| Author | Messages | |
rpo8373
Posts:43
 | | 08/24/2010 12:52 AM |
| hi all,
we've recently been through an ie8 rollout and have created gpos containing ie related computer and user settings: ie8-users and ie8-computers.
we have one particular ou that contains computers that are on the domain, but users log on to these computers with a local account. the gpo ie8-computers is linked to this ou.
because users log on to these computers with local accounts, they're not getting settings defined in ie8-users (which is linked to the user's ou). an idea i had was to move the settings in ie8-users into the user config of ie8-computers and then set loopback enabled in this gpo. but my understanding is that even with loopback enabled, group policy won't apply to local accounts? if this is correct, can anyone suggest a way forward for me.
my current plan is to replace the local account used with a single domain account with no roaming profile, and a specific set of computers that it can log on to. any other ideas would be great.
daniel.
| | | |
| DarraghOShaughnessy
Posts:161
 | | 08/24/2010 9:59 AM |
| Yes, local accounts process local group policy so loopback has no effect. The account has to query the DC for a list of available/applicable GPO's so a local account would not have permission to do this regardless. You could roll out a local policy? What OS are the desktops?
Regards,
Darragh O'Shaughnessy
IT Services Department
| | | |
| john.vanmeter
Posts:41
 | | 08/24/2010 12:15 PM |
| You may be able to take the gpttmp.inf file and any registry.pol files and use apply_lgpo_delta.exe and importregpol.exe to recreate the user settings locally
Best Regards ::John van Meter Never be afraid to try something new. Remember amateurs built the Ark, Professionals built the Titanic.
| | | |
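The reply above suggests reusing a GPO's registry.pol files to recreate the user settings locally. As an added example (not from the thread or from the tools named in it), this Python code parses the Registry.pol layout, a `PReg` header followed by `[key;value;type;size;data]` records in UTF-16LE, so the settings can be reviewed before they are imported into local policy. The sample bytes and the IE values in them are constructed for illustration.

```python
import struct

def parse_registry_pol(buf):
    """Return (key, value_name, reg_type, data) tuples from Registry.pol bytes."""
    if buf[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, []
    def take(n):                      # next n raw bytes, bounds-checked
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError(f"truncated record at offset {pos}")
        pos += n
        return buf[pos - n:pos]
    def expect(ch):                   # '[', ';' and ']' are UTF-16LE characters
        if take(2) != ch.encode("utf-16-le"):
            raise ValueError(f"expected {ch!r} before offset {pos}")
    def wstr():                       # NUL-terminated UTF-16LE string
        start = pos
        while take(2) != b"\0\0":
            pass
        return buf[start:pos - 2].decode("utf-16-le")

    while pos < len(buf):
        expect("[")
        key = wstr()
        expect(";")
        name = wstr()
        expect(";")
        rtype = struct.unpack("<I", take(4))[0]
        expect(";")
        size = struct.unpack("<I", take(4))[0]
        expect(";")
        raw = take(size)
        expect("]")
        data = raw.hex()                              # fallback: other types as hex
        if rtype == 4 and size == 4:                  # REG_DWORD
            data = struct.unpack("<I", raw)[0]
        elif rtype in (1, 2):                         # REG_SZ, REG_EXPAND_SZ
            data = raw.decode("utf-16-le").rstrip("\0")
        out.append((key, name, rtype, data))
    return out

def _rec(key, name, rtype, raw):      # one record of the constructed sample
    names = f"[{key}\0;{name}\0;".encode("utf-16-le")
    return names + struct.pack("<I2sI2s", rtype, b";\0", len(raw), b";\0") + raw + b"]\0"

IE = "Software\\Policies\\Microsoft\\Internet Explorer\\"
SAMPLE = (b"PReg" + struct.pack("<I", 1)              # constructed, not from a real GPO
          + _rec(IE + "Control Panel", "HomePage", 4, struct.pack("<I", 1))
          + _rec(IE + "Main", "Start Page", 1, "http://intranet.example/\0".encode("utf-16-le")))
```

To inspect a real file, pass the bytes of the GPO's user-side Registry.pol to `parse_registry_pol` and compare the listed keys against what the local accounts are meant to receive.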
| rpo8373
Posts:43
 | | 08/25/2010 1:42 PM |
| hi,
the os is windows xp.
i'll investigate those two executables unless anyone else has any other ideas...
| | | |
| jeromelcruz
Posts:120
 | | 08/26/2010 12:52 AM |
| You might want to take a look at the (April 2010 released) Microsoft Security Compliance Manager tool. Darren noted this recently in his Blog.
It comes with a newer tool called the LPT (Local Policy Tool), described as follows:
Introducing the Local Policy Tool
When you install the SCM tool, another utility called the Local Policy Tool (LPT) becomes available. This tool is designed to assist you...
* Applying a security baseline to the local Group Policy of a computer.
* Exporting the local Group Policy of a computer to a group policy backup file.
* Updating the user interface of the Group Policy management tools.
You may want to apply the settings to the local Group Policy for stand-alone computers. You should update the user interface on the computers you will use to manage Group Policy so that you can view and manage the additional security settings ...
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture
| | | |