GPTalk Mailing List

[gptalk] GPO Backgroun Images (UNCLASSIFIED)

gtmaxwell — Fri, 02 Oct 2009 21:27:03 GMT

Classification: UNCLASSIFIED
Caveats: NONE

Hi to all,

How can I force a standard background image I created through GPO?

Thanks to all and I hope everyone has a great Weekend!

Gregory T Maxwell
System Administrator
Network Enterprise Centert (NEC)
Fort Huachuca, AZ
(520)533-2393

https://ice.disa.mil/index.cfm?fa=service_provider_list&site_id=277&serv
ice_category_id=34

Classification: UNCLASSIFIED
Caveats: NONE

[gptalk] IE GPO - remove toobar

mdzikowski — Fri, 02 Oct 2009 16:29:13 GMT

How can I remove this tool bar and all the icons...

[cid:image001.png@01CA4353.2F117420]

==============================================================================
CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.

Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.

==============================================================================

[gptalk] Group Policy for PST Size Limit

DhirajHaritwal — Fri, 02 Oct 2009 11:42:54 GMT

Hi,

I want to deploy a policy to restrict Outlook PST size to 2 GB after that a new PST should be created automatically & the delivery should be set to that PST. Because in some cases I have seen PST may corrupt after 3-4 GB. Kindly tell me how can I do this.

Regards,

Dhiraj

________________________________
This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway..

Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

pmgough — Fri, 02 Oct 2009 05:49:59 GMT

I've attached a copy of the report.

