin_Hugo@xxxxxxxx

gptalk@xxxxxxxxxxxxx writes:
>John-
>Sounds like two different issues. You will get the "Ok to reboot" message
>any time that certain client side extensions (e.g. Software Installation or
>Folder Redirection) need to run a foreground processing mode in order to
>apply.
>
>On the 2nd issue, I'm not familiar with fport, so not sure I can answer that
>but it is very possible that if your server was getting security policy
>from a different OU, that moving it to the new OU would not automatically
>undo that policy. Normally, security policy "tattoos" a machine unless you
>explicitly countermand it with a new policy.
>
>Darren
>
>-----Original Message-----
>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
>Behalf Of jfvanmeter@xxxxxxxxxxx
>Sent: Monday, April 16, 2007 10:52 AM
>To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] gpupdate question
>
>Hello Everyone, I have a question that I need help with.
>
>I have a member server Win2k3 SP1, that was placed in the wrong OU and got my
>Windows XP Group Policy.
>
>Then it was moved to the correct OU, and receives the member server policy.
>
>Every time I run "gpupdate /force" I get the following: Certain Computer
>policies are enabled that can only run during startup.
>ok to Reboot? (Y/N)
>
>Every time that I refresh group policy it wants to reboot, I see 1704 events
>that security policy in the group policy object has been applied
>successfully.
>
>I've run gpupdate as the local admin and as a domain admin.
>
>If I try to run fport on the server as either a local admin or a domain
>admin I get the following error "You must have administrator privileges to
>run fport - exiting......"
>
>The local admin account is in the administrators group, and the domain admin
>group is in the administrators group.
>
>Could this be a registry tattoo from the xp policy that got applied? Any
>thoughts?
>
>Thanks Everyone, take care and have fun --John
>
>***********************
>You can unsubscribe from gptalk by sending email to
>gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
>by logging into the freelists.org Web interface.
>Archives for the list are available at http://www.freelists.org/archives/gptalk/
>************************

------------------------------

Date: Tue, 17 Apr 2007 07:42:54 -0400
Subject: [gptalk] Re: Restrict access to Drives (Windows 2000)
From: "Martin Hugo" <Martin_Hugo@xxxxxxxx>

Ah, I see, so they can save to a network share? How about folder redirect and disable "save as" in Word (using ADMs), and don't allow any other programs to run? As far as the paper theft is concerned, you have to have trust in your employees, you can't erase their minds when they walk out the door ;)

Martin T. Hugo
Network Administrator
Hilliard City Schools
Tel: 614-921-7102
Martin_Hugo@xxxxxxxx

gptalk@xxxxxxxxxxxxx writes:
>The point is that as per client's policy they should not save anything on
>local desktop. Earlier they were using paper-pencil only, but that was
>vulnerable too. Imagine a situation where I can write confidential
>details on paper & take it out & sell it. (Recently there's been many
>cases like this).
>Regds,
>LP
>
>Martin Hugo <Martin_Hugo@xxxxxxxx> wrote:
>
>Or you could have them use paper and pencil. Sorry but I can't imagine
>using a computer as a glorified notepad. If I am going to type something
>I darned well better be able to save it, otherwise what's the point?
>
>Martin T. Hugo
>Network Administrator
>Hilliard City Schools
>Tel: 614-921-7102
>Martin_Hugo@xxxxxxxx

------------------------------

Date: Tue, 17 Apr 2007 07:54:38 -0400
Subject: [gptalk] General question about Machine and User Policy
From: "Martin Hugo" <Martin_Hugo@xxxxxxxx>

Hello,

Just a general question; if a user policy and a machine policy are at odds, who wins?

Martin T. Hugo
Network Administrator
Hilliard City Schools
Tel: 614-921-7102
Martin_Hugo@xxxxxxxx

------------------------------

From: <tools@xxxxxxxxxx>
Subject: [gptalk] Re: General question about Machine and User Policy
Date: Tue, 17 Apr 2007 08:25:29 -0700

It generally depends upon the setting, but in most cases where Admin. Templates are concerned, the machine policy wins.

------------------------------

From: jfvanmeter@xxxxxxxxxxx
Subject: [gptalk] Re: gpupdate question
Date: Tue, 17 Apr 2007 16:33:59

Hello everyone, and thank you all for the help. So far I've been unable to find the solution for this issue. The server is a Win2k3 server that was put in an OU that had my XP Workstation policy linked to it; that policy was applied to the server. Then it was noted that the server was in the wrong OU and it was moved, and it now is receiving the Win2k3 Server Policy.

I've logged onto the server with both the local admin account (LLLLL.AAAAA) and my domain account (DDDDDD.AAAAAA) and it doesn't seem to matter. There are settings and ACLs that were applied from the XP Policy that are not correct for a Win2k3 server, and since the server policy doesn't replace them I believe this may be causing strange problems.

When I run Process Monitor and try to run MBSA or Fport I'm not seeing any access denied messages. The only thing to note is the following registry key.
When I run fport, proc mon logs the following:

hklm\software\microsoft\windows nt\currentversion\image file execution options\fport.exe   name not found

When I run MBSA, proc mon logs the following:

HKLM\SAM\SAM\Domains\account\Users\Names\LLLLLL.AAAAA   name not found (<--- the account of the renamed local admin that is applied from my XP Workstation policy)

Could it be the user profile still being named LLLLLLL.AAAAAA that is causing the problem? I'm getting ready to turn on more logging on the server and see what that finds.

Take Care --John

------------------------------

From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
Subject: [gptalk] Re: General question about Machine and User Policy
Date: Wed, 18 Apr 2007 07:04:01

Hi Martin,

I would argue that from a group policy perspective neither wins. If you have a machine policy, it will create registry keys in the Machine area. If you have a User policy, it will create registry keys in the User area. As such they are never at odds and both win. It is then up to the application to decide which of the registry keys to use, which really means the application designer decides which is more likely to be correct.
Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free):- http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

------------------------------

From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
Subject: [gptalk] Re: General question about Machine and User Policy
Date: Tue, 17 Apr 2007 14:12:07 -0700

Alan-

While this is strictly true, in practice if you look at most Admin Template policy items that have representation under both computer and user, 9 times out of ten the Explain text will mention that if both are set, the computer configuration overrides the user configuration.

Darren

------------------------------

Date: Wed, 18 Apr 2007 10:14:52
From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
Subject: [gptalk] USB storage block problem.

Hi all,

We have this script running in our Windows 2003 domain.

@echo off
:: *********DISABLE USB MASS STORAGE DEVICE********
regedit /s "\\Tai3dserver\SYSVOL\tai3d.com\scripts\disable.reg"
"\\Tai3dserver\SYSVOL\tai3d.com\scripts\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system

The subinacl.exe deployment was advised by Mr. Ray Lewis. Basically what the script does is modify a registry value such that USB removable storage devices are not read by the system, but new USB storage devices are getting accessed. How do I block the modification of this registry value? Kindly suggest methods, I'm a novice in this...

best regards
Ananth.

------------------------------

End of gptalk Digest V2 #74
***************************
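For Ananth's question above, an added example (not from the thread) of a companion computer startup script that makes the block hold for devices that have not been seen before: a new USB storage device is installed from %SystemRoot%\inf\usbstor.inf and usbstor.pnf, so the script disables the UsbStor service (Start=4) for devices already installed and denies Users and SYSTEM access to those two setup files, following the same deny-SYSTEM pattern as the thread's subinacl line; it then re-reads Start and logs the result. The log path is an assumption.

```batch
@echo off
rem Added example, not from the thread: companion computer startup script that makes the USB
rem mass-storage block hold. Start=4 (SERVICE_DISABLED) stops usbstor.sys for devices that are
rem already installed; denying access to usbstor.inf/usbstor.pnf stops the driver being installed
rem for devices never seen before. The log path is an assumption.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\UsbStor"
set "LOG=%SystemRoot%\Temp\usbstor-block.log"

echo %DATE% %TIME% %COMPUTERNAME% applying USB storage block>>"%LOG%"

rem 1. Disable the service so an already-installed device no longer gets its driver started.
reg add "%KEY%" /v Start /t REG_DWORD /d 4 /f >>"%LOG%" 2>&1

rem 2. Block new installs. Plug and Play reads the INF (and its precompiled PNF) to set up a new
rem    device, so deny Users and, as the thread's subinacl line does for the registry key, SYSTEM.
rem    /E edits the existing ACL instead of replacing it; /D adds a deny entry.
for %%F in ("%SystemRoot%\inf\usbstor.inf" "%SystemRoot%\inf\usbstor.pnf") do (
    if exist %%F (
        cacls %%F /E /D Users >>"%LOG%" 2>&1
        cacls %%F /E /D SYSTEM >>"%LOG%" 2>&1
    ) else (
        echo %%F not present>>"%LOG%"
    )
)

rem 3. Verify the value actually stuck and say so in the log, so machines that drift stand out.
reg query "%KEY%" /v Start | find "0x4" >nul
if errorlevel 1 (
    echo ERROR: %COMPUTERNAME% UsbStor Start is not 4>>"%LOG%"
    exit /b 1
)
echo %DATE% %TIME% %COMPUTERNAME% USB storage block verified>>"%LOG%"
exit /b 0
```

To reverse it, set Start back to 3 and remove the deny entries with cacls <file> /E /R Users and cacls <file> /E /R SYSTEM.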