| Author | Messages | |
dmarelia
Posts:441
 | | 09/30/2010 8:37 PM |
| That's why I like VDI... A re-image is just a button press away!
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Thursday, September 30, 2010 1:40 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Yep, and after that, my favourite... re-image!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 30 September 2010 09:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Very true Darragh, and failing that...another reboot for good measure! 
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 30 September 2010 09:35 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Out of ideas Sean?! Never, there's always a reboot 
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 30 September 2010 09:32 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Brilliant... failing that I was out of ideas ;o)
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 29 September 2010 17:59 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Made the change and the GPO is being applied as it should.
Thanks again to you all for your help. Jim
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 29, 2010 12:15 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Darren is correct. Just looking at it now myself. You are not using loopback processing either? Don't see it in your gpresult.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 29 September 2010 17:11 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
James- I see your problem. The screensaver policy is per-user. You have linked that GPO to a set of OUs, but the user account you are logging in with is in the CN=Users container within your domain, not within one of the linked OUs. Because the user account is not in one of the targeted OUs, the user is never going to process that policy. You need to either move your user accounts to somewhere where the GPO is linked or change the GPO linking. As it stands now, if you leave your users in CN=Users (not recommended btw), then you would have to link this GPO at the domain level to have it apply to the users there.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: Wednesday, September 29, 2010 9:01 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
I noticed on the gpresult output I do not see the screensaver settings listed but they are there on the report.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 29, 2010 11:02 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Ok,
If you could post a gpresult /Z from one of the machines that would be great. Also, if you could dump a report from GPMC of that OU that would also be great so we could see the security filtering and scoping also. Just strip out any sensitive data. I have a feeling we are missing something obvious here.
This should have all the info we need in case there are any deny permissions set on an ACL.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 29 September 2010 15:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Darren, Sean and Darragh Thanks for your suggestions. Loopback is not enabled nor are any WMI filters. I am not sure what you mean by being in the same hierarchy as the GPO. Are you asking if the users are domain users?........then yes they are and the security filtering reflects that. I have a feeling the problem is staring me in the face, but I just can't see it.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, September 28, 2010 4:03 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
And if you look at GP Results in GPMC, I think you said that on the Summary Tab, Under User Configuration, you see your "Security" under the list of Applied GPOs? If so, is it possible that you have loopback mode enabled on these computers?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: Tuesday, September 28, 2010 11:05 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Mar-Elia, Thanks for your help. Yes I did try gpupdate /force and I also did a reboot. It is applying the computer configuration, but not the user configuration for this particular GPO.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, September 28, 2010 1:09 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
James- Have you tried doing a gpupdate /force on one of those clients that aren't getting the "security" GPO? Sometimes the client thinks it has the most recent GP settings but really doesn't.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Tuesday, September 28, 2010 8:33 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
What other settings have you got in the policy and are they being applied, if there are other settings, are they a mixture of user and computer settings?
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 28 September 2010 14:50 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Sean, Thanks for the reply. I ran RSOP on the server and it showed the screen saver settings, but the GPO name is "Local Group Policy" not "security" which is the name of the GPO. I checked one of the 32bit clients and found they have the screen saver settings set locally (I should have checked that before), so I disabled the local settings and now the system is not applying the settings (can see screensaver tab and can change settings) so it appears to be a global problem not a 32bit/64bit issue. If I enforce the gpo from the server it still doesn't apply to clients, but the event log says policies applied successfully. I am now totally confused. I hope I haven't done the same to you.
I could not find any settings under the following key [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]. Is this the correct location? It is there on the server. If I run "Group Policy results" on the clients from the management console I get no errors on the summary page. The "security" gpo is listed under "Applied GPO's".
Thanks again for your time! Jim
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Tuesday, September 28, 2010 6:57 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Hi Jim,
Try running Rsop from the server where the template is held; that will show you the settings. You do not need to import this template to all of the clients, unless you intend on running GPMC on them all. I would also check the policies key within the registry to see if the setting is also being applied. As far as I know, the x64 registry location for the screen saver is the same as on x86 versions of XP.
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 27 September 2010 17:15 To: xxxxxxxxxxxxxxxx Subject: [gptalk] GPO and x64 XP
Good morning, can anyone help me with the following issue?
I have a mix of windows x32 and x64 Xp clients. I have several gpo's that are working fine, but part of one is not working on the x64 clients. The gpo is for security related policies and the only part that is not being applied is the settings to restrict users from changing the screen saver settings. The users can still see the screen saver tab and can change the settings which is not what should be happening. If I run rsop.msc I do not get any errors but I do not see the following tab "user configuration/Administrative Templates/Control Panel/Display". All I see under the Administrative Templates is "Windows Components". Do I need to import the ADM templates to the clients?
Thanks for any help you can give!
Jim
This email originates from AXA Technology Services UK Limited (reg. no. 1854856) which has its registered office at 5 Old Broad Street, London EC2N 1AD, England.
This message and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this in error, you should not disseminate or copy this email. Please notify the sender immediately and delete this email from your system.
Please also note that any opinions presented in this email are solely those of the author and do not necessarily represent those of The AXA UK Plc Group.
Email transmission cannot be guaranteed to be secure, or error free as information could be intercepted, corrupted, lost, destroyed, late in arriving or incomplete as a result of the transmission process. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission.
Finally, the recipient should check this email and any attachments for viruses. The AXA UK Plc Group accept no liability for any damage caused by any virus transmitted by this email.
| | | |
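Added example, not part of the original thread: a PowerShell check of the scoping rule Darren describes, that a per-user setting is processed only when the GPO is linked at or above the location of the user object. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the account name `jsmith` is hypothetical and `security` is the GPO name used in the thread.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory and
# GroupPolicy modules and read access to the domain.
Import-Module ActiveDirectory, GroupPolicy

function Get-ParentDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Strip the leading RDN. The lookbehind skips commas escaped as "\,"
    # inside a name such as "CN=Smith\, Jim".
    $DistinguishedName -replace '^.+?(?<!\\),', ''
}

function Test-UserGpoLinkScope {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GpoName
    )

    $user      = Get-ADUser -Identity $SamAccountName
    $container = Get-ParentDn $user.DistinguishedName

    # GPOs link only to sites, domains and OUs. A plain container such as
    # CN=Users cannot carry a link, so walk up to the nearest OU or the domain.
    $som = $container
    while ($som -notmatch '^(OU|DC)=') {
        $som = Get-ParentDn $som
    }

    # InheritedGpoLinks is the effective link list at that point in the
    # hierarchy. Site links, security filtering and WMI filters are separate
    # checks and are not covered here.
    $inherited = (Get-GPInheritance -Target $som).InheritedGpoLinks
    $link = $inherited |
        Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled } |
        Select-Object -First 1

    $linkedAt = $null
    if ($link) { $linkedAt = $link.Target }

    [pscustomobject]@{
        User           = $user.DistinguishedName
        UserContainer  = $container
        EffectiveScope = $som
        GpoInScope     = [bool]$link
        LinkedAt       = $linkedAt
    }
}

# 'jsmith' is a hypothetical account; 'security' is the GPO name from the thread.
Test-UserGpoLinkScope -SamAccountName 'jsmith' -GpoName 'security'
```

A result with `UserContainer` under `CN=Users` and `GpoInScope` set to `False` matches the situation in the thread: the computer objects sit in a linked OU, the user object does not.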
| DarraghOShaughnessy
Posts:177
 | | 10/01/2010 12:53 PM |
| Ha ha!
Is there a GPP setting for re-imaging your machine? If so, does it classify as tattooing!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 30 September 2010 17:48 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
That's why I like VDI... A re-image is just a button press away!
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Thursday, September 30, 2010 1:40 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Yep, and after that, my favourite... re-image!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 30 September 2010 09:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
:-) Very true Darragh, and failing that...another reboot for good measure! :-)
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 30 September 2010 09:35 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Out of ideas Sean?! Never, there's always a reboot :-)
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 30 September 2010 09:32 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Brilliant... failing that I was out of ideas ;o)
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 29 September 2010 17:59 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Made the change and the GPO is being applied as it should.
Thanks again to you all for your help.
Jim
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 29, 2010 12:15 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Darren is correct. Just looking at it now myself. You are not using loopback processing either? Don't see it in your gpresult.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 29 September 2010 17:11 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
James-
I see your problem. The screensaver policy is per-user. You have linked that GPO to a set of OUs, but the user account you are logging in with is in the CN=Users container within your domain, not within one of the linked OUs. Because the user account is not in one of the targeted OUs, the user is never going to process that policy. You need to either move your user accounts to somewhere where the GPO is linked or change the GPO linking. As it stands now, if you leave your users in CN=Users (not recommended btw), then you would have to link this GPO at the domain level to have it apply to the users there.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: Wednesday, September 29, 2010 9:01 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
I noticed on the gpresult output I do not see the screensaver settings listed but they are there on the report.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 29, 2010 11:02 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Ok,
If you could post a gpresult /Z from one of the machines that would be great. Also, if you could dump a report from GPMC of that OU that would also be great so we could see the security filtering and scoping also. Just strip out any sensitive data. I have a feeling we are missing something obvious here.
This should have all the info we need in case there are any deny permissions set on an ACL.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 29 September 2010 15:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Darren, Sean and Darragh
Thanks for your suggestions. Loopback is not enabled nor are any WMI filters. I am not sure what you mean by being in the same hierarchy as the GPO. Are you asking if the users are domain users?........then yes they are and the security filtering reflects that. I have a feeling the problem is staring me in the face, but I just can't see it.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, September 28, 2010 4:03 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
And if you look at GP Results in GPMC, I think you said that on the Summary Tab, Under User Configuration, you see your "Security" under the list of Applied GPOs? If so, is it possible that you have loopback mode enabled on these computers?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: Tuesday, September 28, 2010 11:05 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Mar-Elia,
Thanks for your help. Yes I did try gpupdate /force and I also did a reboot. It is applying the computer configuration, but not the user configuration for this particular GPO.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, September 28, 2010 1:09 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
James-
Have you tried doing a gpupdate /force on one of those clients that aren't getting the "security" GPO? Sometimes the client thinks it has the most recent GP settings but really doesn't.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Tuesday, September 28, 2010 8:33 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
What other settings have you got in the policy and are they being applied, if there are other settings, are they a mixture of user and computer settings?
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 28 September 2010 14:50 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Sean,
Thanks for the reply. I ran RSOP on the server and it showed the screen saver settings, but the GPO name is "Local Group Policy" not "security" which is the name of the GPO. I checked one of the 32bit clients and found they have the screen saver settings set locally (I should have checked that before), so I disabled the local settings and now the system is not applying the settings (can see screensaver tab and can change settings) so it appears to be a global problem not a 32bit/64bit issue. If I enforce the gpo from the server it still doesn't apply to clients, but the event log says policies applied successfully. I am now totally confused. I hope I haven't done the same to you.
I could not find any settings under the following key [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]. Is this the correct location? It is there on the server. If I run "Group Policy results" on the clients from the management console I get no errors on the summary page. The "security" gpo is listed under "Applied GPO's".
Thanks again for your time!
Jim
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Tuesday, September 28, 2010 6:57 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Hi Jim,
Try running Rsop from the server where the template is held; that will show you the settings. You do not need to import this template to all of the clients, unless you intend on running GPMC on them all. I would also check the policies key within the registry to see if the setting is also being applied. As far as I know, the x64 registry location for the screen saver is the same as on x86 versions of XP.
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 27 September 2010 17:15 To: xxxxxxxxxxxxxxxx Subject: [gptalk] GPO and x64 XP
Good morning, can anyone help me with the following issue?
I have a mix of windows x32 and x64 Xp clients. I have several gpo's that are working fine, but part of one is not working on the x64 clients.
The gpo is for security related policies and the only part that is not being applied is the settings to restrict users from changing the screen saver settings.
The users can still see the screen saver tab and can change the settings which is not what should be happening. If I run rsop.msc I do not get any errors but I do not see the following tab "user configuration/Administrative Templates/Control Panel/Display". All I see under the Administrative Templates is "Windows Components". Do I need to import the ADM templates to the clients?
Thanks for any help you can give!
Jim
| | | |
| jeromelcruz
Posts:123
 | | 10/01/2010 9:04 PM |
| Computer Configuration | Preferences | Control Panel Settings | Scheduled Tasks
Then configure an 'Immediate' Scheduled Task named 'Extreme PC Makeover' to launch a re-imaging process.
Simple! ROTFL
And... I'd classify it as 'Rubber Stamping with a Sledge Hammer'... :-)
Jerry
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Friday, October 01, 2010 1:34 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Ha ha!
Is there a GPP setting for re-imaging your machine? If so, does it classify as tattooing!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 30 September 2010 17:48 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
That's why I like VDI... A re-image is just a button press away!
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Thursday, September 30, 2010 1:40 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Yep, and after that, my favourite... re-image!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 30 September 2010 09:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
:-) Very true Darragh, and failing that...another reboot for good measure! :-)
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 30 September 2010 09:35 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Out of ideas Sean?! Never, there's always a reboot :-)
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 30 September 2010 09:32 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Brilliant... failing that I was out of ideas ;o)
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 29 September 2010 17:59 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Made the change and the GPO is being applied as it should.
Thanks again to you all for your help.
Jim
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 29, 2010 12:15 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Darren is correct. Just looking at it now myself. You are not using loopback processing either? Don't see it in your gpresult.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 29 September 2010 17:11 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
James-
I see your problem. The screensaver policy is per-user. You have linked that GPO to a set of OUs, but the user account you are logging in with is in the CN=Users container within your domain, not within one of the linked OUs. Because the user account is not in one of the targeted OUs, the user is never going to process that policy. You need to either move your user accounts to somewhere where the GPO is linked or change the GPO linking. As it stands now, if you leave your users in CN=Users (not recommended btw), then you would have to link this GPO at the domain level to have it apply to the users there.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: Wednesday, September 29, 2010 9:01 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
I noticed on the gpresult output I do not see the screensaver settings listed but they are there on the report.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 29, 2010 11:02 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Ok,
If you could post a gpresult /Z from one of the machines that would be great. Also, if you could dump a report from GPMC of that OU that would also be great so we could see the security filtering and scoping also. Just strip out any sensitive data. I have a feeling we are missing something obvious here.
This should have all the info we need in case there are any deny permissions set on an ACL.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 29 September 2010 15:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Darren, Sean and Darragh
Thanks for your suggestions. Loopback is not enabled nor are any WMI filters. I am not sure what you mean by being in the same hierarchy as the GPO. Are you asking if the users are domain users?........then yes they are and the security filtering reflects that. I have a feeling the problem is staring me in the face, but I just can't see it.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, September 28, 2010 4:03 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
And if you look at GP Results in GPMC, I think you said that on the Summary Tab, Under User Configuration, you see your "Security" under the list of Applied GPOs? If so, is it possible that you have loopback mode enabled on these computers?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: Tuesday, September 28, 2010 11:05 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Mar-Elia,
Thanks for your help. Yes I did try gpupdate /force and I also did a reboot. It is applying the computer configuration, but not the user configuration for this particular GPO.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, September 28, 2010 1:09 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
James-
Have you tried doing a gpupdate /force on one of those clients that aren't getting the "security" GPO? Sometimes the client thinks it has the most recent GP settings but really doesn't.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Tuesday, September 28, 2010 8:33 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
What other settings have you got in the policy and are they being applied, if there are other settings, are they a mixture of user and computer settings?
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 28 September 2010 14:50 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Sean,
Thanks for the reply. I ran RSOP on the server and it showed the screen saver settings, but the GPO name is "Local Group Policy" not "security" which is the name of the GPO. I checked one of the 32bit clients and found they have the screen saver settings set locally (I should have checked that before), so I disabled the local settings and now the system is not applying the settings (can see screensaver tab and can change settings) so it appears to be a global problem not a 32bit/64bit issue. If I enforce the gpo from the server it still doesn't apply to clients, but the event log says policies applied successfully. I am now totally confused. I hope I haven't done the same to you.
I could not find any settings under the following key [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]. Is this the correct location? It is there on the server. If I run "Group Policy results" on the clients from the management console I get no errors on the summary page. The "security" gpo is listed under "Applied GPO's".
Thanks again for your time!
Jim
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Tuesday, September 28, 2010 6:57 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Hi Jim,
Try running Rsop from the server where the template is held; that will show you the settings. You do not need to import this template to all of the clients, unless you intend on running GPMC on them all. I would also check the policies key within the registry to see if the setting is also being applied. As far as I know, the x64 registry location for the screen saver is the same as on x86 versions of XP.
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 27 September 2010 17:15 To: xxxxxxxxxxxxxxxx Subject: [gptalk] GPO and x64 XP
Good morning, can anyone help me with the following issue?
I have a mix of windows x32 and x64 Xp clients. I have several gpo's that are working fine, but part of one is not working on the x64 clients.
The gpo is for security related policies and the only part that is not being applied is the settings to restrict users from changing the screen saver settings.
The users can still see the screen saver tab and can change the settings which is not what should be happening. If I run rsop.msc I do not get any errors but I do not see the following tab "user configuration/Administrative Templates/Control Panel/Display". All I see under the Administrative Templates is "Windows Components". Do I need to import the ADM templates to the clients?
Thanks for any help you can give!
Jim
| | | |
| DarraghOShaughnessy
Posts:177
 | | 10/01/2010 9:48 PM |
| And obviously choose the setting 'Apply at each refresh'! It's weekend time, I must stop thinking about group policy :-)
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Cruz, Jerome L Sent: 01 October 2010 17:32 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Computer Configuration | Preferences | Control Panel Settings | Scheduled Tasks
Then configure an 'Immediate' Scheduled Task named 'Extreme PC Makeover' to launch a re-imaging process.
Simple! ROTFL
And... I'd classify it as 'Rubber Stamping with a Sledge Hammer'... :-)
Jerry
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Friday, October 01, 2010 1:34 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Ha ha!
Is there a GPP setting for re-imaging your machine? If so, does it classify as tattooing!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 30 September 2010 17:48 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
That's why I like VDI... A re-image is just a button press away!
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Thursday, September 30, 2010 1:40 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Yep, and after that, my favourite... re-image!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 30 September 2010 09:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
:-) Very true Darragh, and failing that...another reboot for good measure! :-)
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 30 September 2010 09:35 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Out of ideas Sean?! Never, there's always a reboot :-)
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 30 September 2010 09:32 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Brilliant... failing that I was out of ideas ;o)
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 29 September 2010 17:59 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Made the change and the GPO is being applied as it should.
Thanks again to you all for your help.
Jim
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 29, 2010 12:15 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Darren is correct. Just looking at it now myself. You are not using loopback processing either? Don't see it in your gpresult.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 29 September 2010 17:11 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
James-
I see your problem. The screensaver policy is per-user. You have linked that GPO to a set of OUs, but the user account you are logging in with is in the CN=Users container within your domain, not within one of the linked OUs. Because the user account is not in one of the targeted OUs, the user is never going to process that policy. You need to either move your user accounts to somewhere where the GPO is linked or change the GPO linking. As it stands now, if you leave your users in CN=Users (not recommended btw), then you would have to link this GPO at the domain level to have it apply to the users there.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: Wednesday, September 29, 2010 9:01 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
I noticed on the gpresult output I do not see the screensaver settings listed but they are there on the report.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 29, 2010 11:02 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Ok,
If you could post a gpresult /Z from one of the machines that would be great. Also, if you could dump a report from GPMC of that OU that would also be great so we could see the security filtering and scoping also. Just strip out any sensitive data. I have a feeling we are missing something obvious here.
This should have all the info we need in case there are any deny permissions set on an ACL.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 29 September 2010 15:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Darren, Sean and Darragh
Thanks for your suggestions. Loopback is not enabled nor are any WMI filters. I am not sure what you mean by being in the same hierarchy as the GPO. Are you asking if the users are domain users?........then yes they are and the security filtering reflects that. I have a feeling the problem is staring me in the face, but I just can't see it.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, September 28, 2010 4:03 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
And if you look at GP Results in GPMC, I think you said that on the Summary Tab, Under User Configuration, you see your "Security" under the list of Applied GPOs? If so, is it possible that you have loopback mode enabled on these computers?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: Tuesday, September 28, 2010 11:05 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Mar-Elia,
Thanks for your help. Yes I did try gpupdate /force and I also did a reboot. It is applying the computer configuration, but not the user configuration for this particular GPO.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, September 28, 2010 1:09 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
James-
Have you tried doing a gpupdate /force on one of those clients that aren't getting the "security" GPO? Sometimes the client thinks it has the most recent GP settings but really doesn't.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Tuesday, September 28, 2010 8:33 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
What other settings have you got in the policy and are they being applied, if there are other settings, are they a mixture of user and computer settings?
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 28 September 2010 14:50 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Sean,
Thanks for the reply. I ran RSOP on the server and it showed the screen saver settings, but the GPO name is "Local Group Policy" not "security" which is the name of the GPO. I checked one of the 32bit clients and found they have the screen saver settings set locally (I should have checked that before), so I disabled the local settings and now the system is not applying the settings (can see screensaver tab and can change settings) so it appears to be a global problem not a 32bit/64bit issue. If I enforce the gpo from the server it still doesn't apply to clients, but the event log says policies applied successfully. I am now totally confused. I hope I haven't done the same to you.
I could not find any settings under the following key [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop] is this the correct location? It is there on the server. If I run "Group Policy results" on the clients from the management console I get no errors on the summary page. The "security" gpo is listed under "Applied GPO's".
Thanks again for your time!
Jim
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Tuesday, September 28, 2010 6:57 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO and x64 XP
Hi Jim,
Try running Rsop from the server where the template is held, that will show you the settings, you do not need to import this template to all of the clients, unless you intend on running GPMC on them all, I would also check the policies key within the registry to see if the setting is also being applied, as far as I know x64 registry location for the screen saver is the same as x86 versions of XP.
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Camacho, James - 0336 - MITLL Sent: 27 September 2010 17:15 To: xxxxxxxxxxxxxxxx Subject: [gptalk] GPO and x64 XP
Good morning, can anyone help me with the following issue?
I have a mix of Windows x32 and x64 XP clients. I have several GPOs that are working fine, but part of one is not working on the x64 clients.
The gpo is for security related policies and the only part that is not being applied is the settings to restrict users from changing the screen saver settings.
The users can still see the screen saver tab and can change the settings which is not what should be happening. If I run rsop.msc I do not get any errors but I do not see the following tab "user configuration/Administrative Templates/Control Panel/Display". All I see under the Administrative Templates is "Windows Components". Do I need to import the ADM templates to the clients?
Thanks for any help you can give!
Jim
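The scoping check behind Darren's diagnosis in the thread (a per-user setting only applies if the GPO is linked at or above the user account's own location, and CN=Users is a plain container that cannot carry links), as an added example that is not part of the original messages. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the account name 'jdoe' and the function names are hypothetical, and 'security' is the GPO name used in the thread.

```powershell
# Added example: requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Get-PolicyScopeDN {
    # Walk up from an object's DN to the nearest OU or the domain root.
    # Plain containers such as CN=Users cannot have GPOs linked to them,
    # so they are skipped and the search continues with the parent.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split on commas that are not escaped with a backslash.
    $parts = $DistinguishedName -split '(?<!\\),'
    for ($i = 1; $i -lt $parts.Count; $i++) {
        if ($parts[$i] -match '^(OU|DC)=') {
            return ($parts[$i..($parts.Count - 1)] -join ',')
        }
    }
    throw "No OU or domain component found in '$DistinguishedName'"
}

function Test-UserGpoScope {
    # Report whether a GPO link reaches the location of a user account.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GpoName
    )

    $user  = Get-ADUser -Identity $SamAccountName
    $scope = Get-PolicyScopeDN -DistinguishedName $user.DistinguishedName

    # InheritedGpoLinks holds the links Get-GPInheritance reports as applying
    # at this OU or domain, both direct and inherited from parents.
    $links = (Get-GPInheritance -Target $scope).InheritedGpoLinks
    $hit   = @($links | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled })

    [pscustomobject]@{
        User        = $user.DistinguishedName
        PolicyScope = $scope
        Gpo         = $GpoName
        LinkInScope = ($hit.Count -gt 0)
        LinkedAt    = ($hit | ForEach-Object { $_.Target }) -join '; '
    }
}

# Constructed sample call: 'jdoe' is a placeholder account name.
Test-UserGpoScope -SamAccountName 'jdoe' -GpoName 'security'
```

A result with LinkInScope set to False matches the situation in the thread. A True result only confirms the link; security filtering, WMI filters and loopback processing, all raised earlier in the thread, still decide whether the settings are applied.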