2009/10/2 Darren Mar-Elia <darren@sdmsoftware.com>

> OK. Then something is definitely screwed up. Can you post the RSOP report
> for one of these machines with the domain admin user logging in?
>
>
>
> Darren
>
>
>
> *From:* gptalk-owner@lists.gpoguy.com [mailto:
> gptalk-owner@lists.gpoguy.com] *On Behalf Of *Peter Gough
> *Sent:* Thursday, October 01, 2009 5:25 PM
>
> *To:* gptalk@lists.gpoguy.com
> *Subject:* Re: [gptalk] Domain Admins unable to manage workstations -
> group / local policy strangeness
>
>
>
> These are brand new machines. We're building them using the same install
> media we've used previously and then joining them to our domain. Nothing in
> this part of our process has changed.
>
> 2009/10/2 Darren Mar-Elia <darren@sdmsoftware.com>
>
> It depends upon how the loopback policy is setup (i.e. where its linked and
> whether its security-group filtered) but if you don’t see it, that’s not the
> issue. Let me ask this. You said earlier in the thread that this is only
> affecting new machines that you join to the domain? Where did these machines
> come from? Were they in another AD domain? If so, what you may be seeing is
> some lingering policies that were implemented in that original domain. I’ve
> seen this problem before and its ugly.
>
>
>
> Darren
>
>
>
> *From:* gptalk-owner@lists.gpoguy.com [mailto:
> gptalk-owner@lists.gpoguy.com] *On Behalf Of *Peter Gough
> *Sent:* Thursday, October 01, 2009 4:16 PM
>
>
> *To:* gptalk@lists.gpoguy.com
> *Subject:* Re: [gptalk] Domain Admins unable to manage workstations -
> group / local policy strangeness
>
>
>
> I've checked and there's definitely no loopback enabled on any of my
> policies. If there was wouldn't this affect all machines anyway?
>
> 2009/10/2 Darren Mar-Elia <darren@sdmsoftware.com>
>
> Another thing to look into Peter—make sure you don’t have loopback enabled
> on these computers at some point. This could be causing the effect you’re
> seeing.
>
>
>
> Darren
>
> ****
>
> Darren Mar-Elia
>
> CTO & Founder
>
> SDM Software, Inc.
>
> "*The Group Policy Experts"*
>
> www.sdmsoftware.com
>
> Founder— www.gpoguy.com – The Group Policy Resource Site
>
> Blog: www.sdmsoftware.com/blog
>
> Twitter: www.twitter.com/grouppolicyguy
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *From:* gptalk-owner@lists.gpoguy.com [mailto:
> gptalk-owner@lists.gpoguy.com] *On Behalf Of *Peter Gough
> *Sent:* Thursday, October 01, 2009 7:07 AM
>
>
> *To:* gptalk@lists.gpoguy.com
>
> *Subject:* Re: [gptalk] Domain Admins unable to manage workstations -
> group / local policy strangeness
>
>
>
> Thanks guys. I'm off to bed now (00:06 in Brisbane having just watched last
> week's MotD <http://en.wikipedia.org/wiki/MOTD> (I'm a Pom<http://en.wikipedia.org/wiki/Alternative_words_for_British#Pommy>!)).
> I'll try out your suggestions tomorrow and let you know how I get on.
>
> Peter
>
> 2009/10/1 Tim Bolton <jsclmedave@gmail.com>
>
> Peter
>
>
>
> This link may help
> http://www.windowsnetworking.com/articles_tutorials/Resultant-Set-Policy-Queries-GPRESULT.html
> Have not looked at any differences - if any - in 2008 as of yet.
>
>
>
>
> Tim Bolton
> 148 2nd Street North
> Central City Iowa, 52214
>
> Microsoft Certified IT Professional
>
> On Thu, Oct 1, 2009 at 8:12 AM, Peter Gough <pmgough@gmail.com> wrote:
>
> Wow! Hadn't realised GP Preferences weren't displayed when I ran RSoP on
> the box itself, although I wish I'd noticed!
>
> I'm at home at the moment (it's 23:10 in Brisbane!) but are you suggesting
> running something like:
>
> gpresult /s \\myproblemcomputer /v ... from my Server 2008?
>
> I'll give it a go tomorrow morning.
>
> Thanks,
>
> Peter
>
> 2009/10/1 Andrew McHale <Andrew.McHale@synergix.co.uk>
>
>
>
> Hi Peter
>
>
>
> If you’re applying GP Preferences to an XP machine you won’t see the
> results of that in an RSoP report ran on that machine as it can’t display
> GPP settings.
>
>
>
> Try running GPResult for the problematic machine, but from a 2008 machine
> to get a true picture of all the settings being applied.
>
>
>
> Andrew
>
>
>
>
>
> *From:* Peter Gough [mailto:pmgough@gmail.com]
> *Sent:* 01 October 2009 13:39
>
>
> *To:* gptalk@lists.gpoguy.com
>
> *Subject:* Re: [gptalk] Domain Admins unable to manage workstations -
> group / local policy strangeness
>
>
>
> The only other thing I can think of that's changed recently is that we've
> started managing policies from a Windows Server 2008 box to take advantage
> of the Group Policy Preference stuff. Would that have any impact?
>
> 2009/10/1 Peter Gough <pmgough@gmail.com>
>
> I don't believe that's the case. The image we're currently using is fairly
> new but we've installed an old image on a couple of workstations to see if
> this is the issue and the same problem occurs. We've also setup a total
> vanilla-build workstation from our original XP SP2 disks and again we're
> seeing the same issue.
>
> This seems to be an active directory / group policy thing rather than a
> workstation specific problem.
>
> The thing that's got me baffled is that the results we're getting from
> running RSoP against the machine don't reflect what we're experiencing on
> the ground. RSoP says everything is normal but domain admins are still
> unable to login to a machine and run services.msc (for example).
>
> 2009/10/1 Martin Hugo <Martin_Hugo@hboe.org>
>
>
>
> Is it in the local policies of your image?
>
>
>
>
>
> Martin T. Hugo
>
> Network Administrator
>
> Hilliard City Schools
>
> 614-921-7102 (Ph)
>
> 614-771-7243 (Fax)
>
> *Error! Filename not specified.*Think before you print
>
>
>
>
>
>
>
> *From:* gptalk-owner@lists.gpoguy.com [mailto:
> gptalk-owner@lists.gpoguy.com] *On Behalf Of *Peter Gough
> *Sent:* Thursday, October 01, 2009 2:36 AM
> *To:* gptalk@lists.gpoguy.com
> *Subject:* [gptalk] Domain Admins unable to manage workstations - group /
> local policy strangeness
>
>
>
> I've got a bit of a strange problem which I've been totally unable to
> resolve. Essentially what's happening is that when I join a workstation to
> our Windows Server 2003 domain the domain admins are affected by our
> restrictive group policies and we are unable to manage the machines. For
> example a domain admin is unable to launch regedit, manage services etc.
>
> We restrict this sort of stuff for our regular users but currently on any
> new workstations we join to the domain *all* domain user accounts are being
> affected. Interestingly group policy settings appear to be applied correctly
> on existing workstations.
>
> The only 'fix' I've found is to login as a local admin, launch group policy
> for the local machine and navigate to [User Config / Admin Templates /
> System / Prevent access to registry editing tools].
>
> I then change this setting from its default 'Not Configured' state to
> 'Disabled', hit apply, then change it back again to 'Not Configured' and hit
> apply and suddenly domain admins can run regedit and standard domain users
> can't.
>
> In order to get access to some of the other restricted stuff I have to
> login as a local admin, navigate to [User Config / Admin Templates / Windows
> Components / Microsoft Management Console / Restrict users to the explicitly
> permitted list of snap-ins] and again toggle the settings.
>
> The change happens even before I move the computer object into any of our
> sub OUs so none of our restrictive policies should be applied at this point.
> When I run an RSoP against the machine it tells me that only the Default
> Domain Policy is applied (which doesn't contain any of our restrictive
> policies) and that the Local Policy isn't applied because it is empty.
>
> Any thoughts on why this might be happening or what I can do next to
> troubleshoot?
>
> Thanks,
>
> Peter
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

RE: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

dmarelia — Fri, 02 Oct 2009 05:25:57 GMT

OK. Then something is definitely screwed up. Can you post the RSOP report for one of these machines with the domain admin user logging in?

Darren

From: gptalk-owner@lists.gpoguy.com [mailto:gptalk-owner@lists.gpoguy.com] On Behalf Of Peter Gough
Sent: Thursday, October 01, 2009 5:25 PM
To: gptalk@lists.gpoguy.com
Subject: Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

These are brand new machines. We're building them using the same install media we've used previously and then joining them to our domain. Nothing in this part of our process has changed.
2009/10/2 Darren Mar-Elia <darren@sdmsoftware.com<mailto:darren@sdmsoftware.com>>

It depends upon how the loopback policy is setup (i.e. where its linked and whether its security-group filtered) but if you don't see it, that's not the issue. Let me ask this. You said earlier in the thread that this is only affecting new machines that you join to the domain? Where did these machines come from? Were they in another AD domain? If so, what you may be seeing is some lingering policies that were implemented in that original domain. I've seen this problem before and its ugly.

Darren

From: gptalk-owner@lists.gpoguy.com<mailto:gptalk-owner@lists.gpoguy.com> [mailto:gptalk-owner@lists.gpoguy.com<mailto:gptalk-owner@lists.gpoguy.com>] On Behalf Of Peter Gough
Sent: Thursday, October 01, 2009 4:16 PM

To: gptalk@lists.gpoguy.com<mailto:gptalk@lists.gpoguy.com>
Subject: Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

I've checked and there's definitely no loopback enabled on any of my policies. If there was wouldn't this affect all machines anyway?

