Re: [ActiveDir] "Add or Remove Programs" GPO
might it be worth running something like filemon and regmon and checking whats happening? On 1/26/07, Bart Van den Wyngaert <[EMAIL PROTECTED]> wrote: That opens the snap-in... So through the Control Panel it doesn't work, directly running the .cpl it does. Still don't understand it totally though... On 1/25/07, Darren Mar-Elia <[EMAIL PROTECTED]> wrote: > > > > > You would not get a permissions problem from that admin. templates policy. They just don't work that way. So my guess is its something else. What happens, as administrator, when you run "appwiz.cpl" from a command prompt? > > > > Darren > > > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert > Sent: Thursday, January 25, 2007 4:31 AM > > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] "Add or Remove Programs" GPO > > > > > > > > > > I did, but the local administrators group has full control on the file. And ofcourse, my AD admin account is part of the local administrators group on the workstations (naturally). > > > > > > That's the reason I absolutely don't have a clue, I don't see the relation in restrictions put in place and the effect on the admin account and when I start looking for that error message, I don't make progress either... > > > > > On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: > > > > So what is the NTFS security on C:\WINNT\System32\rundll32.exe? The error message could naturally be a false hint, but might as well check it out. > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert > Sent: Donnerstag, 25. Januar 2007 12:00 > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] "Add or Remove Programs" GPO > > > > > > No NTFS or other restrictions set in that GPO or the PC GPO. > > > Only some other restrictions like no access to control panel, no messenger, ... stuff. > > > > > > These apply to the specific Users OU + Computer OU, making a User & PC configuration for those PC's + Users (certain department). > > > > > > My admin account is totally somewhere else in the directory without those GPO's applied to. The restrictions in the Computer GPO are also not set to block the admin. I can drilldown the Computer GPO if you want, as I don't see any relevant setting in it. Otherwise I would be blocking myself and that's just the point I don't want... > > > > > > Thanks, > > > Bart > > > > > On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: > > > > What other things did you change in the same or other GPOs that apply to the machine you're logging on as admin? If you've applied some lockdown GPOs for file-system permissions, those will also apply for your admins > > > > /Guido > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert > Sent: Mittwoch, 24. Januar 2007 17:38 > To: ActiveDir > Subject: [ActiveDir] "Add or Remove Programs" GPO > > > > > > Hi, > > > > > > I've set a GPO for some users that restricts usage of "Add or Remove Programs" (User Configuration\Administrative Templates\Control Panel\Add or Remove Programs). This GPO is linked to a specific OU where those users reside. > > > > > > But now I have even with admin accounts to which the GPO doesn't apply (totally different OU location and so on...) problems with opening the interface, it refers to security that is not correct on C:\WINNT\System32\rundll32.exe > > > > > > Is this normal?! Did I miss something before setting this GPO? > > > > > > Thanks, > > > Bart > > > > List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
Re: [ActiveDir] "Add or Remove Programs" GPO
That opens the snap-in... So through the Control Panel it doesn't work, directly running the .cpl it does. Still don't understand it totally though... On 1/25/07, Darren Mar-Elia <[EMAIL PROTECTED]> wrote: You would not get a permissions problem from that admin. templates policy. They just don't work that way. So my guess is its something else. What happens, as administrator, when you run "appwiz.cpl" from a command prompt? Darren *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert *Sent:* Thursday, January 25, 2007 4:31 AM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] "Add or Remove Programs" GPO I did, but the local administrators group has full control on the file. And ofcourse, my AD admin account is part of the local administrators group on the workstations (naturally). That's the reason I absolutely don't have a clue, I don't see the relation in restrictions put in place and the effect on the admin account and when I start looking for that error message, I don't make progress either... On 1/25/07, *Grillenmeier, Guido* <[EMAIL PROTECTED]> wrote: So what is the NTFS security on C:\WINNT\System32\rundll32.exe? The error message could naturally be a false hint, but might as well check it out. *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert *Sent:* Donnerstag, 25. Januar 2007 12:00 *To:* ActiveDir@mail.activedir.org *Subject: *Re: [ActiveDir] "Add or Remove Programs" GPO No NTFS or other restrictions set in that GPO or the PC GPO. Only some other restrictions like no access to control panel, no messenger, ... stuff. These apply to the specific Users OU + Computer OU, making a User & PC configuration for those PC's + Users (certain department). My admin account is totally somewhere else in the directory without those GPO's applied to. The restrictions in the Computer GPO are also not set to block the admin. I can drilldown the Computer GPO if you want, as I don't see any relevant setting in it. Otherwise