Re: Overwritten ADM files - recovery?
- From: Dave Swales <DaveSwales@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 23 Mar 2008 17:46:01 -0700
Hi again Mark,
I saw the complete sense in "going back to basics", and followed your
suggestion...actually, I now realise that splitting the User/Computer
settings and disabling their opposites provides a much more granular approach
to several GP scenarios.
Unfortunately, no difference was made to this situation.
The new RDP_Users still does not apply proxy, and as an experiment, the new
RDP_Computer does not change slow link detection setting (for example).
Both settings appear in GPMC...gpresults on the RDP server confirms the
application of the respective RDP GPOs, and the "opposites" being
filtered-out...RSOP says it sees no setting for proxy / slow link, and Group
Policy results run in GPMC against my own account on RDP server "confirms"
the application of the linked GPOs, but gives no detail of what is applied.
I checked Local Policy on the RDP server to ensure there were no settings
applied anywhere there.
This is _all_ exactly as it was before today.
After the problem arose, and before I went "back to basics" today, I did
note that with "loopback - merge" applied, gpresult would show the sequence
Default Domain Policy-RDP-Local Policy-Default Domain Policy-Local Policy as
applied on the RDP server.
This kind of made sense, if proxy settings were being overwritten....now, it
sort of seems like this is still the case, but we're not now seeing it
in gpresult.
.....if you see what I mean....
Inetres was already in use, by the way.
If I play around with some link settings, I do see artefacts of a previous
proxy setting ...they appear in the greyed-out portions of IE7 "Options
-Connections - Lan Settings"... including an incorrect one I set two days
after the issue arose (distinguishable by wrong port number).
So there's certainly some "pollution" or "stale" records somewhere.
I do get it (MUCH better now, thank you) about the registry.pol, and how the
templates are used to edit it for the Domain.
I did a search against registry.pol on my DCs, and, as I'm sure you would
know, I saw several copies, whose file dates _appear_ to relate to structural
changes in OU/GPO going back to original NT4>Active Directory....and up to
the above "back to basics" changes today....and also including the one that
created the "artefact" settings described above.
So, assuming (a dangerous thing, I accept), that policies are, as they
appear to be, replicated within the DOMAIN properly (as other OUs etc do not
seem affected, and they promptly propagate between DCs), could it be that my
RDP server is simply refusing to have a stale copy replaced (Session settings
are still in place, for example, so it has saved something from pre-problem
GPOs)
BTW, as far as I could tell, WPAP did not provide the flexibility for
excludes; sites we wouldn't want port 80 traffic to be routed via the proxy.
I didn't look up the transparent proxy info, simply because, right now, I
need to restore what _was_ working....but I will check it out later (thanks
again).
Meantime...stale local settings?
Am I on the right track do you think? (haven't found anything via Google
yet).
Dave
"Mark Heitbrink [MVP]" wrote:
Hi,
Dave Swales wrote:
[...] a working environment until I installed GPMC on my
Vista box and explored GPOs with it.
You should have used the gpmc.msc integrated in Vista.
MMC -> SnapIn -> GPMC
(it will not be there after installing SP1 ... there will come
a new one)
When you say "just import them", do you mean from a "clean" source
(Microsoft download)?
I think you still have not recognized that ADMs do not contain
any setting you make. ADM or ADMX are just a mask to edit the registry.pol.
You do not need a download source. EVERY XP/2003 has the original ADM
in %systemroot%\inf; it's just a matter of actuality.
The 2003 SP2 are the newest, containing ALL possibilities that have been
there before.
Perhaps you should better start from the beginning?
- Do not touch the Default Policies
- Create an OU "MyComputer", move all your computers here
- Create an OU "MyUsers", move all your users here
- Create and Link a GPO "MyComputer Settings" and link it to
  MyComputers, deactivate User Configuration, you do not need it,
  because inside this OU are no Users. Forget about Loopback.
  You do not need it.
- Create and Link a GPO "MyUsers Settings" and link it to
  MyUsers, deactivate Computer Configuration
- Do not use "Internet Explorer Maintenance". It will be a mess,
  if you are running IE7. Use the inetres.adm coming with IE7.
  You will find the inetres on EVERY MACHINE where IE7 is installed:
  %systemroot%\inf\inetres.adm
- Instead of deploying a proxy I would recommend WPAP [1] or a Transparent
  Proxy [2]. Much easier and a centralized way to control the clients.
  Why configure 1.500 clients, if you do it on one machine?
Mark
[1]
http://groups.google.com/group/microsoft.public.win2000.group_policy/msg/fcfd6830d1763330?
[2]
http://en.wikipedia.org/wiki/Proxy_server#Transparent_and_non-transparent_proxy_server
.... it's just a Firewall Rule that automatically redirects every HTTP
access to the proxy, without configuring the clients.
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
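
The thread turns on registry.pol being the file that actually holds the settings, with several dated copies found on the DCs. As an added example (not part of either post), a small Python reader for the registry.pol (PReg) record layout that also diffs two copies; the function names are chosen here, and the key, value names and proxy hosts in `sample` are constructed.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
HEADER = b"PReg" + struct.pack("<I", 1)  # file signature + version 1

def w(text):  # strings and delimiters in registry.pol are UTF-16LE
    return text.encode("utf-16-le")

def build_entry(key, name, rtype, data):  # one [key;value;type;size;data] record
    return (w("[" + key + "\0;" + name + "\0;") + struct.pack("<I", rtype)
            + w(";") + struct.pack("<I", len(data)) + w(";") + data + w("]"))

def read_wstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, next offset)
    for end in range(pos, len(buf) - 1, 2):
        if buf[end:end + 2] == b"\0\0":
            return buf[pos:end].decode("utf-16-le"), end + 2
    raise ValueError("unterminated string")

def expect(buf, pos, ch):  # check a delimiter and step over it
    if buf[pos:pos + 2] != w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):  # -> [(key, value name, decoded data)]
    if buf[:8] != HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, out = 8, []
    while pos < len(buf):
        key, pos = read_wstr(buf, expect(buf, pos, "["))
        name, pos = read_wstr(buf, expect(buf, pos, ";"))
        pos = expect(buf, pos, ";")
        rtype, = struct.unpack_from("<I", buf, pos)
        size, = struct.unpack_from("<I", buf, expect(buf, pos + 4, ";"))
        pos = expect(buf, pos + 10, ";")
        data = buf[pos:pos + size]
        pos = expect(buf, pos + size, "]")
        value = (data.decode("utf-16-le").rstrip("\0") if rtype == REG_SZ else
                 int.from_bytes(data, "little") if rtype == REG_DWORD else data)
        out.append((key, name, value))
    return out

def diff_pol(old, new):  # settings whose data differs between two copies
    a, b = ({(k, n): d for k, n, d in parse_pol(x)} for x in (old, new))
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys() if a.get(k) != b.get(k)}

def sample(server):  # constructed file content, not data from the thread
    key = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    return (HEADER + build_entry(key, "ProxyEnable", REG_DWORD, struct.pack("<I", 1))
            + build_entry(key, "ProxyServer", REG_SZ, w(server + "\0")))
```

Feeding `diff_pol` the bytes of two registry.pol copies (read with `open(path, "rb").read()`) shows which values, such as a proxy entry with a different port, differ between them.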