2009/10/2 Darren Mar-Elia <darren@sdmsoftware.com<mailto:darren@sdmsoftware.com>>

Another thing to look into Peter-make sure you don't have loopback enabled on these computers at some point. This could be causing the effect you're seeing.

Darren

****

Darren Mar-Elia

CTO & Founder

SDM Software, Inc.

"The Group Policy Experts"

www.sdmsoftware.com<http://www.sdmsoftware.com/>

Founder- www.gpoguy.com<http://www.gpoguy.com> - The Group Policy Resource Site

Blog: www.sdmsoftware.com/blog<http://www.sdmsoftware.com/blog>

Twitter: www.twitter.com/grouppolicyguy<http://www.twitter.com/grouppolicyguy>

From: gptalk-owner@lists.gpoguy.com<mailto:gptalk-owner@lists.gpoguy.com> [mailto:gptalk-owner@lists.gpoguy.com<mailto:gptalk-owner@lists.gpoguy.com>] On Behalf Of Peter Gough
Sent: Thursday, October 01, 2009 7:07 AM

To: gptalk@lists.gpoguy.com<mailto:gptalk@lists.gpoguy.com>

Subject: Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

Thanks guys. I'm off to bed now (00:06 in Brisbane having just watched last week's MotD<http://en.wikipedia.org/wiki/MOTD> (I'm a Pom<http://en.wikipedia.org/wiki/Alternative_words_for_British#Pommy>!)). I'll try out your suggestions tomorrow and let you know how I get on.

Peter

2009/10/1 Tim Bolton <jsclmedave@gmail.com<mailto:jsclmedave@gmail.com>>

Peter

This link may help http://www.windowsnetworking.com/articles_tutorials/Resultant-Set-Policy-Queries-GPRESULT.html Have not looked at any differences - if any - in 2008 as of yet.

Tim Bolton
148 2nd Street North
Central City Iowa, 52214

Microsoft Certified IT Professional

On Thu, Oct 1, 2009 at 8:12 AM, Peter Gough <pmgough@gmail.com<mailto:pmgough@gmail.com>> wrote:

Wow! Hadn't realised GP Preferences weren't displayed when I ran RSoP on the box itself, although I wish I'd noticed!

I'm at home at the moment (it's 23:10 in Brisbane!) but are you suggesting running something like:

gpresult /s \\myproblemcomputer /v ... from my Server 2008?

I'll give it a go tomorrow morning.

Thanks,

Peter

2009/10/1 Andrew McHale <Andrew.McHale@synergix.co.uk<mailto:Andrew.McHale@synergix.co.uk>>

Hi Peter

If you're applying GP Preferences to an XP machine you won't see the results of that in an RSoP report ran on that machine as it can't display GPP settings.

Try running GPResult for the problematic machine, but from a 2008 machine to get a true picture of all the settings being applied.

Andrew

From: Peter Gough [mailto:pmgough@gmail.com<mailto:pmgough@gmail.com>]
Sent: 01 October 2009 13:39

To: gptalk@lists.gpoguy.com<mailto:gptalk@lists.gpoguy.com>

Subject: Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

The only other thing I can think of that's changed recently is that we've started managing policies from a Windows Server 2008 box to take advantage of the Group Policy Preference stuff. Would that have any impact?

2009/10/1 Peter Gough <pmgough@gmail.com<mailto:pmgough@gmail.com>>

I don't believe that's the case. The image we're currently using is fairly new but we've installed an old image on a couple of workstations to see if this is the issue and the same problem occurs. We've also setup a total vanilla-build workstation from our original XP SP2 disks and again we're seeing the same issue.

This seems to be an active directory / group policy thing rather than a workstation specific problem.

The thing that's got me baffled is that the results we're getting from running RSoP against the machine don't reflect what we're experiencing on the ground. RSoP says everything is normal but domain admins are still unable to login to a machine and run services.msc (for example).

2009/10/1 Martin Hugo <Martin_Hugo@hboe.org<mailto:Martin_Hugo@hboe.org>>

Is it in the local policies of your image?

Martin T. Hugo

Network Administrator

Hilliard City Schools

614-921-7102 (Ph)

614-771-7243 (Fax)

Error! Filename not specified.Think before you print

From: gptalk-owner@lists.gpoguy.com<mailto:gptalk-owner@lists.gpoguy.com> [mailto:gptalk-owner@lists.gpoguy.com<mailto:gptalk-owner@lists.gpoguy.com>] On Behalf Of Peter Gough
Sent: Thursday, October 01, 2009 2:36 AM
To: gptalk@lists.gpoguy.com<mailto:gptalk@lists.gpoguy.com>
Subject: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

I've got a bit of a strange problem which I've been totally unable to resolve. Essentially what's happening is that when I join a workstation to our Windows Server 2003 domain the domain admins are affected by our restrictive group policies and we are unable to manage the machines. For example a domain admin is unable to launch regedit, manage services etc.

We restrict this sort of stuff for our regular users but currently on any new workstations we join to the domain *all* domain user accounts are being affected. Interestingly group policy settings appear to be applied correctly on existing workstations.

The only 'fix' I've found is to login as a local admin, launch group policy for the local machine and navigate to [User Config / Admin Templates / System / Prevent access to registry editing tools].

I then change this setting from its default 'Not Configured' state to 'Disabled', hit apply, then change it back again to 'Not Configured' and hit apply and suddenly domain admins can run regedit and standard domain users can't.

