Re: Custom GPO and suggested settings
- From: "JJ Runnion" <jjrNOSPAM@xxxxxxxxx>
- Date: Wed, 8 Jun 2005 11:35:21 -0500
what are you referring to when you state "a setting in the 4 policies
sections" --
is this to say that anything not in Account Policies, Local Policies, Public
Key Policies, or IPSEC policies, gets tattooed? In which case Adm Template
settings are tattooed?
--
jj runnion
jjrNOSPAM@xxxxxxxxx
"Simon Geary" <simon_geary@xxxxxxxxxxx> wrote in message
news:uhcCVe5aFHA.1404@xxxxxxxxxxxxxxxxxxxxxxx
> You can't change what portion of the registry a particular setting lives
> in, that's not what that quote means. If Microsoft have decided to put the
> junk mail setting in the Policies section of the registry (which is a good
> thing) then it must stay there, you can't move it elsewhere.
>
> The main difference between a policy (a setting in the 4 policies
> sections) and a preference (a setting anywhere else) is that when a user
> or computer moves out of scope of a Group Policy (eg. removed from an OU)
> the registry settings will automatically undo themselves. With a
> preference, the registry is 'tattooed' with the registry change which must
> be manually removed.
>
> Policies are generally considered to be 'better' than preferences. You
> would only write an ADM for a registry change if there was not already a
> proper policy for it. In your case, outlk11.adm already has this setting
> so you do not need to create your own adm. But as you have noticed, there
> is no option in Group Policy to allow an end user to choose whether or not
> to apply a particular policy.
>
> "Robert LeBlanc" <leblanc@xxxxxxx> wrote in message
> news:O8oPPH3aFHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
>> Ok, I'm going to be weird and reply to myself. The document is very
>> helpful and I highly recommend it. The one question that I have is
>> concerning preferences. The document states:
>>
>> "Preferences are set by the user or by the operating system at
>> installation time. The registry values that store preferences are located
>> outside the approved Group Policy keys listed in Table 1. They are
>> located in other areas of the registry."
>>
>> Anyone aware of where the "other areas" could be? I tried to move the
>> Junk Mail filter rule out of the policy portion of the tree, but the
>> setting does not seem to take. I haven't exhausted all the options yet,
>> but wanted to see if someone else had a good idea of where they are
>> talking about. If anyone is interested, I think the preference should go
>> to :
>>
>> HKCU\Software\Microsoft\Office\11.0\Outlook\Options\Mail
>>
>> from
>>
>> HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Options\Mail
>>
>> Thanks,
>> Robert LeBlanc
>> BioAg Computer Support
>> Brigham Young University
>>
>> Robert LeBlanc wrote:
>>>
>>>
>>> Simon Geary wrote:
>>>
>>>> It's pretty easy to create a custom ADM file in Group Policy that can
>>>> be used to change\add\delete registry values in most (but not all)
>>>> sections of the registry. This is the white paper that explains all.
>>>> http://www.microsoft.com/downloads/details.aspx?FamilyID=e7d72fa1-62fe-4358-8360-8774ea8db847&displaylang=en
>>>>
>>>> If you have particular changes in mind you can post a query back here
>>>> and you will often find that someone has already written an ADM for it
>>>> thus saving you the trouble. Although it's a skill well worth learning
>>>> for yourself though.
>>>
>>>
>>> Thanks for the link, I'll look into it. I really like learning how to do
>>> it.
>>>
>>>> As for the second question, this isn't really what Group Policy is
>>>> meant for IMO. I see it as more of a tool for enforcing the settings
>>>> you want rather than giving users the option, why don't you just leave
>>>> that policy unconfigured and allow the users to configure it
>>>> themselves? In any case, you can't do this with Group Policy. A quick
>>>> way to remove unwanted policies from individual users is to use
>>>> security filtering with your GPOs, and apply the policy to the group.
>>>> When you decide you don't want a policy to apply to a particular user,
>>>> just remove him from the group.
>>>
>>>
>>> I understand filtering, but I would like to suggest a more secure
>>> setting, but allow the user to change the setting at will. For instance
>>> the Junk Mail filter level in Office. We have several hundred users
>>> (300-400) and only a handful of support personal (the university will
>>> not allow us to expand right now) and to have someone moving people into
>>> a group to prevent a setting is not feasible. So for the mean time we
>>> have to have no security (not a setting that I like). There are settings
>>> that I don't want changed, but there are some that I would like
>>> suggested. I guess this is more of a feature request if it doesn't
>>> exist. It seems like a simple enough implementation, but I could be very
>>> wrong.
>>>
>>> Robert LeBlanc
>>> BioAg Computer Support
>>> Brigham Young University
>
>
.
- Follow-Ups:
- Re: Custom GPO and suggested settings
- From: Robert LeBlanc
- Re: Custom GPO and suggested settings
- References:
- Custom GPO and suggested settings
- From: Robert LeBlanc
- Re: Custom GPO and suggested settings
- From: Simon Geary
- Re: Custom GPO and suggested settings
- From: Robert LeBlanc
- Re: Custom GPO and suggested settings
- From: Robert LeBlanc
- Re: Custom GPO and suggested settings
- From: Simon Geary
- Custom GPO and suggested settings
- Prev by Date: Re: Locking Down an XP Workstation
- Next by Date: Re: Custom GPO and suggested settings
- Previous by thread: Re: Custom GPO and suggested settings
- Next by thread: Re: Custom GPO and suggested settings
- Index(es):
Relevant Pages
|
Loading
