Re: Two part Group Policy question
- From: Stetson Admin <StetsonAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 26 Jun 2007 13:31:00 -0700
Darren,
Your script works great! I have a new GPO that I can use to enable the
local Group Policy at computer startup, and it seems to work flawlessly. The
jury is still out on whether this will help with the WSUS issue or the
password issue, but this, to me, is going to help out tremendously in our
computer lab environments.
Thank you once again for your help,
Jack
"Darren Mar-Elia" wrote:
Jack-.
Well, what they've done is disabled the local GPO. That does not disable GP
processing altogether. It just means that the computer and user will ignore
the local GPO. If you have domain-based GPOs, they will always override the
local GPO anyway, so this does not seem to be much of a problem unless you
are doing everything via local GPO. If that is the case, then you can "fix"
that. I have a script on my website (http://www.gpoguy.com/Tools.htm#LGPO)
that is designed to disable the local GPO via computer startup script.
However, you can modify the script to enable the GPO just as easily.
Basically, edit the script using notepad and change the following two lines:
On the line that says:
strLine = "Options=3"
change it to:
strLine = "Options=0"
and on the line that says:
strContents=strContents+"Options=3"+VbCrLf
change that to:
strContents=strContents+"Options=0"+VbCrLf
As for checking the password notification, not sure how you could
artifically force the expire period to occur but if you have a decent-sized
environment, you will likely find out from some user soon enough :)
Darrne
--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Simplify Group Policy Troubleshooting with the NEW GPExpert Troubleshooting
Pak 1.0 at http://www.sdmsoftware.com/products.php
Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy
Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related
"Stetson Admin" <StetsonAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E4E24D4-285C-418A-8766-78B0E874AB76@xxxxxxxxxxxxxxxx
Darren,
Thank you for the prompt reply!
Firstly: [Darren] What did they do exactly to disable GP? This is pretty
hard to do.
There is no "switch" to throw that disables GP.
They actually went into gpedit.msc, Action, Properties and selected both
check boxes to disable GP. I was beside myself when I heard of it! All
I'm
trying to do is see if there is a way to automate it so they don't have to
go
around and touch every PC. I take it from your comment about there being
no
"switch" to throw that they may indeed have to take this course? I
suppose
it's a good learning exercise for them, but it doesn't make me feel any
better about the image builds.
As for the password expiring notification, I removed the setting from the
DDP and configured it on the Default Domain Controller GPO. Then I ran
gpupdate /force on the DC's. I am using the Group Policy Management
Console
(v 1.0.2) and have verified that the change is being applied to our DC's.
Can you think of an easy way to test this for functionality without having
to wait for my account to be within 10 days of expiring?
Thanks again for your help,
Jack
"Darren Mar-Elia" wrote:
Jack--
See below.
--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Simplify Group Policy Troubleshooting with the NEW GPExpert
Troubleshooting
Pak 1.0 at http://www.sdmsoftware.com/products.php
Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy
Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related
"Stetson Admin" <StetsonAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E71AD1DE-7846-4844-9741-09525479D2C8@xxxxxxxxxxxxxxxx
I have two issues that I need to try and solve:
1. I recently installed WSUS and configured client connectivity
through
Group Policy. I have tested it, and it works on about 30% of our
computers.
I discovered today that our HelpDesk has been deploying imaged with
Group
Policy disabled (Ugh!). Is there any way to script, or otherwise
remotely
enable, Group Policy on domain PCs?
[Darren] What did they do exactly to disable GP? This is pretty hard to
do.
There is no "switch" to throw that disables GP.
2. In our Default Domain Policy, we have the Computer Configuration ->
Windows Settings -> Security Settings -> Local Policies -> Security
Options
-> Interactive logon: Prompt user to change password before expiration
set
at
10 days. The setting has been verified client-side with RSOP, but it
is
not
working.
[Darren] Try setting this on the Default Domain Controllers Policy. I
suspect that if you're setting it on the DDP currently, that the Default
DC
Policy is overriding it. Modify that instead, since it has to apply to
DCs
to affect domain user accounts.
Any help would be appreciated to answer one, or preferably both, of
these
issues.
Thanks,
Jack
- References:
- Re: Two part Group Policy question
- From: Darren Mar-Elia
- Re: Two part Group Policy question
- From: Stetson Admin
- Re: Two part Group Policy question
- From: Darren Mar-Elia
- Re: Two part Group Policy question
- Prev by Date: Re: Two part Group Policy question
- Next by Date: RE: Windows Media Player ignores policy on XP
- Previous by thread: Re: Two part Group Policy question
- Next by thread: Windows Time Server via Group Policy
- Index(es):
Relevant Pages
|
Loading