In order to get access to some of the other restricted stuff I have to login as a local admin, navigate to [User Config / Admin Templates / Windows Components / Microsoft Management Console / Restrict users to the explicitly permitted list of snap-ins] and again toggle the settings.

The change happens even before I move the computer object into any of our sub OUs so none of our restrictive policies should be applied at this point. When I run an RSoP against the machine it tells me that only the Default Domain Policy is applied (which doesn't contain any of our restrictive policies) and that the Local Policy isn't applied because it is empty.

Any thoughts on why this might be happening or what I can do next to troubleshoot?

Thanks,

Peter

Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

pmgough — Fri, 02 Oct 2009 01:25:29 GMT

These are brand new machines. We're building them using the same install
media we've used previously and then joining them to our domain. Nothing in
this part of our process has changed.

2009/10/2 Darren Mar-Elia <darren@sdmsoftware.com>

> It depends upon how the loopback policy is setup (i.e. where its linked
> and whether its security-group filtered) but if you don’t see it, that’s not
> the issue. Let me ask this. You said earlier in the thread that this is only
> affecting new machines that you join to the domain? Where did these machines
> come from? Were they in another AD domain? If so, what you may be seeing is
> some lingering policies that were implemented in that original domain. I’ve
> seen this problem before and its ugly.
>
>
>
> Darren
>
>
>
> *From:* gptalk-owner@lists.gpoguy.com [mailto:
> gptalk-owner@lists.gpoguy.com] *On Behalf Of *Peter Gough
> *Sent:* Thursday, October 01, 2009 4:16 PM
>
> *To:* gptalk@lists.gpoguy.com
> *Subject:* Re: [gptalk] Domain Admins unable to manage workstations -
> group / local policy strangeness
>
>
>
> I've checked and there's definitely no loopback enabled on any of my
> policies. If there was wouldn't this affect all machines anyway?
>
> 2009/10/2 Darren Mar-Elia <darren@sdmsoftware.com>
>
> Another thing to look into Peter—make sure you don’t have loopback enabled
> on these computers at some point. This could be causing the effect you’re
> seeing.
>
>
>
> Darren
>
> ****
>
> Darren Mar-Elia
>
> CTO & Founder
>
> SDM Software, Inc.
>
> "*The Group Policy Experts"*
>
> www.sdmsoftware.com
>
> Founder— www.gpoguy.com – The Group Policy Resource Site
>
> Blog: www.sdmsoftware.com/blog
>
> Twitter: www.twitter.com/grouppolicyguy
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *From:* gptalk-owner@lists.gpoguy.com [mailto:
> gptalk-owner@lists.gpoguy.com] *On Behalf Of *Peter Gough
> *Sent:* Thursday, October 01, 2009 7:07 AM
>
>
> *To:* gptalk@lists.gpoguy.com
>
> *Subject:* Re: [gptalk] Domain Admins unable to manage workstations -
> group / local policy strangeness
>
>
>
> Thanks guys. I'm off to bed now (00:06 in Brisbane having just watched last
> week's MotD <http://en.wikipedia.org/wiki/MOTD> (I'm a Pom<http://en.wikipedia.org/wiki/Alternative_words_for_British#Pommy>!)).
> I'll try out your suggestions tomorrow and let you know how I get on.
>
> Peter
>
> 2009/10/1 Tim Bolton <jsclmedave@gmail.com>
>
> Peter
>
>
>
> This link may help
> http://www.windowsnetworking.com/articles_tutorials/Resultant-Set-Policy-Queries-GPRESULT.html
> Have not looked at any differences - if any - in 2008 as of yet.
>
>
>
>
> Tim Bolton
> 148 2nd Street North
> Central City Iowa, 52214
>
> Microsoft Certified IT Professional
>
> On Thu, Oct 1, 2009 at 8:12 AM, Peter Gough <pmgough@gmail.com> wrote:
>
> Wow! Hadn't realised GP Preferences weren't displayed when I ran RSoP on
> the box itself, although I wish I'd noticed!
>
> I'm at home at the moment (it's 23:10 in Brisbane!) but are you suggesting
> running something like:
>
> gpresult /s \\myproblemcomputer /v ... from my Server 2008?
>
> I'll give it a go tomorrow morning.
>
> Thanks,
>
> Peter
>
> 2009/10/1 Andrew McHale <Andrew.McHale@synergix.co.uk>
>
>
>
> Hi Peter
>
>
>
> If you’re applying GP Preferences to an XP machine you won’t see the
> results of that in an RSoP report ran on that machine as it can’t display
> GPP settings.
>
>
>
> Try running GPResult for the problematic machine, but from a 2008 machine
> to get a true picture of all the settings being applied.
>
>
>
> Andrew
>
>
>
>
>
> *From:* Peter Gough [mailto:pmgough@gmail.com]
> *Sent:* 01 October 2009 13:39
>
>
> *To:* gptalk@lists.gpoguy.com
>
> *Subject:* Re: [gptalk] Domain Admins unable to manage workstations -
> group / local policy strangeness
>
>
>
> The only other thing I can think of that's changed recently is that we've
> started managing policies from a Windows Server 2008 box to take advantage
> of the Group Policy Preference stuff. Would that have any impact?
>
> 2009/10/1 Peter Gough <pmgough@gmail.com>
>
> I don't believe that's the case. The image we're currently using is fairly
> new but we've installed an old image on a couple of workstations to see if
> this is the issue and the same problem occurs. We've also setup a total
> vanilla-build workstation from our original XP SP2 disks and again we're
> seeing the same issue.
>
> This seems to be an active directory / group policy thing rather than a
> workstation specific problem.
>
> The thing that's got me baffled is that the results we're getting from
> running RSoP against the machine don't reflect what we're experiencing on
> the ground. RSoP says everything is normal but domain admins are still
> unable to login to a machine and run services.msc (for example).
>
> 2009/10/1 Martin Hugo <Martin_Hugo@hboe.org>
>
>
>
> Is it in the local policies of your image?
>
>
>
>
>
> Martin T. Hugo
>
> Network Administrator
>
> Hilliard City Schools
>
> 614-921-7102 (Ph)
>
> 614-771-7243 (Fax)
>
> *Error! Filename not specified.*Think before you print
>
>
>
>
>
>
>
> *From:* gptalk-owner@lists.gpoguy.com [mailto:
> gptalk-owner@lists.gpoguy.com] *On Behalf Of *Peter Gough
> *Sent:* Thursday, October 01, 2009 2:36 AM
> *To:* gptalk@lists.gpoguy.com
> *Subject:* [gptalk] Domain Admins unable to manage workstations - group /
> local policy strangeness
>
>
>
> I've got a bit of a strange problem which I've been totally unable to
> resolve. Essentially what's happening is that when I join a workstation to
> our Windows Server 2003 domain the domain admins are affected by our
> restrictive group policies and we are unable to manage the machines. For
> example a domain admin is unable to launch regedit, manage services etc.
>
> We restrict this sort of stuff for our regular users but currently on any
> new workstations we join to the domain *all* domain user accounts are being
> affected. Interestingly group policy settings appear to be applied correctly
> on existing workstations.
>
> The only 'fix' I've found is to login as a local admin, launch group policy
> for the local machine and navigate to [User Config / Admin Templates /
> System / Prevent access to registry editing tools].
>
> I then change this setting from its default 'Not Configured' state to
> 'Disabled', hit apply, then change it back again to 'Not Configured' and hit
> apply and suddenly domain admins can run regedit and standard domain users
> can't.
>
> In order to get access to some of the other restricted stuff I have to
> login as a local admin, navigate to [User Config / Admin Templates / Windows
> Components / Microsoft Management Console / Restrict users to the explicitly
> permitted list of snap-ins] and again toggle the settings.
>
> The change happens even before I move the computer object into any of our
> sub OUs so none of our restrictive policies should be applied at this point.
> When I run an RSoP against the machine it tells me that only the Default
> Domain Policy is applied (which doesn't contain any of our restrictive
> policies) and that the Local Policy isn't applied because it is empty.
>
> Any thoughts on why this might be happening or what I can do next to
> troubleshoot?
>
> Thanks,
>
> Peter
>
>
>
>
>
>
>
>
>
>
>
>
>

