| Author | Messages | |
ns00h
Posts:5
 | | 08/06/2010 4:15 PM |
| Hi,
We are pushing out Open Office using GP. We use Security Filtering to do
this so only specific computers, who are in the OpenOffice group install
the software at computer startup.
There is some software from Open Office Technology which includes ADM
files so the settings in Open Office can be configured. These all apply at
the user level. I don't want to put the users in the same OpenOffice group
as the GPO settings will apply to all computers regardless of whether Open
Office is installed or not.
So is there a way to make the second GPO apply only after the software
installation GPO applies? Or putting it this way, only apply the user GPO
on the computers with Open Office installed. But I don't want it to apply
to other computers without Open Office.
Thanks
Nathan Simpson
| | | |
| davesharples
Posts:55
| | 08/06/2010 4:17 PM |
| You can also put the settings in the policy with the software, then use merge processing to ensure they only get applied where the software is applied as well
On 30 Jun 2010, at 20:10, "Darren Mar-Elia" <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Its really hard to control CSE processing order. Or, more specifically, its fixed and you don’t have much control over it. You could use GPP’s item-level targeting to search for OpenOffice being installed and then use the GPP registry extension to deliver the customizations. That would mean that you would have to convert the ADMs for Open Office to GPP extensions, but this is not as hard as it sounds. Create a test GPO containing the ADMs, set the settings the way you want and apply them to a test user. Then, use the Registry Collection Wizard in GPP to capture those reg settings from the actual user registry and you’re good to go. That’s probably the way I would handle it, rather than trying to jury rig dependencies btw CSEs.
Darren
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy
Sent: Wednesday, June 30, 2010 5:34 AM
To: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: RE: [gptalk] Run a GPO only if another GPO runs
Could work if the order of gpo processing is well defined, and as long as there are no windows 200 machines as they will ignore the wmi filter.
If suppose if the machines were windows 7, you could use security filtering and ass the computer to a new security group if the policy is applied and then filter that’s security group on the later gpo but probably overkill
Regards,
Darragh O'Shaughnessy
IT Services Department
E-Mail: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Ext: 2562
Direct Dial In: 01-7994028
Web Site: <http://www.vhi.ie> www.vhi.ie<http://www.vhi.ie>
Help the environment. If you need to print this email consider using Eco Font to save ink: <http://www.ecofont.eu/ecofont_en.html> http://www.ecofont.eu/ecofont_en.html
This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses.
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Nathan Simpson
Sent: 30 June 2010 13:28
To: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: Re: [gptalk] Run a GPO only if another GPO runs
Just thinking about this....
Will maybe using the GPP of the software installation GPO to create an environment variable and then using WMI filtering on the user GPO to see if the ENV VAR exists.
Is this a decent way to do what I need?
Thanks
Nathan Simpson
Hi,
We are pushing out Open Office using GP. We use Security Filtering to do this so only specific computers, who are in the OpenOffice group install the software at computer startup.
There is some software from Open Office Technology which includes ADM files so the settings in Open Office can be configured. These all apply at the user level. I don't want to put the users in the same OpenOffice group as the GPO settings will apply to all computers regardless of whether Open Office is installed or not.
So is there a way to make the second GPO apply only after the software installation GPO applies? Or putting it this way, only apply the user GPO on the computers with Open Office installed. But I don't want it to apply to other computers without Open Office.
Thanks
Nathan Simpson
| | | |
| jeromelcruz
Posts:120
| | 08/06/2010 4:17 PM |
| Nathan,
Assuming you have 'some' control over the contents of the installation package and assuming the installation does not require a reboot, then there could be some time before the GPO settings apply. To get around this:
Make sure the Group Policy Preference setting are ready to go (ready to apply). Then to the installation script, add a 'GPUpdate /force' command to the end. That should ensure that the Group Policy Preference settings apply 'almost' right-way' after the installation itself--as opposed to waiting for the next 90-120 minute update interval.
Note: You can trigger the new GPP based policy using any of the mentioned methods (e.g. create a new environment variable in the installation package, look for a new registry key from the new applications, etc.)
Jerry
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, June 30, 2010 12:34 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Run a GPO only if another GPO runs
Dave-
If you're referring to loopback, that is definitely an option, although I tend to shy away from suggesting loopback for these kinds of "everyday" problems because it is an all-or-nothing decision that forever modifies user-policy processing behavior for those systems.
