From: Paul Glickenhaus <PaulGlickenhaus@discussions.microsoft.com>
To: none
Subject: Re: force without reboot and logoff
Date: 09/19/2007 07:52:03

Thanks that was the solution.

Paul
From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>
To: none
Subject: Re: force without reboot and logoff
Date: 09/18/2007 13:42:36

Howdie Paul!

Paul Glickenhaus wrote:
> I have a policy to manage the IE proxy exceptions. It seems that this can
> only be applied via a /force. This will require a reboot / or logoff. Is
> there a way to apply policies that need to be forced without the reboot?

Is it just about IE proxy exceptions? See the following Group Policy, that
may help:

CompConf\AdmTemp\System\Group Policy\ - "Internet Explorer Maintenance
policy processing" - "Process even if the Group Policy objects have
not changed"

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
From: ejmichaud@hotmail.com
To: none
Subject: Re: Folder Redirection / Offline Files / Synchronization manager ....Ahhhhh!
Date: 09/27/2007 13:52:13

After further testing I was able to determine that the necessary GPO
setting to prevent the synchronization manager from appearing on
desktops is: "Allow or Disallow use of the Offline Files feature".

For those who might be curious, here is an explanation of the approach
I have chosen:

Goals:

1. Redirect My Documents to a network location (DFS Namespace). DFS
   Namespace provides greater flexibility for the future since there are
   no hard coded server names or share names in the redirected path.
2. Be able to roll out the folder redirection for small groups of
   users at a time, instead of all the users immediately.
3. Do not make the My Documents available offline for all devices
   except mobile devices (laptops/tablets). For mobile devices, the end
   users on the devices may work disconnected from the network from time
   to time, when they are disconnected we still want those users to have
   access to their "My Documents" when disconnected from the network.
4. Make the implementation as seamless as possible for the end user.
5. Have separate policies to turn on offline files for mobile devices,
   but not have separate policies that are required to disable offline
   files for desktops/laptops. In other words, top level policy disables
   offline folders for all devices (setting turn off offline files as the
   default), but have separate policies that can enable offline files for
   mobile devices. If we create an OU, we don't want to have to link a
   policy to that OU to disable automatic caching of the redirected My
   Documents folder.
6. Do not have offline files automatically cache files for those who
   support end users but still allow them the ability to manually set My
   Documents to be set as offline. When support personnel log into other
   laptops, we don't want the support personnel's My Documents to be
   cached as offline on that device. However, for those support personnel
   who have mobile devices, we still want to allow them the ability to
   set their "My Documents" as offline files.

To implement My Documents folder redirection four GPOs will be used.
The four GPOs and their settings are listed below, explanation of the
approach taken and explanations of why particular GPO settings were
used can be found below the listed settings.

Disable Offline Files
  General
    Links
      Root of domain
  Computer Configuration
    Administrative Templates
      Network/Offline Files
        Allow or Disallow use of the Offline Files feature: Disabled

My Documents Redirection
  General
    Links
      (OU with users who will receive My Documents redirection, eventually
      root of domain)
  User Configuration
    Folder Redirection
      My Documents
        Setting: Advanced (Specify locations for various user groups)
          GROUP1: Location1
        Options
          Grant user exclusive rights to My Documents: Disabled
          Move the contents of My Documents to the new location: Enabled
          Policy Removal Behavior: Restore Contents

Configure Offline Files (1 of 2)
  General
    Links
      (All Laptop-Tablet OUs)
    Delegation
      (Support people group(s) will have Apply Group Policy=Deny)
  Computer Configuration
    Administrative Templates
      Network/Offline Files
        Allow or Disallow use of the Offline Files Feature: Enabled
      System/Group Policy
        User Group Policy loopback processing mode: Enabled
          Mode: Merge
  User Configuration
    Administrative Templates
      Network/Offline Files
        Event Logging Level: Enabled (3)
        Synchronize all offline files before logging off: Enabled
        Synchronize offline files before suspend: Enabled
          Type of sync to perform when suspending: Full

Configure Offline Files (2 of 2)
  General
    Links
      (All Laptop-Tablet OUs)
    Delegation
      (Authenticated Users removed)
    Security Filtering
      (Support people group(s), only those in these group(s) will receive
      this policy)
  Computer Configuration
    Administrative Templates
      System/Group Policy
        User Group Policy loopback processing mode: Enabled
          Mode: Merge
  User Configuration
    Administrative Templates
      Network/Offline Files
        Do not automatically make redirected folders available offline: Enabled

The first question after reviewing the group policies likely is why
four GPOs to accomplish this. The answer is simply that after
significant testing that number of GPOs was the least number that
could be used to accomplish all my goals. Below you will find
descriptions of each of the policies:

Disable Offline Files

The essential purpose of this GPO is to disable offline files. This
GPO will be linked to the root of the domain.

Q. Why disable offline files?
A. Testing has shown that this is the only Group Policy setting that
could be used to prevent the synchronization manager from appearing on
desktops/servers (during a logoff) after folder redirection was
implemented. Since we want to make folder redirection as seamless as
possible, we didn't want end users of desktops or Citrix/Terminal
servers to be seeing the synchronization manager running at logoff,
even though the synchronization manager isn't syncing anything.

Q. Why link this policy at the root?
A. We want to make sure that all devices (desktops/servers/special
project machines/test computers/etc.) receive this policy. This will
eliminate the synchronization manager from automatically being
displayed on any device in which it is not intended to run on.

Q. What about mobile devices, don't we want them to have offline files
available?
A. Another policy linked at each of the Laptops-Tablets OU will
override this policy making Offline Files available for mobile
devices.

Q. Why not use the "Do not automatically make redirected folders
available offline" setting instead?
A. Although the "Do not automatically make redirected folders
available offline" GPO setting will prevent the redirected "My
Documents" folder from automatically being made available offline, it
will not prevent the synchronization manager from running, even though
there are no offline files to synchronize. The "Allow or Disallow use
of the Offline Files feature" setting serves both purposes; it
prevents offline files from automatically being made available
offline, and it prevents the synchronization manager from running.

My Documents Redirection

The essential purpose of this GPO is to redirect the end user's "My
Documents" folder to an appropriate network location. This policy uses
group membership to determine the appropriate network location the
user's "My Documents" folder should be redirected to.

Q. What happens if a user isn't a member of any of the groups defined
in the policy, but the user is receiving the policy?
A. The user's "My Documents" folder will not be redirected.

Q. What happens if a user is a member of multiple groups, likely a
result of being employed for multiple affiliates?
A. The top most group that the user is a member of listed in the "My
Documents Redirection" GPO will be the winning location for the user's
My Documents folder to be redirected to.

Q. What happens if the user's group membership changes?
A. When group membership changes from one group to another, the user's
data will be transferred from the old location to the location
specified by the new group membership.

Q. What happens to the user's data if they are removed from the group
that is used to determine the appropriate location to re-direct the My
Documents folder?
A. When a user is removed from the group that is used to re-direct "My
Documents" that data will be transferred back to the default "My
Documents" path on the user's local computer. The user's data will
then only be available from that one computer. The user's folder will
still exist on the network, however it will be empty.

Configure Offline Files (1 of 2)

The essential purpose of this GPO is to make "My Documents" available
offline for users of mobile devices; this is done so that the user's
"My Documents" is still available when the user isn't connected to the
network. This policy is linked to each of the Laptops-Tablets OUs.
Through delegation, this policy is denied to Support Personnel; note
however that only the user configuration side is denied, the computer
configuration side still applies regardless of who logs in.

In the Computer Configuration side of the GPO, "Allow or Disallow use
of the Offline Files Feature" is enabled which overrides the Disabled
setting from the "Disable Offline Files" GPO.

Loopback processing is enabled, to allow the user configuration
settings to apply to almost all users who log into the laptops.

Q. Why use loopback processing, the user configuration settings that
are applied in this policy are also available in the computer
configuration side. Why not just use the computer configuration
settings?
A. We don't want these settings to apply to all users, we want to deny
the settings (deny setting the redirected My Documents folder to
automatically be setup as an offline folder) for support personnel. If
we were to use the computer configuration side settings, there would
be no way to deny these settings for some users since it would be
applied at the computer level for all users. By denying the "Apply
Group Policy" permission VIA delegation, we can prevent support
personnel from automatically setting My Documents as an offline
folder.

Configure Offline Files (2 of 2)

The essential purpose of this GPO is to aid in the prevention of
automatically setting the user's "My Documents" folder as offline for
support personnel. Since the default for Windows XP is to
automatically make redirected folders available offline, we need this
policy to disable the default action for Windows XP. Using Security
Filtering, only support personnel will receive this policy. This
policy is linked to each of the Laptops-Tablets OUs.

Loopback processing is enabled; this is done to allow the user
configuration setting to apply to support personnel who log into the
laptops.

Q. Can't "Configure Offline Files (1 of 2)" and "Configure Offline
Files (2 of 2)" be combined?
A. No, because the setting in "Configure Offline Files (2 of 2)"
contradicts the settings in "Configure Offline Files (1 of 2)". Normal
end users will only receive the "Configure Offline Files (1 of 2)" GPO
whereas support personnel will only receive the "Configure Offline
Files (2 of 2)".

Q. Why can't the "Do not automatically make redirected folders
available offline" setting be disabled in the "Disable Offline Files"
GPO, then in the "Configure Offline Files (1 of 2)" the setting be
enabled?
A. In theory you would expect this combination to work properly. You
would expect that "automatically make redirected folders offline"
would be disabled for all users/devices, but would then be enabled for
all users of laptops except for support personnel. Testing has shown
that with this GPO settings configuration, for some unknown reason,
when laptop users reboot or shutdown the synchronization manager
doesn't run, interestingly enough though during a logoff the
synchronization manager works as expected. By applying the GPO
settings in the fashion documented, i.e. using "Configure Offline
Files (2 of 2)" we can get everything to work as expected.

Q. For support personnel with mobile devices, how can their redirected
My Documents folder be made available offline since the "Configure
Offline Files (1 of 2)" and "Configure Offline Files (2 of 2)" prevent
this from happening automatically.
A. Right click on "My Documents" and select "Make Available Offline"
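The precedence logic of the three offline-files GPOs described in the post above, as an added example rather than anything the poster ran: a small Python model of link order, "Apply Group Policy" filtering and loopback merge that computes what a given computer and user end up with. The OU name Desktops, the group names Staff and Support, and the simplification that the user's own OU links none of these GPOs are assumptions; the My Documents Redirection GPO is left out.

```python
from dataclasses import dataclass, field

OFFLINE = "Allow or Disallow use of the Offline Files feature"
NO_AUTO = "Do not automatically make redirected folders available offline"
SYNC_LOGOFF = "Synchronize all offline files before logging off"
LOOPBACK = "User Group Policy loopback processing mode"
EVERYONE = frozenset({"Authenticated Users"})


@dataclass
class GPO:
    name: str
    link: str                                   # "domain" or an OU name
    computer: dict = field(default_factory=dict)
    user: dict = field(default_factory=dict)
    allow: frozenset = EVERYONE                 # Apply Group Policy = Allow
    deny: frozenset = frozenset()               # Apply Group Policy = Deny

    def applies_to(self, groups):
        # An explicit Deny beats any Allow.
        return bool(self.allow & groups) and not (self.deny & groups)


# The three GPOs from the post; group and OU names are hypothetical.
GPOS = [
    GPO("Disable Offline Files", "domain", computer={OFFLINE: "Disabled"}),
    GPO("Configure Offline Files (1 of 2)", "Laptop-Tablet",
        computer={OFFLINE: "Enabled", LOOPBACK: "Merge"},
        user={SYNC_LOGOFF: "Enabled"},
        deny=frozenset({"Support"})),
    GPO("Configure Offline Files (2 of 2)", "Laptop-Tablet",
        computer={LOOPBACK: "Merge"},
        user={NO_AUTO: "Enabled"},
        allow=frozenset({"Support"})),          # Authenticated Users removed
]


def merge_side(scope, groups, side):
    """Merge one side ("computer" or "user") of each applicable GPO, root first."""
    result = {}
    for container in scope:
        for gpo in GPOS:
            if gpo.link == container and gpo.applies_to(groups):
                result.update(getattr(gpo, side))   # later (closer) link wins
    return result


def rsop(computer_ou, user_groups):
    """Return (computer_settings, user_settings) for one logon."""
    computer_groups = EVERYONE | {"Domain Computers"}
    user_groups = EVERYONE | frozenset(user_groups)
    computer_scope = ["domain", computer_ou]
    computer = merge_side(computer_scope, computer_groups, "computer")
    user_scope = ["domain"]      # assumption: the user's own OU links none of these
    if computer.get(LOOPBACK) == "Merge":
        # Loopback merge: user side of the computer's GPOs is applied last,
        # filtered by the logged-on user's group membership.
        user_scope = user_scope + computer_scope
    user = merge_side(user_scope, user_groups, "user")
    return computer, user


def outcome(computer_ou, user_groups):
    computer, user = rsop(computer_ou, user_groups)
    enabled = computer.get(OFFLINE) == "Enabled"
    return {
        "offline_files_enabled": enabled,
        # Per the post, XP pins redirected folders unless NO_AUTO is Enabled.
        "my_documents_cached_automatically": enabled and user.get(NO_AUTO) != "Enabled",
        "can_pin_manually": enabled,
        "sync_at_logoff_forced": user.get(SYNC_LOGOFF) == "Enabled",
    }


if __name__ == "__main__":
    for ou, groups in [("Desktops", {"Staff"}), ("Laptop-Tablet", {"Staff"}),
                       ("Laptop-Tablet", {"Support"}), ("Desktops", {"Support"})]:
        print(ou, sorted(groups), outcome(ou, groups))
```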
From: ejmichaud@hotmail.com
To: none
Subject: Re: Folder Redirection / Offline Files / Synchronization manager ....Ahhhhh!
Date: 09/25/2007 11:48:53

I am sorry, that wasn't very clear. #2 should have read:

2. All desktops will not have My Documents available offline

For desktops, I do not want offline files enabled by default for the
redirected My Documents folder. I only want offline files enabled by
default on the redirected My Documents folder for mobile devices.

Of course the issue I have is that even when I enable the "Do not
automatically make redirected folders available offline" the
synchronization manager still appears at logoff. The My Documents
folder, which has been redirected, is not made available offline.
However, even though the redirected My Documents isn't being made
available offline, when the computer/user receives the GPO to redirect
My Documents, synchronization manager is turned on, which obviously
isn't syncing anything because no files are being made available
offline, but the synchronization manager is still being displayed at
logoff.

What I want to do is prevent the synchronization manager from being
displayed on the desktops when I enable My Documents folder
redirection. In addition, I don't want to break the synchronization
manager for anyone who may have previously manually set some files
offline and depend on synchronization manager running.

So to sum up what I want on desktop computers:

1. Redirect my documents to a network location
2. Do not make the my documents available offline
3. If synchronization manager was not previously enabled, do not
   enable it / do not show the synchronization manager during user
   logoff.
4. If synchronization manager was previously being used to make other
   files available offline, do not disable it.

I am still testing so none of this has been implemented yet except in
my test lab.

Thanks,
Eric
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Folder Redirection / Offline Files / Synchronization manager ....Ahhhhh!
Date: 09/24/2007 15:52:41

Hello,

if nobody needs the desktop synced offline, you may disable the offline
feature at the share level

what about an rsop.msc result?

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

<ejmichaud@hotmail.com> wrote in message
news:1190661864.051523.322590@k79g2000hse.googlegroups.com...
> Well let me start off by describing my goals with folder redirection
> and offline files
> 1. All users will have their My Documents redirected to a folder with
> a DFS Namespace based on group membership.
> 2. All desktops will not have offline files disabled
> 3. All mobile devices (laptops/tablets) will have offline files
> enabled
>
> Working with Windows XP SP2 computers.
>
> Interesting enough, the issue/concern I am having is with item #2. I
> have created two GPOs. The first GPO "My Documents Re-Direction" will
> be applied to all users. This GPO sets the My Document Redirection
> settings and also sets the "Do not automatically make redirected
> folders available offline" setting to enabled. The second GPO
> "Offline Files" will be applied to OUs that contain mobile devices
> (laptops/tablets). This GPO has the "Do not automatically make
> redirected folders available offline" disabled (user Configuration)
> with loopback enabled.
>
> The two GPOs do everything I expected except on the desktop side.
> When users log off a desktop they see the Synchronization Manager.
> The synchronization manager states it's syncing the root of the DFS
> Namespace, shows a status of Succeeded, but there are no files stored
> in the offline cache.
>
> It appears that even though I have specifically enabled the "Do not
> automatically make redirected folders available offline", the
> synchronization manager gets enabled when Folder Redirection is turned
> on even though there are no offline files to sync. Does anyone know
> of a way to set redirected folders VIA GPO(s), to not have the files
> available offline, and to not have the synchronization manager show up
> at logoff?
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Event ID 1030 & 1058
Date: 09/19/2007 14:00:47

From GPMC, trace all GPO GUID to find what is this one...If you can post
what it should do.
This GPO may be corrupted

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
news:47373EFB-45AD-4FC0-99A0-38092ED0E6B7@microsoft.com...
> I just ran the 'gpupdate /force' & the errors are still logging.
> Yes, this has been happening since the restarts of both DC's.
> Should I try restarting them both again but this time allowing the PDC to
> fully boot back up before restarting the DC?
>
> "Mathieu CHATEAU" wrote:
>
>> yes it's the syntax and yes you can safely do it while running on
>> production mode.
>> It is done regularly anyway. Did you get these messages since reboot?
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
>> news:3FE86185-D8E1-47A6-8335-3E565B3040F4@microsoft.com...
>> > To be honest I wouldn't know if it looks correct because this is the
>> > first time I have ever opened that file. It only has the following two
>> > lines:
>> >
>> > [General]
>> > Version=65539
>> >
>> > Are you stating to do a START - RUN - 'gpupdate /force'?
>> >
>> > If so, is the syntax correct and can I do this while still in
>> > production mode?
>> >
>> > Thanks....
>> >
>> > "Mathieu CHATEAU" wrote:
>> >
>> >> If you open it, does it look correct ?
>> >> gpupdate /force on DC make the error coming back ?
>> >>
>> >> --
>> >> Cordialement,
>> >> Mathieu CHATEAU
>> >> http://lordoftheping.blogspot.com
>> >>
>> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
>> >> news:454A9169-831E-49CE-89D9-D3189407F63E@microsoft.com...
>> >> > Yes.
>> >> >
>> >> > "Mathieu CHATEAU" wrote:
>> >> >
>> >> >> Hello,
>> >> >>
>> >> >> Does this file really exist ?
>> >> >> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
>> >> >>
>> >> >> --
>> >> >> Cordialement,
>> >> >> Mathieu CHATEAU
>> >> >> http://lordoftheping.blogspot.com
>> >> >>
>> >> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
>> >> >> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
>> >> >> > Hello,
>> >> >> >
>> >> >> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
>> >> >> > A few days ago I restarted both servers by restarting the PDC first
>> >> >> > and then the DC and now I keep getting the following two errors in
>> >> >> > the event log:
>> >> >> >
>> >> >> > Event ID 1030
>> >> >> > 'Windows cannot query for the list of Group Policy objects. Check the
>> >> >> > event log for possible messages previously logged by the policy
>> >> >> > engine that describes the reason for this.'
>> >> >> >
>> >> >> > Event ID 1058
>> >> >> > Description: Windows cannot access the file gpt.ini for GPO
>> >> >> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com.
>> >> >> > The file must be present at the location
>> >> >> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
>> >> >> > (Error_Message). Group Policy processing aborted. For more
>> >> >> > information, see Help and Support Center at
>> >> >> > http://support.microsoft.com.
>> >> >> >
>> >> >> > This only started happening after the restarts.
>> >> >> > Should I attempt to restart both servers again to resolve?
>> >> >> >
>> >> >> > Thanks....
From: bsbm525 <bsbm525@discussions.microsoft.com>
To: none
Subject: Re: Event ID 1030 & 1058
Date: 09/19/2007 13:54:02

I just ran the 'gpupdate /force' & the errors are still logging.
Yes, this has been happening since the restarts of both DC's.
Should I try restarting them both again but this time allowing the PDC to
fully boot back up before restarting the DC?

"Mathieu CHATEAU" wrote:

> yes it's the syntax and yes you can safely do it while running on
> production mode.
> It is done regularly anyway. Did you get these messages since reboot?
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
> news:3FE86185-D8E1-47A6-8335-3E565B3040F4@microsoft.com...
> > To be honest I wouldn't know if it looks correct because this is the
> > first time I have ever opened that file. It only has the following two
> > lines:
> >
> > [General]
> > Version=65539
> >
> > Are you stating to do a START - RUN - 'gpupdate /force'?
> >
> > If so, is the syntax correct and can I do this while still in
> > production mode?
> >
> > Thanks....
> >
> > "Mathieu CHATEAU" wrote:
> >
> >> If you open it, does it look correct ?
> >> gpupdate /force on DC make the error coming back ?
> >>
> >> --
> >> Cordialement,
> >> Mathieu CHATEAU
> >> http://lordoftheping.blogspot.com
> >>
> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
> >> news:454A9169-831E-49CE-89D9-D3189407F63E@microsoft.com...
> >> > Yes.
> >> >
> >> > "Mathieu CHATEAU" wrote:
> >> >
> >> >> Hello,
> >> >>
> >> >> Does this file really exist ?
> >> >> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
> >> >>
> >> >> --
> >> >> Cordialement,
> >> >> Mathieu CHATEAU
> >> >> http://lordoftheping.blogspot.com
> >> >>
> >> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
> >> >> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
> >> >> > Hello,
> >> >> >
> >> >> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
> >> >> > A few days ago I restarted both servers by restarting the PDC first
> >> >> > and then the DC and now I keep getting the following two errors in
> >> >> > the event log:
> >> >> >
> >> >> > Event ID 1030
> >> >> > 'Windows cannot query for the list of Group Policy objects. Check the
> >> >> > event log for possible messages previously logged by the policy
> >> >> > engine that describes the reason for this.'
> >> >> >
> >> >> > Event ID 1058
> >> >> > Description: Windows cannot access the file gpt.ini for GPO
> >> >> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com.
> >> >> > The file must be present at the location
> >> >> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> >> >> > (Error_Message). Group Policy processing aborted. For more
> >> >> > information, see Help and Support Center at
> >> >> > http://support.microsoft.com.
> >> >> >
> >> >> > This only started happening after the restarts.
> >> >> > Should I attempt to restart both servers again to resolve?
> >> >> >
> >> >> > Thanks....
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Event ID 1030 & 1058
Date: 09/19/2007 13:37:54

yes it's the syntax and yes you can safely do it while running on production
mode.
It is done regularly anyway. Did you get these messages since reboot?

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
news:3FE86185-D8E1-47A6-8335-3E565B3040F4@microsoft.com...
> To be honest I wouldn't know if it looks correct because this is the first
> time I have ever opened that file. It only has the following two lines:
>
> [General]
> Version=65539
>
> Are you stating to do a START - RUN - 'gpupdate /force'?
>
> If so, is the syntax correct and can I do this while still in production
> mode?
>
> Thanks....
>
> "Mathieu CHATEAU" wrote:
>
>> If you open it, does it look correct ?
>> gpupdate /force on DC make the error coming back ?
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
>> news:454A9169-831E-49CE-89D9-D3189407F63E@microsoft.com...
>> > Yes.
>> >
>> > "Mathieu CHATEAU" wrote:
>> >
>> >> Hello,
>> >>
>> >> Does this file really exist ?
>> >> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
>> >>
>> >> --
>> >> Cordialement,
>> >> Mathieu CHATEAU
>> >> http://lordoftheping.blogspot.com
>> >>
>> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
>> >> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
>> >> > Hello,
>> >> >
>> >> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
>> >> > A few days ago I restarted both servers by restarting the PDC first
>> >> > and then the DC and now I keep getting the following two errors in
>> >> > the event log:
>> >> >
>> >> > Event ID 1030
>> >> > 'Windows cannot query for the list of Group Policy objects. Check the
>> >> > event log for possible messages previously logged by the policy
>> >> > engine that describes the reason for this.'
>> >> >
>> >> > Event ID 1058
>> >> > Description: Windows cannot access the file gpt.ini for GPO
>> >> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com.
>> >> > The file must be present at the location
>> >> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
>> >> > (Error_Message). Group Policy processing aborted. For more
>> >> > information, see Help and Support Center at
>> >> > http://support.microsoft.com.
>> >> >
>> >> > This only started happening after the restarts.
>> >> > Should I attempt to restart both servers again to resolve?
>> >> >
>> >> > Thanks....
From: bsbm525 <bsbm525@discussions.microsoft.com>
To: none
Subject: Re: Event ID 1030 & 1058
Date: 09/19/2007 12:50:02

To be honest I wouldn't know if it looks correct because this is the first
time I have ever opened that file. It only has the following two lines:

[General]
Version=65539

Are you stating to do a START - RUN - 'gpupdate /force'?

If so, is the syntax correct and can I do this while still in production mode?

Thanks....

"Mathieu CHATEAU" wrote:

> If you open it, does it look correct ?
> gpupdate /force on DC make the error coming back ?
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
> news:454A9169-831E-49CE-89D9-D3189407F63E@microsoft.com...
> > Yes.
> >
> > "Mathieu CHATEAU" wrote:
> >
> >> Hello,
> >>
> >> Does this file really exist ?
> >> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
> >>
> >> --
> >> Cordialement,
> >> Mathieu CHATEAU
> >> http://lordoftheping.blogspot.com
> >>
> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
> >> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
> >> > Hello,
> >> >
> >> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
> >> > A few days ago I restarted both servers by restarting the PDC first
> >> > and then the DC and now I keep getting the following two errors in
> >> > the event log:
> >> >
> >> > Event ID 1030
> >> > 'Windows cannot query for the list of Group Policy objects. Check the
> >> > event log for possible messages previously logged by the policy
> >> > engine that describes the reason for this.'
> >> >
> >> > Event ID 1058
> >> > Description: Windows cannot access the file gpt.ini for GPO
> >> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com.
> >> > The file must be present at the location
> >> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> >> > (Error_Message). Group Policy processing aborted. For more
> >> > information, see Help and Support Center at
> >> > http://support.microsoft.com.
> >> >
> >> > This only started happening after the restarts.
> >> > Should I attempt to restart both servers again to resolve?
> >> >
> >> > Thanks....
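The gpt.ini check discussed in this thread, as an added example that is not code from any poster: a Python sketch that parses gpt.ini text, splits Version into its user (high 16 bits) and computer (low 16 bits) revision counters, and flags SYSVOL copies that are unreadable, malformed, or out of step with each other or with the directory's versionNumber. The function names, the PDC/DC labels and the stale sample file are constructed for illustration.

```python
import configparser


def parse_gpt_ini(text):
    """Return (user_revision, computer_revision) decoded from gpt.ini text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))       # tolerate a leading BOM
    except configparser.Error as exc:
        raise ValueError(f"not parseable as INI: {type(exc).__name__}") from exc
    section = next((s for s in cp.sections() if s.lower() == "general"), None)
    if section is None:
        raise ValueError("missing [General] section")
    raw = cp[section].get("version")                # option names are case-insensitive
    if raw is None:
        raise ValueError("missing Version= entry")
    try:
        version = int(raw.strip())
    except ValueError:
        raise ValueError(f"Version is not an integer: {raw!r}") from None
    if not 0 <= version <= 0xFFFFFFFF:
        raise ValueError(f"Version out of 32-bit range: {version}")
    # High word counts user-side edits, low word counts computer-side edits.
    return version >> 16, version & 0xFFFF


def check_copies(copies, ad_version_number=None):
    """Compare gpt.ini copies read from several SYSVOL replicas.

    copies maps a label (for example a DC name) to the file's text, or to
    None when the file could not be opened there, which is the condition
    Event ID 1058 reports. ad_version_number is the GPO's versionNumber
    attribute from the directory, if known. Returns a list of findings;
    an empty list means every copy is readable and consistent.
    """
    findings, decoded = [], {}
    for source, text in copies.items():
        if text is None:
            findings.append(f"{source}: gpt.ini not readable")
            continue
        try:
            decoded[source] = parse_gpt_ini(text)
        except ValueError as exc:
            findings.append(f"{source}: {exc}")
    if len(set(decoded.values())) > 1:
        findings.append(f"copies disagree (user, computer): {decoded}")
    if ad_version_number is not None:
        expected = (ad_version_number >> 16, ad_version_number & 0xFFFF)
        for source, revisions in decoded.items():
            if revisions != expected:
                findings.append(f"{source}: file {revisions} != directory {expected}")
    return findings


# The two-line file quoted in the thread, plus a constructed stale copy.
SAMPLE = "[General]\nVersion=65539\n"
STALE = "[General]\nVersion=65538\n"

if __name__ == "__main__":
    print(parse_gpt_ini(SAMPLE))
    for finding in check_copies({"PDC": SAMPLE, "DC": STALE}, ad_version_number=65539):
        print(finding)
```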
From: Adrian Grigorof <adi@replace_with_my_last_name.com>
To: none
Subject: Re: Event ID 1030 & 1058
Date: 09/19/2007 11:55:19

See this link:
http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

--
Regards,
Adrian Grigorof
www.eventid.net - Information for over 9000 Windows event IDs
www.altairtech.ca/evlog - Free event log monitoring

"bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
> Hello,
>
> I'm running a Windows 2003 Server domain with two servers (PDC & DC).
> A few days ago I restarted both servers by restarting the PDC first and
> then the DC and now I keep getting the following two errors in the event log:
>
> Event ID 1030
> 'Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine that
> describes the reason for this.'
>
> Event ID 1058
> Description: Windows cannot access the file gpt.ini for GPO
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com.
> The file must be present at the location
> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> (Error_Message). Group Policy processing aborted. For more
> information, see Help and Support Center at http://support.microsoft.com.
>
> This only started happening after the restarts.
> Should I attempt to restart both servers again to resolve?
>
> Thanks....
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Event ID 1030 & 1058
Date: 09/19/2007 11:37:47

If you open it, does it look correct ?
gpupdate /force on DC make the error coming back ?

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
news:454A9169-831E-49CE-89D9-D3189407F63E@microsoft.com...
> Yes.
>
> "Mathieu CHATEAU" wrote:
>
>> Hello,
>>
>> Does this file really exist ?
>> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
>> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
>> > Hello,
>> >
>> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
>> > A few days ago I restarted both servers by restarting the PDC first
>> > and then the DC and now I keep getting the following two errors in the
>> > event log:
>> >
>> > Event ID 1030
>> > 'Windows cannot query for the list of Group Policy objects. Check the
>> > event log for possible messages previously logged by the policy engine
>> > that describes the reason for this.'
>> >
>> > Event ID 1058
>> > Description: Windows cannot access the file gpt.ini for GPO
>> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com.
>> > The file must be present at the location
>> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
>> > (Error_Message). Group Policy processing aborted. For more
>> > information, see Help and Support Center at
>> > http://support.microsoft.com.
>> >
>> > This only started happening after the restarts.
>> > Should I attempt to restart both servers again to resolve?
>> >
>> > Thanks....
From: bsbm525 <bsbm525@discussions.microsoft.com>
To: none
Subject: Re: Event ID 1030 & 1058
Date: 09/19/2007 11:34:04

Yes.

"Mathieu CHATEAU" wrote:

> Hello,
>
> Does this file really exist ?
> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
> > Hello,
> >
> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
> > A few days ago I restarted both servers by restarting the PDC first
> > and then the DC and now I keep getting the following two errors in the
> > event log:
> >
> > Event ID 1030
> > 'Windows cannot query for the list of Group Policy objects. Check the
> > event log for possible messages previously logged by the policy engine
> > that describes the reason for this.'
> >
> > Event ID 1058
> > Description: Windows cannot access the file gpt.ini for GPO
> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com.
> > The file must be present at the location
> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> > (Error_Message). Group Policy processing aborted. For more
> > information, see Help and Support Center at
> > http://support.microsoft.com.
> >
> > This only started happening after the restarts.
> > Should I attempt to restart both servers again to resolve?
> >
> > Thanks....
Top
From: Mathieu CHATEAU
<gollum123@free.fr>
To:
none
Subject:
Re: Event ID 1030 & 1058
Date:
09/19/2007 11:24:14
Hello,
Does this file really exist?
<\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
"bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
> Hello,
>
> I'm running a Windows 2003 Server domain with two servers (PDC & DC).
> A few days ago I restarted both servers by restarting the PDC first and then
> the DC and now I keep getting the following two errors in the event log:
>
> Event ID 1030
> 'Windows cannot query for the list of Group Policy objects. Check the event
> log for possible messages previously logged by the policy engine that
> describes the reason for this.'
>
> Event ID 1058
> Description: Windows cannot access the file gpt.ini for GPO
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com.
> The file must be present at the location
> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> (Error_Message). Group Policy processing aborted. For more
> information, see Help and Support Center at http://support.microsoft.com.
>
> This only started happening after the restarts.
> Should I attempt to restart both servers again to resolve?
>
> Thanks....
Top
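The two checks asked for in this thread (does gpt.ini exist at the path from event 1058, and does it look correct), as an added PowerShell example that is not part of the original posts. The DC host names PDC01 and DC02 are hypothetical; the domain name and GPO GUID are the ones quoted in the event text.

```powershell
# Added example: read the gpt.ini named in event 1058 through the domain path
# and directly from each DC, then compare what every replica reports.
param(
    [string]   $Domain  = 'domainname.com',
    [string]   $GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}',
    # First entry is the domain-based path from the event text; the other two
    # are hypothetical DC host names so that each SYSVOL replica is read directly.
    [string[]] $Servers = @('domainname.com', 'PDC01', 'DC02')
)

function Get-GptIniStatus {
    param([string]$Server, [string]$Domain, [string]$GpoGuid)

    $path   = "\\$Server\sysvol\$Domain\Policies\$GpoGuid\gpt.ini"
    $status = [ordered]@{
        Server          = $Server
        Path            = $path
        Reachable       = $false
        Version         = $null
        UserVersion     = $null
        ComputerVersion = $null
        Error           = $null
    }
    try {
        # -LiteralPath: the path is used exactly as written, no wildcard expansion.
        $lines = Get-Content -LiteralPath $path -ErrorAction Stop
        $status.Reachable = $true
        foreach ($line in $lines) {
            if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') {
                $v = [long]$Matches[1]
                $status.Version         = $v
                # gpt.ini stores a single number: user version in the high
                # 16 bits, computer version in the low 16 bits.
                $status.UserVersion     = $v -shr 16
                $status.ComputerVersion = $v -band 0xFFFF
            }
        }
        if ($null -eq $status.Version) {
            $status.Error = 'File readable but no Version= line found'
        }
    }
    catch {
        # Keep the underlying error (access denied, path not found, ...):
        # it is what event 1058 reports as (Error_Message).
        $status.Error = $_.Exception.Message
    }
    [pscustomobject]$status
}

$results = foreach ($s in $Servers) {
    Get-GptIniStatus -Server $s -Domain $Domain -GpoGuid $GpoGuid
}
$results | Format-Table Server, Reachable, UserVersion, ComputerVersion, Error -AutoSize

$unreachable = @($results | Where-Object { -not $_.Reachable })
$versions    = @($results |
                 Where-Object { $_.Reachable -and $null -ne $_.Version } |
                 ForEach-Object { $_.Version } |
                 Sort-Object -Unique)

if ($unreachable.Count -gt 0) {
    $names = ($unreachable | ForEach-Object { $_.Server }) -join ', '
    Write-Warning "gpt.ini not readable via: $names"
}
if ($versions.Count -gt 1) {
    Write-Warning "gpt.ini versions differ between replicas: $($versions -join ', ')"
}
```

A file that is readable on one DC but not through the domain path, or version numbers that differ between DCs, narrows the problem to name resolution or SYSVOL replication rather than the GPO itself.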
From: Mark Barratt
(remsup[remove]@gmail.com )
<MarkBarrattremsupremovegmailcom@discussions.microsoft.com>
To:
none
Subject:
Re: Enabling Content Advisor through Group Policy
Date:
09/28/2007 03:43:00
Hi Meinolf
maybe I'm not making myself particularly clear here
I have already defined the settings in the relevant security zones and
content ratings section
but on the client it still shows as disabled in IE7 (but it works in IE6)
email directly if you need any further clarification
Thanks
Mark
"Meinolf Weber" wrote:
> Hello Mark Barratt ) MarkBarrattremsupremovegmailcom@discussions.microsoft.com,
>
> You do not enable it with the .adm file. Go to user configuration > windows
> settings > internet explorer maintenance > security and double click security
> zones and content ratings.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
>
>> Thanks for that,
>>
>> however I already have that inetres adm file anyway, I just seem to be
>> 'missing' the option that says "enable content ratings"
>>
>> I can see the part where I import them from the current machines
>> settings but it stays 'disabled'
>>
>> any more advice??
>>
>> Regards
>>
>> Mark
>>
>> "Meinolf Weber" wrote:
>>
>>> Hello Mark Barratt )
>>> MarkBarrattremsupremovegmailcom@discussions.microsoft.com,
>>>
>>> Check this out:
>>> http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&DisplayLang=en
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>>> Hi All, hope you can help. I'm probably missing something glaringly
>>>> obvious here but let me provide some background first.
>>>>
>>>> SBS2003 - server
>>>> XP Pro SP2 - clients
>>>> IE7
>>>> We have a GP that had the content advisor enabled and certain sites
>>>> blocked with IE6, but since the 'upgrade' to IE7 the same policy has
>>>> stopped working.
>>>> The sites do not appear to be 'rolling out' to the clients and on
>>>> the content page the Content Advisor is showing as 'disabled' (an
>>>> option that the end user doesn't get to change)
>>>>
>>>> Is there a new ADM template for IE7 that I have overlooked?
>>>> Is there a setting to "Switch On Content Advisor in IE7"
>>>> I know the policy itself works as the one PC with IE6 is still
>>>> having the required sites blocked
>>>> Thanks in advance for any and all assistance in this matter
Top
From: Meinolf Weber
<meiweb(nospam)@gmx.de>
To:
none
Subject:
Re: Enabling Content Advisor through Group Policy
Date:
09/28/2007 03:26:36
Hello Mark Barratt ) MarkBarrattremsupremovegmailcom@discussions.microsoft.com,
You do not enable it with the .adm file. Go to user configuration > windows
settings > internet explorer maintenance > security and double click security
zones and content ratings.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
> Thanks for that,
>
> however I already have that inetres adm file anyway, I just seem to be
> 'missing' the option that says "enable content ratings"
>
> I can see the part where I import them from the current machines
> settings but it stays 'disabled'
>
> any more advice??
>
> Regards
>
> Mark
>
> "Meinolf Weber" wrote:
>
>> Hello Mark Barratt )
>> MarkBarrattremsupremovegmailcom@discussions.microsoft.com,
>>
>> Check this out:
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&DisplayLang=en
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>>> Hi All, hope you can help. I'm probably missing something glaringly
>>> obvious here but let me provide some background first.
>>>
>>> SBS2003 - server
>>> XP Pro SP2 - clients
>>> IE7
>>> We have a GP that had the content advisor enabled and certain sites
>>> blocked with IE6, but since the 'upgrade' to IE7 the same policy has
>>> stopped working.
>>> The sites do not appear to be 'rolling out' to the clients and on
>>> the content page the Content Advisor is showing as 'disabled' (an
>>> option that the end user doesn't get to change)
>>>
>>> Is there a new ADM template for IE7 that I have overlooked?
>>> Is there a setting to "Switch On Content Advisor in IE7"
>>> I know the policy itself works as the one PC with IE6 is still
>>> having the required sites blocked
>>> Thanks in advance for any and all assistance in this matter
Top
From: Mark Barratt
(remsup[remove]@gmail.com )
<MarkBarrattremsupremovegmailcom@discussions.microsoft.com>
To:
none
Subject:
Re: Enabling Content Advisor through Group Policy
Date:
09/27/2007 03:58:02
Thanks for that,
however I already have that inetres adm file anyway, I just seem to be
'missing' the option that says "enable content ratings"
I can see the part where I import them from the current machines settings
but it stays 'disabled'
any more advice??
Regards
Mark
"Meinolf Weber" wrote:
> Hello Mark Barratt ) MarkBarrattremsupremovegmailcom@discussions.microsoft.com,
>
> Check this out:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&DisplayLang=en
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
>
>> Hi All, hope you can help. I'm probably missing something glaringly
>> obvious here but let me provide some background first.
>>
>> SBS2003 - server
>> XP Pro SP2 - clients
>> IE7
>> We have a GP that had the content advisor enabled and certain sites
>> blocked with IE6, but since the 'upgrade' to IE7 the same policy has
>> stopped working.
>>
>> The sites do not appear to be 'rolling out' to the clients and on the
>> content page the Content Advisor is showing as 'disabled' (an option
>> that the end user doesn't get to change)
>>
>> Is there a new ADM template for IE7 that I have overlooked?
>> Is there a setting to "Switch On Content Advisor in IE7"
>> I know the policy itself works as the one PC with IE6 is still having
>> the required sites blocked
>> Thanks in advance for any and all assistance in this matter
Top
From: Meinolf Weber
<meiweb(nospam)@gmx.de>
To:
none
Subject:
Re: Enabling Content Advisor through Group Policy
Date:
09/26/2007 14:47:32
Hello Mark Barratt ) MarkBarrattremsupremovegmailcom@discussions.microsoft.com,
Check this out:
http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&DisplayLang=en
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
> Hi All, hope you can help. I'm probably missing something glaringly
> obvious here but let me provide some background first.
>
> SBS2003 - server
> XP Pro SP2 - clients
> IE7
> We have a GP that had the content advisor enabled and certain sites
> blocked with IE6, but since the 'upgrade' to IE7 the same policy has
> stopped working.
>
> The sites do not appear to be 'rolling out' to the clients and on the
> content page the Content Advisor is showing as 'disabled' (an option
> that the end user doesn't get to change)
>
> Is there a new ADM template for IE7 that I have overlooked?
> Is there a setting to "Switch On Content Advisor in IE7"
> I know the policy itself works as the one PC with IE6 is still having
> the required sites blocked
> Thanks in advance for any and all assistance in this matter
Top
From: Anthony <anthony.spam@spammedout.com>
To:
none
Subject:
Re: DST 2007
Date:
09/24/2007 02:59:37
Scripts run each time. You can add some logic to the script to check the key first,
but the script still has to run.
If you only run the script once (i.e. not in Group Policy) then you have the
question of what happens when you add a new computer.
Anthony,
http://www.airdesk.com
"el" <drop_msg -@- hotmail -DOT- com> wrote in message
news:%23TeqH2m$HHA.1168@TK2MSFTNGP02.phx.gbl...
Hi all,
I am new to deploying registry changes through group policy.
I followed the suggestion in KB 914387 to change the time zone setting on
multiple networked computers by creating a DST2007Update_Win2k.cmd file in the
\\[AD]\netlogon folder. I also created a new group policy in
Active Directory Users and Computers and put that .cmd file in Computer
Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup. I
tested it on a test machine and everything looked ok.
But I have a question to ask. If this test machine restarts again,
will that group policy (startup script) run on the test machine
again? If yes, is there any way to stop it from running again after
the first run?
TIA,
el
Top
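The "check the key first" logic from the reply above, as an added PowerShell example that is not part of the original posts. The marker key, value name and value are hypothetical, the .cmd path is the one from the question with its [AD] placeholder left in, and the clients are assumed to have PowerShell available.

```powershell
# Added example: run-once wrapper for a Group Policy startup script.
# The wrapper itself still runs at every boot, as the reply says; it only
# skips the real work once a marker value has been written.
param(
    [string]$UpdateScript = '\\[AD]\netlogon\DST2007Update_Win2k.cmd',  # replace [AD]
    # Hypothetical marker location. It sits under HKLM on purpose: startup
    # scripts run as Local System, and standard users cannot write there, so a
    # user cannot pre-create the marker to suppress the update.
    [string]$MarkerKey    = 'HKLM:\SOFTWARE\ExampleCorp\StartupOnce',
    [string]$MarkerName   = 'DST2007Update',
    [string]$MarkerValue  = 'applied-v1'
)

function Test-MarkerSet {
    param([string]$Key, [string]$Name, [string]$Expected)
    # Returns $false when the key or the value is missing.
    $props = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    ($null -ne $props) -and ([string]$props.$Name -eq $Expected)
}

function Set-Marker {
    param([string]$Key, [string]$Name, [string]$Value)
    if (-not (Test-Path -LiteralPath $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    New-ItemProperty -Path $Key -Name $Name -Value $Value `
        -PropertyType String -Force | Out-Null
}

if (Test-MarkerSet -Key $MarkerKey -Name $MarkerName -Expected $MarkerValue) {
    # Already applied on this machine: nothing to do.
    exit 0
}

# Run the original .cmd file and keep its exit code.
& $env:ComSpec /c $UpdateScript
$code = $LASTEXITCODE

if ($code -ne 0) {
    # Do not write the marker on failure, so the next boot retries.
    Write-Error "Update script failed with exit code $code; marker not written."
    exit $code
}

Set-Marker -Key $MarkerKey -Name $MarkerName -Value $MarkerValue
exit 0
```

Changing `$MarkerValue` (for example to `applied-v2`) makes every machine run the update once more, and a newly joined computer has no marker, so it picks the script up on its first boot.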
From: Lanwench [MVP - Exchange]
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com>
To:
none
Subject:
Re: Disable Volume Shadow Copy with Group Policy
Date:
09/21/2007 09:02:54
Olivier <Olivier@discussions.microsoft.com> wrote:
> Dear all,
>
> Currently every user in our organization has the right to restore
> files using the volume shadow copy functionality. We want to restrict
> these rights so that only the administrators group has this
> functionality. Can this be done through Group Policy. If so, how?
>
> Thanks in advance,
>
> Olivier
Do you want to deny them the ability to do *any* kind of activity with the
previous versions tab? Or just keep them from clicking Restore, which can
overwrite the "good" files of other users?
Most companies don't mind people having access to Previous Versions, as it
means users don't have to call the helpdesk for file restores. The users can
open/view the previous versions, and copy individual files where they like.
However, the "Restore" button can have serious and unexpectedly bad
consequences.
See the following:
http://support.microsoft.com/kb/888603 (you'll need to call for the hotfix)
and
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=10906
If you don't want them to have *any* access to the previous versions tab,
simply uninstall the Volume Shadow Copy Client from the workstations.
However, I wouldn't, as I find it very useful.
Top
From: Eduardo Nazato
<EduardoNazato@discussions.microsoft.com>
To:
none
Subject:
Re: Disable Terminal Services through User Configs
Date:
10/01/2007 07:16:00
Thanks moncho, but I did it another way:
- Created two security groups: one for the specific computers, and one for
  the users that need TS access
- Created a new GPO giving access through TS, but only for the security
  group containing the right users
- Linked the GPO to the computers OU, but applied it only to the security
  group with the specific computers, and put it as the last GPO to be applied
Simple, and worked well... I had to do some work, but no problem here :)
Thanks all for the try!
"moncho" wrote:
> Eduardo Nazato wrote:
>> Ok. It's because here in our AD all the users are in an OU, and all the
>> computers are on a different OU. Some weeks ago we had to block the access
>> through TS on all computers, using domain policies. But now some of the
>> computers need to be accessed through TS again, and they are too much.
>>
>> Because just a certain group of users need TS access on these computers, I
>> could re-enable TS for this group of users only. But then they could access
>> every computer in the domain through TS, and I don't want this to happen.
>>
>> So, is there a way to re-enable access through TS, but only for certain
>> users (to any computer where they log in)?
>
> You could create multiple security groups, add specific users to each
> group, then assign the specific group to allow access on the specific TS
> server. This may not be the most efficient way but it is possible.
>
> Example -
> SG A - john, tom
> SG B - dave, jane
>
> On local TS1 in Remote Desktop Users group add SG A
> On local TS2 in Remote Desktop Users group add SG B
>
> moncho
>
>> "Florian Frommherz [MVP]" wrote:
>>
>>> Howdie!
>>>
>>> Eduardo Nazato wrote:
>>>> I know I can restrict Terminal Services connections to a computer through
>>>> Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights\Allow log on through TS
>>>> But I'd like to know if there is a way to do the same, but using User
>>>> Configuration section
>>> Why would you need such a thing? I cannot imagine, at the moment, what
>>> you're trying to do. Could you please elaborate?
>>>
>>> cheers,
>>>
>>> Florian
>>> --
>>> Microsoft MVP - Windows Server - Group Policy.
>>> eMail: prename [at] frickelsoft [dot] net.
>>> blog: http://www.frickelsoft.net/blog.
Top
From: moncho
<moncho@NOspmanywhere.com>
To:
none
Subject:
Re: Disable Terminal Services through User Configs
Date:
09/29/2007 07:09:43
Eduardo Nazato wrote:
> Ok. It's because here in our AD all the users are in an OU, and all the
> computers are on a different OU. Some weeks ago we had to block the access
> through TS on all computers, using domain policies. But now some of the
> computers need to be accessed through TS again, and they are too much.
>
> Because just a certain group of users need TS access on these computers, I
> could re-enable TS for this group of users only. But then they could access
> every computer in the domain through TS, and I don't want this to happen.
>
> So, is there a way to re-enable access through TS, but only for certain
> users (to any computer where they log in)?
You could create multiple security groups, add specific users to each
group, then assign the specific group to allow access on the specific TS
server. This may not be the most efficient way but it is possible.
Example -
SG A - john, tom
SG B - dave, jane
On local TS1 in Remote Desktop Users group add SG A
On local TS2 in Remote Desktop Users group add SG B
moncho
> "Florian Frommherz [MVP]" wrote:
>
>> Howdie!
>>
>> Eduardo Nazato wrote:
>>> I know I can restrict Terminal Services connections to a computer through
>>> Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights\Allow log on through TS
>>> But I'd like to know if there is a way to do the same, but using User
>>> Configuration section
>> Why would you need such a thing? I cannot imagine, at the moment, what
>> you're trying to do. Could you please elaborate?
>>
>> cheers,
>>
>> Florian
>> --
>> Microsoft MVP - Windows Server - Group Policy.
>> eMail: prename [at] frickelsoft [dot] net.
>> blog: http://www.frickelsoft.net/blog.
Top
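A check that the per-server group assignment described above is what the servers actually have, as an added PowerShell example that is not part of the original posts. The server and group names follow the post's example; the EXAMPLE domain prefix is hypothetical, and the servers are assumed to allow PowerShell remoting and to have the Get-LocalGroupMember cmdlet (Windows PowerShell 5.1).

```powershell
# Added example: audit the local Remote Desktop Users group on each terminal
# server against the security group that is supposed to be in it.
$Expected = @{
    'TS1' = @('EXAMPLE\SG A')   # hypothetical domain prefix
    'TS2' = @('EXAMPLE\SG B')
}

function Compare-Membership {
    param([string[]]$Actual, [string[]]$Allowed)
    # -notcontains compares case-insensitively, which suits account names.
    [pscustomobject]@{
        Unexpected = @($Actual  | Where-Object { $Allowed -notcontains $_ })
        Missing    = @($Allowed | Where-Object { $Actual  -notcontains $_ })
    }
}

$report = foreach ($server in ($Expected.Keys | Sort-Object)) {
    try {
        $actual = @(Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            # S-1-5-32-555 is the well-known SID of the built-in Remote Desktop
            # Users group; using it avoids depending on the localized group name.
            $sid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-555'
            Get-LocalGroupMember -SID $sid | ForEach-Object { $_.Name }
        })
        $diff = Compare-Membership -Actual $actual -Allowed $Expected[$server]
        [pscustomobject]@{
            Server     = $server
            Members    = ($actual -join '; ')
            Unexpected = ($diff.Unexpected -join '; ')
            Missing    = ($diff.Missing -join '; ')
            Error      = $null
        }
    }
    catch {
        # Unreachable server or remoting failure: report it instead of
        # silently treating the group as empty.
        [pscustomobject]@{
            Server     = $server
            Members    = $null
            Unexpected = $null
            Missing    = $null
            Error      = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

$bad = @($report | Where-Object { $_.Unexpected -or $_.Missing -or $_.Error })
if ($bad.Count -gt 0) {
    Write-Warning ("Review needed on: " + (($bad | ForEach-Object { $_.Server }) -join ', '))
}
```

Group membership is only half of the picture: the "Allow log on through TS" user right quoted in the thread decides which groups may log on at all, so a GPO that changes that right should be reviewed alongside this report.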
From: Eduardo Nazato
<EduardoNazato@discussions.microsoft.com>
To:
none
Subject:
Re: Disable Terminal Services through User Configs
Date:
09/28/2007 08:01:02
Ok. It's because here in our AD all the users are in an OU, and all the
computers are on a different OU. Some weeks ago we had to block the access
through TS on all computers, using domain policies. But now some of the
computers need to be accessed through TS again, and they are too much.
Because just a certain group of users need TS access on these computers, I
could re-enable TS for this group of users only. But then they could access
every computer in the domain through TS, and I don't want this to happen.
So, is there a way to re-enable access through TS, but only for certain
users (to any computer where they log in)?
"Florian Frommherz [MVP]" wrote:
> Howdie!
>
> Eduardo Nazato wrote:
>> I know I can restrict Terminal Services connections to a computer through
>> Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights\Allow log on through TS
>> But I'd like to know if there is a way to do the same, but using User
>> Configuration section
>
> Why would you need such a thing? I cannot imagine, at the moment, what
> you're trying to do. Could you please elaborate?
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
Top
From: Florian Frommherz [MVP]
<florian@PLEASELEAVETHISOUT.frickelsoft.net>
To:
none
Subject:
Re: Disable Terminal Services through User Configs
Date:
09/28/2007 00:17:50
Howdie!
Eduardo Nazato wrote:
> I know I can restrict Terminal Services connections to a computer through
> Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights\Allow log on through TS
> But I'd like to know if there is a way to do the same, but using User
> Configuration section
Why would you need such a thing? I cannot imagine, at the moment, what
you're trying to do. Could you please elaborate?
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Top
From: Mathieu CHATEAU
<gollum123@free.fr>
To:
none
Subject:
Re: Disable Run in startmenu; no more typing IE address bar
Date:
09/17/2007 09:57:02
The real question is: what are you trying to protect from?
If they have standard user rights, they shouldn't be able to hurt your system
--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
"Willem" <Willem@discussions.microsoft.com> wrote in message
news:35D81957-0127-4079-9E0C-EA670DF20D62@microsoft.com...
> I want to disable the Run command for Terminal Server. They can start
> everything on the server with the run command.
>
> "Florian Frommherz [MVP]" wrote:
>
>> Howdie!
>>
>> Willem wrote:
>>> Thanks for your reply, but the question is:
>>>> "Willem" wrote in message
>>>>> Is there a workaround to disable the run command but to enable
>>>>> typing in the address bar?
>>> So is there a solution to work around the side effect?
>>
>> Not that I knew of. You could try to add shortcuts to common shares on
>> the user's desktops. Why is it, you want to restrict "Run"?
>>
>> cheers,
>>
>> Florian
>> --
>> Microsoft MVP - Windows Server - Group Policy.
>> eMail: prename [at] frickelsoft [dot] net.
>> blog: http://www.frickelsoft.net/blog.
Top
From: Willem
<Willem@discussions.microsoft.com>
To:
none
Subject:
Re: Disable Run in startmenu; no more typing IE address bar
Date:
09/17/2007 07:18:01
I want to disable the Run command for Terminal Server. They can start
everything on the server with the run command.
"Florian Frommherz [MVP]" wrote:
> Howdie!
>
> Willem wrote:
>> Thanks for your reply, but the question is:
>>> "Willem" wrote in message
>>>> Is there a workaround to disable the run command but to enable typing in
>>>> the address bar?
>> So is there a solution to work around the side effect?
>
> Not that I knew of. You could try to add shortcuts to common shares on
> the user's desktops. Why is it, you want to restrict "Run"?
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
Top
From: Mathieu CHATEAU
<gollum123@free.fr>
To:
none
Subject:
Re: Disable Run in startmenu; no more typing IE address bar
Date:
09/17/2007 07:00:36
I don't think so
--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
"Willem" <Willem@discussions.microsoft.com> wrote in message
news:270A7F84-7829-4784-9238-49D78753E684@microsoft.com...
> Thanks for your reply, but the question is:
>> "Willem" wrote in message
>>> Is there a workaround to disable the run command but to enable typing
>>> in the address bar?
> So is there a solution to work around the side effect?
>
> "Mathieu CHATEAU" wrote:
>
>> Hello,
>>
>> indeed this is a documented side effect:
>>
>> Allows you to remove the Run command from the Start menu, Internet Explorer,
>> and Task Manager. If you enable this setting, the following changes occur:
>> (1) The Run command is removed from the Start menu. (2) The New Task (Run)
>> command is removed from Task Manager. (3) The user will be blocked from
>> entering the following into the Internet Explorer Address Bar: --- A UNC
>> path: \\<server>\<share> --- Accessing local drives: e.g., C: ---
>> Accessing local folders: e.g., \temp> Also, users with extended keyboards
>> will no longer be able to display the Run dialog box by pressing the
>> Application key (the key with the Windows logo) + R. If you disable or do
>> not configure this setting, users will be able to access the Run command in
>> the Start menu and in Task Manager and use the Internet Explorer Address
>> Bar. Note: This setting affects the specified interface only. It does not
>> prevent users from using other methods to run programs. Note: It is a
>> requirement for third-party applications with Windows 2000 or later
>> certification to adhere to this setting.
>>
>> --
>> Regards,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "Willem" <Willem@discussions.microsoft.com> wrote in message
>> news:CE211EE4-D8C1-411F-8CD5-1AE9BDB6DBDE@microsoft.com...
>>> I removed the Run command from the startmenu (User settings/Administrative
>>> template/Start menu and taskbar/remove run from start menu) but a side
>>> effect is that users no longer can type a UNC path in the IE address bar.
>>>
>>> I've got drive mappings, i.e. I:\ maps to \\server\mymap
>>> When a user clicks to I:\2006\anothermap all works fine of course, but
>>> when the user wants to go to the same map in 2007 (I:\2007\anothermap) by
>>> just changing 2006 in 2007 in the address bar it is not allowed (because of
>>> the remove run policy).
>>>
>>> Is there a workaround to disable the run command but to enable typing
>>> in the address bar?
Top
From: Florian Frommherz [MVP]
<florian@PLEASELEAVETHISOUT.frickelsoft.net>
To:
none
Subject:
Re: Disable Run in startmenu; no more typing IE address bar
Date:
09/17/2007 06:41:39
Howdie!
Willem wrote:
> Thanks for your reply, but the question is:
>> "Willem" wrote in message
>>> Is there a workaround to disable the run command but to enable typing in
>>> the address bar?
> So is there a solution to work around the side effect?
Not that I knew of. You could try to add shortcuts to common shares on
the user's desktops. Why is it, you want to restrict "Run"?
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Top
From: Willem
<Willem@discussions.microsoft.com>
To:
none
Subject:
Re: Disable Run in startmenu; no more typing IE address bar
Date:
09/17/2007 06:08:01
Thanks for your reply, but the question is:
> "Willem" wrote in message
>> Is there a workaround to disable the run command but to enable typing in
>> the address bar?
So is there a solution to work around the side effect?
"Mathieu CHATEAU" wrote:
> Hello,
>
> indeed this is a documented side effect:
>
> Allows you to remove the Run command from the Start menu, Internet Explorer,
> and Task Manager. If you enable this setting, the following changes occur:
> (1) The Run command is removed from the Start menu. (2) The New Task (Run)
> command is removed from Task Manager. (3) The user will be blocked from
> entering the following into the Internet Explorer Address Bar: --- A UNC
> path: \\<server>\<share> --- Accessing local drives: e.g., C: ---
> Accessing local folders: e.g., \temp> Also, users with extended keyboards
> will no longer be able to display the Run dialog box by pressing the
> Application key (the key with the Windows logo) + R. If you disable or do
> not configure this setting, users will be able to access the Run command in
> the Start menu and in Task Manager and use the Internet Explorer Address
> Bar. Note: This setting affects the specified interface only. It does not
> prevent users from using other methods to run programs. Note: It is a
> requirement for third-party applications with Windows 2000 or later
> certification to adhere to this setting.
> --
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
> "Willem" <Willem@discussions.microsoft.com> wrote in message
> news:CE211EE4-D8C1-411F-8CD5-1AE9BDB6DBDE@microsoft.com...
>> I removed the Run command from the startmenu (User settings/Administrative
>> template/Start menu and taskbar/remove run from start menu) but a side
>> effect is that users no longer can type a UNC path in the IE address bar.
>>
>> I've got drive mappings, i.e. I:\ maps to \\server\mymap
>> When a user clicks to I:\2006\anothermap all works fine of course, but
>> when the user wants to go to the same map in 2007 (I:\2007\anothermap) by just
>> changing 2006 in 2007 in the address bar it is not allowed (because of the
>> remove run policy).
>>
>> Is there a workaround to disable the run command but to enable typing in
>> the address bar?
Top
From: Mathieu CHATEAU
<gollum123@free.fr>
To:
none
Subject:
Re: Disable Run in startmenu; no more typing IE address bar
Date:
09/17/2007 05:56:55
Hello,
indeed this is a documented side effect:
Allows you to remove the Run command from the Start menu, Internet Explorer,
and Task Manager. If you enable this setting, the following changes occur:
(1) The Run command is removed from the Start menu. (2) The New Task (Run)
command is removed from Task Manager. (3) The user will be blocked from
entering the following into the Internet Explorer Address Bar: --- A UNC
path: \\<server>\<share> --- Accessing local drives: e.g., C: ---
Accessing local folders: e.g., \temp> Also, users with extended keyboards
will no longer be able to display the Run dialog box by pressing the
Application key (the key with the Windows logo) + R. If you disable or do
not configure this setting, users will be able to access the Run command in
the Start menu and in Task Manager and use the Internet Explorer Address
Bar. Note: This setting affects the specified interface only. It does not
prevent users from using other methods to run programs. Note: It is a
requirement for third-party applications with Windows 2000 or later
certification to adhere to this setting.
--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
"Willem" <Willem@discussions.microsoft.com> wrote in message
news:CE211EE4-D8C1-411F-8CD5-1AE9BDB6DBDE@microsoft.com...
> I removed the Run command from the startmenu (User settings/Administrative
> template/Start menu and taskbar/remove run from start menu) but a side
> effect is that users no longer can type a UNC path in the IE address bar.
>
> I've got drive mappings, i.e. I:\ maps to \\server\mymap
> When a user clicks to I:\2006\anothermap all works fine of course, but
> when the user wants to go to the same map in 2007 (I:\2007\anothermap) by just
> changing 2006 in 2007 in the address bar it is not allowed (because of the
> remove run policy).
>
> Is there a workaround to disable the run command but to enable typing in
> the address bar?
Top
From: G Johansson
<fantomen@NOSPAM.GPfaq.se>
To:
none
Subject:
Re: Disable General Page for IE in Computer node does not work
Date:
09/25/2007 15:35:36
I think the USER node "wins" in this case.
Which means if you put disable in COMPUTER and enable in USER the final
result will be that it's enabled.
MS GPOsettings file doesn't say anything about this so I think the above is
correct...
--
Regards G Johansson
fantomen@NOSPAM.GPfaq.se
http://GPfaq.se
"T" <T@discussions.microsoft.com> wrote in message
news:F0CCC32F-3F0B-4031-8139-51CE55A9412E@microsoft.com...
> How does the COMPUTER node vs USER node take preference for IE. We want
> to disable the General Page and set the default home page in IE using the
> computer node and not the user node. When I set disable the general page
> in the computer node it is not working. The RSoP said it was the runling
> Policy and it was set appropriately but when I went into IE the general
> page was not disabled.
Top
From: Chris.Coops
<chris.coops@hotmail.co.uk>
To:
none
Subject:
Re: Different User GPO depending on computer logging onto
Date:
09/27/2007 06:43:21
On 27 Sep, 12:13, "Chris.Coops" <chris.co...@hotmail.co.uk> wrote:
> Hi all,
> I hope there's someone out there that can help...
>
> I want to strip and lockdown the desktop when our users logon to a
> terminal services server without it affecting their logon to their
> local desktop.
> I have users in 1 OU, their desktop/laptop in another OU, and the
> terminal servers in third OU. I have 3 policies which apply to the
> users, their computer and the terminal servers individually, however,
> if I apply the terminal server GPO to the users, this means their own
> computer is also locked down.
>
> I want the GPO to only lockdown the desktop when the user's logon to
> the terminal servers, and at no other time.
>
> Does anyone know of a way of doing this?
>
> Thanks
> Chris
Brilliant, thanks very much. If only it was more obviously titled so a
quick search could have found it, and not been one of those frequent
newsgroup questions you're always coming across!
Chris
Top
From: Florian Frommherz [MVP]
<florian@PLEASELEAVETHISOUT.frickelsoft.net>
To:
none
Subject:
Re: Different User GPO depending on computer logging onto
Date:
09/27/2007 06:22:26
Howdie!
Chris.Coops wrote:
> I want the GPO to only lockdown the desktop when the user's logon to
> the terminal servers, and at no other time.
Your keyword is "Loopback Processing Mode":
http://www.frickelsoft.net/blog/?p=22
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Top
From: Cassidy Macfarlane <CassidyMacfarlane@discussions.microsoft.com>
To: none
Subject: RE: Deploy MSN Live Messenger through Group Policy
Date: 09/26/2007 09:18:07

OK, I have found a fix for this, folks:

you have to download the windows installer SDK (free)
install the 'Orca' MSI config tool (found in the 'bin' folder of the SDK install)
use orca to edit the MSI you extract from the messenger installer to add the
'AdvtExecuteSequence' table, then add the following rows to that table.

Action                   Sequence
CostInitialize           800
CostFinalize             1000
InstallValidate          1400
InstallInitialize        1500
CreateShortcuts          4500
RegisterClassInfo        4600
RegisterExtensionInfo    4700
RegisterProgIdInfo       4800
RegisterMIMEInfo         4900
PublishComponents        6200
MsiPublishAssemblies     6250
PublishFeatures          6300
PublishProduct           6400
InstallFinalize          6600

then add the final row to that table:

action: ProgramMenuFolder.ADEB440D_7847_4F65_80BD_899870ED2EC9
condition: {NULL}
sequence: 1

this fixed it for me. Apparently MS have deliberately disabled GP publish
functionality for Live messenger, the additions above simply re-enable it.

good luck with this, caused me a headache, but it IS working now.

cheers

"rscyber" wrote:
>
> Hi, i have the same problem.
> "Cassidy Macfarlane" wrote:
>
> > I am having the exact same problem - after a recent auto-update through WSUS,
> > some clients are getting 'a new version of messenger is available' prompts,
> > and when I try to publish the msnmsgs.MSI extracted from
> > install_messenger.exe through GP, I get the error as shown by Per-Torben
> > below.
> >
> > Thanks in advance for any assistance.
> >
> > "Per-Torben Sørensen" wrote:
> >
> > > Hello.
> > >
> > > I'm trying to publish MSN Live Messenger to users via a group policy but the
> > > install keeps failing with "A fatal error occurred during installation". The
> > > "always install with elevated privileges" policy is enabled on both users and
> > > computer settings and they have access to the share. The users are not local
> > > admins on their desktops.
> > >
> > > Anyone who can help me please?
> > >
> > > Regards
> > > Per-Torben Sørensen
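The Orca steps in the post above, scripted through the Windows Installer automation interface. This is an added example, not code from the thread; `$MsiPath` and the helper function names are assumptions, and it is meant to be run against a copy of the extracted MSI.

```powershell
# Added example: applies the AdvtExecuteSequence rows from the post to an MSI.
param([Parameter(Mandatory)][string]$MsiPath)   # assumed: a copy of the extracted MSI

# Action => Sequence, exactly as listed in the post; Condition stays NULL.
$rows = [ordered]@{
    'CostInitialize'        = 800
    'CostFinalize'          = 1000
    'InstallValidate'       = 1400
    'InstallInitialize'     = 1500
    'CreateShortcuts'       = 4500
    'RegisterClassInfo'     = 4600
    'RegisterExtensionInfo' = 4700
    'RegisterProgIdInfo'    = 4800
    'RegisterMIMEInfo'      = 4900
    'PublishComponents'     = 6200
    'MsiPublishAssemblies'  = 6250
    'PublishFeatures'       = 6300
    'PublishProduct'        = 6400
    'InstallFinalize'       = 6600
    # Final row from the post (line-wrap space in the GUID suffix removed).
    'ProgramMenuFolder.ADEB440D_7847_4F65_80BD_899870ED2EC9' = 1
}

# The installer COM objects expose no type information to PowerShell,
# so members are called late-bound through reflection.
function Invoke-MsiMember {
    param($Target, [string]$Name, [object[]]$Arguments = @(),
          [Reflection.BindingFlags]$Kind = 'InvokeMethod')
    $Target.GetType().InvokeMember($Name, $Kind, $null, $Target, $Arguments)
}
function Invoke-MsiSql {
    param($Database, [string]$Sql)
    $view = Invoke-MsiMember $Database 'OpenView' @($Sql)
    Invoke-MsiMember $view 'Execute' | Out-Null
    Invoke-MsiMember $view 'Close'   | Out-Null
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$fullPath  = (Resolve-Path -LiteralPath $MsiPath).Path
$db = Invoke-MsiMember $installer 'OpenDatabase' @($fullPath, 1)   # 1 = transacted mode
# TablePersistent returns 1 when the table already exists as a persistent table.
$state = Invoke-MsiMember $db 'TablePersistent' @('AdvtExecuteSequence') 'GetProperty'
if ($state -ne 1) {
    Invoke-MsiSql $db ('CREATE TABLE `AdvtExecuteSequence` (`Action` CHAR(72) NOT NULL, ' +
                       '`Condition` CHAR(255), `Sequence` SHORT PRIMARY KEY `Action`)')
}
foreach ($row in $rows.GetEnumerator()) {
    $values = "VALUES ('{0}', {1})" -f $row.Key, $row.Value
    Invoke-MsiSql $db ('INSERT INTO `AdvtExecuteSequence` (`Action`, `Sequence`) ' + $values)
}
Invoke-MsiMember $db 'Commit' | Out-Null
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)   # release the file handle
```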
Top
From: rscyber <rscyber@discussions.microsoft.com>
To: none
Subject: RE: Deploy MSN Live Messenger through Group Policy
Date: 09/25/2007 14:40:05

Hi, i have the same problem.

"Cassidy Macfarlane" wrote:
> I am having the exact same problem - after a recent auto-update through WSUS,
> some clients are getting 'a new version of messenger is available' prompts,
> and when I try to publish the msnmsgs.MSI extracted from
> install_messenger.exe through GP, I get the error as shown by Per-Torben
> below.
>
> Thanks in advance for any assistance.
>
> "Per-Torben Sørensen" wrote:
>
> > Hello.
> >
> > I'm trying to publish MSN Live Messenger to users via a group policy but the
> > install keeps failing with "A fatal error occurred during installation". The
> > "always install with elevated privileges" policy is enabled on both users and
> > computer settings and they have access to the share. The users are not local
> > admins on their desktops.
> >
> > Anyone who can help me please?
> >
> > Regards
> > Per-Torben Sørensen
Top
From: Cassidy Macfarlane <CassidyMacfarlane@discussions.microsoft.com>
To: none
Subject: RE: Deploy MSN Live Messenger through Group Policy
Date: 09/20/2007 11:46:03

I am having the exact same problem - after a recent auto-update through WSUS,
some clients are getting 'a new version of messenger is available' prompts,
and when I try to publish the msnmsgs.MSI extracted from
install_messenger.exe through GP, I get the error as shown by Per-Torben
below.

Thanks in advance for any assistance.

"Per-Torben Sørensen" wrote:
> Hello.
>
> I'm trying to publish MSN Live Messenger to users via a group policy but the
> install keeps failing with "A fatal error occurred during installation". The
> "always install with elevated privileges" policy is enabled on both users and
> computer settings and they have access to the share. The users are not local
> admins on their desktops.
>
> Anyone who can help me please?
>
> Regards
> Per-Torben Sørensen
Top
From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>
To: none
Subject: Re: Deny Clear all Events in Event Viewer?
Date: 09/19/2007 11:06:54

BayCoMIS wrote:
> Hello.
>
> I have a user who will clear her own event logs, which I do not want
> her doing. I'm unsure of a way to do this within the Group Policy.
>
> I don't mind that she can view it or make a backup of it. I just
> don't want her -- or anyone who is not an Administrator -- to have
> the ability to clear out a log.
>
> Any help would be most appreciated!

http://msdn2.microsoft.com/en-us/library/4xz6w79h(VS.80).aspx

Lists the permissions required for the event logs. You have some room to
'tweak' a novice, but as administrator there's limits on your overall
success.
--
/kj
Top
From: Roger Abell [MVP] <mvpNoSpam@asu.edu>
To: none
Subject: Re: Deny Clear all Events in Event Viewer?
Date: 09/19/2007 09:54:22

I agree with Mathieu in that users should not be admin, that the vast
majority of old software can be made to work without grant of admin.
I also wanted to add that there is no simple way to prevent an admin
from doing things allowed to Administrators, like clearing the event logs,
and when one does find a way it is usually not difficult for the admin
to walk around / ignore the restriction.

Roger

"BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message
news:E382324C-43DC-4857-9C6F-ABA09E5CA1A3@microsoft.com...
> I appreciate the fast response; I suppose I should have provided more
> information in my first request.
>
> True, she is a local admin, but we are running some (archaic) software
> that requires the user to be a local admin, so we cannot change that without
> killing access to the software she's using.
>
> So, is there any way within Group Policy to deny access to "Clear all
> Events" to a user on a system, based on the user's login name?
>
> Patrick
>
> "Mathieu CHATEAU" wrote:
>
>> standard user can't clear eventlog
>>
>> So if she can, she would be local admin
>>
>> --
>> Regards,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message
>> news:A0B0B521-C229-4E22-B14D-E0C0208C19B1@microsoft.com...
>> > Hello.
>> >
>> > I have a user who will clear her own event logs, which I do not want her
>> > doing. I'm unsure of a way to do this within the Group Policy.
>> >
>> > I don't mind that she can view it or make a backup of it. I just don't want
>> > her -- or anyone who is not an Administrator -- to have the ability to clear
>> > out a log.
>> >
>> > Any help would be most appreciated!
Top
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Deny Clear all Events in Event Viewer?
Date: 09/18/2007 14:37:19

Even very old software can work without admin rights.
Just use process monitor to identify the bad things it will get denied with
a standard account
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

Getting rid of having admin users should be in your high priority.
I have done it many times, never found an application that couldn't work
with standard user + ntfs/registry right

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message
news:E382324C-43DC-4857-9C6F-ABA09E5CA1A3@microsoft.com...
> I appreciate the fast response; I suppose I should have provided more
> information in my first request.
>
> True, she is a local admin, but we are running some (archaic) software
> that requires the user to be a local admin, so we cannot change that without
> killing access to the software she's using.
>
> So, is there any way within Group Policy to deny access to "Clear all
> Events" to a user on a system, based on the user's login name?
>
> Patrick
>
> "Mathieu CHATEAU" wrote:
>
>> standard user can't clear eventlog
>>
>> So if she can, she would be local admin
>>
>> --
>> Regards,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message
>> news:A0B0B521-C229-4E22-B14D-E0C0208C19B1@microsoft.com...
>> > Hello.
>> >
>> > I have a user who will clear her own event logs, which I do not want her
>> > doing. I'm unsure of a way to do this within the Group Policy.
>> >
>> > I don't mind that she can view it or make a backup of it. I just don't want
>> > her -- or anyone who is not an Administrator -- to have the ability to clear
>> > out a log.
>> >
>> > Any help would be most appreciated!
Top
From: BayCoMIS <BayCoMIS@discussions.microsoft.com>
To: none
Subject: Re: Deny Clear all Events in Event Viewer?
Date: 09/18/2007 14:32:01

I appreciate the fast response; I suppose I should have provided more
information in my first request.

True, she is a local admin, but we are running some (archaic) software that
requires the user to be a local admin, so we cannot change that without
killing access to the software she's using.

So, is there any way within Group Policy to deny access to "Clear all
Events" to a user on a system, based on the user's login name?

Patrick

"Mathieu CHATEAU" wrote:
> standard user can't clear eventlog
>
> So if she can, she would be local admin
>
> --
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
> "BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message
> news:A0B0B521-C229-4E22-B14D-E0C0208C19B1@microsoft.com...
> > Hello.
> >
> > I have a user who will clear her own event logs, which I do not want her
> > doing. I'm unsure of a way to do this within the Group Policy.
> >
> > I don't mind that she can view it or make a backup of it. I just don't want
> > her -- or anyone who is not an Administrator -- to have the ability to clear
> > out a log.
> >
> > Any help would be most appreciated!
Top
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Deny Clear all Events in Event Viewer?
Date: 09/18/2007 14:20:55

standard user can't clear eventlog

So if she can, she would be local admin

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message
news:A0B0B521-C229-4E22-B14D-E0C0208C19B1@microsoft.com...
> Hello.
>
> I have a user who will clear her own event logs, which I do not want her
> doing. I'm unsure of a way to do this within the Group Policy.
>
> I don't mind that she can view it or make a backup of it. I just don't want
> her -- or anyone who is not an Administrator -- to have the ability to clear
> out a log.
>
> Any help would be most appreciated!
Top
From: Kyle Blake <KyleBlake@discussions.microsoft.com>
To: none
Subject: RE: Deleting a GPO FULLY
Date: 09/25/2007 12:14:00

Forget it I found it.

Thanks
---------------------------------------------------
If you delete a "link" to a Group Policy, that does not "delete" the Group
Policy.

In GPMC, open the built in Group Policy Objects container (the last item in
the list under the Domain name) and delete the GPO from there. You will
get a prompt asking you if you really want to delete the GPO.

Depending on how replication is configured in your domain, it can take
several minutes (e.g. more than 5 minutes) for a change (including addition
or deletion of a GPO) to get replicated to all of the domain controllers.
--
Bruce Sanderson MVP

"Kyle Blake" wrote:
> Hi,
>
> I'm using Group Policy Mgmt Console V1.02 with MMC v3.
>
> I'm having problems deleting the whole GPO.
>
> I right click delete but I still see the old code in sysvol.
>
> In the old days before this console AD users and Computers did a good job
> of ensuring you had that choice.
>
> I'm missing something, can someone tell where the new way to delete it is?
Top
From: NH <nh@noreply.com>
To: none
Subject: Re: Deleted GPO
Date: 09/21/2007 14:40:12

2003 R2.

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message news:
ff16fb6658f738c9caaaf4cb84c8@msnews.microsoft.com...
> Hello NH,
>
> Which server version did you use, 2000 or 2003?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
>
>> I created GPOs to install printers.
>> Now, I don't need those GPO. I deleted these GPO but they still
>> apply.
>> How can I deactivate those GPO ?
Top
From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Deleted GPO
Date: 09/21/2007 14:10:22

Hello NH,

Which server version did you use, 2000 or 2003?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> I created GPOs to install printers.
> Now, I don't need those GPO. I deleted these GPO but they still
> apply.
> How can I deactivate those GPO ?
Top
From: Phillip Windell <philwindell@hotmail.com>
To: none
Subject: Re: Define intranet zone
Date: 09/26/2007 08:35:32

Once you do that you will have to define All entries in All the Zones,...it
will no longer be able to be done at the local machine.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Björn" <bjoernurbanek@gmx.de> wrote in message
news:%23gGeeCEAIHA.536@TK2MSFTNGP06.phx.gbl...
> Hello NG!
>
> I want to define one entry in "IE Security -> intranet zone -> site" with
> GPOs.
> Is it possible and how can I make it?
>
> Many Thanks!
Top
From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>
To: none
Subject: Re: default number of concurrent login allowed by GP
Date: 09/18/2007 13:16:24

Howdie!

Dan wrote:
> What is the default number of concurrent logins allowed by GP is not
> configured for anything number?

There is no default limit on how many (different) machines a user can be
logged on at the same time. People can log on to any number of machines
they wish.

You cannot limit this via Group Policy - you'd need a third party tool
like limitlogon or something like that in order to handle that.

cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Top
From: Roger Abell [MVP] <mvpNoSpam@asu.edu>
To: none
Subject: Re: default number of concurrent login allowed by GP
Date: 09/18/2007 10:46:39

There is no constraint imposed by Windows on the number of
concurrent authenticated login sessions an account may have.

Take a look at (the somewhat involved to implement)
limitlogon (newer)
cconnect (older reskit)
or the relatively simple method with network shares
http://support.microsoft.com/kb/260364

Roger

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:31522B58-AF4D-4894-864F-9B12FB672653@microsoft.com...
> What is the default number of concurrent logins allowed by GP is not
> configured for anything number?
>
> Then if I need to alter this, where in GP or where the config lives, do I
> make the alterations?
>
> I don't see anything about it in my default user security policy.
Top