RE: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

dmarelia — Fri, 02 Oct 2009 00:32:12 GMT

It depends upon how the loopback policy is setup (i.e. where its linked and whether its security-group filtered) but if you don't see it, that's not the issue. Let me ask this. You said earlier in the thread that this is only affecting new machines that you join to the domain? Where did these machines come from? Were they in another AD domain? If so, what you may be seeing is some lingering policies that were implemented in that original domain. I've seen this problem before and its ugly.

Darren

From: gptalk-owner@lists.gpoguy.com [mailto:gptalk-owner@lists.gpoguy.com] On Behalf Of Peter Gough
Sent: Thursday, October 01, 2009 4:16 PM
To: gptalk@lists.gpoguy.com
Subject: Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

I've checked and there's definitely no loopback enabled on any of my policies. If there was wouldn't this affect all machines anyway?
2009/10/2 Darren Mar-Elia <darren@sdmsoftware.com<mailto:darren@sdmsoftware.com>>

Another thing to look into Peter-make sure you don't have loopback enabled on these computers at some point. This could be causing the effect you're seeing.

Darren

****

Darren Mar-Elia

CTO & Founder

SDM Software, Inc.

"The Group Policy Experts"

www.sdmsoftware.com<http://www.sdmsoftware.com/>

Founder- www.gpoguy.com<http://www.gpoguy.com> - The Group Policy Resource Site

Blog: www.sdmsoftware.com/blog<http://www.sdmsoftware.com/blog>

Twitter: www.twitter.com/grouppolicyguy<http://www.twitter.com/grouppolicyguy>

From: gptalk-owner@lists.gpoguy.com<mailto:gptalk-owner@lists.gpoguy.com> [mailto:gptalk-owner@lists.gpoguy.com<mailto:gptalk-owner@lists.gpoguy.com>] On Behalf Of Peter Gough
Sent: Thursday, October 01, 2009 7:07 AM

To: gptalk@lists.gpoguy.com<mailto:gptalk@lists.gpoguy.com>
Subject: Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

Thanks guys. I'm off to bed now (00:06 in Brisbane having just watched last week's MotD<http://en.wikipedia.org/wiki/MOTD> (I'm a Pom<http://en.wikipedia.org/wiki/Alternative_words_for_British#Pommy>!)). I'll try out your suggestions tomorrow and let you know how I get on.

Peter

2009/10/1 Tim Bolton <jsclmedave@gmail.com<mailto:jsclmedave@gmail.com>>

Peter

This link may help http://www.windowsnetworking.com/articles_tutorials/Resultant-Set-Policy-Queries-GPRESULT.html Have not looked at any differences - if any - in 2008 as of yet.

Tim Bolton
148 2nd Street North
Central City Iowa, 52214

Microsoft Certified IT Professional

On Thu, Oct 1, 2009 at 8:12 AM, Peter Gough <pmgough@gmail.com<mailto:pmgough@gmail.com>> wrote:

Wow! Hadn't realised GP Preferences weren't displayed when I ran RSoP on the box itself, although I wish I'd noticed!

