[THIN] Re: GPO Permissions
- From: "Rick Mack" <Rick.Mack@xxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Sat, 4 Sep 2004 08:26:58 +1000
Hi Bob,
"Should" work. :-(
Try changing permissions on a policy and watch the policy folder
permissions change accordingly.
How many domain controllers do you have?
Is dsa/gpedit connected to the same DC where you changed permissions?
Regards,
Rick
Ulrich Mack
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland, Australia
tel +61 7 32467704
rmack@xxxxxxxxxxxxxx
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Robert Barrett
Sent: Friday, 3 September 2004 12:42 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: GPO Permissions
I tried just changing the perms on the Sysvol copy of the GPO and it did
not work. I will however, deny the apply setting in the future. Thanks
for the reply.
Bob Barrett
FVSD#52
_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Rick Mack
Sent: Wednesday, September 01, 2004 6:20 PM
To: thin@xxxxxxxxxxxxx
Subject: RE: [THIN] GPO Permissions
Hi Robert,
The access permissions you're playing with are in large just file access
permissions, at least when you deny access.
If you look at the properties of your TS policy, will see it's get its
unique "name", (eg {5BF1F1C5-31A7-4AA7-9F87-2A7ACAB64FFE}). Write down
the first 5-6 digits.
Now go to %logonserver%\sysvol\%your_AD_domain_name%\policies. You'll
see a whole bunch of folders with what look like classids. Each one is a
group policy in your domain. If you highlight the folder with the same
name as your TS policy and look at its security properties, you'll be
able to re-enable domain admin access.
In future though, its far less dangerous to just to either untick the
"Apply Group Policy" box or tick the deny "Apply Group Policy" box for
user groups that don't want the policy applied.
regards,
Rick
Ulrich Mack
Volante Systems
_____
From: thin-bounce@xxxxxxxxxxxxx on behalf of Robert Barrett
Sent: Thu 2/09/2004 3:13 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] GPO Permissions
Okay I think we have screwed up big time and I am hoping someone can
help me fix it. We enabled loopback processing on the GPO for our TS
boxes. To prevent the admins from getting the policy we denied
permissions to the domain admins group. I had read somewhere that it
was the way to prevent the policy from being applied to the admins.
Anyway my worst fears were realized when I tried to edit said GPO,
denied! Listed as inaccessible. Is there any way for me to reset the
permissions and be able to edit this policy again without deleting it
and starting over (not even sure I can delete it)? Help
Robert Barrett MCSE, CCA
Enterprise Administrator
robertb@xxxxxxxxxx
Phone: (780) 927-3766
Fax: (780) 926-3037
http://www.fvsd.ab.ca <http://www.fvsd.ab.ca/>
########################################################################
#############
This e-mail, including all attachments, may be confidential or
privileged. Confidentiality or privilege is not waived or lost because
this email has been sent to you in error. If you are not the intended
recipient any use, disclosure or copying of this email is prohibited. If
you have received it in error please notify the sender immediately by
reply email and destroy all copies of this email and any attachments.
All liability for direct and indirect loss arising from this email and
any attachments is hereby disclaimed to the extent permitted by law.
########################################################################
#############
#####################################################################################
This e-mail, including all attachments, may be confidential or privileged.
Confidentiality or privilege is not waived or lost because this email has been
sent to you in error. If you are not the intended recipient any use,
disclosure or copying of this email is prohibited. If you have received it in
error please notify the sender immediately by reply email and destroy all
copies of this email and any attachments. All liability for direct and
indirect loss arising from this email and any attachments is hereby disclaimed
to the extent permitted by law.
#####################################################################################
********************************************************
This Weeks Sponsor triCerat:
Have you had your fill of printing support calls, unauthorized apps running on
unsecured Terminal Servers, profile headaches, and application performance
problems? Join us and learn how you can have a less demanding on-demand
enterprise!
http://www.tricerat.com/?page=events#register
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
Other related posts:
