http://www.eventid.net/display.asp?eventid=4321&eventno=1822&source=NetBT&phase=1
ooops, sorry replied to the wrong one
Simon Bembridge
Not sure if this will work or not. I seem to remember something like this
a long time ago.
It was a registry key:
HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
and set it to 0
Hi William
Computer Configuration/Windows Settings/Security Settings/Local
Policies/Security Options/Interactive Logon:Number of previous logons to
cache, setting that to 0 will turn off cached credentials.
Hope that helps,
John
Hi Larry...
http://technet2.microsoft.com/WindowsServer/en/Library/a834e844-8eb2-4ee2-927c-9989b4f55dd71033.mspx?mfr=true
You can easily use the GPMC to delegate where they can link them, just
click the OU, and the delegate tab.
HTH,
John
Hi Murtaza...
You can try computer configuration/administrative templates/windows
components/system/group policy/registry policy processing. Checking the
process even if group policy has not changed may help.
Could cause some performance issues though, unless you have those machines
separated.
nbtstat -A ipaddress
John
Harding, Devon
Hi Christine,
In a GPO you can set always install with elevated privileges to MSI's
It is in both the user, and computer settings. You may want to set those.
John
Christine Allen
Hi James...
There are a couple articles warning against using Domain Local groups for
policies.
Can you try having them put in a global group in their own domain, and
adding that directly to the read and apply section of the policy?
http://support.microsoft.com/kb/309172/en-us has some info.
Hi Christine..
You can use the restricted groups function to add say domain users to the
power users group on the local machine. It's a little tricky as one
function of it will replace any other members of the power users group,
should there be any. As of XPSP2 though, you can do it additive,
Hi Peter...
If the clients are SP2, you can use the bottom box, to use it additively.
They finally fixed it.
You use the bottom box, kinda backwards relative to the top...So, you would
say for the group Domain Users, then that it is always a member of the
local power users group. You can even
Hi Jef...
I'm sure it works with 2003 also, was really a bug in XP that they had to
fix, that the additive part just plain didn't work.
I believe, but can't promise that 2000 SP4 works too.
John
Jef
Yep...Absolutely right you don't have to browse, and you can't choose from
there. Sorry for the confusion.
What I have seen people do by mistake though, is to add Domain Users to the
Domain group Remote Desktop Users instead of the local group, by not
paying attention.
It's a powerful piece of
Hi Adeel, this setting:
-Enabled Always wait for the network at computer startup and logon in the
GPO
Will slow down an XP box pretty good, they usually login cached and let
things catch up with them.
HTH,
John
Hi Adam,
Not sure if anyone has mentioned it or not, You'll see this often if
someone has an RDP session open somewhere and changed his password
elsewhere. Or if he was logged into another computer in another way when
he changed it. Lots of times users disconnect instead of logging out.
HTH,
There's a ton in Google about this:
http://groups.google.com/groups?q=The+system+administrator+has+set+policies+to+prevent+this+installation&start=0&hl=en&lr=lang_en
No one seems to know how, but it looks like the local policy, or registry.
John
Hi Bill...
Unless I'm misunderstanding you, you shouldn't need to write a query at
all, just give the group read and apply to the policy, and remove
authenticated users. If you're trying to write a WMI filter for this
purpose, I haven't had any luck at all trying to get that to work in this
way.
Hi Noah..
I believe the 500 k is for group policy processing. Some parts of policies
will not process if the client thinks it's a slow link. Although, this is
not the most reliable thing in the world.
There's a separate setting for offline files: Under Computer
Configuration/Administrative
Please make it easy to turn off drag and drop? Advanced option perhaps?
Thanks,
John
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Policy setting even better, thought about it after I hit send.
John
Hi Steve,...
Looks like you have a loopback policy.
That would be under computer configuration/administrative
templates/system/Group Policy/User Group Policy loopback processing mode
Hope this helps,
John
Hi Steve...
That's about the only way to apply user settings to computers, using the
loopback.
Not sure of your OU structure, if you had your users separated, you could
apply the actual user policies (loginscripts etc.) at the user OU level.
As long as that was a different scope it would
Not to doubt your expertise Darren, but we use a workstation loopback here
for the screen saver. Not my idea, but in our situation, it is easier to
figure out machines that need to be exempt, rather than users. They could
run a certain test for weeks on one pc, but on their administrative pc, the
Absolutely I'd love to know the answer also. I've seen this behavior for
years, and just figured it was the nature of loopbacks, and having other
policies in their scope.
The case in point as I said before, is that if your users are in a
different OU structure (scope) and you put say the login
Sorry, I did forget one thing though. We have had situations where a
loginscript policy was misplaced, and in the scope of the loopback, it will
cause the specified device is already in use error. Which does
suspiciously sound like the login script ran twice, and does not dismount
first. I know
Hi Russ...We don't use dynamic update here, but you can see that it can be
set to enabled.
HTH,
John
Administrative Templates
Network/DNS Client
There are some things like this one that you don't see in the GUI when you
enable them.
It applies to XP and 2003, not 2000 The explanation text in the policy
specifies that.
John
Rimmerman, Russ
Not sure if you ever got this going?
If not, do you have either of these policy settings set?
computer configuration/windows settings/security settings/local
policies/user rights assignment/deny access to this computer from the
network
or access this computer from the network?
For sure, the
Hi Bagus..
In the GPO, Computer Configuration, Windows Settings, Security Settings,
File System, you can browse to the directory there, and assign rights.
Probably to *.*, I don't remember what it needs to write to. You may even
have to give full control to Domain Users. Not sure. But you can
Hello Bagus..
I believe Lotus Notes requires the user to have Modify rights to the
Notes\Data directory. You can assign this with a GPO, if you wish.
The sharing, I'm wondering if you have simple file sharing turned on? It's
in explorer, tools, folder options, view, uncheck the box that says
Hi Jeff...
Might I suggest putting the sites you wish to be in the trusted sites on
your Internet Options on your administrative machine, then open the policy,
and tell it to import. It works fine here doing it that way.
John
Well, using offline files on desktops is really not worth the hassles..On
laptops it's more than handy, on desktops, no real value we've found. So,
you could just have a policy that does turn it off for desktops, if the
machines they log into are desktops.
But
I would probably try user configuration/administrative
templates/system/code signing for device drivers:
Determines how the system responds when a user tries to install device
driver files that are not digitally signed.
This setting establishes the least secure response permitted on the
Hi Noah..
I have not tested with SP2, but the hotfix is part of SP2. I did test it
on SP1 with the patch. The patch did not create the keys either. You need
to do it manually.
All of what they said I did find to work correctly with the addition of the
reg keys. It still isn't close to being
It sounds like a restricted groups policy being attempted wrong. But,
from what I've seen, it won't even let you try that.
John
Sudhir Kaushal
You can work around it, not really an easy fix though.
http://support.microsoft.com/default.aspx?scid=kb;en-us;811660
steve patrick
Well, that's why I said it' s not easy...You have to create the keys...
If you have SP2, adding the keys should work. I never tested it with SP2,
but did try it with the patch, pre-SP2.
Of course they want everyone to install SP2, and someday soon, will not
support anything less.
John
Hi Jake. Not sure if these have been mentioned or not?
The one we see the most is when someone disconnects from an RDP session,
rather than logs out, then changes their password.
Next to that, persistent mapped drives, then scheduled tasks with the old
password.
John
Hi Jeff...
Up in the Computer Configuration\Windows Settings\Security settings\ Local
Policies\User Rights Assignments
There is both a Deny access to this computer from the network and an
allow. You may want to look there.
John
In the Security Zones under Internet Explorer Maintenance under User
Configuration.
You can set the settings on your IE settings, and Import them. It will
import All of your settings though. So, be sure of what you set there.
John
Oppps... Yes, that is a GPO
John
Cothern Jeff D.
Team EITC
Hi Fred...
Try User Configuration/Administrative Templates/Windows
Components/Internet Explorer/Toolbars/Configure toolbar buttons.
You can choose what you wish to show there...I believe
John
Freddie
Hi Russ...
Enforced overrides Block Inheritance
Enforced means run always and last really. You shouldn't even need the
block. Should run last by default without the enforced.
John
Rimmerman, Russ
Hey Jeff
If i understand you right, I think I'd do a variation of #2...
A separate software restriction policy, user based. Then a global group
that has deny apply set on the delegation. That way you only manage the
group.
Remember too, these only apply to XP+, and you have to restart
Hi...
I 'm pretty sure you have to assign the SP to a machine, rather than a
user.
John
Tabs The Cat
Hey Justin..
I use merge when they get user settings from other policies, like login
scripts, normal user settings...etc.
If you want them to get these settings only when on a terminal server, you
can use replace. Then these will be the only settings they get.
John
Hi James...
A policy shouldn't affect a subnet only, unless it's a site policy.
Unless I'm misunderstanding you?