I'm at home at the moment (it's 23:10 in Brisbane!) but are you suggesting running something like:

gpresult /s \\myproblemcomputer /v ... from my Server 2008?

I'll give it a go tomorrow morning.

Thanks,

Peter

2009/10/1 Andrew McHale <Andrew.McHale@synergix.co.uk<mailto:Andrew.McHale@synergix.co.uk>>

Hi Peter

If you're applying GP Preferences to an XP machine you won't see the results of that in an RSoP report ran on that machine as it can't display GPP settings.

Try running GPResult for the problematic machine, but from a 2008 machine to get a true picture of all the settings being applied.

Andrew

From: Peter Gough [mailto:pmgough@gmail.com<mailto:pmgough@gmail.com>]
Sent: 01 October 2009 13:39

To: gptalk@lists.gpoguy.com<mailto:gptalk@lists.gpoguy.com>

Subject: Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

The only other thing I can think of that's changed recently is that we've started managing policies from a Windows Server 2008 box to take advantage of the Group Policy Preference stuff. Would that have any impact?

2009/10/1 Peter Gough <pmgough@gmail.com<mailto:pmgough@gmail.com>>

I don't believe that's the case. The image we're currently using is fairly new but we've installed an old image on a couple of workstations to see if this is the issue and the same problem occurs. We've also setup a total vanilla-build workstation from our original XP SP2 disks and again we're seeing the same issue.

This seems to be an active directory / group policy thing rather than a workstation specific problem.

The thing that's got me baffled is that the results we're getting from running RSoP against the machine don't reflect what we're experiencing on the ground. RSoP says everything is normal but domain admins are still unable to login to a machine and run services.msc (for example).

2009/10/1 Martin Hugo <Martin_Hugo@hboe.org<mailto:Martin_Hugo@hboe.org>>

Is it in the local policies of your image?

Martin T. Hugo

Network Administrator

Hilliard City Schools

614-921-7102 (Ph)

614-771-7243 (Fax)

Error! Filename not specified.Think before you print

From: gptalk-owner@lists.gpoguy.com<mailto:gptalk-owner@lists.gpoguy.com> [mailto:gptalk-owner@lists.gpoguy.com<mailto:gptalk-owner@lists.gpoguy.com>] On Behalf Of Peter Gough
Sent: Thursday, October 01, 2009 2:36 AM
To: gptalk@lists.gpoguy.com<mailto:gptalk@lists.gpoguy.com>
Subject: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

I've got a bit of a strange problem which I've been totally unable to resolve. Essentially what's happening is that when I join a workstation to our Windows Server 2003 domain the domain admins are affected by our restrictive group policies and we are unable to manage the machines. For example a domain admin is unable to launch regedit, manage services etc.

We restrict this sort of stuff for our regular users but currently on any new workstations we join to the domain *all* domain user accounts are being affected. Interestingly group policy settings appear to be applied correctly on existing workstations.

The only 'fix' I've found is to login as a local admin, launch group policy for the local machine and navigate to [User Config / Admin Templates / System / Prevent access to registry editing tools].

I then change this setting from its default 'Not Configured' state to 'Disabled', hit apply, then change it back again to 'Not Configured' and hit apply and suddenly domain admins can run regedit and standard domain users can't.

In order to get access to some of the other restricted stuff I have to login as a local admin, navigate to [User Config / Admin Templates / Windows Components / Microsoft Management Console / Restrict users to the explicitly permitted list of snap-ins] and again toggle the settings.

The change happens even before I move the computer object into any of our sub OUs so none of our restrictive policies should be applied at this point. When I run an RSoP against the machine it tells me that only the Default Domain Policy is applied (which doesn't contain any of our restrictive policies) and that the Local Policy isn't applied because it is empty.

Any thoughts on why this might be happening or what I can do next to troubleshoot?

Thanks,

Peter

Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

pmgough — Fri, 02 Oct 2009 00:25:55 GMT

Thanks. The only thing I've changed recently is that I've begun using Group
Policy Preferences and administering these from a Server 2008 box but I
don't see how this would cause the behaviour I'm seeing.