Darren
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Dave Sharples
Sent: Wednesday, June 30, 2010 12:16 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Run a GPO only if another GPO runs
You can also put the settings in the policy with the software, then use merge processing to ensure they only get applied where the software is applied as well
On 30 Jun 2010, at 20:10, "Darren Mar-Elia" <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Its really hard to control CSE processing order. Or, more specifically, its fixed and you don’t have much control over it. You could use GPP’s item-level targeting to search for OpenOffice being installed and then use the GPP registry extension to deliver the customizations. That would mean that you would have to convert the ADMs for Open Office to GPP extensions, but this is not as hard as it sounds. Create a test GPO containing the ADMs, set the settings the way you want and apply them to a test user. Then, use the Registry Collection Wizard in GPP to capture those reg settings from the actual user registry and you’re good to go. That’s probably the way I would handle it, rather than trying to jury rig dependencies btw CSEs.
Darren
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy
Sent: Wednesday, June 30, 2010 5:34 AM
To: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: RE: [gptalk] Run a GPO only if another GPO runs
Could work if the order of gpo processing is well defined, and as long as there are no windows 200 machines as they will ignore the wmi filter.
If suppose if the machines were windows 7, you could use security filtering and ass the computer to a new security group if the policy is applied and then filter that’s security group on the later gpo but probably overkill
Regards,
Darragh O'Shaughnessy
IT Services Department
E-Mail: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Ext: 2562
Direct Dial In: 01-7994028
Web Site: <http://www.vhi.ie> www.vhi.ie<http://www.vhi.ie>
Help the environment. If you need to print this email consider using Eco Font to save ink: <http://www.ecofont.eu/ecofont_en.html> http://www.ecofont.eu/ecofont_en.html
This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses.
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Nathan Simpson
Sent: 30 June 2010 13:28
To: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: Re: [gptalk] Run a GPO only if another GPO runs
Just thinking about this....
Will maybe using the GPP of the software installation GPO to create an environment variable and then using WMI filtering on the user GPO to see if the ENV VAR exists.
Is this a decent way to do what I need?
Thanks
Nathan Simpson
Hi,
We are pushing out Open Office using GP. We use Security Filtering to do this so only specific computers, who are in the OpenOffice group install the software at computer startup.
There is some software from Open Office Technology which includes ADM files so the settings in Open Office can be configured. These all apply at the user level. I don't want to put the users in the same OpenOffice group as the GPO settings will apply to all computers regardless of whether Open Office is installed or not.
So is there a way to make the second GPO apply only after the software installation GPO applies? Or putting it this way, only apply the user GPO on the computers with Open Office installed. But I don't want it to apply to other computers without Open Office.
Thanks
Nathan Simpson
| | | |
| bwatson
Posts:0
| | 08/06/2010 4:17 PM |
| Hi Darren,
Forever? As in once you turn it on, you can never turn it off on those systems?
Ben
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, June 30, 2010 12:34 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Run a GPO only if another GPO runs
Dave-
If you're referring to loopback, that is definitely an option, although I tend to shy away from suggesting loopback for these kinds of "everyday" problems because it is an all-or-nothing decision that forever modifies user-policy processing behavior for those systems.
Darren
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Dave Sharples
Sent: Wednesday, June 30, 2010 12:16 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Run a GPO only if another GPO runs
You can also put the settings in the policy with the software, then use merge processing to ensure they only get applied where the software is applied as well
On 30 Jun 2010, at 20:10, "Darren Mar-Elia" <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Its really hard to control CSE processing order. Or, more specifically, its fixed and you don’t have much control over it. You could use GPP’s item-level targeting to search for OpenOffice being installed and then use the GPP registry extension to deliver the customizations. That would mean that you would have to convert the ADMs for Open Office to GPP extensions, but this is not as hard as it sounds. Create a test GPO containing the ADMs, set the settings the way you want and apply them to a test user. Then, use the Registry Collection Wizard in GPP to capture those reg settings from the actual user registry and you’re good to go. That’s probably the way I would handle it, rather than trying to jury rig dependencies btw CSEs.
Darren
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy
Sent: Wednesday, June 30, 2010 5:34 AM
To: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: RE: [gptalk] Run a GPO only if another GPO runs
Could work if the order of gpo processing is well defined, and as long as there are no windows 200 machines as they will ignore the wmi filter.
If suppose if the machines were windows 7, you could use security filtering and ass the computer to a new security group if the policy is applied and then filter that’s security group on the later gpo but probably overkill
Regards,
Darragh O'Shaughnessy
IT Services Department
E-Mail: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Ext: 2562
Direct Dial In: 01-7994028
Web Site: <http://www.vhi.ie> www.vhi.ie<http://www.vhi.ie>
Help the environment. If you need to print this email consider using Eco Font to save ink: <http://www.ecofont.eu/ecofont_en.html> http://www.ecofont.eu/ecofont_en.html
This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses.
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Nathan Simpson
Sent: 30 June 2010 13:28
To: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: Re: [gptalk] Run a GPO only if another GPO runs
Just thinking about this....
Will maybe using the GPP of the software installation GPO to create an environment variable and then using WMI filtering on the user GPO to see if the ENV VAR exists.