Sounds more like private addressing actually. 169.245 ip range? At least
to me.
That would keep clients only accessing others on their perceived subnet.
John
Hi John..
I've seen some very odd behavior sometimes as you describe, where even as
DA, and being in the local group, I've had to do a runas, and specify the
local user, Administrator, to install something.
Also, if it's an MSI, you can set it to always run at elevated privileges
with policy,
Hey George..
Does the remote site have offline files turned on?
John
George Arezina
Hey Russ...
Loopbacks have two modes, merge and replace...They basically make computers
take user settings.
So, the short answer is yes, you can reverse the setting on the OU, set the
timeout to disabled...If you want them to get other user settings you have
defined, then merge may be what
http://support.microsoft.com/default.aspx?scid=kb;en-us;269075
Looks like the ced means nothing really...
John
Kern, Tom
Hi Jeff
Probably the easiest way to do this, at least in my world, is with separate
OU's and loopbacks.
We faced a similar problem with laptops. We couldn't tell who a laptop
user was, as they could log into a desktop anytime, but we wanted to
apply settings to laptop users. So we have an
Absolutely...
I personally just find OU's easier to manage than groups.
Must be the graphical representation..
John
Beelders, Ivor
I just have to ask...
Are you using folder redirection on these accounts?
Can the home drive be wrong, like in Oshkosh, and the user is in
Timbuktu?
Any hints in event viewer?
John
Salandra, Justin
Hey Tom...
In W2k3, you can set the rights...
http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
On 2000, and 2003 there is a policy setting in the local user rights
assignments, manage auditing and security log, which can be set to a
global group. However, you have to be careful
Hi Tom...
The article says you have to enable these settings:
Important: To view the group policy settings that are described in this
article in the Group Policy editor, first complete the following steps,
Hi Mark..
This is a policy setting that you can set at the computer level
I haven't had to do this for SP2, but I'm sure it calls an MSI, If you put
a hash on that MSI, the machine shouldn't be able to run it. It's up in
the security settings, and you have to create rules and disallow that
One more thing, explorer needs to be restarted, logout and in, or reboot,
for it to take effect.
John
Abbiss, Mark
Hi Mark...
You can just put a software restriction hash GPO on it, and disallow it
until you want it.
Then you can just remove it, when you wish.
John
Hi Joe..
If I remember correctly, you need to enable active desktop, and the active
desktop wallpaper...But, put a bogus path to bogus file in there.
I think it comes up with the default blue that way, but not sure if you can
specify a different color.
John
Hi Michel...
Is MSN supposed to be MSN Messenger? I don't think the policies are for
that, but for Windows Messenger. Or maybe I'm just not reading this
right.
Not that it would make applying them any differently, but you might be able
to just eliminate that policy, if that's the case.
John
Hi Mark...
I believe it's running at system level on startup, and i believe system has
no network rights.
John
Mark Abbiss
Sorry if I missed it, didn't see a reply to this?
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q293655
John
Cothern Jeff D.
Team EITC
Hey all. Hope someone has the answer to this.
We consistently have problems with some admin dragging and dropping an OU
by mistake inside another, wreaking havoc with AD. Not to mention the
errors etc.
Politically, we have way too many admins, too much rights...etc. Slowly
approaching that
Thanks, we'll give it a try.
John
Coleman, Hunter
Hey Noah..
That's a couple of the issues with offline files.
http://support.microsoft.com/?kbid=811660
John
Noah Eiger
Hi Rosen.
It'll probably work if you use an XP machine for the administrative policy
editing machine. Install GPMC on it, and edit the policy from there. Be
aware though, some of those settings work differently at the domain level,
than at an OU level. They decide they are the boss and if you
Well, it depends...
If you wish all your terminal servers to get the same policy, just put them
all in one OU...
Apply the policy there, and you're set.
If you have multiple different policies to apply, you may need more OU's.
Policies have a scope ...It's kind of like it has to be over the
On terminal servers, loopbacks work well.
Makes the user settings apply to the computer.
John
Rosales, Mario
Loopbacks can be set on either merge or replace.
replace is probably what you need.
John
Rosales, Mario
No, you can have layers of user policies, and OU's, and change settings
later, filter by groups etc.
The problem with this approach is, once you set a setting, there's no way
to get them back to not configured. If you enable something, later on you
have to disable it. This is not desirable in
Hey Justin,
There's a script you need to run.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_zscr.asp
John
Don't they have to be in the remote desktop users group on the DC?
