| Author | Messages | |
alanjr_uk
Posts:14
 | | 10/18/2010 10:13 PM |
| Hi
Apologies for what is probably really quite obvious to you experts, but I'd be grateful for some help with the following...
Basically we've got a small setup (4 machines) that we're planning on upgrading from Windows XP to Windows 7 Professional. At the same time I'd like to tighten up on the GPO settings on these machines.
They're in a secure location so when booted up just go straight into a standard user account (I used control userpasswords2 for this), but we want to lock them down so they can really just be used for web browsing and editing documents. There's also a second account on each PC which has admin rights.
I've followed the steps at http://technet.microsoft.com/en-us/library/cc730760.aspx to allow me to make changes to the GPO settings without them affecting the admin account - so far so good.
I'm not planning to play about with the various different settings on offer but had the following (I think linked) questions:
1) is there an easy way to enable/disable the settings changes that I've made? It's just it would be nice when we wanted to make any changes to the user account to be able to quickly disable our GPO settings, make the changes, then re-enable them. I read at http://technet.microsoft.com/en-us/library/cc163078.aspx about security templates (which sounded like the sort of thing we were looking for), but it seems like you need Windows Server to generate these in the first place. Is that right? Are there any other ways of doing this?
2) is there an easy way to export the GPO settings that we've made? This would be particularly handy when setting up multiple machines or at a later stage if we want to change a GPO setting across all of them. If not then the other method I was thinking of was to do a fresh install on one of them, make all the GPO settings, image the drive and then install the image to all the machines before manually entering the individual product keys on each machine.
And a kinda bonus question...
3) is there any easy way to revert all the changes a user has made when the PC is restarted? This way even if someone finds a way round our 'lockdowns' it would reset itself to default. Again if there's not an easy way then we can use the drive image instead, but just thought I'd see if anyone knew of an automated way of doing things.
As I understand it a Windows Server-type setup would solve all the above issues but we just don't have the budget for that.
Thanks in advance for any advice.
Alan
| | | |
| DarraghOShaughnessy
Posts:177
 | | 10/19/2010 6:40 AM |
| Hi,
Sounds like templates are the way to go and also possibly mandatory profiles so changes do not persist. Templates should allow you to configure a baseline that you could apply via the command line at start-up. You can also export these settings to a custm.inf file. However, if the templates include a lot of security ACLs this can slow down processing; otherwise they should be fine.
Personally, for this scenario, I would boot a small locked down image of XP via PXE but that may not be possible in your scenario. 
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Ninewells Doctors Mess Sent: 18 October 2010 00:02 To: xxxxxxxxxxxxxxxx Subject: [gptalk] Standalone GPO
| | | |
| alanjr_uk
Posts:14
 | | 10/19/2010 7:42 AM |
| Hi Darragh
Thanks for your reply!
Is there a way to create templates without having Windows Server? The instructions I found on the MS website talked about how to apply them but I couldn't find out a way to actually create them in the first place.
Agree PXE booting would be a good option although don't quite have the setup for this just now (& have already bought the Win 7 licenses;-)).
Alan
| | | |
| DarraghOShaughnessy
Posts:177
 | | 10/19/2010 7:49 AM |
| You should be able to access the templates from an XP Pro domain-joined machine via the mmc:
Just load in what you need here 
Darragh O'Shaughnessy
| | | |
| alanjr_uk
Posts:14
 | | 10/19/2010 9:00 AM |
| Hi Darragh
Thanks for the reply + screenshot!
Unfortunately we don't have any XP domain-joined machines, just standalone ones - is there any other way to create the templates?
A.
| | | |
| DarraghOShaughnessy
Posts:177
 | | 10/19/2010 9:04 AM |
| Well, perhaps a domain-joined machine is not required. Just tried on a non-domain-joined machine here and they are available. Have you tried to add them into the mmc? They are just text files at the end of the day so you could create them from scratch but I wouldn't recommend it!

Alternatively just download a virtualization freebie like VMware Player or the Sun VirtualBox and create an XP Pro machine in there to do the exports.
Darragh O'Shaughnessy
| | | |
| alanjr_uk
Posts:14
 | | 10/19/2010 9:17 AM |
| Thanks Darragh - had a look on an XP machine and found these templates. Looks like they're not included in Win 7 by default but I guess I should be able to copy them across.
A.
| | | |
| DarraghOShaughnessy
Posts:177
 | | 10/19/2010 9:20 AM |
| Hi,
They should be there on Windows 7 Pro (my workstation has them). Perhaps you need to install the RSAT tools?
Darragh O'Shaughnessy
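
The template workflow discussed in this thread (export a baseline to an .inf file, then apply it from the command line at start-up), written out with the built-in secedit.exe and schtasks.exe tools as an added example that is not from any of the posters. The folder, file names and task name are assumptions; save the script under any name and run it from an elevated prompt with `-Mode Export` on the reference machine and `-Mode Apply` or `-Mode RegisterStartup` on the others.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Folder, file names and the task name are assumptions chosen for illustration.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Export', 'Apply', 'Analyze', 'RegisterStartup')]
    [string]$Mode,

    # The start-up task applies this template as SYSTEM, so it must live in a
    # folder that only administrators can write to.
    [string]$WorkDir = (Join-Path $env:SystemRoot 'security\templates')
)

$Secedit  = Join-Path $env:SystemRoot 'System32\secedit.exe'
$Template = Join-Path $WorkDir 'kiosk-baseline.inf'
$Database = Join-Path $WorkDir 'kiosk-baseline.sdb'
$Log      = Join-Path $WorkDir 'kiosk-baseline.log'

# Restrict processing to security options/account policy and user rights.
# Leaving out FILESTORE and REGKEYS keeps file and registry ACLs out of the
# template, the part the thread warns can slow processing down.
$Areas = @('SECURITYPOLICY', 'USER_RIGHTS')

function Invoke-Secedit {
    param([string[]]$Arguments)
    & $Secedit $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "secedit $($Arguments -join ' ') exited with code $LASTEXITCODE; see $Log"
    }
}

function Assert-TemplateExists {
    if (-not (Test-Path $Template)) {
        throw "Template $Template not found. Export it on the reference machine and copy it here."
    }
}

if (-not (Test-Path $WorkDir)) {
    New-Item -ItemType Directory -Path $WorkDir | Out-Null
}

switch ($Mode) {
    'Export' {
        # Reference machine: dump the current local security settings to a
        # text template, then check that the file parses.
        Invoke-Secedit (@('/export', '/cfg', $Template, '/areas') + $Areas +
                        @('/log', $Log, '/quiet'))
        Invoke-Secedit @('/validate', $Template)
        Write-Output "Baseline written to $Template"
    }
    'Apply' {
        # Target machine: rebuild the database from the template and apply it.
        Assert-TemplateExists
        Invoke-Secedit (@('/configure', '/db', $Database, '/cfg', $Template,
                          '/overwrite', '/areas') + $Areas +
                        @('/log', $Log, '/quiet'))
        Write-Output "Baseline applied from $Template"
    }
    'Analyze' {
        # Compare the machine's current settings with the template. Results
        # are stored in the database and log; open the database in the
        # Security Configuration and Analysis snap-in to review them.
        Assert-TemplateExists
        Invoke-Secedit @('/analyze', '/db', $Database, '/cfg', $Template,
                         '/overwrite', '/log', $Log, '/quiet')
        Write-Output "Analysis stored in $Database (log: $Log)"
    }
    'RegisterStartup' {
        # Re-apply the baseline at every boot, as SYSTEM.
        Assert-TemplateExists
        $Action = "secedit.exe /configure /db $Database /cfg $Template /overwrite /quiet"
        & schtasks.exe /Create /TN 'Apply security baseline' /SC ONSTART /RU SYSTEM /TR $Action /F
        if ($LASTEXITCODE -ne 0) {
            throw "schtasks exited with code $LASTEXITCODE"
        }
    }
}
```

Security templates carry Security Settings only (account policy, user rights, security options, ACLs); restrictions set under Administrative Templates in the local Group Policy editor are stored separately and are not part of the exported .inf.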
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Ninewells Doctors Mess Sent: 18 October 2010 11:32 To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Standalone GPO
Thanks Darragh - had a look on an XP machine and found these templates. Looks like they're not included in Win 7 by default but I guess I should be able to copy them across.
A.
On Mon, Oct 18, 2010 at 11:18 AM, Darragh O'Shaughnessy <xxxxxxxxxxxxxxxx> wrote:
Well, perhaps a domain joined machine is not required. Just tried on a non-domain joined machine here and they are available. Have you tried on to add them into the mmc? They are just text files at the end of the day so you could create them from scratch but I wouldn't recommend it!

Alternatively just download a virtualization freebie like VMWare player or the SUN VirtualBox and create an XP Pro machine in there to do the exports.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Ninewells Doctors Mess Sent: 18 October 2010 11:12
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Standalone GPO
Hi Darragh
Thanks for the reply + screenshot!
Unfortunately we don't have any XP domain-joined machines, just standalone ones - is there any other way to create the templates?
A.
On Mon, Oct 18, 2010 at 10:03 AM, Darragh O'Shaughnessy <xxxxxxxxxxxxxxxx> wrote:
You should be able to access the templates form an XP pro domain joined machine via the mmc:
Just load in what you need here 
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Ninewells Doctors Mess Sent: 18 October 2010 09:53
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Standalone GPO
Hi Darragh
Thanks for your reply!
Is there a way to create templates without having Windows Server? The instructions I found on the MS website talked about how to apply them but I couldn't find out a way to actually create them in the first place.
Agree PXE booting would be a good option although don't quite have the setup for this just now (& have already bought the Win 7 licenses;-)).
Alan
On Mon, Oct 18, 2010 at 8:55 AM, Darragh O'Shaughnessy <xxxxxxxxxxxxxxxx> wrote:
HI,
Sounds like templates are the way to go and also possibly mandatory profiles so changes do not persist. Templates should allow you to configure a baseline that you could apply via the command line at start-up. You can also export these settings to a custm.inf file. However, if the templates include a lot of security ACL's this can slow down processing otherwise they should be fine.
Personally, for this scenario, I would boot a small locked down image of XP via PXE but that may not be possible in your scenario. 
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Ninewells Doctors Mess Sent: 18 October 2010 00:02
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Standalone GPO
Hi
Apologies for what is probably really quite obvious to you experts, but I'd be grateful for some help with the following...
Basically we've got a small setup (4 machines) that we're planning on upgrading from Windows XP to Windows 7 Professional. At the same time I'd like to tighten up on the GPO settings on these machines.
They're in a secure location so when booted up just go straight into a standard user account (I used control userpasswords2 for this), but we want to lock them down so they can really just be used for web browsing and editing documents. There's also a second account on each PC which has admin rights.
I've followed the steps at http://technet.microsoft.com/en-us/library/cc730760.aspx to allow me to make changes to the GPO settings without them affecting the admin account - so far so good.
I'm not planning to play about with the various different settings on offer but had the following (I think linked) questions:
1) is there an easy way to enable/disable the settings changes that I've made? It's just it would be nice when we wanted to make any changes to the user account to be able to quickly disable our GPO settings, make the changes, then re-enable them. I read at http://technet.microsoft.com/en-us/library/cc163078.aspx about security templates (which sounded like the sort of thing we were looking for), but it seems like you need Windows Server to generate these in the first place. Is that right? Are there any other ways of doing this?
2) is there an easy way to export the GPO settings that we've made? This would be particularly handy when setting up multiple machines or at a later stage if we want to change a GPO setting across all of them. If not then the other method I was thinking of was to do a fresh install on one of them, make all the GPO settings, image the drive and then install the image to all the machines before manually entering the individual product keys on each machine.
And a kinda bonus question...
3) is there any easy way to revert all the changes a user has made when the PC is restarted? This way even if someone finds a way round our 'lockdowns' it would reset itself to default. Again if there's not an easy way then we can use the drive image instead, but just thought I'd see if anyone knew of an automated way of doing things.
As I understand it a Windows Server-type setup would solve all the above issues but we just don't have the budget for that.
Thanks in advance for any advice.
Alan
| | | |
| dmarelia
Posts:441
 | | 10/19/2010 12:17 PM |
| You can also download the "security compliance toolkit" from Microsoft, which includes the latest security templates for Win7. However, keep in mind that security templates only handle those settings under "Security Settings" in the GPO. They do not template-ize any other settings (e.g. Administrative Templates). You might have a look at this blog posting I wrote recently that talks about a tool from MS for copying the local GPO: http://sdmsoftware.com/blog/2010/07/22/backing-up-and-restoring-the-local-gpo/
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy
Sent: Monday, October 18, 2010 3:34 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Standalone GPO
Hi,
They should be there on Windows 7 Pro (my workstation has them). Perhaps you need to install the RSAT tools?
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Ninewells Doctors Mess
Sent: 18 October 2010 11:32
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Standalone GPO
Thanks Darragh - had a look on an XP machine and found these templates. Looks like they're not included in Win 7 by default but I guess I should be able to copy them across.
A.
On Mon, Oct 18, 2010 at 11:18 AM, Darragh O'Shaughnessy <xxxxxxxxxxxxxxxx> wrote:
Well, perhaps a domain joined machine is not required. Just tried on a non-domain joined machine here and they are available. Have you tried to add them into the mmc? They are just text files at the end of the day so you could create them from scratch but I wouldn't recommend it!
Alternatively just download a virtualization freebie like VMWare player or the SUN VirtualBox and create an XP Pro machine in there to do the exports.
Darragh O'Shaughnessy
| | | |
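An added example, not code from the thread or from Microsoft's tooling: because security templates are plain text files, a short Python script can list which "Security Settings" areas a template touches and how many ACL entries it carries, which is the part said above to slow processing. The section names are the standard template sections; the template content is a constructed sample, and `inventory` and its helpers are names made up for this illustration.

```python
import codecs
import re

# Template sections and the "Security Settings" node each one configures.
# Administrative Templates settings live in registry.pol, not in these files,
# so no section here corresponds to them.
SECURITY_AREAS = {
    "System Access": "Account Policies / account options",
    "Kerberos Policy": "Account Policies > Kerberos",
    "Event Audit": "Local Policies > Audit Policy",
    "Privilege Rights": "Local Policies > User Rights Assignment",
    "Registry Values": "Local Policies > Security Options",
    "System Log": "Event Log",
    "Security Log": "Event Log",
    "Application Log": "Event Log",
    "Group Membership": "Restricted Groups",
    "Service General Setting": "System Services",
    "Registry Keys": "Registry (key ACLs)",
    "File Security": "File System (file and folder ACLs)",
}
SUPPORT_SECTIONS = {"Unicode", "Version", "Profile Description"}
ACL_SECTIONS = ("Registry Keys", "File Security")

# Constructed sample template, encoded as UTF-16 with a BOM the way
# secedit-exported templates are. Not taken from a real machine.
SAMPLE = r'''
; constructed sample, not taken from a real machine
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
[File Security]
"%SystemRoot%\system32\cmd.exe",2,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)"
"%SystemDrive%\Tools",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
[Registry Keys]
"MACHINE\SOFTWARE\ExampleVendor",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
'''.lstrip().replace("\n", "\r\n").encode("utf-16")


def decode_template(raw: bytes) -> str:
    """Exported templates are UTF-16 with a BOM; hand-made ones are often ANSI."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("cp1252")


def parse_sections(text: str) -> dict:
    """Return {section name: [entry lines]}, skipping blanks and ';' comments."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def count_aces(entry: str) -> int:
    """ACL entries look like "path",mode,"SDDL"; each (...) group is one ACE."""
    # Split from the right: paths may contain commas or parentheses, SDDL has no commas.
    sddl = entry.rsplit(",", 1)[-1].strip().strip('"')
    return len(re.findall(r"\([^()]*\)", sddl))


def inventory(raw: bytes) -> dict:
    """Summarise which areas a template configures and its ACL workload."""
    sections = parse_sections(decode_template(raw))
    areas, unknown = {}, []
    for name, entries in sections.items():
        if name in SUPPORT_SECTIONS:
            continue
        if name in SECURITY_AREAS:
            areas[name] = len(entries)
        else:
            unknown.append(name)  # not a section this script recognises
    acl_entries = [e for s in ACL_SECTIONS for e in sections.get(s, [])]
    return {
        "areas": areas,
        "unknown_sections": unknown,
        "acl_paths": len(acl_entries),
        "aces": sum(count_aces(e) for e in acl_entries),
    }


if __name__ == "__main__":
    report = inventory(SAMPLE)
    for name, count in report["areas"].items():
        print(f"{name:<24} {count:>3}  -> {SECURITY_AREAS[name]}")
    print("ACL paths:", report["acl_paths"], "ACEs:", report["aces"])
    print("Unrecognised sections:", report["unknown_sections"] or "none")
```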
| jsclmedave
Posts:67
 | | 10/19/2010 1:41 PM |
| " They do not template-ize any other settings (e.g. Administrative Templates)."
So if there are settings local here,,, running Security Configuration and Analysis with the setupsecurity.inf template to reset the permissions may not work "IF" you are having strange security issues..?
Am heading to the link now to read further. Just happens to be a topic I am looking at...
Tim Bolton 148 2nd Street North Central City Iowa, 52214 SMS - xxxxxxxxxxxxxxxx
Microsoft Certified IT Professional
Blog - http://timbolton.net/
"Applying computer technology is simply finding the right wrench to pound in the correct screw." ~ Steve Riley
| | Tim Bolton | |
| alanjr_uk
Posts:14
 | | 10/19/2010 2:12 PM |
| Thanks, Darren - installing that MSCM tool now, as most of the things we want to lock down fall under the Administrative Templates category so it sounds like it might be more useful than the straightforward templates.
On the profile front is renaming the NTuser.dat file at c:\users\[limited account name]\ to NTuser.man meant to make it mandatory and therefore not save any changes to the desktop between logins? I tried this but it didn't seem to do anything.
Alan
| | | |
| alanjr_uk
Posts:14
 | | 10/25/2010 2:37 AM |
| Hi again Darren (& all!)
I've been playing about with the LocalGPO tool within the MSCM. However despite exporting my settings, then doing a restore, rebooting, and reapplying the exported files and rebooting, it doesn't seem to have properly re-applied them.
I notice in your blog post you said "Also, the script does not appear to deal with the multiple local GPOs feature supported in Win Vista and above. So if you have per-user local GPOs, they are not captured–only the default local GPO." - does that mean it's a non-starter with Win 7?
My basic requirement is to have an Admin and User account on each machine. I'd like a way of backing up the GPO settings (currently set in Administrative Templates for non-admin accounts via MMC, hence why it seems that the security templates route is a non-starter) to a machine then restoring them to another machine (or optionally temporarily disabling them on the user account so I can make changes before re-applying them).
Many thanks
Alan
| | | |
| alanjr_uk
Posts:14
 | | 10/25/2010 9:53 AM |
| PS - further thing I've been trying (after reading about it on a few websites) is to backup %systemroot%\system32\grouppolicy. I tried this but with no success. I’ve currently got Administrative Template Group Policies set for non-Admin users via an MMC Group Policy plugin set for Local Computer\Non-Administrators. I tried backing up the %systemroot%\system32\grouppolicy folder then making changes, running gpupdate /force then restoring the folder and running another gpupdate - none of the settings were changed.
All I want to do is backup the settings I've made and then apply them to another machine but it seems incredibly complex/nigh-on impossible!!
Thanks for any suggestions....
Alan
On Sun, Oct 24, 2010 at 1:57 AM, Ninewells Doctors Mess < xxxxxxxxxxxxxxxx> wrote:
> Hi again Darren (& all!)
>
> I've been playing about with the LocalGPO tool within the MSCM. However despite exporting my settings, then doing a restore, rebooting, and reapplying the exported files and rebooting, it doesn't seem to have properly re-applied them.
>
> I notice in your blog post you said "Also, the script does not appear to deal with the multiple local GPOs feature supported in Win Vista and above. So if you have per-user local GPOs, they are not captured–only the default local GPO." - does that mean it's a non-starter with Win 7?
>
> My basic requirement is to have an Admin and User account on each machine. I'd like a way of backing up the GPO settings (currently set in Administrative Templates for non-admin accounts via MMC, hence why it seems that the security templates route is a non-starter) to a machine then restoring them to another machine (or optionally temporarily disabling them on the user account so I can make changes before re-applying them).
>
> Many thanks
>
> Alan
>
> On Mon, Oct 18, 2010 at 4:38 PM, Ninewells Doctors Mess <xxxxxxxxxxxxxxxx> wrote:
>
>> Thanks, Darren - installing that MSCM tool now, as most of the things we want to lock down fall under the Administrative Templates category so it sounds like it might be more useful than the straightforward templates.
>>
>> On the profile front is renaming the NTuser.dat file at c:\users\[limited account name]\ to NTuser.man meant to make it mandatory and therefore not save any changes to the desktop between logins? I tried this but it didn't seem to do anything.
>>
>> Alan
>>
>> On Mon, Oct 18, 2010 at 2:32 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
>>
>>> You can also download the “security compliance toolkit” from Microsoft, which includes the latest security templates for Win7. However, keep in mind that security templates only handle those settings under “Security Settings” in the GPO. They do not template-ize any other settings (e.g. Administrative Templates). You might have a look at this blog posting I wrote recently that talks about a tool from MS for copying the local GPO:
>>>
>>> http://sdmsoftware.com/blog/2010/07/22/backing-up-and-restoring-the-local-gpo/
>>>
>>> Darren
>>>
>>> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Darragh O'Shaughnessy
>>> *Sent:* Monday, October 18, 2010 3:34 AM
>>> *To:* xxxxxxxxxxxxxxxx
>>> *Subject:* RE: [gptalk] Standalone GPO
>>>
>>> Hi,
>>>
>>> They should be there on windows 7 pro (my workstation has them). Perhaps you need to install the RSAT tools?
>>>
>>> Darragh O’Shaughnessy
>>>
>>> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Ninewells Doctors Mess
>>> *Sent:* 18 October 2010 11:32
>>> *To:* xxxxxxxxxxxxxxxx
>>> *Subject:* Re: [gptalk] Standalone GPO
>>>
>>> Thanks Darragh - had a look on an XP machine and found these templates. Looks like they're not included in Win 7 by default but I guess I should be able to copy them across.
>>>
>>> A.
>>>
>>> On Mon, Oct 18, 2010 at 11:18 AM, Darragh O'Shaughnessy <xxxxxxxxxxxxxxxx> wrote:
>>>
>>> Well, perhaps a domain joined machine is not required. Just tried on a non-domain joined machine here and they are available. Have you tried on to add them into the mmc? They are just text files at the end of the day so you could create them from scratch but I wouldn’t recommend it! :)
>>>
>>> Alternatively just download a virtualization freebie like VMWare player or the SUN VirtualBox and create an XP Pro machine in there to do the exports.
>>>
>>> Darragh O’Shaughnessy
>>>
>>> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Ninewells Doctors Mess
>>> *Sent:* 18 October 2010 11:12
>>> *To:* xxxxxxxxxxxxxxxx
>>> *Subject:* Re: [gptalk] Standalone GPO
>>>
>>> Hi Darragh
>>>
>>> Thanks for the reply + screenshot!
>>>
>>> Unfortunately we don't have any XP domain-joined machines, just standalone ones - is there any other way to create the templates?
>>>
>>> A.
>>>
>>> On Mon, Oct 18, 2010 at 10:03 AM, Darragh O'Shaughnessy <xxxxxxxxxxxxxxxx> wrote:
>>>
>>> You should be able to access the templates from an XP pro domain joined machine via the mmc:
>>>
>>> Just load in what you need here :)
>>>
>>> Darragh O’Shaughnessy
>>>
>>> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Ninewells Doctors Mess
>>> *Sent:* 18 October 2010 09:53
>>> *To:* xxxxxxxxxxxxxxxx
>>> *Subject:* Re: [gptalk] Standalone GPO
>>>
>>> Hi Darragh
>>>
>>> Thanks for your reply!
>>>
>>> Is there a way to create templates without having Windows Server? The instructions I found on the MS website talked about how to apply them but I couldn't find out a way to actually create them in the first place.
>>>
>>> Agree PXE booting would be a good option although don't quite have the setup for this just now (& have already bought the Win 7 licenses;-)).
>>>
>>> Alan
>>>
>>> On Mon, Oct 18, 2010 at 8:55 AM, Darragh O'Shaughnessy <xxxxxxxxxxxxxxxx> wrote:
>>>
>>> Hi,
>>>
>>> Sounds like templates are the way to go and also possibly mandatory profiles so changes do not persist. Templates should allow you to configure a baseline that you could apply via the command line at start-up. You can also export these settings to a custm.inf file. However, if the templates include a lot of security ACLs this can slow down processing otherwise they should be fine.
>>>
>>> Personally, for this scenario, I would boot a small locked down image of XP via PXE but that may not be possible in your scenario. :)
>>>
>>> Darragh O’Shaughnessy
>>>
>>> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Ninewells Doctors Mess
>>> *Sent:* 18 October 2010 00:02
>>> *To:* xxxxxxxxxxxxxxxx
>>> *Subject:* [gptalk] Standalone GPO
>>>
>>> Hi
>>>
>>> Apologies for what is probably really quite obvious to you experts, but I'd be grateful for some help with the following...
>>>
>>> Basically we've got a small setup (4 machines) that we're planning on upgrading from Windows XP to Windows 7 Professional. At the same time I'd like to tighten up on the GPO settings on these machines.
>>>
>>> They're in a secure location so when booted up just go straight into a standard user account (I used control userpasswords2 for this), but we want to lock them down so they can really just be used for web browsing and editing documents. There's also a second account on each PC which has admin rights.
>>>
>>> I've followed the steps at http://technet.microsoft.com/en-us/library/cc730760.aspx to allow me to make changes to the GPO settings without them affecting the admin account - so far so good.
>>>
>>> I'm not planning to play about with the various different settings on offer but had the following (I think linked) questions:
>>>
>>> 1) is there an easy way to enable/disable the settings changes that I've made? It's just it would be nice when we wanted to make any changes to the user account to be able to quickly disable our GPO settings, make the changes, then re-enable them. I read at http://technet.microsoft.com/en-us/library/cc163078.aspx about security templates (which sounded like the sort of thing we were looking for). but it seems like you need Windows Server to generate these in the first place. Is that right? Are there any other ways of doing this?
>>>
>>> 2) is there an easy way to export the GPO settings that we've made? This would be particularly handy when setting up multiple machines or at a later stage if we want to change a GPO setting across all of them. If not then the other method I was thinking of was to do a fresh install on one of them, make all the GPO settings, image the drive and then install the image to all the machines before manually entering the individual product keys on each machine.
>>>
>>> And a kinda bonus question...
>>>
>>> 3) is there any easy way to revert all the changes a user has made when the PC is restarted? This way even if someone finds a way round our 'lockdowns' it would reset itself to default. Again if there's not an easy way then we can use the drive image instead, but just thought I'd see if anyone knew of an automated way of doing things.
>>>
>>> As I understand it a Windows Server-type setup would solve all the above issues but we just don't have the budget for that.
>>>
>>> Thanks in advance for any advice.
>>>
>>> Alan
| | | |
| alanjr_uk
Posts:14
 | | 10/28/2010 4:29 AM |
| Sorry to hassle, but just wondering if anyone had any other ideas on this topic...
Cheers
Alan
| | | |
| dmarelia
Posts:441
 | | 10/28/2010 9:00 AM |
| Alan- The non-Admin users Local GPO is going to be under C:\windows\system32\GroupPolicyUsers\S-1-5-32-545.
Darren
| | | |
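The folder-copy backup discussed in this thread, applied to the path Darren gives, can be scripted as follows. This is an added example, not code from any poster or from Microsoft; the backup location `C:\LgpoBackup\NonAdmins`, the function names and the SHA-256 manifest check are assumptions introduced here, and the syntax is kept to PowerShell 2.0 because that is what Windows 7 ships with.

```powershell
# Added example: back up / restore the non-Administrators local GPO by folder copy.
# Usage (elevated prompt):  .\LocalGpo.ps1 -Action Backup   |   .\LocalGpo.ps1 -Action Restore
param(
    [Parameter(Mandatory=$true)][ValidateSet('Backup','Restore')][string]$Action,
    [string]$BackupDir = 'C:\LgpoBackup\NonAdmins'   # assumed location, not from the thread
)

$ErrorActionPreference = 'Stop'
# Path given in the thread: the local GPO for non-Administrators (S-1-5-32-545)
$GpoDir   = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers\S-1-5-32-545'
$Files    = Join-Path $BackupDir 'files'
$Manifest = Join-Path $BackupDir 'manifest.csv'

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) PowerShell prompt.'
    }
}

function Get-Sha256([string]$Path) {
    $sha = [Security.Cryptography.SHA256]::Create()
    $fs  = [IO.File]::OpenRead($Path)
    try     { return ([BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '') }
    finally { $fs.Close() }
}

function Get-Manifest([string]$Root) {
    # -Force so hidden and system files are listed as well
    Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                RelativePath = $_.FullName.Substring($Root.Length).TrimStart('\')
                Sha256       = Get-Sha256 $_.FullName
            }
        }
}

function Invoke-Mirror([string]$From, [string]$To) {
    # /MIR makes $To an exact copy of $From, removing stale files in $To
    & robocopy.exe $From $To /MIR /COPY:DAT /R:1 /W:1 /NP /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

Assert-Elevated
switch ($Action) {
    'Backup' {
        if (-not (Test-Path $GpoDir)) { throw "No local GPO found at $GpoDir" }
        Invoke-Mirror $GpoDir $Files
        Get-Manifest $Files | Export-Csv -Path $Manifest -NoTypeInformation
        "Backed up $GpoDir to $Files"
    }
    'Restore' {
        # Detects a damaged or edited backup; the manifest sits beside the files,
        # so it does not protect against someone who can rewrite both.
        $expected = @{}
        Import-Csv $Manifest | ForEach-Object { $expected[$_.RelativePath] = $_.Sha256 }
        $actual = @(Get-Manifest $Files)
        if ($actual.Count -ne $expected.Count) { throw 'Backup file list differs from manifest.' }
        foreach ($f in $actual) {
            if ($expected[$f.RelativePath] -ne $f.Sha256) { throw "Hash mismatch: $($f.RelativePath)" }
        }
        Invoke-Mirror $Files $GpoDir
        & gpupdate.exe /force
        "Restored $Files to $GpoDir and refreshed policy"
    }
}
```

Copying the `C:\LgpoBackup\NonAdmins` folder to another machine and running the script there with `-Action Restore` applies the same folder copy on that machine; the restricted account picks the settings up at its next logon.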
| alanjr_uk
Posts:14
 | | 10/28/2010 4:46 PM |
| Woohoo!! Thanks so much, Darren!
I tried the following...
0. Set some GPO policies for non-admin users via the MMC
1. Copy C:\windows\system32\GroupPolicyUsers\S-1-5-32-545 (and subfolders) to Desktop
2. Go into the MMC and reverse all GPO changes to 'not configured'
3. gpupdate /force
4. Logged in to user account - fully functional
5. Logged off user account again and back into admin account
6. Deleted the S-1-5-32-545 directory and subdirs, copied back in the version I had on the Desktop
7. gpupdate /force
8. re-entered the guest account - all restrictions now back in force!!
Thanks so much for your help with this - will now try it on a few actual machines (this was all just within a handy VM!) but looks like it's sorted.
Cheers
Alan :-)
On Thu, Oct 28, 2010 at 3:14 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
> Alan-
>
> The non-Admin users Local GPO is going to be under
> C:\windows\system32\GroupPolicyUsers\S-1-5-32-545.
>
> Darren
| | | |
| alanjr_uk
Posts:14
 | | 11/01/2010 8:17 PM |
| PS - have now tried it on a physical machine and the restrictions all copied across perfectly.
Alan
| | | |
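The backup-and-restore procedure from the posts above, as an added PowerShell example that is not part of the original thread: it mirrors the Non-Administrators local GPO folder Darren names, records a SHA-256 manifest of the copy, and refuses to restore a copy that no longer matches it. The `$BackupRoot` default, the manifest file name and the function names are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Backup', 'Restore')][string]$Mode,
    # Assumption: a folder or removable drive that only administrators can write to.
    [string]$BackupRoot = 'D:\LocalGpoBackup'
)
$ErrorActionPreference = 'Stop'

# Path given in the thread; S-1-5-32-545 is the well-known SID of BUILTIN\Users.
$GpoDir   = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers\S-1-5-32-545'
$CopyDir  = Join-Path $BackupRoot 'S-1-5-32-545'
$Manifest = Join-Path $BackupRoot 'manifest.csv'   # hypothetical file name

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) prompt.'
    }
}

function Get-Sha256([string]$Path) {
    # .NET hashing, so the script also works on the PowerShell 2.0 shipped with Windows 7.
    $sha = [Security.Cryptography.SHA256]::Create()
    $stream = [IO.File]::OpenRead($Path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '') }
    finally { $stream.Dispose() }
}

function Get-Manifest([string]$Root) {
    # One record per file, keyed by its path relative to $Root. -Force includes hidden files.
    $Root = (Get-Item -LiteralPath $Root -Force).FullName
    Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                RelativePath = $_.FullName.Substring($Root.Length).TrimStart('\')
                Sha256       = Get-Sha256 $_.FullName
            }
        }
}

function Copy-Mirror([string]$From, [string]$To) {
    # /MIR makes $To identical to $From (the "delete, then copy back" step in one go).
    & robocopy.exe $From $To /MIR /R:1 /W:1 /NFL /NDL /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

Assert-Elevated
if ($Mode -eq 'Backup') {
    if (-not (Test-Path $GpoDir)) { throw "No Non-Administrators local GPO found at $GpoDir" }
    Copy-Mirror $GpoDir $CopyDir
    Get-Manifest $CopyDir | Export-Csv -Path $Manifest -NoTypeInformation
    Write-Output "Backed up $GpoDir to $CopyDir"
}
else {
    # Check the copy against its manifest so a partial or altered backup is never applied.
    $expected = @(Import-Csv -Path $Manifest)
    $actual   = @(Get-Manifest $CopyDir)
    if ($expected.Count -eq 0 -or $actual.Count -eq 0) { throw 'Backup or manifest is empty.' }
    $diff = Compare-Object $expected $actual -Property RelativePath, Sha256
    if ($diff) {
        $diff | Format-Table -AutoSize | Out-String | Write-Output
        throw 'Backup does not match its manifest; nothing was restored.'
    }
    Copy-Mirror $CopyDir $GpoDir
    & gpupdate.exe /force
    Write-Output 'Restored. Log on as the standard user to confirm the restrictions apply.'
}
```

Saved under a name of your choosing, the script is run with `-Mode Backup` on the configured machine and `-Mode Restore` on each target. The manifest only detects a damaged or altered copy if the standard account cannot write to `$BackupRoot`.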
|
|