2009/10/1 Tim Bolton <jsclmedave@gmail.com>

> Peter
>
> This link may help
> http://www.windowsnetworking.com/articles_tutorials/Resultant-Set-Policy-Queries-GPRESULT.html
> Have not looked at any differences - if any - in 2008 as of yet.
>
>
> Tim Bolton
> 148 2nd Street North
> Central City Iowa, 52214
>
> Microsoft Certified IT Professional
>
>
> On Thu, Oct 1, 2009 at 8:12 AM, Peter Gough <pmgough@gmail.com> wrote:
>
>> Wow! Hadn't realised GP Preferences weren't displayed when I ran RSoP on
>> the box itself, although I wish I'd noticed!
>>
>> I'm at home at the moment (it's 23:10 in Brisbane!) but are you suggesting
>> running something like:
>>
>> gpresult /s \\myproblemcomputer /v ... from my Server 2008?
>>
>> I'll give it a go tomorrow morning.
>>
>> Thanks,
>>
>> Peter
>>
>> 2009/10/1 Andrew McHale <Andrew.McHale@synergix.co.uk>
>>
>> Hi Peter
>>>
>>>
>>>
>>> If you’re applying GP Preferences to an XP machine you won’t see the
>>> results of that in an RSoP report ran on that machine as it can’t display
>>> GPP settings.
>>>
>>>
>>>
>>> Try running GPResult for the problematic machine, but from a 2008 machine
>>> to get a true picture of all the settings being applied.
>>>
>>>
>>>
>>> Andrew
>>>
>>>
>>>
>>>
>>>
>>> *From:* Peter Gough [mailto:pmgough@gmail.com]
>>> *Sent:* 01 October 2009 13:39
>>> *To:* gptalk@lists.gpoguy.com
>>> *Subject:* Re: [gptalk] Domain Admins unable to manage workstations -
>>> group / local policy strangeness
>>>
>>>
>>>
>>> The only other thing I can think of that's changed recently is that we've
>>> started managing policies from a Windows Server 2008 box to take advantage
>>> of the Group Policy Preference stuff. Would that have any impact?
>>>
>>> 2009/10/1 Peter Gough <pmgough@gmail.com>
>>>
>>> I don't believe that's the case. The image we're currently using is
>>> fairly new but we've installed an old image on a couple of workstations to
>>> see if this is the issue and the same problem occurs. We've also setup a
>>> total vanilla-build workstation from our original XP SP2 disks and again
>>> we're seeing the same issue.
>>>
>>> This seems to be an active directory / group policy thing rather than a
>>> workstation specific problem.
>>>
>>> The thing that's got me baffled is that the results we're getting from
>>> running RSoP against the machine don't reflect what we're experiencing on
>>> the ground. RSoP says everything is normal but domain admins are still
>>> unable to login to a machine and run services.msc (for example).
>>>
>>> 2009/10/1 Martin Hugo <Martin_Hugo@hboe.org>
>>>
>>>
>>>
>>> Is it in the local policies of your image?
>>>
>>>
>>>
>>>
>>>
>>> Martin T. Hugo
>>>
>>> Network Administrator
>>>
>>> Hilliard City Schools
>>>
>>> 614-921-7102 (Ph)
>>>
>>> 614-771-7243 (Fax)
>>>
>>> *Error! Filename not specified.*Think before you print
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From:* gptalk-owner@lists.gpoguy.com [mailto:
>>> gptalk-owner@lists.gpoguy.com] *On Behalf Of *Peter Gough
>>> *Sent:* Thursday, October 01, 2009 2:36 AM
>>> *To:* gptalk@lists.gpoguy.com
>>> *Subject:* [gptalk] Domain Admins unable to manage workstations - group
>>> / local policy strangeness
>>>
>>>
>>>
>>> I've got a bit of a strange problem which I've been totally unable to
>>> resolve. Essentially what's happening is that when I join a workstation to
>>> our Windows Server 2003 domain the domain admins are affected by our
>>> restrictive group policies and we are unable to manage the machines. For
>>> example a domain admin is unable to launch regedit, manage services etc.
>>>
>>> We restrict this sort of stuff for our regular users but currently on any
>>> new workstations we join to the domain *all* domain user accounts are being
>>> affected. Interestingly group policy settings appear to be applied correctly
>>> on existing workstations.
>>>
>>> The only 'fix' I've found is to login as a local admin, launch group
>>> policy for the local machine and navigate to [User Config / Admin Templates
>>> / System / Prevent access to registry editing tools].
>>>
>>> I then change this setting from its default 'Not Configured' state to
>>> 'Disabled', hit apply, then change it back again to 'Not Configured' and hit
>>> apply and suddenly domain admins can run regedit and standard domain users
>>> can't.
>>>
>>> In order to get access to some of the other restricted stuff I have to
>>> login as a local admin, navigate to [User Config / Admin Templates / Windows
>>> Components / Microsoft Management Console / Restrict users to the explicitly
>>> permitted list of snap-ins] and again toggle the settings.
>>>
>>> The change happens even before I move the computer object into any of our
>>> sub OUs so none of our restrictive policies should be applied at this point.
>>> When I run an RSoP against the machine it tells me that only the Default
>>> Domain Policy is applied (which doesn't contain any of our restrictive
>>> policies) and that the Local Policy isn't applied because it is empty.
>>>
>>> Any thoughts on why this might be happening or what I can do next to
>>> troubleshoot?
>>>
>>> Thanks,
>>>
>>> Peter
>>>
>>>
>>>
>>>
>>>
>>
>>
>

Re: [gptalk] Domain Admins unable to manage workstations - group / local policy strangeness

pmgough — Fri, 02 Oct 2009 00:15:45 GMT

Thanks. When I run this I get the setup I expect, ie. the Default Domain
Policy is being applied and the Local Group Policy is denied because it is
empty. According to the results no other policies are being applied and
there is nothing in the DDP which would cause the results I'm seeing.

Any other thoughts?

It's strange because according to the RSoP info everything should be fine.
The components are all okay, i don't get any weird policy events to
investigate and the results look exactly the same on an affected computer as
they do on one of my unaffected machines.

