[gptalk] Re: User Hive settings set during logon....

  • From: Thorbjörn Sjövold <thorbjorn.sjovold@xxxxxxxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 11 Mar 2008 22:37:37 +0100

Lol, yes, a gotcha on the gotcha :)

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: den 11 mars 2008 22:32
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....

Thanks Thorbjorn. Of course, Win2K has other issues with WMI filters besides 
not supporting this class :)



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thorbjörn Sjövold
Sent: Tuesday, March 11, 2008 2:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....

A small gotcha here that I once ran into myself is that Win32_NTDomain is not 
supported in W2K. But who uses W2K anyway now that we have Vista with SP1 ;)

Thorbjörn Sjövold


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: den 11 mars 2008 22:14
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....

An even better filter might be the following:

Select * from Win32_NTDomain WHERE Caption = "<NetBIOS domain name>" AND 
DcSiteName = "<your site>"

Or maybe not better but different. :)

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Nelson, Jamie R
Sent: Tuesday, March 11, 2008 11:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....


You point out some valid concerns. I usually try to avoid them myself, but it 
is an option if you can't make things work any other way.

I would try the WMI filter I suggested below. You might also look into what the 
GPP CSE can do for you. I think there are some registry match targeting options 
in there you could use to read the AD Site from the registry before enabling 
the setting.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Smith, Brad
Sent: Tuesday, March 11, 2008 1:10 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....

Ah, site based group policies. I have intentionally ignored them. We don't use 
them at the moment (bear in mind we have a fair number of GPO admins) and I 
wanted to avoid them because:

A) They introduce an extra level of complexity when diagnosing GPO problems.
B) They reside on DCs for the domain they were created in and do not have 
representation on DCs from other domains in the same forest, meaning they are 
copied across the WAN unless you have a DC locally, which we don't. This in 
turn creates GPO timeout problems (I wonder if Paul Snell's "Login Time Issues" 
thread is related to this btw) that I don't want to introduce. I know that I 
could rule out applying them by using GPO filtering, but have steered clear of 
them because as soon as I permit it for one reason, the floodgates will open 
and every business request will want a site based GPO for something or other.

I have stood by these principles for refusing Site Based GPOs since Beta testing 
W2K, but am always willing to revisit any opinion of mine on such matters.

So All, do you happily and readily deploy Site based GPOs? Eager to hear 
thoughts on this one...



________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Nelson, Jamie R
Sent: 11 March 2008 17:36
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....

Actually, this is not necessary if you link at the AD Site level. You would 
have to have 2 GPOs (1 to enable, 1 to disable). Link each "disable" GPO to 
every AD Site, and the "enable" GPO (with security filtering) to only the AD 
Sites you want. You will of course have to change the link order so that the 
enable GPO wins out if it passes security filtering.

Don't know why that didn't hit me at first, but it is an option.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Nelson, Jamie R
Sent: Tuesday, March 11, 2008 12:23 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....
You might be able to do something like that by querying Win32_Environment and 
looking at the %LOGONSERVER% variable. You wouldn't directly be able to get the 
site name, but you can check and see which DC they are authenticated to.

SELECT * FROM Win32_Environment WHERE Name = "LOGONSERVER" AND (VariableValue = 
"\\\\DC1" OR VariableValue = "\\\\DC2")

Something like that may work for you.

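Before either of the WQL filters in this thread (Darren's Win32_NTDomain query 
and Jamie's Win32_Environment query) is attached to a GPO, it is worth running 
them on an actual client, since a WMI filter that returns no rows silently 
excludes the machine. The script below is an added example, not code posted by 
anyone in the thread; the domain, site and DC names in it are placeholders.

```powershell
# Added example (not from the thread). Evaluates the two WQL filters discussed
# in this thread on the local client before attaching either to a GPO as a WMI
# filter. The GPO only applies when the query returns at least one row, so a
# query that returns nothing here silently excludes the machine. The domain,
# site and DC names below are placeholders, not values from the thread.
$NetbiosDomain = 'CONTOSO'
$PermittedSite = 'Site_Permitted_For_LCS_Video'
$PermittedDCs  = @('DC1', 'DC2')

function Test-WmiFilterQuery {
    param([string]$Query)
    try {
        $rows = @(Get-WmiObject -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
    } catch {
        # Win32_NTDomain does not exist on Windows 2000, so the query itself fails there.
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $false
    }
    Write-Host ("{0} row(s) returned by: {1}" -f $rows.Count, $Query)
    return ($rows.Count -gt 0)
}

# Darren's filter: Win32_NTDomain has one row per domain the client knows about,
# trusted domains included, so Caption pins the match to your own domain.
$siteQuery = 'SELECT * FROM Win32_NTDomain WHERE Caption = "{0}" AND DcSiteName = "{1}"' -f $NetbiosDomain, $PermittedSite

# Jamie's filter: %LOGONSERVER% expands to \\DCNAME, and a backslash is an
# escape character in WQL, so each name is written as "\\\\DCNAME" in the query.
$dcClause = ($PermittedDCs | ForEach-Object { 'VariableValue = "\\\\{0}"' -f $_ }) -join ' OR '
$logonQuery = 'SELECT * FROM Win32_Environment WHERE Name = "LOGONSERVER" AND ({0})' -f $dcClause

# Show what the client actually reports, so a non-matching filter is easy to explain
# (ClientSiteName is the client's own site, DcSiteName the site of the DC it found).
Get-WmiObject -Namespace 'root\cimv2' -Class Win32_NTDomain |
    Select-Object Caption, DcSiteName, ClientSiteName, DomainControllerName |
    Format-Table -AutoSize

foreach ($q in $siteQuery, $logonQuery) {
    if (Test-WmiFilterQuery -Query $q) { Write-Host 'MATCH: the GPO would apply' }
    else { Write-Host 'NO MATCH: the GPO would be filtered out' }
}
```

Running this as the logged-on user is not identical to the context the Group 
Policy engine evaluates filters in, so treat a match here as a first check, and 
confirm with the resultant set of policy on the client afterwards.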
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Smith, Brad
Sent: Tuesday, March 11, 2008 12:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....
What I want to achieve is to enable LCS Video conferencing for a limited group 
of users (simple enough application of security filtering) but only when they 
are authenticated to a site from a list of appropriate sites. So the logic 
would be:

if the user is in "Enable LCS Group"  <-- Handled by security filtering
AND the user has logged into "Site_Permitted_For_LCS_Video" <-- Handled by 
vbscript
then enable it, <-- Here lies the problem, as the user doesn't have permission 
to this key (quite rightfully so I agree)
Else
leave it as it is.

The perfect solution would be to evaluate the site via WQL and filter the GPO 
on that. Is getting the site name back from a WQL query possible?
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: 11 March 2008 16:49
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....
Right. That's on purpose! Users should not be able to modify their policy 
settings, otherwise Group Policy would be fairly useless :)
I'm curious why you want users to be able to modify these settings?
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Smith, Brad
Sent: Tuesday, March 11, 2008 9:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....
I would have thought so too, and thought this task would be a no brainer. Check 
HKCU\Software\Policies\Microsoft\Communicator on an XP SP2 build; it is 
definitely set to read only for the user.
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Nelson, Jamie R
Sent: 11 March 2008 15:54
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User Hive settings set during logon....

That doesn't sound right. If it is in HKCU the user should (by default) be able 
to modify it.
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Smith, Brad
Sent: Tuesday, March 11, 2008 10:49 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] User Hive settings set during logon....

All,

Is there a way to configure permissions on a registry key in the HKCU hive? I 
want to run a startup script that modifies a key in this hive from the user 
portion of the GPO, but the user only has read only access to it by default. 
Any ideas?

TIA,

Brad
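
Before changing anything, it helps to see exactly who can write to the policy 
key Brad describes, and whether the user picks up write rights through a group 
or through ownership. The script below is an added example, not code from the 
thread; it only reads the ACL and uses the key path named in the thread, which 
must exist on the box it runs on.

```powershell
# Added example (not from the thread). Audits the ACL on the HKCU policy key
# Brad refers to and reports which principals can write to it, to confirm that
# the user is limited to read access as the thread describes. The key path is
# the one named in the thread and must exist on the box you run this on.
$KeyPath = 'HKCU:\Software\Policies\Microsoft\Communicator'

# Rights that let a principal change policy values or the key's own ACL.
$WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-RegistryKeyAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            CanWrite  = ($ace.AccessControlType -eq 'Allow') -and ((([int]$ace.RegistryRights) -band ([int]$WriteMask)) -ne 0)
        }
    }
}

# Names the current token carries: the user plus every group it is a member of,
# since a write grant to a group is just as effective as one to the user.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($token.Name)
foreach ($sid in $token.Groups) {
    try { $myNames += $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}

# The owner can always rewrite the DACL, so report it before the entries.
Write-Host "Owner of $KeyPath is $((Get-Acl -Path $KeyPath).Owner)"
$entries = @(Get-RegistryKeyAccess -Path $KeyPath)
$entries | Format-Table Identity, Type, Rights, Inherited, CanWrite -AutoSize

$writers = @($entries | Where-Object { $_.CanWrite -and ($myNames -contains $_.Identity) })
if ($writers.Count -gt 0) {
    $via = ($writers | ForEach-Object { $_.Identity }) -join ', '
    Write-Host "Current user holds write rights on $KeyPath via: $via"
} else {
    Write-Host "Current user has no write rights on $KeyPath (read-only, as expected for a policy key)"
}
```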
This email and any attached files are confidential and copyright protected. If 
you are not the addressee, any dissemination of this communication is strictly 
prohibited. Unless otherwise expressly agreed in writing, nothing stated in 
this communication shall be legally binding.

The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in 
England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, 
Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in 
the United Kingdom can be found at: 
http://www.atkinsglobal.com/terms_and_conditions/index.aspx.<http://www.atkinsglobal.com/terms_and_conditions/index.aspx>

P Consider the environment. Please don't print this e-mail unless you really 
need to.

This message has been scanned for viruses by 
MailControl<http://bluepages.wsatkins.co.uk/?6875772>

________________________________
This e-mail may contain identifiable health information that is subject to 
protection under state and federal law. This information is intended to be for 
the use of the individual named above. If you are not the intended recipient, 
be aware that any disclosure, copying, distribution or use of the contents of 
this information is prohibited and may be punishable by law. If you have 
received this electronic transmission in error, please notify us immediately by 
electronic mail (reply).
________________________________