John
Douglas M. Long
Maybe you need to add builtin\backup operators to this one:
Allow log on through Terminal Services: BUILTIN\administrators
John
Douglas M. Long
Yes, unless it's enforced
Rosales, Mario
cd /d drive:path
cd /d c:\path
have fun,
John
Jacob Stabl
Hey Michael...
Best thing to do is install the GPMC for free, and it's also a very good
tool..
You can save reports as HTML and print them, even export to Excel after
that, if you need to.
hth,
John
Well...you can It just has to be at a higher OU level, over both the
user, and computer objects.
John
Jared Manhat
Hey Jeff...If you can get them to use cached credentials on the laptops,
you can do a loopback policy. They'll cache it locally and get the
settings even when off the wire.
Not sure this fits your needs. And it does make for some complaints,
travellers doing presentations etc.
John
Hey Rick...
You can turn off the server service, even with a GPO, but then no one gets
there, not even admins...as far as i know.
It's a bit awkward...but, in computer configuration/windows
settings/security settings/local policies/user rights assignments/deny
access to this computer from
Hey Rick..
I'm not positive on this...but, i think this key controls that...
and you could write an adm file to do it.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000001
Have fun,
John
Hey Debbie,
take a look here
http://support.microsoft.com/default.aspx?scid=kb;en-us;281923
Ellis, Debbie
Hey Daniel
I may be missing something here, but I don't think I've ever seen them work
correctly from a drive letter?
Even if I share something out from my local machine, for testing (like
SP2), I always end up doing \\computer\drive$\share\file
Might be something you want to try.
Hey Edwin...
You can write the policy to only allow specified snap-ins
You can then write an adm file for the enterprise manager (you'll need the
guid for that)
Then you can explicitly allow it.
John
Lou Vega
Hey Edwin...
If you don't roam it, it will still use the local one, not go away. From
the way i understand it.
This is from the GPO...
Lets you add to the list of folders excluded from the user's roaming
profile.
This setting lets you exclude folders that are normally included in the
Hey Edwin. We haven't been using roaming profiles here, but what I can
tell you is that the quick launch is in the Application Data directory. We
experimented with redirecting it here so the quicklaunch would follow
users around, but ran into many problems with it. Lots of slowness in
There was an interesting article the other day :
http://searchwin2000.techtarget.com/tip/0,289483,sid1_gci969259,00.html?track=NL-120&ad=484520
Because of licensing issues we try to not let our users download adaware
etc
John
You could probably put it into a gpo, might be a lot of work maintaining...
Probably a login script, using vbs or something...You can set them to run
silently in the GPO.
I was looking at the reg.exe command, doesn't seem to be a silent switch on
import.
I'm sure one of the scripters would
Hi David...
I've seen behavior like this myself. I've defined a software restriction
policy at the domain level, for when we get a worm in house and i can get
my hands on code. This is processed before the default domain policy, and
we also have a modified domain policy at that level.
At
Hi Daniel..
I'm wondering if you have some groups double-nested, one is a member of
the other, and the reverse also?
We use group nesting a lot here, running a gpresult enumerates all groups,
but I had no duplicates.
John
You might try under computer configuration/administrative
templates/system/group policy registry policy processing process even
if group policy objects have not changed
Although you'll need to apply this at the computer object
John
We removed it completely also..
Free, Bob
Just for kicks
You may want to check in an RSoP. There is a setting under computer
configuration/windows settings/security settings/local policies/security
options --- Interactive logon: Require Domain Controller authentication to
unlock workstation.
Could be turned on, and for some
You don't say, unless I missed it, if you're using DHCP?
If so, and any kind of personal firewalls, could just not be getting an
IP, trying and trying...we've seen this with Checkpoint. I would also
guess that IPsec, or any kind of packet filtering would do the same, if not
configured
I don't think you're missing anything. I've seen this same behavior with a
policy I had set for software restrictions at the domain level. It had
blank proxy settings, and it was overriding the proxy settings I had set
at the users level, and blanking out the proxy settings we had been
I have a question here:
Unless something has changed, domain admins should be populated in the
local administrators group when you join the domain...so, by default
they should have remote access rights.
There are ways to block this with policy, and the most obvious one would be
to use
Well, at least on my XP box
Setting a GPO on my test OU
computer configuration/administrative templates/windows components/terminal
services/allow users to connect remotely using terminal services...setting
this to enabled, checks the box, and greys it out
IMHO, much better to
It must be the default XP templates...if you create the policy from an XP
box, it should use them..
Philadelphia, Lynden - Revios Toronto
99 matches