Peter

2009/10/1 Andrew McHale <Andrew.McHale@synergix.co.uk>

> Yep, that’d do the job. I’d suggest adding the /H parameter (only
> available on Vista/7/2008 I believe) to nominate a file to output the
> results to. Makes it much easier reading.
>
>
>
> gpresult /S \\myproblemcomputer /V /H gpresult.htm
>
>
>
> The file is output into the root of the logged on users profile (c:\users\
> user.name\). Make sure you open the file in IE as Firefox doesn’t display
> the active content correctly. And make sure the Windows Firewall is off on
> the remote machine if you are able to (which you probably can’t due to no
> admin rights!)
>
>
>
> Good luck and good night!
>
>
>
> Andrew
>
>
>
>
>
> *From:* Peter Gough [mailto:pmgough@gmail.com]
> *Sent:* 01 October 2009 14:13
>
> *To:* gptalk@lists.gpoguy.com
> *Subject:* Re: [gptalk] Domain Admins unable to manage workstations -
> group / local policy strangeness
>
>
>
> Wow! Hadn't realised GP Preferences weren't displayed when I ran RSoP on
> the box itself, although I wish I'd noticed!
>
> I'm at home at the moment (it's 23:10 in Brisbane!) but are you suggesting
> running something like:
>
> gpresult /s \\myproblemcomputer /v ... from my Server 2008?
>
> I'll give it a go tomorrow morning.
>
> Thanks,
>
> Peter
>
> 2009/10/1 Andrew McHale <Andrew.McHale@synergix.co.uk>
>
> Hi Peter
>
>
>
> If you’re applying GP Preferences to an XP machine you won’t see the
> results of that in an RSoP report ran on that machine as it can’t display
> GPP settings.
>
>
>
> Try running GPResult for the problematic machine, but from a 2008 machine
> to get a true picture of all the settings being applied.
>
>
>
> Andrew
>
>
>
>
>
> *From:* Peter Gough [mailto:pmgough@gmail.com]
> *Sent:* 01 October 2009 13:39
>
>
> *To:* gptalk@lists.gpoguy.com
>
> *Subject:* Re: [gptalk] Domain Admins unable to manage workstations -
> group / local policy strangeness
>
>
>
> The only other thing I can think of that's changed recently is that we've
> started managing policies from a Windows Server 2008 box to take advantage
> of the Group Policy Preference stuff. Would that have any impact?
>
> 2009/10/1 Peter Gough <pmgough@gmail.com>
>
> I don't believe that's the case. The image we're currently using is fairly
> new but we've installed an old image on a couple of workstations to see if
> this is the issue and the same problem occurs. We've also setup a total
> vanilla-build workstation from our original XP SP2 disks and again we're
> seeing the same issue.
>
> This seems to be an active directory / group policy thing rather than a
> workstation specific problem.
>
> The thing that's got me baffled is that the results we're getting from
> running RSoP against the machine don't reflect what we're experiencing on
> the ground. RSoP says everything is normal but domain admins are still
> unable to login to a machine and run services.msc (for example).
>
> 2009/10/1 Martin Hugo <Martin_Hugo@hboe.org>
>
>
>
> Is it in the local policies of your image?
>
>
>
>
>
> Martin T. Hugo
>
> Network Administrator
>
> Hilliard City Schools
>
> 614-921-7102 (Ph)
>
> 614-771-7243 (Fax)
>
> *Error! Filename not specified.*Think before you print
>
>
>
>
>
>
>
> *From:* gptalk-owner@lists.gpoguy.com [mailto:
> gptalk-owner@lists.gpoguy.com] *On Behalf Of *Peter Gough
> *Sent:* Thursday, October 01, 2009 2:36 AM
> *To:* gptalk@lists.gpoguy.com
> *Subject:* [gptalk] Domain Admins unable to manage workstations - group /
> local policy strangeness
>
>
>
> I've got a bit of a strange problem which I've been totally unable to
> resolve. Essentially what's happening is that when I join a workstation to
> our Windows Server 2003 domain the domain admins are affected by our
> restrictive group policies and we are unable to manage the machines. For
> example a domain admin is unable to launch regedit, manage services etc.
>
> We restrict this sort of stuff for our regular users but currently on any
> new workstations we join to the domain *all* domain user accounts are being
> affected. Interestingly group policy settings appear to be applied correctly
> on existing workstations.
>
> The only 'fix' I've found is to login as a local admin, launch group policy
> for the local machine and navigate to [User Config / Admin Templates /
> System / Prevent access to registry editing tools].
>
> I then change this setting from its default 'Not Configured' state to
> 'Disabled', hit apply, then change it back again to 'Not Configured' and hit
> apply and suddenly domain admins can run regedit and standard domain users
> can't.
>
> In order to get access to some of the other restricted stuff I have to
> login as a local admin, navigate to [User Config / Admin Templates / Windows
> Components / Microsoft Management Console / Restrict users to the explicitly
> permitted list of snap-ins] and again toggle the settings.
>
> The change happens even before I move the computer object into any of our
> sub OUs so none of our restrictive policies should be applied at this point.
> When I run an RSoP against the machine it tells me that only the Default
> Domain Policy is applied (which doesn't contain any of our restrictive
> policies) and that the Local Policy isn't applied because it is empty.
>
> Any thoughts on why this might be happening or what I can do next to
> troubleshoot?
>
> Thanks,
>
> Peter
>
>
>
>
>
>
>

[gptalk] WSUS gpo

mrbusdriversir — Thu, 01 Oct 2009 23:13:48 GMT

Does any of you have experience dealing with WSUS? I deployed a new WSUS server in our 100% windows environment and I am having issues with computers not showing on WSUS. There are about 400 computers missing and when I fix one by forcing the gpo refresh, running the windows fix it utility, or going to the extreme of deleting the computer domain account and rejoin the pc back on the domain then another computer that was showing on WSUS disappears. It is like if they were playing games with me!

My gpo seems to be good for almost 900 computers so I have no idea what is going on. And I have spent countless hours looking on the internet for solutions and trying things but nothing helps.

Another problem I am having is that on windows vista when the user wants to run the updates manually using "Windows updates" the computer goes to my WSUS server instead of going to the internet and update from there. For workstations that works ok but for laptops is not good since some users run their updates manually at home and they get errors saying that windows can't connect to windows updates because it is looking for my WSUS server. Is there anything different that I need to do on the gpo for these windows vista computers? Our DCs and AD are running on windows 2003 mode.

I really would appreciate any help.

Thanks

Dagoberto Estrada
Utah transit Authority
801-287-2310
--------------------------
Sent from my BlackBerry Wireless Handheld