I would be blocking myself and that's just the point I don't want... Thanks, Bart On 1/25/07, *Grillenmeier, Guido* <[EMAIL PROTECTED]> wrote: What other things did you change in the same or other GPOs that apply to the machine you're logging on as admin? If you've applied some lockdown GPOs for file-system permissions, those will also apply for your admins /Guido *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert *Sent:* Mittwoch, 24. Januar 2007 17:38 *To:* ActiveDir *Subject:* [ActiveDir] "Add or Remove Programs" GPO Hi, I've set a GPO for some users that restricts usage of "Add or Remove Programs" (User Configuration\Administrative Templates\Control Panel\Add or Remove Programs). This GPO is linked to a specific OU where those users reside. But now I have even with admin accounts to which the GPO doesn't apply (totally different OU location and so on...) problems with opening the interface, it refers to security that is not correct on C:\WINNT\System32\rundll32.exe Is this normal?! Did I miss something before setting this GPO? Thanks, Bart
RE: [ActiveDir] "Add or Remove Programs" GPO
You would not get a permissions problem from that admin. templates policy. They just don't work that way. So my guess is its something else. What happens, as administrator, when you run "appwiz.cpl" from a command prompt? Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert Sent: Thursday, January 25, 2007 4:31 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] "Add or Remove Programs" GPO I did, but the local administrators group has full control on the file. And ofcourse, my AD admin account is part of the local administrators group on the workstations (naturally). That's the reason I absolutely don't have a clue, I don't see the relation in restrictions put in place and the effect on the admin account and when I start looking for that error message, I don't make progress either... On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: So what is the NTFS security on C:\WINNT\System32\rundll32.exe? The error message could naturally be a false hint, but might as well check it out. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert Sent: Donnerstag, 25. Januar 2007 12:00 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] "Add or Remove Programs" GPO No NTFS or other restrictions set in that GPO or the PC GPO. Only some other restrictions like no access to control panel, no messenger, ... stuff. These apply to the specific Users OU + Computer OU, making a User & PC configuration for those PC's + Users (certain department). My admin account is totally somewhere else in the directory without those GPO's applied to. The restrictions in the Computer GPO are also not set to block the admin. I can drilldown the Computer GPO if you want, as I don't see any relevant setting in it. Otherwise I would be blocking myself and that's just the point I don't want... Thanks, Bart On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: What other things did you change in the same or other GPOs that apply to the machine you're logging on as admin? If you've applied some lockdown GPOs for file-system permissions, those will also apply for your admins /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert Sent: Mittwoch, 24. Januar 2007 17:38 To: ActiveDir Subject: [ActiveDir] "Add or Remove Programs" GPO Hi, I've set a GPO for some users that restricts usage of "Add or Remove Programs" (User Configuration\Administrative Templates\Control Panel\Add or Remove Programs). This GPO is linked to a specific OU where those users reside. But now I have even with admin accounts to which the GPO doesn't apply (totally different OU location and so on...) problems with opening the interface, it refers to security that is not correct on C:\WINNT\System32\rundll32.exe Is this normal?! Did I miss something before setting this GPO? Thanks, Bart
Re: [ActiveDir] "Add or Remove Programs" GPO
I did, but the local administrators group has full control on the file. And ofcourse, my AD admin account is part of the local administrators group on the workstations (naturally). That's the reason I absolutely don't have a clue, I don't see the relation in restrictions put in place and the effect on the admin account and when I start looking for that error message, I don't make progress either... On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: So what is the NTFS security on C:\WINNT\System32\rundll32.exe? The error message could naturally be a false hint, but might as well check it out. *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert *Sent:* Donnerstag, 25. Januar 2007 12:00 *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] "Add or Remove Programs" GPO No NTFS or other restrictions set in that GPO or the PC GPO. Only some other restrictions like no access to control panel, no messenger, ... stuff. These apply to the specific Users OU + Computer OU, making a User & PC configuration for those PC's + Users (certain department). My admin account is totally somewhere else in the directory without those GPO's applied to. The restrictions in the Computer GPO are also not set to block the admin. I can drilldown the Computer GPO if you want, as I don't see any relevant setting in it. Otherwise I would be blocking myself and that's just the point I don't want... Thanks, Bart On 1/25/07, *Grillenmeier, Guido* <[EMAIL PROTECTED]> wrote: What other things did you change in the same or other GPOs that apply to the machine you're logging on as admin? If you've applied some lockdown GPOs for file-system permissions, those will also apply for your admins /Guido *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert *Sent:* Mittwoch, 24. Januar 2007 17:38 *To:* ActiveDir *Subject:* [ActiveDir] "Add or Remove Programs" GPO Hi, I've set a GPO for some users that restricts usage of "Add or Remove Programs" (User Configuration\Administrative Templates\Control Panel\Add or Remove Programs). This GPO is linked to a specific OU where those users reside. But now I have even with admin accounts to which the GPO doesn't apply (totally different OU location and so on...) problems with opening the interface, it refers to security that is not correct on C:\WINNT\System32\rundll32.exe Is this normal?! Did I miss something before setting this GPO? Thanks, Bart
