Thanks Jacob! :-) Will write once I'm back in office tomorrow. Thanks for clearing a lot of things! Greatly appreciated.

On Jan 31, 2008 7:45 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:

> All right – I don't have a link right here, but I can list the 4 "exceptions". These are, like account/lockout settings, all taken from the highest precedence GPO linked to the domain (typically "Default Domain Policy").
>
> Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options:
>
> 1. Accounts: Rename Administrator Account
> Renames all built-in Administrator accounts in the domain (logon name)
>
> 2. Accounts: Rename Guest Account
> Renames all built-in Administrator accounts in the domain (logon name)
>
> 3. Network Security: Force Logoff When Logon Hours Expire
> Force logoff from the domain when logon hours have expired
>
> 4. Network Access: Allow Anonymous SID/Name Translation
> Main reason why this is enabled is when old Windows systems need to communicate with AD.
>
> These are what you could call "domain wide security settings".
>
> Best regards
> /Jakob H. Heidelberg
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of* TAZAMAL HUSSAIN
> *Sent:* 31 January 2008 14:47
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Running a Batch file at user logon.
>
> Jakob,
>
> Thanks for the quick reply and confirmation. Yes, I agree with you, as to why this need would arise. However, it certainly exists out there, for some reason or another! :) Perhaps a misunderstanding during the implementation phase...
>
> Without taking this discussion off in another direction, a useful bit of knowledge would be the 'few other exceptions'. If you have a link for reading, that would be great...
>
> ------------------------------
>
> From: jakob@xxxxxxxxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Running a Batch file at user logon.
> Date: Thu, 31 Jan 2008 14:36:20 +0100
>
> Well, yes – that's another story :-)
>
> It's correct that you can place account policies on other OUs - or filter them in other ways if you like – but the thing is, AD users will still have to comply with the policy set as the Highest Priority on the Domain Level (actually this is decided by the DCs - or forced on to the DCs - not the member computers). Not necessarily the Default Domain Policy – though IMHO it should be kept there! There are a few other exceptions where settings are taken from the GPO with the Highest Priority on the Domain Level only, but that's a bit off topic.
>
> Account policies in GPOs set on OUs will, as you say, apply to the creation of Local Accounts on the computers in scope – but I've never seen an environment where this was important (can't even imagine why this would be part of a design). Also, with third party utilities it is actually possible to have multiple account policies in a single AD – but, that doesn't really count, we're talking default functionality here.
>
> As we all know multiple password policies will be available in a WS 2008 domain environment "out of the box" – the Default Domain Policy (highest priority GPO in the domain) will still be "the last stop", but Global Security Groups can force other password policies on to the users.
>
> Regards
> /Jakob H. Heidelberg
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of* TAZAMAL HUSSAIN
> *Sent:* 31 January 2008 14:20
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Running a Batch file at user logon.
>
> Guys,
>
> I have actually come across multiple account/password policies in certain big AD implementations targeted to specific OUs... what happens here?
> I'm guessing they are all ignored and the one set on the defdompol overrides, and have been told these extra policies targeted to specific OUs will apply to locally created user accounts on the machines in those OUs... if that makes sense? Can anyone confirm this? Never got round to testing it....
>
> ------------------------------
>
> From: jakob@xxxxxxxxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Running a Batch file at user logon.
> Date: Thu, 31 Jan 2008 13:27:03 +0100
>
> Hi Ananth,
>
> I think you first need to accept and understand this:
>
> 1. The Computer Configuration part of a policy applies to Computers only
> 2. The User Configuration part of a policy applies to Users only
>
> You do mention an "exception", which is account/password policies – it does **seem** like that is a Computer Configuration that actually hits Users, but it's not. You can have 1 account policy in a default AD (2000/2003) – it should be set in the Default Domain Policy (highest priority GPO on the Domain level) – and it can be set _*nowhere*_ else!!!
>
> For your second question – if you have a GPO with BOTH Computer and User Configuration policy settings defined – you could apply that on the domain level. And, as it has been said previously, the policy setting will "flow down" the OU hierarchy in your domain. So, all Computer AND User objects below will take on their respective part of the GPO (Computers will take the Comp. Conf. and Users will take the User Conf.). Basically, it doesn't matter how your OU structure is, you can have a single OU with all your Computer and User objects in it – and then link a single GPO with both Computer and User settings in it, and it works.
>
> However, GPO filtering is needed in most cases. You can filter on several levels – Site, Domain, OU + WMI filters + Security filtering (AD security groups). You can choose one filtering method, or combine them all.
> There are "advanced" policy processing options available, like Loopback processing etc. – but let's keep that out of the picture so far ;-)
>
> Did that help?
>
> Regards
> /Jakob H. Heidelberg
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of* Ananth Rajagopal
> *Sent:* 31 January 2008 11:29
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Running a Batch file at user logon.
>
> Two more queries, I seem to be confused here...
>
> Consider this scenario.....
>
> We have an Account lockout policy.. set at 5 invalid logons. This is in Computer Configuration.
>
> What happens if I link this policy to the OU containing Users? If I give the Domain Computers in the scope will the policy work for only these users?
>
> or
>
> Should I create another OU of computers and link this policy and in the scope give the user group?
>
> For a set of "user and computer configurations" to work for a "set of users and computers" of a particular department should there be 2 OUs? One for users with user configuration policies linked and the other OU with Computers with computer configuration policies linked??
>
> hmm.... :-)
>
> On Jan 31, 2008 3:45 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:
>
> Thanks again :-)
>
> On Jan 31, 2008 3:42 PM, hans straat <hstraat@xxxxxxx> wrote:
>
> If you have an OU structure and no block inheritance etc. configured, the policy will flow down.
>
> OU Domain Computers (GPO computer policy apply desktop blabla)
> OU Site Computers (will get the policy)
> OU Site KioskComputers (will get the policy)
>
> as long as they are nested under the main OU :)
> But you can do an RSOP planning to see if the OU gets the policy (RSOP in GPMC)
>
> ------------------------------
>
> Date: Thu, 31 Jan 2008 15:21:24 +0530
> From: ananth.rg@xxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Running a Batch file at user logon.
> If the policies are linked at the domain level, irrespective of whether it's a user configuration or computer configuration, will it run?
>
> On Jan 31, 2008 3:19 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:
>
> Thanks Hans! :-)
>
> On Jan 31, 2008 2:18 PM, hans straat <hstraat@xxxxxxx> wrote:
>
> Ananth,
>
> Computer configuration policies should be applied on the OU the computers you target are located in.
>
> Likewise, User policies should be applied to the OU the targeted users reside in.
>
> regards,
> Hans Straat
> www.datacrash.net
>
> ------------------------------
>
> Date: Thu, 31 Jan 2008 09:15:41 +0530
> From: ananth.rg@xxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Running a Batch file at user logon.
>
> Hi Jacob,
>
> From the event viewer we got only the RSoP error, "RSoP could not be run". Anyway, we manually ran that script on some 50 systems and now it's fine, as the Internet Explorer homepage was set to this mail server, so it's coming up fine now! We didn't get time to test further, sorry about that, the domain had to be up yesterday, it's running fine now...
>
> Kindly send any more links to your articles! It was great reading.... cleared a lot of things for us....
>
> One basic question.... Should Computer Configuration policies be applied on Domain Computers or on an OU of Computers?
>
> regards
> Ananth :-)
>
> On Jan 29, 2008 4:36 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:
>
> Hi Jacob,
>
> Thanks once again for your great support.
>
> We are actually testing this in a test environment of 6 systems. Except for this one script the rest are all working fine.
>
> We will do the Gpresult at the earliest and will let you know.
>
> I haven't checked the event viewer either, will do that right away.
>
> regards
> Ananth.
>
> On Jan 29, 2008 2:07 PM, Jakob H.
> Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:
>
> Hi,
>
> It does sound like you did everything needed to make this work – a restart is of course needed, but you took care of that, you say.
>
> At this point it could be great if you checked the event viewer for any error on the clients that happens during startup. Later you might have to do advanced troubleshooting.
>
> You should perform the GPRESULT command to see if the computer "picked up" the policy at all.
>
> Note – you should probably test such a policy in isolation the first time (limited to an OU with only one computer system within it or alike).
>
> /Jakob
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of* Ananth Rajagopal
> *Sent:* 29 January 2008 09:17
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Running a Batch file at user logon.
>
> Hi Jacob,
>
> Thanks for the article. It cleared a lot of doubts.
>
> We did as you said, but we still couldn't make it work! This is how we did it... please go through it and advise on where we went wrong!
>
> In the Group Policy Objects we created a new policy called "Intranet Mail Srv Route".
> We edited the policy, we set it as Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup > we gave the UNC path to the script.
>
> The script is stored at this path, "\\Tai2D.ent\SysVol\Tai2D.ent\scripts\mailsrv_route.bat", and this share is accessible from all systems in the domain. The permission on this share is "Authenticated Users Read and Execute".
>
> Next, at the domain level we chose "Link an existing GPO", gave this GPO and enabled Enforced and Link Enabled.
>
> In the Security Filtering window we added "Authenticated Users" and "Domain Computers".
>
> Next we ran gpupdate /force
>
> We restarted the systems several times but still the new route is not getting added.
>
> Please analyze the steps and kindly inform us where we have gone wrong.
> Have we missed anything that you have told us? :-)
>
> Thanks for the help!
> regards
> Ananth :-)
>
> On Jan 25, 2008 3:49 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:
>
> Hi again Ananth,
>
> As stated before it would, in most cases, be better to add the route once and for all on the clients' default gateway. But, you probably have your reasons :-)
>
> I think there are some basic things about GP processing and filtering you should take a look at. Maybe this blog will help you:
>
> http://heidelbergit.blogspot.com/2008/01/yes-of-course-you-can-assign-group.html
>
> Earlier you told me you want to "hit" all systems in the domain – in that case all you have to do is:
>
> 1. Have the script file in a shared directory where Authenticated Users or Domain Computers have Read access
> 2. Create the GPO and point the Startup script to the shared script file (Computer Configuration part of the GPO)
> 3. Link the GPO to the Domain Level (you don't have to change Permissions or anything in this case)
> 4. Reboot all machines for the script to be executed (could take 2 reboots)
>
> However – I must warn you a bit: this will execute the script during the next startup (or two) on ALL domain computers (including servers).
>
> Note to #3: If all of your computers are in the "My Computers OU" you could just link the GPO here (except computers in the Domain Controllers OU would not be hit – if they should be hit too you could link the policy to that OU too and restart them one after the other perhaps).
>
> If this doesn't execute on the clients you must start troubleshooting. Look in the client eventlog to spot any errors, use GPRESULT to be sure the GPO applies to the computers etc. However, I do expect this to work.
>
> Regards
> /Jakob
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of* Ananth Rajagopal
> *Sent:* 25
> January 2008 08:27
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Running a Batch file at user logon.
>
> Hi All,
>
> We want to add a persistent route on all systems in the 192.168.2.x network to a server having IP 192.168.3.240.
>
> We created a route.bat batch file and copied this command into it:
>
> Route Add 192.168.3.240 MASK 255.255.255.255 192.168.2.254 -p
>
> This batch file was copied to the \\Server.com\SysVol\Server.com\scripts\route.bat folder.
>
> The batch file was placed in Computer Configuration/Windows Settings/Scripts/Startup
>
> We created a new group called Harmony_Sys in the Builtin folder in that Domain. Created a new OU called Harmony Systems, moved the systems on which this batch file has to be run to this OU. Made the computers members of the Harmony_Sys group.
>
> From GPMC, we applied this route policy to this Harmony Systems OU.
>
> But the new route is not getting created. Where have we gone wrong, is the procedure correct?
>
> regards
> Ananth.
>
> ------------------------------
>
> Sounds like? How many syllables? Guess and win prizes with Search Charades! <http://www.searchcharades.com/>
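The startup-script deployment discussed throughout this thread (a batch file in SysVol, a GPO with a Computer Configuration startup script linked at the domain or at the computers' OU, and `route add ... -p` to create a persistent host route), as an added example written by the editor; it is not code from any message in the thread. It assumes the UNC path, addresses and gateway posted above and that the computer account can read the script. It also covers two points the thread does not spell out. First, startup scripts run as LocalSystem on every computer the GPO reaches, so any principal that can write to that file in SysVol can run code as SYSTEM on all of them; `Get-UntrustedWriters` reads the file's ACL and reports such grants before you link the GPO (the "Authenticated Users Read and Execute" permission mentioned above is the right direction, this check confirms nobody else has write). Second, `route add` fails when the route already exists, so the script checks first instead of logging an error at every boot.

```powershell
# Added example by the editor, not code from the gptalk thread.
# Assumptions (taken from the thread, adjust to your domain): the script lives
# in SysVol at $ScriptPath; clients are on 192.168.2.x with default gateway
# 192.168.2.254; the mail server is 192.168.3.240.
# Run from an elevated prompt, or as a GPO computer startup script (LocalSystem).

$ScriptPath  = '\\Tai2D.ent\SysVol\Tai2D.ent\scripts\mailsrv_route.bat'
$Destination = '192.168.3.240'
$Mask        = '255.255.255.255'   # host route
$Gateway     = '192.168.2.254'

function Test-RoutePresent {
    param([string]$Dest, [string]$NetMask)
    # "route.exe print -4" lists active and persistent IPv4 routes as
    # whitespace-separated columns: destination, netmask, gateway, ...
    foreach ($line in (& route.exe print -4 2>$null)) {
        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -ge 3 -and $cols[0] -eq $Dest -and $cols[1] -eq $NetMask) {
            return $true
        }
    }
    return $false
}

function Add-PersistentHostRoute {
    param([string]$Dest, [string]$NetMask, [string]$Gw)
    # Idempotent: "route add" fails if the route exists, so check first rather
    # than have every startup write an error.
    if (Test-RoutePresent -Dest $Dest -NetMask $NetMask) { return 'already-present' }
    & route.exe add $Dest mask $NetMask $Gw -p | Out-Null
    if ($LASTEXITCODE -ne 0) { return "failed (route.exe exit code $LASTEXITCODE)" }
    return 'added'
}

function Get-UntrustedWriters {
    param([string]$Path)
    # Startup scripts run as LocalSystem on every computer in scope, so any
    # principal that can modify the script can run code as SYSTEM on all of
    # them. Report Allow ACEs that grant write-class or generic rights to
    # anyone other than the principals expected to administer SysVol.
    $trusted = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|CREATOR OWNER|.+\\(Domain|Enterprise) Admins)$'
    $writeBits   = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $genericBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL
    $findings = @()
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeBits) -eq 0 -and ($rights -band $genericBits) -eq 0) { continue }
        if ($ace.IdentityReference.Value -match $trusted) { continue }
        $findings += "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
    }
    return ,$findings
}

# Usage: audit the script's ACL before linking the GPO, then add the route.
$writers = Get-UntrustedWriters -Path $ScriptPath
if ($writers.Count -gt 0) {
    Write-Warning "Script is writable by non-admins; do not deploy it as a startup script:"
    $writers | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "ACL on $ScriptPath looks sane"
}
Write-Output ("Route {0}/{1} via {2}: {3}" -f $Destination, $Mask, $Gateway,
    (Add-PersistentHostRoute -Dest $Destination -NetMask $Mask -Gw $Gateway))
```

After the reboot, `gpresult /r /scope:computer` on a client lists the GPO under the applied computer policies if it reached the machine, and `route print` shows the new entry under Persistent Routes. As Jakob and Hans say above, a GPO that carries only Computer Configuration settings has to be linked where the computer objects are (their OU or the domain), not at the OU holding the users, and a test link to an OU with a single machine is the safer first step than a domain-level link that hits every server.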