igor7

Forum Replies Created

Viewing 6 posts - 61 through 66 (of 66 total)
    igor7
    Member
    in reply to: Centralized change of DCOM settings #295024

    Re: Centralized change of DCOM settings

    If I understand correctly, you are trying to run WMI queries against client computers in an AD environment.
    So, if you want to successfully run WMI queries from your server to a client computer with Windows Firewall enabled, just opening port 135 is not enough.
    In addition, you should enable the Windows Firewall: Allow remote administration exception:
    Under Console Root, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile (if you want to use these settings in a domain environment).
    Then you should allow Unsecapp.exe. The client application is frequently the Unsecapp.exe application; this application is used to send results back.
    It can be done through GPO:
    Locate the Windows Firewall: Define program exceptions setting and enable it.
    Under Console Root, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
    Click on Show and add the following line to the list:
    %WINDIR%\SYSTEM32\wbem\unsecapp.exe:*:Your Application or Service name
    Of course, instead of * you can use your local subnet.
    Here is an example from my test environment, where Offer Remote Assistance and RSoP in logging mode are allowed (both use DCOM):

    dpeic5.jpg

    And then you can check that everything is configured properly on one of the client computers:

    clientyv5.jpg

    In Windows XP and Windows 2003, the DCOM entry is located in the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    The String value of the DCOM entry is EnableDCOM = Y. If this value is set to ‘N’ or if this value is missing, WMI queries based on DCOM will not work.

    igor7
    Member
    in reply to: Restrictive group policy conflict #295023

    Re: Restrictive group policy conflict

    If I understand correctly, you are using Group Policy Restricted Groups,
    and it should be (according to your explanation) the “Members” Restricted Group portion of the policy:

    Quote:
    When a Restricted Group policy is enforced, any current member of a restricted group that is not on the “Members” list is removed with the exception of administrator in the Administrators group. Any user on the “Members” list which is not currently a member of the restricted group is added.

    So, if yes, you can try the following scenario:
    Add the appropriate users to the local admin group on their own computers. Then use GPO filtering on the Group Policy Restricted Groups GPO for those users. Example:
    Say that you add User1 to the local admin group on his own computer. Now use GPMC, click on the appropriate GPO, go to the Delegation tab and click on the Advanced button and you will get the ACL Editor of the GPO:
    securitytp5.jpg
    Now click the Add button, add User1 to the list and then grant him Deny permission on Read and Apply Group Policy settings. So, next time the user will not be removed on every refresh of the GPO.

    igor7
    Member

    Re: How To Apply GPO to an Security Groups in Active Directory

    Hi, everybody!!
    I already found a solution that works for me and I am sharing it with all of you!
    After I tried MS KB 324750: How to assign software to a specific group by using Group Policy in Windows Server 2003 several times on my virtual test lab, and it did not work for me, I decided to search the Microsoft website for more explanation about GPO. At the end of the story I found this link:
    http://www.microsoft.com/technet/technetmag/issues/2007/02/Troubleshooting/default.aspx
    Below is quoted from this website:

    Quote:
    GPO Must Target Correct Object
    As you know, Group Policy must target the correct objects in Active Directory. However, this is sometimes overlooked in the midst of a troubleshooting exercise. Within a GPO, there are two major categories: computer and user. When you configure a GPO, be sure to note if it is for a computer or user object. Then you can verify that the correct object types are placed in the Organizational Unit (OU) where the GPO is linked.

    GPOs Don’t Apply to Groups
    Although you may wish it were so, a GPO cannot apply to an Active Directory security group object. The only two objects that a GPO setting can configure are computers and users. GPOs can’t configure objects via group membership. For example, if there is a GPO linked to the Finance OU, as shown in Figure 2 the only objects that will be affected by the setting are Derek and Frank. The settings in the GPO will not affect the members of the Marketing group, no matter who has membership in that group.

    So, after I read this I was confused: one article says that we can assign a Software Installation GPO to a security group and another one says NO!! And in real life it does not work!
    So, the right answer is NO. We can’t create a Software Installation GPO and link it to any OU if user or computer accounts are not present in that OU.
    But, like I said above, I found how we can assign a Software Installation GPO to a security group. It’s simple… After we create the GPO with GPMC, we should delete Authenticated Users from the GPO scope (as we know, by default the GPO is applied to Authenticated Users). Now we need to add to the list only the security group that we want this policy applied to. This action will give this group the appropriate permissions by default: READ and APPLY GROUP POLICY. And now the trick: instead of linking this GPO to the OU with the security group inside, we apply the GPO at the domain level. The software will be installed when the user logs on next time. That’s all!! It works fine!
    So, now I am absolutely sure that MS KB 324750 is wrong. Later I will write a full article with a detailed explanation (with screenshots): How to assign software to a specific group by using Group Policy in Windows Server 2003
    Thanks to all for help!!

    igor7
    Member

    Re: How To Apply GPO to an Security Groups in Active Directory

    Hi, Dr. Kernel!!
    Thank you for the reply. Are you from the Sadikov forum? Several days ago I thought exactly the same as you. I was pretty sure that a GPO can apply to a user only if the user account is present in this OU. But a few days ago somebody from the Sadikov forum asked exactly the same question. I searched the internet and found MS KB Article 324750: How to assign software to a specific group by using Group Policy in Windows Server 2003. Read here:
    http://support.microsoft.com/kb/324750
    So, in the summary section at the top of this article, it is very clearly explained that you, as admin, can create a software deployment policy applied to users who are not in an OU:

    Quote:
    You (as an administrator) can use Group Policy to assign or to publish software to users or computers in a domain. Additionally, it is useful to be able to deploy software based on group membership. A Group Policy object (GPO) is usually applied only to members of an organizational unit (OU) to which the GPO is linked. Because a user cannot be located in several OUs at the same time, you must be able to apply Group Policy settings outside the boundaries of OUs. This article describes how to have your software deployment policy applied to users who are not in an OU.

    I decided to try this explanation in my virtual environment, but it did not work. So, now I want to understand why…

    igor7
    Member

    Re: How To Apply GPO to an Security Groups in Active Directory

    Hi!!
    Thank you for the reply!
    I reinstalled my whole test environment, to be sure that I am working on cleanly installed machines. I recreated everything according to the scenario that I explained earlier and it still does not work!!
    This time I didn’t even install GPMC, because I wanted to perform each task according to MS KB 324750: How to assign software to a specific group by using Group Policy in Windows Server 2003. After all that I executed RSoP in Planning and Logging modes and the result was the same: the list is empty :confused::

    rsopplanningxt8.th.jpg

    I checked one more time: the GPO is linked to the appropriate OU and the Security settings are configured properly as well…:

    conful6.th.jpg

    securityiq0.th.jpg

    Then I ran gpresult /Z on the target computer and found that not only is the GPO not on the list, but also user Test 3 is not a member of the User1 domain local group:

    cmdgpresultcw5.th.jpg

    But on the server, under user properties, everything is OK:

    test3qj3.th.jpg

    So, I am confused… What did I do wrong?? Or maybe it does not work because of the virtual environment… But one more time: when I applied the same policy to users rather than to a security group, it worked great :roll:

    igor7
    Member
    in reply to: Redirect Favorites to Home Folder or Server Share #295019

    Re: Redirect Favorites to Home Folder or Server Share

    Quote:
    Does anyone know how to redirect Internet Favorites to a share on the server or a user’s Home Directory using GPO. I am able to achieve this by editing the following reg key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Favorites on each client machine but I would like to either use a policy for the redirect or be able to edit the reg key with a script and use a GPO to push the script.

    Hi!!
    If you still need a solution, here it is.
    It works in my test environment…
    The example below redirects both locations to “\\London\Home\%username%”; however, as the first one is in hex, if you are using a different location then you will need to make the change in your own registry so that the export will be correct.
    1. Create the registry file “favorites.reg”
    Open Notepad and add the following:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]

    "Favorites"=hex(2):25,00,48,00,4f,00,4d,00,45,00,44,00,52,00,49,00,56,00,45,00,\
    25,00,5c,00,46,00,61,00,76,00,6f,00,72,00,69,00,74,00,65,00,73,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

    "Favorites"="\\\\London\\Home\\%username%"

    Note: In this example I redirect the Favorites folder for each user to his own Home directory that was created previously in the \\London\Home folder.
    You can change this value according to your environment…

    2. Create the redirect.bat file (or give it another name…) and place this line in it:

    %systemroot%\regedit /s favorites.reg

    3. Now, you should configure a group policy for this logon script.

    To do this open the GPO editor, create a new GPO object, and go to User Configuration > Windows Settings > Scripts (Logon/Logoff).
    Right click on Logon script > Properties and you should get a window like in the picture below:
    http://img397.imageshack.us/img397/7708/setingsgg9.jpg

    Now click on the “Show files” button and copy/paste favorites.reg and favorites.bat into the opened window. Close this window and click on the “Add” button:

    http://img397.imageshack.us/img397/3414/72856393hp0.jpg

    Click on the “Browse” button and choose favorites.bat.

    Note: Make sure that both favorites.reg and favorites.bat are in the same directory, otherwise redirection will not work!!!
    Don’t forget to link this GPO to the appropriate OU…

    Now you can close all opened windows.
    Open a command prompt on your server where you created this policy and run the gpupdate /force command to ensure that the policy you created is applied.
    Hope it helps. :roll:

    [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders]

    “Favorites”=hex(2):25,00,48,00,4f,00,4d,00,45,00,44,00,52,00,49,00,56,00,45,00,
    25,00,5c,00,46,00,61,00,76,00,6f,00,72,00,69,00,74,00,65,00,73,00,00,00

    [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders]

    “Favorites”=”\LondonHome%username%”[/CODE]

    Note: In this example I redirect favorites folder for each user to him own Home directory that was created previously at \LondonHome folder.
    You can change this value according to you environment…

    2. Create the redirect.bat file (or give another name…) and place this line in it:

    %systemroot%regedit /s favorites.reg

    3. Now, you should configure group policy for this logon script.

    To do this open GPO editor, create new GPO object. went to User configuration > Windows settings > Scripts (Logon/Logoff)
    Right click on Logon script > Properties and you should receive window like in a picture bellow:
    setingsgg9.jpg

    Now click on “Show files” button and copy/paste favorites.reg and favorites.bat into the opened window. Close this window and click on “Add” button:

    72856393hp0.jpg

    Click on “Browse” button and chose favorites.bat.

    Note: Make sure that both favorites.reg and favorites.bat in same directory, otherwise redirection will not work!!!
    Don’t forget link this GPO to appropriate OU…

    Now you can close all opened windows.
    Open command prompt on you Server where you create this policy and do gpupdate /force command for ensure that policy you created is applied.
    Hope it help.:roll:
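As an added example (my own code, not from the original post), a small Python parser for a favorites.reg like the one above: it decodes the hex(2) form (the UTF-16LE, NUL-terminated byte list that regedit exports for REG_EXPAND_SZ values) so you can confirm which path a file pushed by a logon script will actually write, and builds the byte list for a different path. The embedded .reg text is constructed from the values in the post, with backslashes restored.

```python
"""Decode and rebuild hex(2) values in a favorites.reg before a logon script pushes it."""
import re

# Constructed sample modelled on the favorites.reg in the post above, with the
# backslashes restored and regedit's trailing-backslash line continuation.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Favorites"=hex(2):25,00,48,00,4f,00,4d,00,45,00,44,00,52,00,49,00,56,00,45,00,\
  25,00,5c,00,46,00,61,00,76,00,6f,00,72,00,69,00,74,00,65,00,73,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites"="\\\\London\\Home\\%username%"
'''


def decode_hex2(byte_list: str) -> str:
    """Turn a regedit hex(2) byte list (UTF-16LE, NUL-terminated) back into text."""
    raw = bytes(int(b, 16) for b in byte_list.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def encode_hex2(text: str) -> str:
    """Build the hex(2) byte list regedit expects for a REG_EXPAND_SZ value."""
    raw = (text + "\x00").encode("utf-16-le")
    return ",".join(f"{b:02x}" for b in raw)


def parse_reg(text: str) -> dict:
    """Return {key: {value_name: decoded_value}} for REG_SZ and hex(2) values."""
    joined = re.sub(r"\\\r?\n\s*", "", text)  # join continuation lines first
    result, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
        elif key and line.startswith('"'):
            name, _, value = line[1:].partition('"=')
            if value.startswith("hex(2):"):
                result[key][name] = decode_hex2(value[len("hex(2):"):])
            elif len(value) >= 2 and value[0] == value[-1] == '"':
                # REG_SZ: regedit escapes backslashes and quotes with a backslash
                result[key][name] = re.sub(r"\\(.)", r"\1", value[1:-1])
    return result


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key.rsplit("\\", 1)[-1], "->", values)
```

Run it against your own exported file to see both Favorites values side by side before linking the GPO.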
