
 

 

 

 

From: Paul Glickenhaus <PaulGlickenhaus@discussions.microsoft.com>

To: none

Subject: Re: force without reboot and logoff

Date: 09/19/2007 07:52:03

 

 

Thanks that was the solution.

 

Paul

 

 

 



 

 

 

From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>

To: none

Subject: Re: force without reboot and logoff

Date: 09/18/2007 13:42:36

 

 

Howdie Paul!

 

Paul Glickenhaus wrote:

> I have a policy to manage the IE proxy exceptions.  It seems that this can

> only be applied via a /force.  This will require a reboot / or logoff.  Is

> there a way to apply policies that need to be forced without the reboot?

 

Is it just about IE proxy exceptions? See the following Group Policy,

that may help:

 

CompConf\AdmTemp\System\Group Policy\ - "Internet Explorer Maintenance

policy processing" - "Process even if the Group Policy objects

have not changed"

 

cheers,

 

Florian

--

Microsoft MVP - Windows Server - Group Policy.

eMail: prename [at] frickelsoft [dot] net.

blog: http://www.frickelsoft.net/blog.

 

 

 



 

 

 

From: ejmichaud@hotmail.com

To: none

Subject: Re: Folder Redirection / Offline Files / Synchronization manager ....Ahhhhh!

Date: 09/27/2007 13:52:13

 

 

After further testing I was able to determine that the necessary GPO

setting to prevent the synchronization manager from appearing on

desktops is: "Allow or Disallow use of the Offline Files feature".

 

For those who might be curious, here is an explanation of the approach

I have chosen:

Goals:

1. Redirect My Documents to a network location (DFS Namespace). DFS

Namespace provides greater flexibility for the future since there are

no hard-coded server names or share names in the redirected path.

2. Be able to roll out the folder redirection for small groups of

users at a time, instead of all the users immediately

3. Do not make the My Documents available offline for all devices

except mobile devices (laptops/tablets). For mobile devices, the end

users on the devices may work disconnected from the network from time

to time, when they are disconnected we still want those users to have

access to their "My Documents" when disconnected from the network.

4. Make the implementation as seamless as possible for the end user.

5. Have separate policies to turn on offline files for mobile devices,

but not have separate policies that are required to disable offline

files for desktops/laptops. In other words, top level policy disables

offline folders for all devices (setting turn off offline files as the

default), but have separate policies that can enable offline files for

mobile devices. If we create an OU, we don't want to have to link a

policy to that OU to disable automatic caching of the redirected My

Documents folder.

6. Do not have offline files automatically cache files for those who

support end users but still allow them the ability to manually set My

Documents to be set as offline. When support personnel log into other

laptops, we don't want the support personnel's My Documents to be

cached as offline on that device. However, for those support personnel

who have mobile devices, we still want to allow them the ability to

set their "My Documents" as offline files.

 

To implement My Documents folder redirection four GPOs will be used.

The four GPOs and their settings are listed below, explanation of the

approach taken and explanations of why particular GPO settings were

used can be found below the listed settings.

Disable Offline Files
  General
    Links
      Root of domain
  Computer Configuration
    Administrative Templates
      Network/Offline Files
        Allow or Disallow use of the Offline Files feature: Disabled

My Documents Redirection
  General
    Links
      (OU with users who will receive My Documents redirection, eventually root of domain)
  User Configuration
    Folder Redirection
      My Documents
        Setting: Advanced (Specify locations for various user groups)
          GROUP1: Location1
        Options
          Grant user exclusive rights to My Documents: Disabled
          Move the contents of My Documents to the new location: Enabled
          Policy Removal Behavior: Restore Contents

Configure Offline Files (1 of 2)
  General
    Links
      (All Laptop-Tablet OUs)
    Delegation
      (Support people group(s) will have Apply Group Policy=Deny)
  Computer Configuration
    Administrative Templates
      Network/Offline Files
        Allow or Disallow use of the Offline Files Feature: Enabled
      System/Group Policy
        User Group Policy loopback processing mode: Enabled
          Mode: Merge
  User Configuration
    Administrative Templates
      Network/Offline Files
        Event Logging Level: Enabled (3)
        Synchronize all offline files before logging off: Enabled
        Synchronize offline files before suspend: Enabled
          Type of sync to perform when suspending: Full

Configure Offline Files (2 of 2)
  General
    Links
      (All Laptop-Tablet OUs)
    Delegation
      (Authenticated Users removed)
    Security Filtering
      (Support people group(s), only those in these group(s) will receive this policy)
  Computer Configuration
    Administrative Templates
      System/Group Policy
        User Group Policy loopback processing mode: Enabled
          Mode: Merge
  User Configuration
    Administrative Templates
      Network/Offline Files
        Do not automatically make redirected folders available offline: Enabled

 

The first question after reviewing the group policies likely is why

four GPOs to accomplish this. The answer is simply that after

significant testing that number of GPOs was the least number that

could be used to accomplish all my goals. Below you will find

descriptions of each of the policies:

Disable Offline Files

The essential purpose of this GPO is to disable offline files. This

GPO will be linked to the root of the domain.

Q. Why disable offline files?

A. Testing has shown that this is the only Group Policy setting that

could be used to prevent the synchronization manager from appearing on

desktops/servers (during a logoff) after folder redirection was

implemented. Since we want to make folder redirection as seamless as

possible, we didn't want end users of desktops or Citrix/Terminal

servers to be seeing the synchronization manager running at logoff,

even though the synchronization manager isn't syncing anything.

Q. Why link this policy at the root?

A. We want to make sure that all devices (desktops/servers/special

project machines/test computers/etc.) receive this policy. This will

eliminate the synchronization manager from automatically being

displayed on any device in which it is not intended to run on.

Q. What about mobile devices, don't we want them to have offline files

available?

A. Another policy linked at each of the Laptops-Tablets OU will

override this policy making Offline Files available for mobile

devices.

Q. Why not use the "Do not automatically make redirected folders

available offline" setting instead?

A. Although the "Do not automatically make redirected folders

available offline" GPO setting will prevent the redirected "My

Documents" folder from automatically being made available offline, it

will not prevent the synchronization manager from running, even though

there are no offline files to synchronize. The "Allow or Disallow use

of the Offline Files feature" setting serves both purposes; it

prevents offline files from automatically being made available

offline, and it prevents the synchronization manager from running.

 

My Documents Redirection

The essential purpose of this GPO is to redirect the end user's "My

Documents" folder to an appropriate network location. This policy uses

group membership to determine the appropriate network location the

user's "My Documents" folder should be redirected to.

Q. What happens if a user isn't a member of any of the groups defined

in the policy, but the user is receiving the policy?

A. The user's "My Documents" folder will not be redirected.

Q. What happens if a user is a member of multiple groups, likely a

result of being employed for multiple affiliates?

A. The top most group that the user is a member of listed in the "My

Documents Redirection" GPO will be the winning location for the user's

My Documents folder to be redirected to.

Q. What happens if the user's group membership changes?

A. When group membership changes from one group to another, the user's

data will be transferred from the old location to the location

specified by the new group membership.

Q. What happens to the user's data if they are removed from the group

that is used to determine the appropriate location to re-direct the My

Documents folder?

A. When a user is removed from the group that is used to re-direct "My

Documents" that data will be transferred back to the default "My

Documents" path on the user's local computer. The user's data will

then only be available from that one computer. The user's folder will

still exist on the network, however it will be empty.

 

Configure Offline Files (1 of 2)

The essential purpose of this GPO is to make "My Documents" available

offline for users of mobile devices; this is done so that the user's

"My Documents" is still available when the user isn't connected to the

network. This policy is linked to each of the Laptops-Tablets OUs.

Through delegation, this policy is denied to Support Personnel; note

however that only the user configuration side is denied, the computer

configuration side still applies regardless of who logs in.

In the Computer Configuration side of the GPO, "Allow or Disallow use

of the Offline Files Feature" is enabled which overrides the Disabled

setting from the "Disable Offline Files" GPO.

Loopback processing is enabled, to allow the user configuration

settings to apply to almost all users who log into the laptops.

Q. Why use loopback processing, the user configuration settings that

are applied in this policy are also available in the computer

configuration side. Why not just use the computer configuration

settings?

A. We don't want these settings to apply to all users, we want to deny

the settings (deny setting the redirected My Documents folder to

automatically be setup as an offline folder) for support personnel. If

we were to use the computer configuration side settings, there would

be no way to deny these settings for some users since it would be

applied at the computer level for all users. By denying the "Apply

Group Policy" permission VIA delegation, we can prevent support

personnel from automatically setting My Documents as an offline

folder.

 

Configure Offline Files (2 of 2)

The essential purpose of this GPO is to aid in the prevention of

automatically setting the user's "My Documents" folder as offline for

support personnel. Since the default for Windows XP is to

automatically make redirected folders available offline, we need this

policy to disable the default action for Windows XP. Using Security

Filtering, only support personnel will receive this policy. This

policy is linked to each of the Laptops-Tablets OUs.

Loopback processing is enabled; this is done to allow the user

configuration setting to apply to support personnel who log into the

laptops.

Q. Can't "Configure Offline Files (1 of 2)" and "Configure Offline

Files (2 of 2)" be combined?

A. No, because the setting in "Configure Offline Files (2 of 2)"

contradicts the settings in "Configure Offline Files (1 of 2)". Normal

end users will only receive the "Configure Offline Files (1 of 2)" GPO

whereas support personnel will only receive the "Configure Offline

Files (2 of 2)".

Q. Why can't the "Do not automatically make redirected folders

available offline" setting be disabled in the "Disable Offline Files"

GPO, then in the "Configure Offline Files (1 of 2)" the setting be

enabled?

A. In theory you would expect this combination to work properly. You

would expect that "automatically make redirected folders offline"

would be disabled for all users/devices, but would then be enabled for

all users of laptops except for support personnel. Testing has shown

that with this GPO settings configuration, for some unknown reason,

when laptop users reboot or shut down the synchronization manager

doesn't run, interestingly enough though during a logoff the

synchronization manager works as expected. By applying the GPO

settings in the fashion documented, i.e. using "Configure Offline

Files (2 of 2)" we can get everything to work as expected.

Q. For support personnel with mobile devices, how can their redirected

My Documents folder be made available offline since the "Configure

Offline Files (1 of 2)" and "Configure Offline Files (2 of 2)" prevent

this from happening automatically.

A. Right click on "My Documents" and select "Make Available Offline"
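
The four-GPO layout described in this post, as an added Python model (not part of the original post): a simplified resultant-set calculation showing how link order, Apply Group Policy=Deny, security filtering and loopback merge combine for a desktop user, a laptop user and a support person on a laptop. The container names ("Domain", "Users OU", "Desktop OU", "Laptop-Tablet OU"), the group name "Support" and the shortened setting list are assumptions; the behaviour flags follow the post's own test results.

```python
from dataclasses import dataclass, field

EVERYONE = "Authenticated Users"
OFFLINE = "Allow or Disallow use of the Offline Files feature"
LOOPBACK = "User Group Policy loopback processing mode"
NO_AUTO = "Do not automatically make redirected folders available offline"
SYNC_LOGOFF = "Synchronize all offline files before logging off"
REDIRECT = "My Documents folder redirection"


@dataclass
class GPO:
    name: str
    link: str                                     # container the GPO is linked to
    computer: dict = field(default_factory=dict)  # Computer Configuration settings
    user: dict = field(default_factory=dict)      # User Configuration settings
    apply_to: frozenset = frozenset({EVERYONE})   # security filtering (Read + Apply)
    deny_to: frozenset = frozenset()              # Apply Group Policy = Deny

    def applies(self, groups):
        """True when a principal with these group memberships processes the GPO."""
        groups = set(groups) | {EVERYONE}
        return bool(groups & self.apply_to) and not (groups & self.deny_to)


# The four GPOs from the post; container and group names are constructed.
GPOS = [
    GPO("Disable Offline Files", "Domain", computer={OFFLINE: "Disabled"}),
    GPO("My Documents Redirection", "Users OU", user={REDIRECT: "Advanced"}),
    GPO("Configure Offline Files (1 of 2)", "Laptop-Tablet OU",
        computer={OFFLINE: "Enabled", LOOPBACK: "Merge"},
        user={SYNC_LOGOFF: "Enabled"},            # other sync settings omitted
        deny_to=frozenset({"Support"})),
    GPO("Configure Offline Files (2 of 2)", "Laptop-Tablet OU",
        computer={LOOPBACK: "Merge"},
        user={NO_AUTO: "Enabled"},
        apply_to=frozenset({"Support"})),
]

DESKTOP = ("Domain", "Desktop OU")
LAPTOP = ("Domain", "Laptop-Tablet OU")


def linked(scope):
    """GPOs in processing order: domain-linked first, OU-linked last (last writer wins)."""
    return [g for container in scope for g in GPOS if g.link == container]


def resultant(computer_scope, user_scope, user_groups, computer_groups=()):
    """Return (computer settings, user settings) after filtering and loopback merge."""
    comp = {}
    for gpo in linked(computer_scope):
        if gpo.applies(computer_groups):      # filtered against the computer account
            comp.update(gpo.computer)
    user_gpos = linked(user_scope)
    if comp.get(LOOPBACK) == "Merge":         # merge: computer-scope GPOs come last
        user_gpos = user_gpos + linked(computer_scope)
    usr = {}
    for gpo in user_gpos:
        if gpo.applies(user_groups):          # filtered against the logged-on user
            usr.update(gpo.user)
    return comp, usr


def outcome(computer_scope, user_groups, user_scope=("Domain", "Users OU")):
    """Translate the resultant settings into the behaviours the post cares about."""
    comp, usr = resultant(computer_scope, user_scope, user_groups)
    offline_on = comp.get(OFFLINE) != "Disabled"
    redirected = REDIRECT in usr
    return {
        "offline_files": offline_on,
        # Windows XP default per the post: redirected folders are cached automatically
        "auto_cache_my_documents": offline_on and redirected
                                   and usr.get(NO_AUTO) != "Enabled",
        # Per the post's testing, only disabling Offline Files hides the sync manager
        "sync_manager_at_logoff": offline_on and redirected,
        "sync_before_logoff_forced": usr.get(SYNC_LOGOFF) == "Enabled",
    }


if __name__ == "__main__":
    for label, scope, groups in [("desktop / end user", DESKTOP, ()),
                                 ("laptop / end user", LAPTOP, ()),
                                 ("laptop / support", LAPTOP, ("Support",))]:
        print(label, outcome(scope, groups))
```

The model only covers Windows XP-era behaviour as the post describes it and ignores link enforcement, block inheritance and WMI filters.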

 

 

 



 

 

 

From: ejmichaud@hotmail.com

To: none

Subject: Re: Folder Redirection / Offline Files / Synchronization manager ....Ahhhhh!

Date: 09/25/2007 11:48:53

 

 

I am sorry, that wasn't very clear. #2 should have read:

2. All desktops will not have My Documents available offline

 

For desktops, I do not want offline files enabled by default for the

redirected My Documents folder. I only want offline files enabled by

default on the redirected My Documents folder for mobile devices.

 

Of course the issue I have is that even when I enable the "Do not

automatically make redirected folders available offline" the

synchronization manager still appears at logoff. The My Documents

folder, which has been redirected, is not made available offline.

However, even though the redirected My Documents isn't being made

available offline, when the computer/user receives the GPO to redirect

My Documents, synchronization manager is turned on, which obviously

isn't syncing anything because no files are being made available

offline, but the synchronization manager is still being displayed at

logoff.

 

What I want to do is prevent the synchronization manager from being

displayed on the desktops when I enable My Documents folder

redirection. In addition, I don't want to break the synchronization

manager for anyone who may have previously manually set some files

offline and depend on synchronization manager running.

 

So to sum up what I want on desktop computers:

1. Redirect my documents to a network location

2. Do not make the my documents available offline

3. If synchronization manager was not previously enabled, do not

enable it / do not show the synchronization manager during user

logoff.

4. If synchronization manager was previously being used to make other

files available offline, do not disable it.

 

I am still testing so none of this has been implemented yet except in

my test lab.

 

Thanks,

Eric

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Folder Redirection / Offline Files / Synchronization manager ....Ahhhhh!

Date: 09/24/2007 15:52:41

 

 

Hello,

 

if nobody needs the desktop synced offline, you may disable the offline

feature at the share level

 

what about an rsop.msc result?

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

<ejmichaud@hotmail.com> wrote in message

news:1190661864.051523.322590@k79g2000hse.googlegroups.com...

> Well let me start off by describing my goals with folder redirection

> and offline files

> 1. All users will have their My Documents redirected to a folder with

> a DFS Namespace based on group membership.

> 2. All desktops will not have offline files disabled

> 3. All mobile devices (laptops/tablets) will have offline files

> enabled

>

> Working with Windows XP SP2 computers.

>

> Interesting enough, the issue/concern I am having is with item #2.  I

> have created two GPOs.  The first GPO "My Documents Re-Direction" will

> be applied to all users.  This GPO sets the My Document Redirection

> settings and also sets the "Do not automatically make redirected

> folders available offline" setting to enabled.  The second GPO

> "Offline Files" will be applied to OUs that contain mobile devices

> (laptops/tablets).  This GPO has the "Do not automatically make

> redirected folders available offline" disabled (user Configuration)

> with loopback enabled.

>

> The two GPOs do everything I expected except on the desktop side.

> When users log off a desktop they see the Synchronization Manager.

> The synchronization manager states it's syncing the root of the DFS

> Namespace, shows a status of Succeeded, but there are no files stored

> in the offline cache.

>

> It appears that even though I have specifically enabled the "Do not

> automatically make redirected folders available offline", the

> synchronization manager gets enabled when Folder Redirection is turned

> on even though there are no offline files to sync.  Does anyone know

> of a way to set redirected folders VIA GPO(s), to not have the files

> available offline, and to not have the synchronization manager show up

> at logoff?

>

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Event ID 1030 & 1058

Date: 09/19/2007 14:00:47

 

 

From GPMC, trace all GPO GUID to find what is this one...If you can post

what it should do.

 

This GPO may be corrupted

 

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

news:47373EFB-45AD-4FC0-99A0-38092ED0E6B7@microsoft.com...

>I just ran the 'gpupdate /force' & the errors are still logging.

> Yes, this has been happening since the restarts of both DC's.

> Should I try restarting them both again but this time allowing the PDC to

> fully boot back up before restarting the DC?

>

>

>

> "Mathieu CHATEAU" wrote:

>

>> yes it's the syntax and yes you can safely do it while running on

>> production

>> mode.

>> It is done regularly anyway. Did you get these messages since reboot?

>>

>> --

>> Regards,

>> Mathieu CHATEAU

>> http://lordoftheping.blogspot.com

>>

>>

>> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

>> news:3FE86185-D8E1-47A6-8335-3E565B3040F4@microsoft.com...

>> > To be honest I wouldn't know if it looks correct because this is the

>> > first

>> > time I have ever opened that file.  It only has the following two

>> > lines:

>> >

>> > [General]

>> > Version=65539

>> >

>> > Are you stating to do a START - RUN - 'gpupdate /force'?

>> >

>> > If so, is the syntax correct and can I do this while still in

>> > production

>> > mode?

>> >

>> > Thanks....

>> >

>> >

>> > "Mathieu CHATEAU" wrote:

>> >

>> >> If you open it, does it look correct ?

>> >> gpupdate /force on DC make the error coming back ?

>> >>

>> >>

>> >> --

>> >> Regards,

>> >> Mathieu CHATEAU

>> >> http://lordoftheping.blogspot.com

>> >>

>> >>

>> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

>> >> news:454A9169-831E-49CE-89D9-D3189407F63E@microsoft.com...

>> >> > Yes.

>> >> >

>> >> >

>> >> > "Mathieu CHATEAU" wrote:

>> >> >

>> >> >> Hello,

>> >> >>

>> >> >> Does this file really exist ?

>> >> >>

>> >> >> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
>> >> >>
>> >> >> --
>> >> >> Regards,
>> >> >> Mathieu CHATEAU
>> >> >> http://lordoftheping.blogspot.com
>> >> >>
>> >> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
>> >> >> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
>> >> >> > Hello,
>> >> >> >
>> >> >> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
>> >> >> > A few days ago I restarted both servers by restarting the PDC first and then
>> >> >> > the DC and now I keep getting the following two errors in the event log:
>> >> >> >
>> >> >> > Event ID 1030
>> >> >> > 'Windows cannot query for the list of Group Policy objects.  Check the event
>> >> >> > log for possible messages previously logged by the policy engine that
>> >> >> > describes the reason for this.'
>> >> >> >
>> >> >> > Event ID 1058
>> >> >> > Description: Windows cannot access the file gpt.ini for GPO
>> >> >> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com
>> >> >> > . The file must be present at the location
>> >> >> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
>> >> >> > (Error_Message). Group Policy processing aborted. For more
>> >> >> > information, see Help and Support Center at http://support.microsoft.com.
>> >> >> >
>> >> >> > This only starting happening after the restarts.
>> >> >> > Should I attempt to restart both servers again to resolve?
>> >> >> >
>> >> >> > Thanks....

>> >> >>

>> >>

>> >>

>>

>>

 

 

 



 

 

 

From: bsbm525 <bsbm525@discussions.microsoft.com>

To: none

Subject: Re: Event ID 1030 & 1058

Date: 09/19/2007 13:54:02

 

 

I just ran the 'gpupdate /force' & the errors are still logging.

Yes, this has been happening since the restarts of both DC's.

Should I try restarting them both again but this time allowing the PDC to

fully boot back up before restarting the DC?

 

 

 

"Mathieu CHATEAU" wrote:

 

> yes it's the syntax and yes you can safely do it while running on production

> mode.

> It is done regularly anyway. Did you get these messages since reboot?

>

> --

> Regards,

> Mathieu CHATEAU

> http://lordoftheping.blogspot.com

> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

> news:3FE86185-D8E1-47A6-8335-3E565B3040F4@microsoft.com...

> > To be honest I wouldn't know if it looks correct because this is the first

> > time I have ever opened that file.  It only has the following two lines:

> >

> > [General]

> > Version=65539

> >

> > Are you stating to do a START - RUN - 'gpupdate /force'?

> >

> > If so, is the syntax correct and can I do this while still in production

> > mode?

> >

> > Thanks....

> >

> >

> > "Mathieu CHATEAU" wrote:

> >

> >> If you open it, does it look correct ?

> >> gpupdate /force on DC make the error coming back ?

> >>

> >>

> >> --

> >> Regards,

> >> Mathieu CHATEAU

> >> http://lordoftheping.blogspot.com

> >>

> >>

> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

> >> news:454A9169-831E-49CE-89D9-D3189407F63E@microsoft.com...

> >> > Yes.

> >> >

> >> >

> >> > "Mathieu CHATEAU" wrote:

> >> >

> >> >> Hello,

> >> >>

> >> >> Does this file really exist ?

> >> >>

> >> >> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
> >> >>
> >> >> --
> >> >> Regards,
> >> >> Mathieu CHATEAU
> >> >> http://lordoftheping.blogspot.com
> >> >>
> >> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
> >> >> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
> >> >> > Hello,
> >> >> >
> >> >> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
> >> >> > A few days ago I restarted both servers by restarting the PDC first and then
> >> >> > the DC and now I keep getting the following two errors in the event log:
> >> >> >
> >> >> > Event ID 1030
> >> >> > 'Windows cannot query for the list of Group Policy objects.  Check the event
> >> >> > log for possible messages previously logged by the policy engine that
> >> >> > describes the reason for this.'
> >> >> >
> >> >> > Event ID 1058
> >> >> > Description: Windows cannot access the file gpt.ini for GPO
> >> >> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com
> >> >> > . The file must be present at the location
> >> >> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> >> >> > (Error_Message). Group Policy processing aborted. For more
> >> >> > information, see Help and Support Center at http://support.microsoft.com.
> >> >> >
> >> >> > This only starting happening after the restarts.
> >> >> > Should I attempt to restart both servers again to resolve?
> >> >> >
> >> >> > Thanks....

> >> >>

> >>

> >>

>

>

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Event ID 1030 & 1058

Date: 09/19/2007 13:37:54

 

 

yes it's the syntax and yes you can safely do it while running on production

mode.

It is done regularly anyway. Did you get these messages since reboot?

 

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

news:3FE86185-D8E1-47A6-8335-3E565B3040F4@microsoft.com...

> To be honest I wouldn't know if it looks correct because this is the first

> time I have ever opened that file.  It only has the following two lines:

>

> [General]

> Version=65539

>

> Are you stating to do a START - RUN - 'gpupdate /force'?

>

> If so, is the syntax correct and can I do this while still in production

> mode?

>

> Thanks....

>

>

> "Mathieu CHATEAU" wrote:

>

>> If you open it, does it look correct ?

>> gpupdate /force on DC make the error coming back ?

>>

>>

>> --

>> Regards,

>> Mathieu CHATEAU

>> http://lordoftheping.blogspot.com

>>

>>

>> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

>> news:454A9169-831E-49CE-89D9-D3189407F63E@microsoft.com...

>> > Yes.

>> >

>> >

>> > "Mathieu CHATEAU" wrote:

>> >

>> >> Hello,

>> >>

>> >> Does this file really exist ?

>> >>

>> >> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
>> >>
>> >> --
>> >> Regards,
>> >> Mathieu CHATEAU
>> >> http://lordoftheping.blogspot.com
>> >>
>> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
>> >> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
>> >> > Hello,
>> >> >
>> >> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
>> >> > A few days ago I restarted both servers by restarting the PDC first and then
>> >> > the DC and now I keep getting the following two errors in the event log:
>> >> >
>> >> > Event ID 1030
>> >> > 'Windows cannot query for the list of Group Policy objects.  Check the event
>> >> > log for possible messages previously logged by the policy engine that
>> >> > describes the reason for this.'
>> >> >
>> >> > Event ID 1058
>> >> > Description: Windows cannot access the file gpt.ini for GPO
>> >> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com
>> >> > . The file must be present at the location
>> >> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
>> >> > (Error_Message). Group Policy processing aborted. For more
>> >> > information, see Help and Support Center at http://support.microsoft.com.
>> >> >
>> >> > This only starting happening after the restarts.
>> >> > Should I attempt to restart both servers again to resolve?
>> >> >
>> >> > Thanks....

>> >>

>>

>>

 

 

 



 

 

 

From: bsbm525 <bsbm525@discussions.microsoft.com>

To: none

Subject: Re: Event ID 1030 & 1058

Date: 09/19/2007 12:50:02

 

 

To be honest I wouldn't know if it looks correct because this is the first

time I have ever opened that file.  It only has the following two lines:

 

[General]

Version=65539

 

Are you stating to do a START - RUN - 'gpupdate /force'?

 

If so, is the syntax correct and can I do this while still in production mode?

 

Thanks....

 

 

"Mathieu CHATEAU" wrote:

 

> If you open it, does it look correct ?

> gpupdate /force on DC make the error coming back ?

> --

> Regards,

> Mathieu CHATEAU

> http://lordoftheping.blogspot.com

> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

> news:454A9169-831E-49CE-89D9-D3189407F63E@microsoft.com...

> > Yes.

> >

> >

> > "Mathieu CHATEAU" wrote:

> >

> >> Hello,

> >>

> >> Does this file really exist ?

> >>

> >> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
> >>
> >> --
> >> Regards,
> >> Mathieu CHATEAU
> >> http://lordoftheping.blogspot.com
> >>
> >> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
> >> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
> >> > Hello,
> >> >
> >> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
> >> > A few days ago I restarted both servers by restarting the PDC first and then
> >> > the DC and now I keep getting the following two errors in the event log:
> >> >
> >> > Event ID 1030
> >> > 'Windows cannot query for the list of Group Policy objects.  Check the event
> >> > log for possible messages previously logged by the policy engine that
> >> > describes the reason for this.'
> >> >
> >> > Event ID 1058
> >> > Description: Windows cannot access the file gpt.ini for GPO
> >> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com
> >> > . The file must be present at the location
> >> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> >> > (Error_Message). Group Policy processing aborted. For more
> >> > information, see Help and Support Center at http://support.microsoft.com.
> >> >
> >> > This only starting happening after the restarts.
> >> > Should I attempt to restart both servers again to resolve?
> >> >
> >> > Thanks....

> >>

>

>
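
What "looks correct" means for the two-line gpt.ini quoted in this message, as an added Python example that is not part of the thread: the Version value packs the user-side revision in its upper 16 bits and the computer-side revision in its lower 16 bits, and each domain controller's SYSVOL copy should be readable and match the versionNumber attribute of the GPO object in Active Directory. The DC names, the AD value and the stale and unreadable copies are constructed sample data.

```python
import configparser


def split_version(version):
    """Return (user_revision, computer_revision) from a GPO version number."""
    return version >> 16, version & 0xFFFF


def read_gpt_version(text):
    """Parse gpt.ini text and return its Version; raise ValueError if unusable."""
    parser = configparser.ConfigParser(strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))      # tolerate a UTF-8 BOM
        return parser.getint("General", "Version")
    except (configparser.Error, ValueError) as exc:
        raise ValueError(f"malformed gpt.ini: {exc}") from exc


def check_gpo(ad_version, sysvol_copies):
    """Compare every DC's gpt.ini with the versionNumber stored in AD.

    sysvol_copies maps a DC name to the gpt.ini text read from that DC's
    SYSVOL share, or to None when the file could not be read at all
    (the condition Event ID 1058 reports).
    """
    findings = {}
    for dc, text in sysvol_copies.items():
        if text is None:
            findings[dc] = "unreadable"
            continue
        try:
            version = read_gpt_version(text)
        except ValueError:
            findings[dc] = "malformed"
            continue
        if version == ad_version:
            findings[dc] = "ok"
        else:
            findings[dc] = "version mismatch: sysvol user/computer=%d/%d, ad=%d/%d" % (
                split_version(version) + split_version(ad_version))
    return findings


# The file contents quoted in the thread.
GPT_INI_FROM_THREAD = "[General]\nVersion=65539\n"

# Constructed sample data: DC names, AD versionNumber and the bad copies.
SAMPLE_AD_VERSION = 65539
SAMPLE_COPIES = {
    "DC-A": GPT_INI_FROM_THREAD,
    "DC-B": None,                           # share or file not reachable
    "DC-C": "[General]\nVersion=65538\n",   # stale replica
    "DC-D": "Version=65539\n",              # section header missing
}

if __name__ == "__main__":
    print("user/computer revision:", split_version(read_gpt_version(GPT_INI_FROM_THREAD)))
    for dc, status in check_gpo(SAMPLE_AD_VERSION, SAMPLE_COPIES).items():
        print(dc, status)
```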

 

 

 



 

 

 

From: Adrian Grigorof <adi@replace_with_my_last_name.com>

To: none

Subject: Re: Event ID 1030 & 1058

Date: 09/19/2007 11:55:19

 

 

See this link:

http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

 

--

 

Regards,

Adrian Grigorof

www.eventid.net - Information for over 9000 Windows event IDs

www.altairtech.ca/evlog - Free event log monitoring

 

 

"bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...

> Hello,

>

> I'm running a Windows 2003 Server domain with two servers (PDC & DC).

> A few days ago I restarted both servers by restarting the PDC first and

> then

> the DC and now I keep getting the following two errors in the event log:

>

> Event ID 1030

> 'Windows cannot query for the list of Group Policy objects.  Check the

> event

> log for possible messages previously logged by the policy engine that

> describes the reason for this.'

>

> Event ID 1058

> Description: Windows cannot access the file gpt.ini for GPO

> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com

> . The file must be present at the location

> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.

> (Error_Message). Group Policy processing aborted. For more

> information, see Help and Support Center at http://support.microsoft.com.

>

> This only starting happening after the restarts.

> Should I attempt to restart both servers again to resolve?

>

> Thanks....

>

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Event ID 1030 & 1058

Date: 09/19/2007 11:37:47

 

 

If you open it, does it look correct ?

gpupdate /force on DC make the error coming back ?

 

 

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

news:454A9169-831E-49CE-89D9-D3189407F63E@microsoft.com...

> Yes.

>

>

> "Mathieu CHATEAU" wrote:

>

>> Hello,

>>

>> Does this file really exist ?

>>

>> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
>>
>> --
>> Regards,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message
>> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...
>> > Hello,
>> >
>> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).
>> > A few days ago I restarted both servers by restarting the PDC first and then
>> > the DC and now I keep getting the following two errors in the event log:
>> >
>> > Event ID 1030
>> > 'Windows cannot query for the list of Group Policy objects.  Check the event
>> > log for possible messages previously logged by the policy engine that
>> > describes the reason for this.'
>> >
>> > Event ID 1058
>> > Description: Windows cannot access the file gpt.ini for GPO
>> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com
>> > . The file must be present at the location
>> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
>> > (Error_Message). Group Policy processing aborted. For more
>> > information, see Help and Support Center at http://support.microsoft.com.
>> >
>> > This only starting happening after the restarts.
>> > Should I attempt to restart both servers again to resolve?
>> >
>> > Thanks....

>>

 

 

 



 

 

 

From: bsbm525 <bsbm525@discussions.microsoft.com>

To: none

Subject: Re: Event ID 1030 & 1058

Date: 09/19/2007 11:34:04

 

 

Yes.

 

 

"Mathieu CHATEAU" wrote:

 

> Hello,

>

> Does this file really exist ?

> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>

>

> --

> Cordialement,

> Mathieu CHATEAU

> http://lordoftheping.blogspot.com

>

> "bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

> news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...

> > Hello,

> >

> > I'm running a Windows 2003 Server domain with two servers (PDC & DC).

> > A few days ago I restarted both servers by restarting the PDC first and then

> > the DC and now I keep getting the following two errors in the event log:

> >

> > Event ID 1030

> > 'Windows cannot query for the list of Group Policy objects.  Check the event

> > log for possible messages previously logged by the policy engine that

> > describes the reason for this.'

> >

> > Event ID 1058

> > Description: Windows cannot access the file gpt.ini for GPO

> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com

> > . The file must be present at the location

> > <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.

> > (Error_Message). Group Policy processing aborted. For more

> > information, see Help and Support Center at http://support.microsoft.com.

> >

> > This only starting happening after the restarts.

> > Should I attempt to restart both servers again to resolve?

> >

> > Thanks....

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Event ID 1030 & 1058

Date: 09/19/2007 11:24:14

 

 

Hello,

 

Does this file really exist ?

<\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

"bsbm525" <bsbm525@discussions.microsoft.com> wrote in message

news:E0AD665B-3E0A-4125-B691-12FDAE1825BE@microsoft.com...

> Hello,

>

> I'm running a Windows 2003 Server domain with two servers (PDC & DC).

> A few days ago I restarted both servers by restarting the PDC first and then

> the DC and now I keep getting the following two errors in the event log:

>

> Event ID 1030

> 'Windows cannot query for the list of Group Policy objects.  Check the event

> log for possible messages previously logged by the policy engine that

> describes the reason for this.'

>

> Event ID 1058

> Description: Windows cannot access the file gpt.ini for GPO

> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com

> . The file must be present at the location

> <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.

> (Error_Message). Group Policy processing aborted. For more

> information, see Help and Support Center at http://support.microsoft.com.

>

> This only starting happening after the restarts.

> Should I attempt to restart both servers again to resolve?

>

> Thanks....
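
Added example, not part of the thread: the "does this file really exist?" check from the message above, run against the domain path and against each domain controller's SYSVOL share separately, since the domain path is a DFS referral that can land on either DC. The domain name and GPO GUID are the ones in the Event ID 1058 text; the DC host names are hypothetical placeholders.

```powershell
# Added example (not from the thread). $Domain and $GpoGuid are taken from the
# Event ID 1058 text; the domain controller names are hypothetical placeholders.
$Domain            = 'domainname.com'
$GpoGuid           = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$DomainControllers = @('DC01', 'DC02')   # hypothetical: replace with real DC host names

function Get-GptIniStatus {
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # domain name (DFS path) or one DC
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$GpoGuid
    )

    $path   = "\\$Server\sysvol\$Domain\Policies\$GpoGuid\gpt.ini"
    $result = [pscustomobject]@{
        Server          = $Server
        Readable        = $false
        Version         = $null
        UserVersion     = $null
        ComputerVersion = $null
        Detail          = $path
    }

    try {
        # -LiteralPath: use the path exactly as written, with no wildcard expansion.
        $lines = Get-Content -LiteralPath $path -ErrorAction Stop
        $result.Readable = $true

        foreach ($line in $lines) {
            if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') {
                $version = [uint32]$Matches[1]
                $result.Version = $version
                # gpt.ini packs two counters into one number:
                # high 16 bits = user settings, low 16 bits = computer settings.
                $result.UserVersion     = [int][math]::Floor($version / 65536)
                $result.ComputerVersion = [int]($version % 65536)
                break
            }
        }
        if ($null -eq $result.Version) {
            $result.Detail = "No Version= line found in $path"
        }
    }
    catch {
        # The condition Event ID 1058 describes: gpt.ini cannot be read from this source.
        $result.Detail = $_.Exception.Message
    }

    $result
}

# Query the domain (DFS) path first, then every DC directly.
$sources = @($Domain) + $DomainControllers
$report  = foreach ($source in $sources) {
    Get-GptIniStatus -Server $source -Domain $Domain -GpoGuid $GpoGuid
}
$report | Format-Table Server, Readable, Version, UserVersion, ComputerVersion, Detail -AutoSize

# A DC whose copy is unreadable, or whose version differs, is where SYSVOL
# sharing or replication needs attention.
$unreadable = @($report | Where-Object { -not $_.Readable })
$versions   = @($report |
    Where-Object { $_.Readable -and $null -ne $_.Version } |
    ForEach-Object { $_.Version } |
    Select-Object -Unique)

if ($unreadable.Count -gt 0) {
    Write-Warning ("gpt.ini not readable from: " + (($unreadable | ForEach-Object { $_.Server }) -join ', '))
}
if ($versions.Count -gt 1) {
    Write-Warning ("gpt.ini versions differ between sources: " + ($versions -join ', '))
}
```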

 

 

 



 

 

 

From: Mark Barratt (remsup[remove]@gmail.com ) <MarkBarrattremsupremovegmailcom@discussions.microsoft.com>

To: none

Subject: Re: Enabling Content Advisor through Group Policy

Date: 09/28/2007 03:43:00

 

 

Hi Meinolf

 

maybe I'm not making myself particularly clear here

 

I have already defined the settings in the relevant security zones and

content ratings section

 

but on the client it still shows as disabled in IE7 ( but it works in IE6 )

 

email directly if you need any further clarification

 

Thanks

Mark

 

"Meinolf Weber" wrote:

 

> Hello Mark Barratt ) MarkBarrattremsupremovegmailcom@discussions.microsoft.com,

>

> You do not enable it with the .adm file. Go to user configuration> windows

> settings> internet explorer maintenance>security and double click security

> zones and content ratings.

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Thanks for that,

> >

> > however I already have that inetres adm file anyway, I just seem to be

> > 'missing' the option that says "enable content ratings"

> >

> > I can see the part where I import them from the current machine's

> > settings but it stays 'disabled'

> >

> > any more advice??

> >

> > Regards

> >

> > Mark

> >

> > "Meinolf Weber" wrote:

> >

> >> Hello Mark Barratt )

> >> MarkBarrattremsupremovegmailcom@discussions.microsoft.com,

> >>

> >> Check this out:

> >> http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&DisplayLang=en

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >>> Hi All, hope you can help.  I'm probably missing something glaringly

> >>> obvious here but let me provide some background first.

> >>>

> >>> SBS2003 - server

> >>> XP Pro SP2 - clients

> >>> IE7

> >>> We have a GP that had the content advisor enabled and certain sites

> >>> blocked with IE6, but since the 'upgrade' to IE7 the same policy has

> >>> stopped working.

> >>> The sites do not appear to be 'rolling out' to the clients and on

> >>> the content page the Content Advisor is showing as 'disabled' ( an

> >>> option that the end user doesn't get to change )

> >>>

> >>> Is there a new ADM template for IE7 that I have overlooked?

> >>> Is there a setting to "Switch On Content Advisor in IE7"

> >>> I know the policy itself works as the one PC with IE6 is still

> >>> having

> >>> the

> >>> required sites blocked

> >>> Thanks in advance for any and all assistance in this matter

>

 

 

 



 

 

 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Enabling Content Advisor through Group Policy

Date: 09/28/2007 03:26:36

 

 

Hello Mark Barratt ) MarkBarrattremsupremovegmailcom@discussions.microsoft.com,

 

You do not enable it with the .adm file. Go to user configuration> windows

settings> internet explorer maintenance>security and double click security

zones and content ratings.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Thanks for that,

>

> however I already have that inetres adm file anyway, I just seem to be

> 'missing' the option that says "enable content ratings"

>

> I can see the part where I import them from the current machine's

> settings but it stays 'disabled'

>

> any more advice??

>

> Regards

>

> Mark

>

> "Meinolf Weber" wrote:

>

>> Hello Mark Barratt )

>> MarkBarrattremsupremovegmailcom@discussions.microsoft.com,

>>

>> Check this out:

>> http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&DisplayLang=en

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>> Hi All, hope you can help.  I'm probably missing something glaringly

>>> obvious here but let me provide some background first.

>>>

>>> SBS2003 - server

>>> XP Pro SP2 - clients

>>> IE7

>>> We have a GP that had the content advisor enabled and certain sites

>>> blocked with IE6, but since the 'upgrade' to IE7 the same policy has

>>> stopped working.

>>> The sites do not appear to be 'rolling out' to the clients and on

>>> the content page the Content Advisor is showing as 'disabled' ( an

>>> option that the end user doesn't get to change )

>>>

>>> Is there a new ADM template for IE7 that I have overlooked?

>>> Is there a setting to "Switch On Content Advisor in IE7"

>>> I know the policy itself works as the one PC with IE6 is still

>>> having

>>> the

>>> required sites blocked

>>> Thanks in advance for any and all assistance in this matter

 

 

 



 

 

 

From: Mark Barratt (remsup[remove]@gmail.com ) <MarkBarrattremsupremovegmailcom@discussions.microsoft.com>

To: none

Subject: Re: Enabling Content Advisor through Group Policy

Date: 09/27/2007 03:58:02

 

 

Thanks for that,

 

however I already have that inetres adm file anyway, I just seem to be

'missing' the option that says "enable content ratings"

 

I can see the part where I import them from the current machine's settings

but it stays 'disabled'

 

any more advice??

 

Regards

 

Mark

 

"Meinolf Weber" wrote:

 

> Hello Mark Barratt ) MarkBarrattremsupremovegmailcom@discussions.microsoft.com,

>

> Check this out:

> http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&DisplayLang=en

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Hi All, hope you can help.  I'm probably missing something glaringly

> > obvious here but let me provide some background first.

> >

> > SBS2003 - server

> > XP Pro SP2 - clients

> > IE7

> > We have a GP that had the content advisor enabled and certain sites

> > blocked with IE6, but since the 'upgrade' to IE7 the same policy has

> > stopped working.

> >

> > The sites do not appear to be 'rolling out' to the clients and on the

> > content page the Content Advisor is showing as 'disabled' ( an option

> > that the end user doesn't get to change )

> >

> > Is there a new ADM template for IE7 that I have overlooked?

> > Is there a setting to "Switch On Content Advisor in IE7"

> > I know the policy itself works as the one PC with IE6 is still having

> > the

> > required sites blocked

> > Thanks in advance for any and all assistance in this matter

> >

>

 

 

 



 

 

 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Enabling Content Advisor through Group Policy

Date: 09/26/2007 14:47:32

 

 

Hello Mark Barratt ) MarkBarrattremsupremovegmailcom@discussions.microsoft.com,

 

Check this out:

http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&DisplayLang=en

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Hi All, hope you can help.  I'm probably missing something glaringly

> obvious here but let me provide some background first.

>

> SBS2003 - server

> XP Pro SP2 - clients

> IE7

> We have a GP that had the content advisor enabled and certain sites

> blocked with IE6, but since the 'upgrade' to IE7 the same policy has

> stopped working.

>

> The sites do not appear to be 'rolling out' to the clients and on the

> content page the Content Advisor is showing as 'disabled' ( an option

> that the end user doesn't get to change )

>

> Is there a new ADM template for IE7 that I have overlooked?

> Is there a setting to "Switch On Content Advisor in IE7"

> I know the policy itself works as the one PC with IE6 is still having

> the

> required sites blocked

> Thanks in advance for any and all assistance in this matter

>

 

 

 



 

 

 

From: Anthony <anthony.spam@spammedout.com>

To: none

Subject: Re: DST 2007

Date: 09/24/2007 02:59:37

 

 

 

Scripts run each time. You can add some logic to the script to check the key first, but the script still has to run.

If you only run the script once (i.e. not in Group Policy) then you have the question of what happens when you add a new computer.

Anthony,

http://www.airdesk.com

  "el" <drop_msg -@- hotmail -DOT- com> wrote in message news:%23TeqH2m$HHA.1168@TK2MSFTNGP02.phx.gbl...

  Hi all,

  I am new to deploying registry changes through group policy.

 

  I followed the suggestion in KB 914387 to change the time zone setting on multiple networked computers by creating a DST2007Update_Win2k.cmd file in the \\[AD]\netlogon folder.  I also created a new group policy in Active Directory Users and Computers and put that .cmd file in Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup.  I tested it on a test machine and everything looked ok.

 

  But I have a question to ask.  If this test machine restarts again, will that group policy (startup script) run on the test machine again?  If yes, is there any way to stop it from running again after the first run?

 

  TIA,

  el
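
Added example, not part of the thread: the "check the key first" logic Anthony describes, where the startup script still runs at every boot but exits early once a marker value exists, so computers added later get the change on their first boot. It is written in PowerShell and so assumes clients where Windows PowerShell is available; the marker key, the value name and the SERVER-PLACEHOLDER host are hypothetical.

```powershell
# Added example (not from the thread). Hypothetical names: the marker key, the
# marker value and the SERVER-PLACEHOLDER host. Only the .cmd file name and the
# netlogon share come from the post.
param(
    [string]$UpdateScript = '\\SERVER-PLACEHOLDER\netlogon\DST2007Update_Win2k.cmd',
    [string]$MarkerKey    = 'HKLM:\SOFTWARE\ExampleOrg\StartupScripts',
    [string]$MarkerName   = 'DST2007Update'
)

function Test-MarkerPresent {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -Path $Key)) { return $false }
    $values = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    return (($null -ne $values) -and ($null -ne $values.$Name))
}

function Set-Marker {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # Store when the change was applied, which helps later auditing.
    $stamp = Get-Date -Format 's'
    New-ItemProperty -Path $Key -Name $Name -Value $stamp -PropertyType String -Force | Out-Null
}

# Startup scripts run at every boot; this check is what makes the change a one-off.
if (Test-MarkerPresent -Key $MarkerKey -Name $MarkerName) {
    exit 0
}

# First boot with this policy on this computer: apply the change.
& $env:ComSpec /c $UpdateScript
$exitCode = $LASTEXITCODE

if ($exitCode -ne 0) {
    # Assumption: the .cmd signals failure with a non-zero exit code.
    # No marker is written, so the next boot tries again.
    Write-Error "Update script failed with exit code $exitCode"
    exit $exitCode
}

Set-Marker -Key $MarkerKey -Name $MarkerName
```

Startup scripts run as Local System and the marker sits under HKLM, so with default permissions a standard user cannot set or clear it.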

 

 

 



 

 

 

From: Lanwench [MVP - Exchange] <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com>

To: none

Subject: Re: Disable Volume Shadow Copy with Group Policy

Date: 09/21/2007 09:02:54

 

 

Olivier <Olivier@discussions.microsoft.com> wrote:

> Dear all,

>

> Currently every user in our organization has the right to restore

> files using the volume shadow copy functionality. We want to restrict

> these rights so that only the administrators group has this

> functionality. Can this be done through Group Policy. If so, how?

>

> Thanks in advance,

>

> Olivier

 

Do you want to deny them the ability to do *any* kind of activity with the

previous versions tab? Or just keep them from clicking Restore, which can

overwrite the "good" files of other users?

 

Most companies don't mind people having access to Previous Versions, as it

means users don't have to call the helpdesk for file restores. The users can

open/view the previous versions, and copy individual files where they like.

However, the "Restore" button can have serious and unexpectedly bad

consequences.

 

See the following:

 

http://support.microsoft.com/kb/888603 (you'll need to call for the hotfix)

and

http://www.jsifaq.com/SF/Tips/Tip.aspx?id=10906

 

If you don't want them to have *any* access to the previous versions tab,

simply uninstall the Volume Shadow Copy Client from the workstations.

However, I wouldn't, as I find it very useful.

 

 

 



 

 

 

From: Eduardo Nazato <EduardoNazato@discussions.microsoft.com>

To: none

Subject: Re: Disable Terminal Services through User Configs

Date: 10/01/2007 07:16:00

 

 

Thanks moncho, but I did it another way:

- Created two security groups: one for the specific computers, and one for

the users that need TS access

- Created a new GPO giving access through TS, but only for the security

group containing the right users

- Linked the GPO to the computers OU, but applied it only to the security

group with the specific computers, and put it as the last GPO to be applied

 

Simple, and worked well... I had to do some work, but no problem here :)

 

Thanks all for the try!

 

 

"moncho" wrote:

 

> Eduardo Nazato wrote:

> > Ok. It's because here in our AD all the users are in an OU, and all the

> > computers are on a different OU. Some weeks ago we had to block the access

> > through TS on all computers, using domain policies. But now some of the

> > computers need to be accessed through TS again, and they are too many.

> >

> > Because just a certain group of users need TS access on these computers, I

> > could re-enable TS for this group of users only. But then they could access

> > every computer in the domain through TS, and I don't want this to happen.

> >

> > So, is there a way to re-enable access through TS, but only for certain

> > users (to any computer where they log in) ?

>

> You could create multiple security groups, add specific users to each

> group, then assign the specific group to allow access on the specific TS

> server. This may not be the most efficient way but it is possible.

>

> Example -

> SG A - john, tom

> SG B - dave, jane

>

> On local TS1 in Remote Desktop Users group add SG A

> On local TS2 in Remote Desktop Users group add SG B

>

> moncho

> >

> >

> > "Florian Frommherz [MVP]" wrote:

> >

> >> Howdie!

> >>

> >> Eduardo Nazato schrieb:

> >>> I know I can restrict Terminal Services connections to a computer through

> >>> Computer Configuration\Windows Settings\Security Settings\Local Policies\User

> >>> Rights\Allow log on through TS

> >>> But I'd like to know if there is a way to do the same, but using User

> >>> Configuration section

> >> Why would you need such a thing? I cannot imagine, at the moment, what

> >> you're trying to do. Could you please elaborate?

> >>

> >> cheers,

> >>

> >> Florian

> >> --

> >> Microsoft MVP - Windows Server - Group Policy.

> >> eMail: prename [at] frickelsoft [dot] net.

> >> blog: http://www.frickelsoft.net/blog.

> >>

>

 

 

 



 

 

 

From: moncho <moncho@NOspmanywhere.com>

To: none

Subject: Re: Disable Terminal Services through User Configs

Date: 09/29/2007 07:09:43

 

 

Eduardo Nazato wrote:

> Ok. It's because here in our AD all the users are in an OU, and all the

> computers are on a different OU. Some weeks ago we had to block the access

> through TS on all computers, using domain policies. But now some of the

> computers need to be accessed through TS again, and they are too many.

>

> Because just a certain group of users need TS access on these computers, I

> could re-enable TS for this group of users only. But then they could access

> every computer in the domain through TS, and I don't want this to happen.

>

> So, is there a way to re-enable access through TS, but only for certain

> users (to any computer where they log in) ?

 

You could create multiple security groups, add specific users to each

group, then assign the specific group to allow access on the specific TS

server. This may not be the most efficient way but it is possible.

 

Example -

SG A - john, tom

SG B - dave, jane

 

On local TS1 in Remote Desktop Users group add SG A

On local TS2 in Remote Desktop Users group add SG B

 

moncho

> "Florian Frommherz [MVP]" wrote:

>

>> Howdie!

>>

>> Eduardo Nazato schrieb:

>>> I know I can restrict Terminal Services connections to a computer through

>>> Computer Configuration\Windows Settings\Security Settings\Local Policies\User

>>> Rights\Allow log on through TS

>>> But I'd like to know if there is a way to do the same, but using User

>>> Configuration section

>> Why would you need such a thing? I cannot imagine, at the moment, what

>> you're trying to do. Could you please elaborate?

>>

>> cheers,

>>

>> Florian

>> --

>> Microsoft MVP - Windows Server - Group Policy.

>> eMail: prename [at] frickelsoft [dot] net.

>> blog: http://www.frickelsoft.net/blog.

>>

 

 

 



 

 

 

From: Eduardo Nazato <EduardoNazato@discussions.microsoft.com>

To: none

Subject: Re: Disable Terminal Services through User Configs

Date: 09/28/2007 08:01:02

 

 

Ok. It's because here in our AD all the users are in an OU, and all the

computers are on a different OU. Some weeks ago we had to block the access

through TS on all computers, using domain policies. But now some of the

computers need to be accessed through TS again, and they are too many.

 

Because just a certain group of users need TS access on these computers, I

could re-enable TS for this group of users only. But then they could access

every computer in the domain through TS, and I don't want this to happen.

 

So, is there a way to re-enable access through TS, but only for certain

users (to any computer where they log in) ?

 

 

"Florian Frommherz [MVP]" wrote:

 

> Howdie!

>

> Eduardo Nazato schrieb:

> > I know I can restrict Terminal Services connections to a computer through

> > Computer Configuration\Windows Settings\Security Settings\Local Policies\User

> > Rights\Allow log on through TS

> > But I'd like to know if there is a way to do the same, but using User

> > Configuration section

>

> Why would you need such a thing? I cannot imagine, at the moment, what

> you're trying to do. Could you please elaborate?

>

> cheers,

>

> Florian

> --

> Microsoft MVP - Windows Server - Group Policy.

> eMail: prename [at] frickelsoft [dot] net.

> blog: http://www.frickelsoft.net/blog.

>

 

 

 



 

 

 

From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>

To: none

Subject: Re: Disable Terminal Services through User Configs

Date: 09/28/2007 00:17:50

 

 

Howdie!

 

Eduardo Nazato schrieb:

> I know I can restrict Terminal Services connections to a computer through

> Computer Configuration\Windows Settings\Security Settings\Local Policies\User

> Rights\Allow log on through TS

> But I'd like to know if there is a way to do the same, but using User

> Configuration section

 

Why would you need such a thing? I cannot imagine, at the moment, what

you're trying to do. Could you please elaborate?

 

cheers,

 

Florian

--

Microsoft MVP - Windows Server - Group Policy.

eMail: prename [at] frickelsoft [dot] net.

blog: http://www.frickelsoft.net/blog.

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Disable Run in startmenu; no more typing IE address bar

Date: 09/17/2007 09:57:02

 

 

The real question is: what are you trying to protect against?

If they have standard user rights, they shouldn't be able to hurt your system.

 

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Willem" <Willem@discussions.microsoft.com> wrote in message

news:35D81957-0127-4079-9E0C-EA670DF20D62@microsoft.com...

>I want to disable the Run command for Terminal Server. They can start

> everything on the server with the run command.

>

> "Florian Frommherz [MVP]" wrote:

>

>> Howdie!

>>

>> Willem schrieb:

>> > Thanks for your reply, but the question is : > "Willem" wrote in

>> > message

>> >>> Is there a workaround to disable the run command but to enable

>> >>> typing in

>> >>> the address bar?

>> > So is there a solution to work around the side effect?

>>

>> Not that I knew of. You could try to add shortcuts to common shares on

>> the user's desktops. Why is it, you want to restrict "Run"?

>>

>> cheers,

>>

>> Florian

>> --

>> Microsoft MVP - Windows Server - Group Policy.

>> eMail: prename [at] frickelsoft [dot] net.

>> blog: http://www.frickelsoft.net/blog.

>>

 

 

 



 

 

 

From: Willem <Willem@discussions.microsoft.com>

To: none

Subject: Re: Disable Run in startmenu; no more typing IE address bar

Date: 09/17/2007 07:18:01

 

 

I want to disable the Run command for Terminal Server. They can start

everything on the server with the run command.

 

"Florian Frommherz [MVP]" wrote:

 

> Howdie!

>

> Willem schrieb:

> > Thanks for your reply, but the question is : > "Willem" wrote in message

> >>> Is there a workaround to disable the run command but to enable typing in

> >>> the address bar?

> > So is there a solution to work around the side effect?

>

> Not that I knew of. You could try to add shortcuts to common shares on

> the user's desktops. Why is it, you want to restrict "Run"?

>

> cheers,

>

> Florian

> --

> Microsoft MVP - Windows Server - Group Policy.

> eMail: prename [at] frickelsoft [dot] net.

> blog: http://www.frickelsoft.net/blog.

>

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Disable Run in startmenu; no more typing IE address bar

Date: 09/17/2007 07:00:36

 

 

I don't think so

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Willem" <Willem@discussions.microsoft.com> wrote in message

news:270A7F84-7829-4784-9238-49D78753E684@microsoft.com...

> Thanks for your reply, but the question is : > "Willem" wrote in message

>> > Is there a workaround to disable the run command but to enable typing

>> > in

>> > the address bar?

> So is there a solution to work around the side effect?

>

>

> "Mathieu CHATEAU" wrote:

>

>> Hello,

>>

>> indeed this is a documented side effect:

>>

>> Allows you to remove the Run command from the Start menu, Internet

>> Explorer,

>> and Task Manager.  If you enable this setting, the following changes

>> occur:

>> (1) The Run command is removed from the Start menu.  (2) The New Task

>> (Run)

>> command is removed from Task Manager.  (3) The user will be blocked from

>> entering the following into the Internet Explorer Address Bar:  --- A UNC

>> path: \\<server>\<share>   ---Accessing local drives:  e.g., C:  ---

>> Accessing local folders: e.g., \temp>  Also, users with extended

>> keyboards

>> will no longer be able to display the Run dialog box by pressing the

>> Application key (the key with the Windows logo) + R.  If you disable or

>> do

>> not configure this setting, users will be able to access the Run command

>> in

>> the Start menu and in Task Manager and use the Internet Explorer Address

>> Bar.    Note:This setting affects the specified interface only. It does

>> not

>> prevent users from using other methods to run programs.  Note: It is a

>> requirement for third-party applications with Windows 2000 or later

>> certification to adhere to this setting.

>>

>>

>> --

>> Cordialement,

>> Mathieu CHATEAU

>> http://lordoftheping.blogspot.com

>>

>>

>> "Willem" <Willem@discussions.microsoft.com> wrote in message

>> news:CE211EE4-D8C1-411F-8CD5-1AE9BDB6DBDE@microsoft.com...

>> >I removed the Run command from the startmenu (User

>> >settings/Administrative

>> > template/Start menu and taskbar/remove run from start menu) but a side

>> > effect

>> > is that users no longer can type a UNC path in the IE address bar.

>> >

>> > I've got drive mappings, i.e. I:\ maps to \\server\mymap

>> > When a user clicks to I:\2006\anothermap all works fine of course, but

>> > when

>> > the user wants to go to the same map in 2007 (I:\2007\anothermap) by

>> > just

>> > changing 2006 in 2007 in the address bar it is not allowed (because of

>> > the

>> > remove run policy).

>> >

>> > Is there a workaround to disable the run command but to enable typing

>> > in

>> > the address bar?

>> >

>>

>>

 

 

 



 

 

 

From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>

To: none

Subject: Re: Disable Run in startmenu; no more typing IE address bar

Date: 09/17/2007 06:41:39

 

 

Howdie!

 

Willem schrieb:

> Thanks for your reply, but the question is : > "Willem" wrote in message

>>> Is there a workaround to disable the run command but to enable typing in

>>> the address bar?

> So is there a solution to work around the side effect?

 

Not that I knew of. You could try to add shortcuts to common shares on

the user's desktops. Why is it, you want to restrict "Run"?

 

cheers,

 

Florian

--

Microsoft MVP - Windows Server - Group Policy.

eMail: prename [at] frickelsoft [dot] net.

blog: http://www.frickelsoft.net/blog.

 

 

 



 

 

 

From: Willem <Willem@discussions.microsoft.com>

To: none

Subject: Re: Disable Run in startmenu; no more typing IE address bar

Date: 09/17/2007 06:08:01

 

 

Thanks for your reply, but the question is : > "Willem" wrote in message

> > Is there a workaround to disable the run command but to enable typing in

> > the address bar?

So is there a solution to work around the side effect?

 

 

"Mathieu CHATEAU" wrote:

 

> Hello,

>

> indeed this is a documented side effect:

>

> Allows you to remove the Run command from the Start menu, Internet Explorer,

> and Task Manager.  If you enable this setting, the following changes occur:

> (1) The Run command is removed from the Start menu.  (2) The New Task (Run)

> command is removed from Task Manager.  (3) The user will be blocked from

> entering the following into the Internet Explorer Address Bar:  --- A UNC

> path: \\<server>\<share>   ---Accessing local drives:  e.g., C:  ---

> Accessing local folders: e.g., \temp>  Also, users with extended keyboards

> will no longer be able to display the Run dialog box by pressing the

> Application key (the key with the Windows logo) + R.  If you disable or do

> not configure this setting, users will be able to access the Run command in

> the Start menu and in Task Manager and use the Internet Explorer Address

> Bar.    Note:This setting affects the specified interface only. It does not

> prevent users from using other methods to run programs.  Note: It is a

> requirement for third-party applications with Windows 2000 or later

> certification to adhere to this setting.

> --

> Cordialement,

> Mathieu CHATEAU

> http://lordoftheping.blogspot.com

> "Willem" <Willem@discussions.microsoft.com> wrote in message

> news:CE211EE4-D8C1-411F-8CD5-1AE9BDB6DBDE@microsoft.com...

> >I removed the Run command from the startmenu (User settings/Administrative

> > template/Start menu and taskbar/remove run from start menu) but a side

> > effect

> > is that users no longer can type a UNC path in the IE address bar.

> >

> > I've got drive mappings, i.e. I:\ maps to \\server\mymap

> > When a user clicks to I:\2006\anothermap all works fine of course, but

> > when

> > the user wants to go to the same map in 2007 (I:\2007\anothermap) by just

> > changing 2006 in 2007 in the address bar it is not allowed (because of the

> > remove run policy).

> >

> > Is there a workaround to disable the run command but to enable typing in

> > the address bar?

> >

>

>

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Disable Run in startmenu; no more typing IE address bar

Date: 09/17/2007 05:56:55

 

 

Hello,

 

indeed this is a documented side effect:

 

Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager.

If you enable this setting, the following changes occur:

(1) The Run command is removed from the Start menu.

(2) The New Task (Run) command is removed from Task Manager.

(3) The user will be blocked from entering the following into the Internet Explorer Address Bar:

--- A UNC path: \\<server>\<share>

--- Accessing local drives: e.g., C:

--- Accessing local folders: e.g., \temp>

Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R.

If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar.

Note: This setting affects the specified interface only. It does not prevent users from using other methods to run programs.

Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting.

 

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Willem" <Willem@discussions.microsoft.com> wrote in message

news:CE211EE4-D8C1-411F-8CD5-1AE9BDB6DBDE@microsoft.com...

>I removed the Run command from the startmenu (User settings/Administrative

> template/Start menu and taskbar/remove run from start menu) but a side

> effect

> is that users no longer can type a UNC path in the IE address bar.

>

> I've got drive mappings, i.e. I:\ maps to \\server\mymap

> When a user clicks to I:\2006\anothermap all works fine of course, but

> when

> the user wants to go to the same map in 2007 (I:\2007\anothermap) by just

> changing 2006 in 2007 in the address bar it is not allowed (because of the

> remove run policy).

>

> Is there a workaround to disable the run command but to enable typing in

> the address bar?

>

 

 

 



 

 

 

From: G Johansson <fantomen@NOSPAM.GPfaq.se>

To: none

Subject: Re: Disable General Page for IE in Computer node does not work

Date: 09/25/2007 15:35:36

 

 

I think the USER node "wins" in this case.

Which means if you put disable in COMPUTER and enable in USER the final

result will be that it's enabled.

 

MS GPOsettings file doesn't say anything about this so I think the above is

correct...

--

Regards G Johansson

fantomen@NOSPAM.GPfaq.se

http://GPfaq.se

 

 

"T" <T@discussions.microsoft.com> wrote in message

news:F0CCC32F-3F0B-4031-8139-51CE55A9412E@microsoft.com...

> How does the COMPUTER node vs USER node take preference for IE.  We want

> to

> disable the General Page and set the default home page in IE using the

> computer node and not the user node.  When I set disable the general page

> in

> the computer node it is not working .  The RSoP said it was the runling

> Policy and it was set appropriately but when I went into IE the general

> page

> was not disabled.

 

 

 



 

 

 

From: Chris.Coops <chris.coops@hotmail.co.uk>

To: none

Subject: Re: Different User GPO depending on computer logging onto

Date: 09/27/2007 06:43:21

 

 

On 27 Sep, 12:13, "Chris.Coops" <chris.co...@hotmail.co.uk> wrote:

> Hi all,

> I hope there's someone out there that can help...

>

> I want to strip and lockdown the desktop when our users logon to a

> terminal services server without it affecting their logon to their

> local desktop.

> I have users in 1 OU, their desktop/laptop in another OU, and the

> terminal servers in third OU. I have 3 policies which apply to the

> users, their computer and the terminal servers individually, however,

> if I apply the terminal server GPO to the users, this means their own

> computer is also locked down.

>

> I want the GPO to only lockdown the desktop when the user's logon to

> the terminal servers, and at no other time.

>

> Does anyone know of a way of doing this?

>

> Thanks

> Chris

 

Brilliant, thanks very much. If only it was more obviously titled so a

quick search could have found it, and not been one of those frequent

newsgroup questions you're always coming across!

 

Chris

 

 

 



 

 

 

From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>

To: none

Subject: Re: Different User GPO depending on computer logging onto

Date: 09/27/2007 06:22:26

 

 

Howdie!

 

Chris.Coops wrote:

> I want the GPO to only lockdown the desktop when the user's logon to

> the terminal servers, and at no other time.

 

Your keyword is "Loopback Processing Mode":

 

http://www.frickelsoft.net/blog/?p=22

 

cheers,

 

Florian

--

Microsoft MVP - Windows Server - Group Policy.

eMail: prename [at] frickelsoft [dot] net.

blog: http://www.frickelsoft.net/blog.
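
How loopback processing changes which GPOs supply a user's settings, as an added example that is not part of the original posts. It models the three-OU layout from the question; the container, GPO and setting names are hypothetical, and site links, enforcement, inheritance blocking and security filtering are left out.

```python
# Constructed directory layout modelled on the question: users, their desktops
# and the terminal servers sit in three separate OUs. All names are hypothetical.
GPO_LINKS = {                       # container -> GPOs linked there, in order
    "corp.example": ["Default Domain Policy"],
    "corp.example/Staff": ["Staff Users"],
    "corp.example/Desktops": ["Desktop Computers"],
    "corp.example/TerminalServers": ["TS Lockdown"],
}
USER_SETTINGS = {                   # the User Configuration half of each GPO
    "Default Domain Policy": {},
    "Staff Users": {"Remove Run menu": "Disabled", "Desktop wallpaper": "corp.bmp"},
    "Desktop Computers": {},
    "TS Lockdown": {"Remove Run menu": "Enabled", "Prohibit Control Panel": "Enabled"},
}
# Loopback is a Computer Configuration setting, so it is recorded per GPO
# and only takes effect on computers that the GPO applies to.
LOOPBACK = {"TS Lockdown": "replace"}

def gpos_in_scope(container):
    """GPOs from the domain root down to the object's own OU (parent first)."""
    parts = container.split("/")
    scope = []
    for depth in range(1, len(parts) + 1):
        scope += GPO_LINKS.get("/".join(parts[:depth]), [])
    return scope

def loopback_mode(computer_ou):
    """The last GPO in the computer's scope that sets loopback wins; None if unset."""
    mode = None
    for gpo in gpos_in_scope(computer_ou):
        mode = LOOPBACK.get(gpo, mode)
    return mode

def resultant_user_settings(user_ou, computer_ou):
    """User settings in effect when a user from user_ou logs on to a computer in computer_ou."""
    mode = loopback_mode(computer_ou)
    if mode == "replace":           # only the computer's GPOs supply user settings
        order = gpos_in_scope(computer_ou)
    elif mode == "merge":           # the user's GPOs first, then the computer's
        order = gpos_in_scope(user_ou) + gpos_in_scope(computer_ou)
    else:                           # no loopback: only the user's GPOs
        order = gpos_in_scope(user_ou)
    result = {}
    for gpo in order:               # later GPOs overwrite earlier ones on conflict
        result.update(USER_SETTINGS[gpo])
    return result

if __name__ == "__main__":
    for ou in ("corp.example/Desktops", "corp.example/TerminalServers"):
        print(ou, resultant_user_settings("corp.example/Staff", ou))
```
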

 

 

 



 

 

 

From: Cassidy Macfarlane <CassidyMacfarlane@discussions.microsoft.com>

To: none

Subject: RE: Deploy MSN Live Messenger through Group Policy

Date: 09/26/2007 09:18:07

 

 

OK, I have found a fix for this, folks:

 

you have to download the windows installer SDK (free)

install the 'Orca' MSI config tool ( found in the 'bin' folder of the SDK

install)

use orca to edit the MSI you extract from the messenger installer to add the

'AdvtExecuteSequence' table, then add the following rows to that table.

 

Action                  Sequence
----------------------  --------
CostInitialize          800
CostFinalize            1000
InstallValidate         1400
InstallInitialize       1500
CreateShortcuts         4500
RegisterClassInfo       4600
RegisterExtensionInfo   4700
RegisterProgIdInfo      4800
RegisterMIMEInfo        4900
PublishComponents       6200
MsiPublishAssemblies    6250
PublishFeatures         6300
PublishProduct          6400
InstallFinalize         6600

 

then add the final row to that table:

 

action: ProgramMenuFolder.ADEB440D_7847_4F65_80BD_899870ED2EC9
condition: {NULL}
sequence: 1

 

this fixed it for me.  Apparently MS have deliberately disabled GP publish

functionality for Live messenger, the additions above simply re-enable it.

 

good luck with this, caused me a headache, but it IS working now.

 

cheers

 

 

"rscyber" wrote:

 

>

> Hi, i have the same problem.

> "Cassidy Macfarlane" wrote:

>

> > I am having the exact same problem - after a recent auto-update through WSUS,

> > some clients are getting 'a new version of messenger is available' prompts,

> > and when I try to publish the msnmsgs.MSI extracted from

> > install_messenger.exe through GP, I get the error as shown by Per-Torben

> > below.

> >

> > Thanks in advance for any assistance.

> >

> > "Per-Torben Sørensen" wrote:

> >

> > > Hello.

> > >

> > > I'm trying to publish MSN Live Messenger to users via a group policy but the

> > > install keeps failing with "A fatal error occured during installation". The

> > > "always install with elevated privileges" policy is enabled on both users and

> > > computer settings and they have access to the share. The users are not local

> > > admins on their desktops.

> > >

> > > Anyone who can help me please?

> > >

> > > Regards

> > > Per-Torben Sørensen

> > >

> > >

> > >

 

 

 



 

 

 

From: rscyber <rscyber@discussions.microsoft.com>

To: none

Subject: RE: Deploy MSN Live Messenger through Group Policy

Date: 09/25/2007 14:40:05

 

 

Hi, i have the same problem.

"Cassidy Macfarlane" wrote:

 

> I am having the exact same problem - after a recent auto-update through WSUS,

> some clients are getting 'a new version of messenger is available' prompts,

> and when I try to publish the msnmsgs.MSI extracted from

> install_messenger.exe through GP, I get the error as shown by Per-Torben

> below.

>

> Thanks in advance for any assistance.

>

> "Per-Torben Sørensen" wrote:

>

> > Hello.

> >

> > I'm trying to publish MSN Live Messenger to users via a group policy but the

> > install keeps failing with "A fatal error occured during installation". The

> > "always install with elevated privileges" policy is enabled on both users and

> > computer settings and they have access to the share. The users are not local

> > admins on their desktops.

> >

> > Anyone who can help me please?

> >

> > Regards

> > Per-Torben Sørensen

> >

> >

> >

 

 

 



 

 

 

From: Cassidy Macfarlane <Cassidy Macfarlane@discussions.microsoft.com>

To: none

Subject: RE: Deploy MSN Live Messenger through Group Policy

Date: 09/20/2007 11:46:03

 

 

I am having the exact same problem - after a recent auto-update through WSUS,

some clients are getting 'a new version of messenger is available' prompts,

and when I try to publish the msnmsgs.MSI extracted from

install_messenger.exe through GP, I get the error as shown by Per-Torben

below.

 

Thanks in advance for any assistance.

 

"Per-Torben Sørensen" wrote:

 

> Hello.

>

> I'm trying to publish MSN Live Messenger to users via a group policy but the

> install keeps failing with "A fatal error occured during installation". The

> "always install with elevated privileges" policy is enabled on both users and

> computer settings and they have access to the share. The users are not local

> admins on their desktops.

>

> Anyone who can help me please?

>

> Regards

> Per-Torben Sørensen

>

 

 

 



 

 

 

From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>

To: none

Subject: Re: Deny Clear all Events in Event Viewer?

Date: 09/19/2007 11:06:54

 

 

BayCoMIS wrote:

> Hello.

>

> I have a user who will clear her own event logs, which I do not want

> her doing.  I'm unsure of a way to do this within the Group Policy.

>

> I don't mind that she can view it or make a backup of it.  I just

> don't want her -- or anyone who is not an Administrator -- to have

> the ability to clear out a log.

>

> Any help would be most appreciated!

 

 

http://msdn2.microsoft.com/en-us/library/4xz6w79h(VS.80).aspx

 

Lists the permissions required for the event logs. You have some room to

'tweak' a novice, but as administrator there's limits on your overall

success.

 

--

/kj

 

 

 



 

 

 

From: Roger Abell [MVP] <mvpNoSpam@asu.edu>

To: none

Subject: Re: Deny Clear all Events in Event Viewer?

Date: 09/19/2007 09:54:22

 

 

I agree with Mathieu in that users should not be admin, that the vast

majority of old software can be made to work without grant of admin.

 

I also wanted to add that there is no simple way to prevent an admin

from doing things allowed to Administrators, like clearing the event logs,

and when one does find a way it is usually not difficult for the admin

to walk around / ignore the restriction.

 

Roger

 

"BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message

news:E382324C-43DC-4857-9C6F-ABA09E5CA1A3@microsoft.com...

>I appreciate the fast response; I suppose I should have provided more

> information in my first request.

>

> True, she is a local admin, but we are running some (archaic) software

> that

> requires the user to be a local admin, so we cannot change that without

> killing access to the software she's using.

>

> So, is there any way within Group Policy to deny access to "Clear all

> Events" to a user on a system, based on the user's login name?

>

> Patrick

>

> "Mathieu CHATEAU" wrote:

>

>> standard user can't clear eventlog

>>

>> So if she can, she would be local admin

>>

>> --

>> Regards,

>> Mathieu CHATEAU

>> http://lordoftheping.blogspot.com

>>

>>

>> "BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message

>> news:A0B0B521-C229-4E22-B14D-E0C0208C19B1@microsoft.com...

>> > Hello.

>> >

>> > I have a user who will clear her own event logs, which I do not want

>> > her

>> > doing.  I'm unsure of a way to do this within the Group Policy.

>> >

>> > I don't mind that she can view it or make a backup of it.  I just don't

>> > want

>> > her -- or anyone who is not an Administrator -- to have the ability to

>> > clear

>> > out a log.

>> >

>> > Any help would be most appreciated!

>> >

>>

>>
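
As the reply above notes, a member of Administrators cannot reliably be stopped from clearing logs, so the practical control is to detect the clear and alert on it. The following is an added example, not part of any post in this thread: it parses exported event XML and reports log clears by accounts outside an allowlist. It assumes Windows Vista / Server 2008 or later, where clearing the Security log writes event 1102 and clearing another log writes event 104 to the System log; the account names, computer name and sample events are constructed.

```python
import xml.etree.ElementTree as ET

# (channel the event is written to, event ID) pairs that record a log clear
# on Windows Vista / Server 2008 and later.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Assumption: the only account permitted to clear logs (hypothetical name).
ALLOWED = {"CORP\\svc-logrotate"}

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
CLEAR_NS = "http://manifests.microsoft.com/win/2004/08/windows/eventlog"

def make_event(event_id, channel, when, user=None, domain=None, cleared=None):
    """Build a constructed, trimmed event record in the exported XML layout."""
    data = ""
    if user:
        log = f"<Channel>{cleared}</Channel>" if cleared else ""
        data = (f'<UserData><LogFileCleared xmlns="{CLEAR_NS}">'
                f"<SubjectUserName>{user}</SubjectUserName>"
                f"<SubjectDomainName>{domain}</SubjectDomainName>{log}"
                "</LogFileCleared></UserData>")
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Channel>{channel}</Channel>'
            f"<Computer>WS042</Computer></System>{data}</Event>")

# Constructed sample input: two clears and one unrelated service event.
SAMPLE_EVENTS = [
    make_event(1102, "Security", "2024-03-04T14:05:11Z", "jdoe", "CORP"),
    make_event(104, "System", "2024-03-04T14:05:40Z", "svc-logrotate", "CORP", "Application"),
    make_event(7036, "System", "2024-03-04T14:06:02Z"),
]

def first(elem, name):
    """First descendant with this local name, ignoring XML namespaces."""
    return next((e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def parse_clear(xml_text):
    """Return details of a log-clear event, or None for any other event."""
    root = ET.fromstring(xml_text)
    system = first(root, "System")
    key = (first(system, "Channel").text, int(first(system, "EventID").text))
    data = first(root, "LogFileCleared")
    if key not in CLEAR_EVENTS or data is None:
        return None
    def field(name, default):
        node = first(data, name)
        return node.text if node is not None and node.text else default
    return {
        "time": first(system, "TimeCreated").get("SystemTime"),
        "computer": first(system, "Computer").text,
        # Event 1102 has no Channel field: it always refers to the Security log.
        "cleared_log": field("Channel", "Security" if key[1] == 1102 else "unknown"),
        "account": field("SubjectDomainName", "?") + "\\" + field("SubjectUserName", "?"),
    }

def unauthorized_clears(events, allowed=ALLOWED):
    """Log clears performed by accounts that are not on the allowlist."""
    permitted = {a.lower() for a in allowed}
    hits = (parse_clear(x) for x in events)
    return [h for h in hits if h and h["account"].lower() not in permitted]

if __name__ == "__main__":
    for hit in unauthorized_clears(SAMPLE_EVENTS):
        print(f'{hit["time"]} {hit["computer"]}: {hit["account"]} cleared {hit["cleared_log"]}')
```

Because the clear event is written to the log being emptied (or to the System log on the same machine), this check is only dependable when events are forwarded to a collector the local administrator does not control.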

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Deny Clear all Events in Event Viewer?

Date: 09/18/2007 14:37:19

 

 

Even very old software can work without admin rights.

 

Just use process monitor to identify the bad things it will get denied with

a standard account

http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

 

Getting rid of having admin users should be in your high priority.

 

I have done it many times, never found an application that couldn't work

with standard user + ntfs/registry right

 

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message

news:E382324C-43DC-4857-9C6F-ABA09E5CA1A3@microsoft.com...

>I appreciate the fast response; I suppose I should have provided more

> information in my first request.

>

> True, she is a local admin, but we are running some (archaic) software

> that

> requires the user to be a local admin, so we cannot change that without

> killing access to the software she's using.

>

> So, is there any way within Group Policy to deny access to "Clear all

> Events" to a user on a system, based on the user's login name?

>

> Patrick

>

> "Mathieu CHATEAU" wrote:

>

>> standard user can't clear eventlog

>>

>> So if she can, she would be local admin

>>

>> --

>> Regards,

>> Mathieu CHATEAU

>> http://lordoftheping.blogspot.com

>>

>>

>> "BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message

>> news:A0B0B521-C229-4E22-B14D-E0C0208C19B1@microsoft.com...

>> > Hello.

>> >

>> > I have a user who will clear her own event logs, which I do not want

>> > her

>> > doing.  I'm unsure of a way to do this within the Group Policy.

>> >

>> > I don't mind that she can view it or make a backup of it.  I just don't

>> > want

>> > her -- or anyone who is not an Administrator -- to have the ability to

>> > clear

>> > out a log.

>> >

>> > Any help would be most appreciated!

>> >

>>

>>

 

 

 



 

 

 

From: BayCoMIS <BayCoMIS@discussions.microsoft.com>

To: none

Subject: Re: Deny Clear all Events in Event Viewer?

Date: 09/18/2007 14:32:01

 

 

I appreciate the fast response; I suppose I should have provided more

information in my first request.

 

True, she is a local admin, but we are running some (archaic) software that

requires the user to be a local admin, so we cannot change that without

killing access to the software she's using.

 

So, is there any way within Group Policy to deny access to "Clear all

Events" to a user on a system, based on the user's login name?

 

Patrick

 

"Mathieu CHATEAU" wrote:

 

> standard user can't clear eventlog

>

> So if she can, she would be local admin

>

> --

> Regards,

> Mathieu CHATEAU

> http://lordoftheping.blogspot.com

> "BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message

> news:A0B0B521-C229-4E22-B14D-E0C0208C19B1@microsoft.com...

> > Hello.

> >

> > I have a user who will clear her own event logs, which I do not want her

> > doing.  I'm unsure of a way to do this within the Group Policy.

> >

> > I don't mind that she can view it or make a backup of it.  I just don't

> > want

> > her -- or anyone who is not an Administrator -- to have the ability to

> > clear

> > out a log.

> >

> > Any help would be most appreciated!

> >

>

>

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Deny Clear all Events in Event Viewer?

Date: 09/18/2007 14:20:55

 

 

standard user can't clear eventlog

 

So if she can, she would be local admin

 

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"BayCoMIS" <BayCoMIS@discussions.microsoft.com> wrote in message

news:A0B0B521-C229-4E22-B14D-E0C0208C19B1@microsoft.com...

> Hello.

>

> I have a user who will clear her own event logs, which I do not want her

> doing.  I'm unsure of a way to do this within the Group Policy.

>

> I don't mind that she can view it or make a backup of it.  I just don't

> want

> her -- or anyone who is not an Administrator -- to have the ability to

> clear

> out a log.

>

> Any help would be most appreciated!

>

 

 

 



 

 

 

From: Kyle Blake <KyleBlake@discussions.microsoft.com>

To: none

Subject: RE: Deleting a GPO FULLY

Date: 09/25/2007 12:14:00

 

 

Forget it I found it.

 

Thanks

---------------------------------------------------

If you delete a "link" to a Group Policy, that does not "delete" the Group

Policy.

 

In GPMC, open the built in Group Policy Objects container (the last item in

the list under the Domain name) and delete the GPO from there.  You will get

a prompt asking you if you really want to delete the GPO.

 

Depending on how replication is configured in your domain, it can take
several minutes (e.g. more than 5 minutes) for a change (including addition
or deletion of a GPO) to get replicated to all of the domain controllers.

 

--

Bruce Sanderson MVP

 

 

 

"Kyle Blake" wrote:

 

> Hi,

>

> I'm using Group Policy Mgmt Console V1.02 with MMC v3.

>

> I'm having problems deleting the whole GPO.

>

> I right click delete but I still see the old code in sysvol.

>

> In the old days before this console AD users and Computers did a good job

> of ensuring you had that choice.

>

> I'm missing something, can someone tell where the new way to delete it is?

>

>

 

 

 



 

 

 

From: NH <nh@noreply.com>

To: none

Subject: Re: Deleted GPO

Date: 09/21/2007 14:40:12

 

 

2003 R2.

 

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message news:

ff16fb6658f738c9caaaf4cb84c8@msnews.microsoft.com...

> Hello NH,

>

> Which server version did you use, 2000 or 2003?

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and

> confers no rights.

>

>> I created GPOs to install printers.

>> Now, I don't need those GPO.  I deleted these GPO but they still

>> apply.

>> How can I deactivate those GPO ?

>

>

 

 

 



 

 

 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Deleted GPO

Date: 09/21/2007 14:10:22

 

 

Hello NH,

 

Which server version did you use, 2000 or 2003?

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> I created GPOs to install printers.

> Now, I don't need those GPO.  I deleted these GPO but they still

> apply.

> How can I deactivate those GPO ?

 

 

 



 

 

 

From: Phillip Windell <philwindell@hotmail.com>

To: none

Subject: Re: Define intranet zone

Date: 09/26/2007 08:35:32

 

 

Once you do that you will have to define All entries in All the Zones,...it

will no longer be able to be done at the local machine.

 

--

Phillip Windell

www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

 

"Björn" <bjoernurbanek@gmx.de> wrote in message

news:%23gGeeCEAIHA.536@TK2MSFTNGP06.phx.gbl...

> Hello NG!

>

> I want to define one entry in "IE Security -> intranet zone -> site" with

> GPOs.

> Is it possible and how can I make it?

>

> Many Thanks!

 

 

 



 

 

 

From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>

To: none

Subject: Re: default number of concurrent login allowed by GP

Date: 09/18/2007 13:16:24

 

 

Howdie!

 

Dan wrote:

> What is the default number of concurrent logins allowed by GP is not

> configured for anything number?

 

There is no default limit on how many (different) machines a user can be

logged on at the same time. People can log on to any number of machines

they wish.

 

You cannot limit this via Group Policy - you'd need a third party tool

like limitlogon or something like that in order to handle that.

 

cheers,

 

Florian

--

Microsoft MVP - Windows Server - Group Policy.

eMail: prename [at] frickelsoft [dot] net.

blog: http://www.frickelsoft.net/blog.

 

 

 



 

 

 

From: Roger Abell [MVP] <mvpNoSpam@asu.edu>

To: none

Subject: Re: default number of concurrent login allowed by GP

Date: 09/18/2007 10:46:39

 

 

There is no constraint imposed by Windows on the number of

concurrent authenticated login sessions an account may have.

Take a look at (the somewhat involved to implement)

limitlogon  (newer)

cconnect  (older reskit)

or the relatively simple method with network shares

http://support.microsoft.com/kb/260364

 

Roger

 

"Dan" <Dan@discussions.microsoft.com> wrote in message

news:31522B58-AF4D-4894-864F-9B12FB672653@microsoft.com...

> What is the default number of concurrent logins allowed by GP is not

> configured for anything number?

>

> Then if I need to alter this, where in GP or where the config lives, do I

> make the alterations?

>

> I don't see anything about it in my default user security policy.

 

 

 



 


 