Is this a decent way to do what I need?
Thanks
Nathan Simpson
Hi,
We are pushing out Open Office using GP. We use Security Filtering to do this so only specific computers, who are in the OpenOffice group install the software at computer startup.
There is some software from Open Office Technology which includes ADM files so the settings in Open Office can be configured. These all apply at the user level. I don't want to put the users in the same OpenOffice group as the GPO settings will apply to all computers regardless of whether Open Office is installed or not.
So is there a way to make the second GPO apply only after the software installation GPO applies? Or putting it this way, only apply the user GPO on the computers with Open Office installed. But I don't want it to apply to other computers without Open Office.
Thanks
Nathan Simpson
| | | |
| Syspro
Posts:0
| | 08/06/2010 4:17 PM |
| Hi Nathan,
Is this really worth it? I presume the user settings are all in a single branch of the User Registry. Since Open Office is the only product that will bother reading them, does it matter if everyone has the settings? They will be ignored on non-Open Office machines.
I would go for simplicity and apply the settings to everyone. Activating Loop Back Processing will achieve what you want, but I would agree with Darren that the increased complexity and confusion that it may create in the future is probably not worth the effort. It also slows down processing since additional policies have to be applied.
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter – including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Thursday, 1 July 2010 6:42 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Run a GPO only if another GPO runs
 . No, you can turn it off. What I meant, more accurately, is that when its enabled, its on during every processing cycle--it becomes the default state, which can be confusing.
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of WATSON, BEN
Sent: Wednesday, June 30, 2010 1:33 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Run a GPO only if another GPO runs
Hi Darren,
Forever? As in once you turn it on, you can never turn it off on those systems?
Ben
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, June 30, 2010 12:34 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Run a GPO only if another GPO runs
Dave-
If you're referring to loopback, that is definitely an option, although I tend to shy away from suggesting loopback for these kinds of "everyday" problems because it is an all-or-nothing decision that forever modifies user-policy processing behavior for those systems.
Darren
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Dave Sharples
Sent: Wednesday, June 30, 2010 12:16 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Run a GPO only if another GPO runs
You can also put the settings in the policy with the software, then use merge processing to ensure they only get applied where the software is applied as well
On 30 Jun 2010, at 20:10, "Darren Mar-Elia" <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Its really hard to control CSE processing order. Or, more specifically, its fixed and you don’t have much control over it. You could use GPP’s item-level targeting to search for OpenOffice being installed and then use the GPP registry extension to deliver the customizations. That would mean that you would have to convert the ADMs for Open Office to GPP extensions, but this is not as hard as it sounds. Create a test GPO containing the ADMs, set the settings the way you want and apply them to a test user. Then, use the Registry Collection Wizard in GPP to capture those reg settings from the actual user registry and you’re good to go. That’s probably the way I would handle it, rather than trying to jury rig dependencies btw CSEs.
Darren
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy
Sent: Wednesday, June 30, 2010 5:34 AM
To: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: RE: [gptalk] Run a GPO only if another GPO runs
Could work if the order of gpo processing is well defined, and as long as there are no windows 200 machines as they will ignore the wmi filter.
If suppose if the machines were windows 7, you could use security filtering and ass the computer to a new security group if the policy is applied and then filter that’s security group on the later gpo but probably overkill
Regards,
Darragh O'Shaughnessy
IT Services Department
E-Mail: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Ext: 2562
Direct Dial In: 01-7994028
Web Site: <http://www.vhi.ie> www.vhi.ie<http://www.vhi.ie>
Help the environment. If you need to print this email consider using Eco Font to save ink: <http://www.ecofont.eu/ecofont_en.html> http://www.ecofont.eu/ecofont_en.html
This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses.
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Nathan Simpson
Sent: 30 June 2010 13:28
To: <mailto:xxxxxxxxxxxxxxxx> xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: Re: [gptalk] Run a GPO only if another GPO runs
Just thinking about this....
Will maybe using the GPP of the software installation GPO to create an environment variable and then using WMI filtering on the user GPO to see if the ENV VAR exists.
Is this a decent way to do what I need?
Thanks
Nathan Simpson
Hi,
We are pushing out Open Office using GP. We use Security Filtering to do this so only specific computers, who are in the OpenOffice group install the software at computer startup.
There is some software from Open Office Technology which includes ADM files so the settings in Open Office can be configured. These all apply at the user level. I don't want to put the users in the same OpenOffice group as the GPO settings will apply to all computers regardless of whether Open Office is installed or not.
So is there a way to make the second GPO apply only after the software installation GPO applies? Or putting it this way, only apply the user GPO on the computers with Open Office installed. But I don't want it to apply to other computers without Open Office.
Thanks
Nathan Simpson
| | | |
|
|