Re: Replaing "lockdown" PCs with GPO
From: David Doumani (ddoumani_at_verizon.net)
Date: 07/08/04
- Next message: Scott Harding - MS MVP: "Re: Change Domain name"
- Previous message: Niase Borjaille: "Re: GPO Auditing"
- In reply to: David Doumani: "Re: Replaing "lockdown" PCs with GPO"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 8 Jul 2004 13:20:53 -0400
I guess it's also worth noting that there is a group (it_staff) that has the
"deny" set for the GP so the staff isn't restricted when doing desktop
work - in the NT4 world they had to load gpedit and unlock the control panel
(for example) to get to certain settings - if I leave the local policy in
place and just overwrite it i lose the effectivness of the group set to not
apply the GP.
the SCM only reset the computer settings and not the user configuation (at
least in my testing?)
"David Doumani" <ddoumani@verizon.net> wrote in message
news:ekge1MPZEHA.2776@TK2MSFTNGP10.phx.gbl...
> That is exactly what the goal is; the GP is created; the OU is ready and
the
> test machines work fine but I figured it would be wise to remove all the
> local policy settings before letting GP manage the machine. I know the GP
> will override local settings; but all things being equal I would like to
> know that the local machines policy is "default" otherwise we might always
> be guessing when we have issues.
>
> Thanks
> David
> "Dave Shaw [MVP]" <Sensei@NoUnsolicitedEmail.com> wrote in message
> news:%23KTfaqIZEHA.4032@TK2MSFTNGP11.phx.gbl...
> > If you used the Security Configuration Management tool to reset the
local
> > policy on the workstation, the only way to set it back is to explicitly
> > reset the settings back to what they were. You can do that by importing
a
> > default policy back onto the machine. However, using the SCM tool to
set
> > policy directly on the computer "tags" the registry and any changes
> > subsequent to that will require an explicit change to the same value.
> >
> > Have you considered simply creating a policy, applying it to an OU and
> > placing the computer in the OU so the policy is applied?
> >
> > -ds
> >
> >
> >
> > "David Doumani" <ddoumani@verizon.net> wrote in message
> > news:ucHjSYIZEHA.3688@TK2MSFTNGP12.phx.gbl...
> > > Now that we have the AD domain up and running; we are begining the GPO
> > > phase
> > > of the project. Prior to being a AD environment we had 200 'lockdown'
> > > pc's
> > > that were deployed using a local policy; there is a variety of
Computer
> > > and
> > > User configurations set.
> > >
> > > On these existing machines I figured I would just "wipe out" the local
> > > policy and start tossing them in the new Lockdown OU with the proper
> > > linked
> > > GPO...
> > >
> > > So we grabbed the standard ADM file for the XP workstations; loaded
the
> > > database and did a system compare and reset the settings that didn't
> match
> > > up (i.e. the ones we changed) however this only works for the computer
> > > configurations; not the user configuations.
> > >
> > > Anyone know how to re-set a XP machine back to "not configured" or the
> > > ddefault setting for all of the user configuration options? I would
> > > perfer
> > > to not have to write a VBScript for each and every available option in
> the
> > > user configuration.
> > >
> > > Thanks
> > > David Doumani
> > >
> > >
> >
> >
>
>
- Next message: Scott Harding - MS MVP: "Re: Change Domain name"
- Previous message: Niase Borjaille: "Re: GPO Auditing"
- In reply to: David Doumani: "Re: Replaing "lockdown" PCs with GPO"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
