This is primarily because GP will only refresh if the GPO has changed or, in the case of security policy, every 16 hours by default. However, there are a couple of ways around this. You can set security policy to refresh during every background interval by enabling the relevant policy at computer configuration\admin templates\system\group policy\security policy processing, or you can tune down the 16-hour interval by modifying the registry value on every client, described at http://support.microsoft.com/kb/277543/en-us.
 
Darren
 
 
 
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, tools and whitepapers. Also check out the Windows Group Policy Guide, a soup-to-nuts resource for Group Policy information.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Riley, Devin
Sent: Wednesday, May 10, 2006 9:47 AM
To: [email protected]
Subject: RE: [ActiveDir] GPO

In my experience, this now works but there is still one issue. In my testing, groups that you add to the local group can be removed by a local admin and group policy does not replace them. As a result, I use a simple batch file configured as a startup script to achieve the same result. The downside is that it only applies when the machine is restarted.
 
Batch File:
net localgroup Administrators /add "domain_name\SomeDomainGroupName"
 

Devin Riley

City of Pasadena

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 10, 2006 8:02 AM
To: [email protected]
Subject: RE: [ActiveDir] GPO

Yes. Here's the KB article referencing the fix (works for Win2K as well):
 
http://support.microsoft.com/kb/810076/en-us


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jef Kazimer
Sent: Wednesday, May 10, 2006 7:52 AM
To: [email protected]
Subject: RE: [ActiveDir] GPO

John,

 

Just curious, was this option *ONLY* available in XP SP2? Any hope it exists in Windows Server 2003 SP1? :)

 

Thanks,

 

Jef


> From: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] GPO
> To: [email protected]
> Date: Wed, 10 May 2006 08:49:21 -0500
>
> Hi Peter...
>
> If the clients are SP2, you can use the bottom box, to use it additively.
> They finally fixed it.
>
> You use the bottom box, kinda backwards relative to the top...So, you would
> say for the group Domain Users, then that it is always a member of the
> local power users group.  You can even just browse to that, if you just
> pick the local machine as the location.
>
> Hope this helps,
> John
>
>
>
>
>
> "Peter Johnson" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> To: <[email protected]>
> Subject: RE: [ActiveDir] GPO
> Date: 05/10/2006 08:39 AM
> Please respond to: [EMAIL PROTECTED]
>
>
>
>
> Hi John
>
> Is there some way to define additive versus replacement as the last time
> I tried this it did a hard replacement.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: 10 May 2006 14:57
> To: [email protected]
> Subject: Re: [ActiveDir] GPO
>
> Hi Christine..
>
> You can use the restricted groups function to add say domain users to
> the power users group on the local machine.  It's a little tricky as one
> function of it will replace any other members of the power users group,
> should there be any.  As of XPSP2 though, you can do it additive,
> instead of replacing.
>
> Hope this helps...
>
> John
>
>
>
>
>
>
> "Christine Allen" <Christine.Allen@bmchp.org>
> Sent by: [EMAIL PROTECTED]
> To: "[email protected]" <'[email protected]'>
> Subject: [ActiveDir] GPO
> Date: 05/10/2006 07:46 AM
> Please respond to: [EMAIL PROTECTED]
>
>
>
> Hello,
>
>
> Is there a way to change local computer rights via a gpo.  We would like
> to add our users to the Power users group to distribute software, then
> take about that right after the software has been deployed.
>
>
> -Christine
>
>
> Christine N. Allen
> Systems Engineer
> BMC HealthNet Plan
> 2 Copley Place
> Boston, MA 02116
> 617-748-6034
> 617-293-4407
>
>
> [EMAIL PROTECTED]
>
>
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
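
The two Restricted Groups forms discussed in this thread (the top "Members of this group" box versus the bottom "This group is a member of" box), shown as they are stored in a GPO's GptTmpl.inf. This is an added illustration, not part of the original messages; `<DOMAIN-SID>` is a placeholder, and the additive behaviour of the second form is as described in the thread for XP SP2 clients.

```ini
; GptTmpl.inf, [Group Membership] section (constructed sample).
; <DOMAIN-SID> is a placeholder for the domain's SID; RID 513 is Domain Users.
; S-1-5-32-547 is the well-known SID of the local Power Users group.
; Use one form or the other for a given group, not both.

[Group Membership]
; Form 1: top box ("Members of this group") configured on Power Users.
; The list is authoritative: existing members not listed here are removed.
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-<DOMAIN-SID>-513

; Form 2: bottom box ("This group is a member of") configured on Domain Users.
; Additive: Domain Users is added to Power Users and other members are kept.
*S-1-5-21-<DOMAIN-SID>-513__Memberof = *S-1-5-32-547
*S-1-5-21-<DOMAIN-SID>-513__Members =
```

Reading this section of a GPO shows at a glance which local groups it overwrites and which it only adds to, which is the distinction the thread turns on.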


