Re: Custom GPO and suggested settings
- From: "Simon Geary" <simon_geary@xxxxxxxxxxx>
- Date: Tue, 7 Jun 2005 20:32:01 +0100
You can't change what portion of the registry a particular setting lives in,
that's not what that quote means. If Microsoft have decided to put the junk
mail setting in the Policies section of the registry (which is a good thing)
then it must stay there, you can't move it elsewhere.

The main difference between a policy (a setting in the 4 policies sections)
and a preference (a setting anywhere else) is that when a user or computer
moves out of scope of a Group Policy (e.g. removed from an OU) the registry
settings will automatically undo themselves. With a preference, the registry
is 'tattooed' with the registry change which must be manually removed.

Policies are generally considered to be 'better' than preferences. You would
only write an ADM for a registry change if there was not already a proper
policy for it. In your case, outlk11.adm already has this setting so you do
not need to create your own adm. But as you have noticed, there is no option
in Group Policy to allow an end user to choose whether or not to apply a
particular policy.
"Robert LeBlanc" <leblanc@xxxxxxx> wrote in message
news:O8oPPH3aFHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
> Ok, I'm going to be weird and reply to myself. The document is very
> helpful and I highly recommend it. The one question that I have is
> concerning preferences. The document states:
>
> "Preferences are set by the user or by the operating system at
> installation time. The registry values that store preferences are located
> outside the approved Group Policy keys listed in Table 1. They are located
> in other areas of the registry."
>
> Anyone aware of where the "other areas" could be? I tried to move the Junk
> Mail filter rule out of the policy portion of the tree, but the setting
> does not seem to take. I haven't exhausted all the options yet, but wanted
> to see if someone else had a good idea of where they are talking about. If
> anyone is interested, I think the preference should go to :
>
> HKCU\Software\Microsoft\Office\11.0\Outlook\Options\Mail
>
> from
>
> HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Options\Mail
>
> Thanks,
> Robert LeBlanc
> BioAg Computer Support
> Brigham Young University
>
> Robert LeBlanc wrote:
>>
>>
>> Simon Geary wrote:
>>
>>> It's pretty easy to create a custom ADM file in Group Policy that can be
>>> used to change\add\delete registry values in most (but not all) sections
>>> of the registry. This is the white paper that explains all.
>>> http://www.microsoft.com/downloads/details.aspx?FamilyID=e7d72fa1-62fe-4358-8360-8774ea8db847&displaylang=en
>>>
>>> If you have particular changes in mind you can post a query back here
>>> and you will often find that someone has already written an ADM for it
>>> thus saving you the trouble. Although it's a skill well worth learning
>>> for yourself though.
>>
>>
>> Thanks for the link, I'll look into it. I really like learning how to do
>> it.
>>
>>> As for the second question, this isn't really what Group Policy is meant
>>> for IMO. I see it as more of a tool for enforcing the settings you want
>>> rather than giving users the option, why don't you just leave that
>>> policy unconfigured and allow the users to configure it themselves? In
>>> any case, you can't do this with Group Policy. A quick way to remove
>>> unwanted policies from individual users is to use security filtering
>>> with your GPOs, and apply the policy to the group. When you decide you
>>> don't want a policy to apply to a particular user, just remove him from
>>> the group.
>>
>>
>> I understand filtering, but I would like to suggest a more secure
>> setting, but allow the user to change the setting at will. For instance
>> the Junk Mail filter level in Office. We have several hundred users
>> (300-400) and only a handful of support personnel (the university will not
>> allow us to expand right now) and to have someone moving people into a
>> group to prevent a setting is not feasible. So for the meantime we have
>> to have no security (not a setting that I like). There are settings that
>> I don't want changed, but there are some that I would like suggested. I
>> guess this is more of a feature request if it doesn't exist. It seems
>> like a simple enough implementation, but I could be very wrong.
>>
>> Robert LeBlanc
>> BioAg Computer Support
>> Brigham Young University
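
The policy/preference distinction discussed in this thread can be checked mechanically before a custom ADM is deployed. The following is an added example, not part of the original messages: it reads ADM template text and reports whether each KEYNAME falls under one of the four approved Group Policy keys (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies, in HKCU and HKLM) or would tattoo the registry as a preference. The sample template and the value name `ExampleValue` are constructed placeholders; the two key paths are the ones quoted above.

```python
import re

# Approved Group Policy subtrees, relative to the hive selected by the
# ADM CLASS keyword (USER -> HKCU, MACHINE -> HKLM): four locations in total.
POLICY_ROOTS = (
    r"software\policies",
    r"software\microsoft\windows\currentversion\policies",
)
HIVE = {"USER": "HKCU", "MACHINE": "HKLM"}
CLASS_RE = re.compile(r'^\s*CLASS\s+(USER|MACHINE)\b', re.IGNORECASE)
KEYNAME_RE = re.compile(r'^\s*KEYNAME\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def is_policy_key(subkey):
    """True if subkey is a policy root or lies beneath one (key-boundary match)."""
    norm = subkey.strip("\\").lower()
    return any(norm == r or norm.startswith(r + "\\") for r in POLICY_ROOTS)

def audit_adm(text):
    """Return (hive, key, kind) for every KEYNAME found in ADM template text."""
    results, hive = [], None
    for line in text.splitlines():
        if line.lstrip().startswith(";"):   # ADM comment line
            continue
        m = CLASS_RE.match(line)
        if m:
            hive = HIVE[m.group(1).upper()]
            continue
        m = KEYNAME_RE.match(line)
        if m:
            key = m.group(1) if m.group(1) is not None else m.group(2)
            kind = "policy" if is_policy_key(key) else "preference (tattoos)"
            results.append((hive, key, kind))
    return results

# Constructed sample template; "ExampleValue" is a placeholder value name.
SAMPLE_ADM = r'''
CLASS USER
CATEGORY "Example"
  POLICY "Setting under the Policies key"
    KEYNAME "Software\Policies\Microsoft\Office\11.0\Outlook\Options\Mail"
    VALUENAME "ExampleValue"
  END POLICY
  POLICY "Same key moved outside Policies"
    KEYNAME "Software\Microsoft\Office\11.0\Outlook\Options\Mail"
    VALUENAME "ExampleValue"
  END POLICY
END CATEGORY
'''

if __name__ == "__main__":
    for hive, key, kind in audit_adm(SAMPLE_ADM):
        print(f"{hive}\\{key}: {kind}")
```
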