Actually, this is not necessary if you link at the AD Site level. You would have to have 2 GPOs (1 to enable, 1 to disable). Link each "disable" GPO to every AD Site, and the "enable" GPO (with security filtering) to only the AD Sites you want. You will of course have to change the link order so that the enable GPO wins out if it passes security filtering. Don't know why that didn't hit me at first, but it is an option. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Sent: Tuesday, March 11, 2008 12:23 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... You might be able to do something like that by querying Win32_Environment and looking at the %LOGONSERVER% variable. You wouldn't directly be able to get the site name, but you check and see which DC they are authenticated to. SELECT * FROM Win32_Environment WHERE Name = "LOGONSERVER" AND (VariableValue = "DC1" OR VariableValue="DC2") Something like that may work for you. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Smith, Brad Sent: Tuesday, March 11, 2008 12:05 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... What I want to achieve is to enable LCS Video conferencing for a limited group of users (simple enough application of security filtering) but only when they are authenticated to a site from a list of appropriate sites. So the logic would be: if the user is in "Enable LCS Group" <-- Handled by security filtering AND the user has logged into "Site_Permitted_For_LCS_Video" <- Handled by vbscript then enable it, <- Here lies the problem, as the user doesn't have permission to this key (quite rightfully so I agree) Else leave it as it is. The perfect solution would be to evaluate the site via WQL and filter the GPO on that, is getting the site name back from a WQL query possible? ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 11 March 2008 16:49 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... Right. That's on purpose! Users should not be able to modify their policy settings, otherwise Group Policy would be fairly useless J I'm curious why you want users to be able to modify these settings? Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Smith, Brad Sent: Tuesday, March 11, 2008 9:21 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... I would of thought so too, and thought this task would be a no brainer, check HCU\Software\Policies\Microsoft\Communicator on a XP SP2 build, it is definitely set to read only for the user. ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Sent: 11 March 2008 15:54 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User Hive settings set during logon.... That doesn't sound right. If it is in HKCU the user should (by default) be able to modify it. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Smith, Brad Sent: Tuesday, March 11, 2008 10:49 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] User Hive settings set during logon.... All, Is there a way to configure permissions on registry key in the HKCU hive? I want to run a startup script that modifies a key in this hive from the user portion of the GPO, but the user only has read only access to it by default. Any ideas? TIA, Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in the United Kingdom can be found at: http://www.atkinsglobal.com/terms_and_conditions/index.aspx. <http://www.atkinsglobal.com/terms_and_conditions/index.aspx> P Consider the environment. Please don't print this e-mail unless you really need to. This message has been scanned for viruses by MailControl <http://bluepages.wsatkins.co.uk/?6875772> ________________________________ This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply). ________________________________ This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in the United Kingdom can be found at: http://www.atkinsglobal.com/terms_and_conditions/index.aspx. <http://www.atkinsglobal.com/terms_and_conditions/index.aspx> P Consider the environment. Please don't print this e-mail unless you really need to. This message has been scanned for viruses by MailControl <http://bluepages.wsatkins.co.uk/?6875772> This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in the United Kingdom can be found at: http://www.atkinsglobal.com/terms_and_conditions/index.aspx. <http://www.atkinsglobal.com/terms_and_conditions/index.aspx> P Consider the environment. Please don't print this e-mail unless you really need to. ________________________________ This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply). ________________________________