RE: [ActiveDir] "Add or Remove Programs" GPO
So what is the NTFS security on C:\WINNT\System32\rundll32.exe? The error message could naturally be a false hint, but might as well check it out. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert Sent: Donnerstag, 25. Januar 2007 12:00 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] "Add or Remove Programs" GPO No NTFS or other restrictions set in that GPO or the PC GPO. Only some other restrictions like no access to control panel, no messenger, ... stuff. These apply to the specific Users OU + Computer OU, making a User & PC configuration for those PC's + Users (certain department). My admin account is totally somewhere else in the directory without those GPO's applied to. The restrictions in the Computer GPO are also not set to block the admin. I can drilldown the Computer GPO if you want, as I don't see any relevant setting in it. Otherwise I would be blocking myself and that's just the point I don't want... Thanks, Bart On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>> wrote: What other things did you change in the same or other GPOs that apply to the machine you're logging on as admin? If you've applied some lockdown GPOs for file-system permissions, those will also apply for your admins /Guido From: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> [mailto:[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>] On Behalf Of Bart Van den Wyngaert Sent: Mittwoch, 24. Januar 2007 17:38 To: ActiveDir Subject: [ActiveDir] "Add or Remove Programs" GPO Hi, I've set a GPO for some users that restricts usage of "Add or Remove Programs" (User Configuration\Administrative Templates\Control Panel\Add or Remove Programs). This GPO is linked to a specific OU where those users reside. But now I have even with admin accounts to which the GPO doesn't apply (totally different OU location and so on...) problems with opening the interface, it refers to security that is not correct on C:\WINNT\System32\rundll32.exe Is this normal?! Did I miss something before setting this GPO? Thanks, Bart
Re: [ActiveDir] "Add or Remove Programs" GPO
No NTFS or other restrictions set in that GPO or the PC GPO. Only some other restrictions like no access to control panel, no messenger, ... stuff. These apply to the specific Users OU + Computer OU, making a User & PC configuration for those PC's + Users (certain department). My admin account is totally somewhere else in the directory without those GPO's applied to. The restrictions in the Computer GPO are also not set to block the admin. I can drilldown the Computer GPO if you want, as I don't see any relevant setting in it. Otherwise I would be blocking myself and that's just the point I don't want... Thanks, Bart On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: What other things did you change in the same or other GPOs that apply to the machine you're logging on as admin? If you've applied some lockdown GPOs for file-system permissions, those will also apply for your admins /Guido *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert *Sent:* Mittwoch, 24. Januar 2007 17:38 *To:* ActiveDir *Subject:* [ActiveDir] "Add or Remove Programs" GPO Hi, I've set a GPO for some users that restricts usage of "Add or Remove Programs" (User Configuration\Administrative Templates\Control Panel\Add or Remove Programs). This GPO is linked to a specific OU where those users reside. But now I have even with admin accounts to which the GPO doesn't apply (totally different OU location and so on...) problems with opening the interface, it refers to security that is not correct on C:\WINNT\System32\rundll32.exe Is this normal?! Did I miss something before setting this GPO? Thanks, Bart
RE: [ActiveDir] "Add or Remove Programs" GPO
What other things did you change in the same or other GPOs that apply to the machine you're logging on as admin? If you've applied some lockdown GPOs for file-system permissions, those will also apply for your admins /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert Sent: Mittwoch, 24. Januar 2007 17:38 To: ActiveDir Subject: [ActiveDir] "Add or Remove Programs" GPO Hi, I've set a GPO for some users that restricts usage of "Add or Remove Programs" (User Configuration\Administrative Templates\Control Panel\Add or Remove Programs). This GPO is linked to a specific OU where those users reside. But now I have even with admin accounts to which the GPO doesn't apply (totally different OU location and so on...) problems with opening the interface, it refers to security that is not correct on C:\WINNT\System32\rundll32.exe Is this normal?! Did I miss something before setting this GPO? Thanks, Bart