Archived from groups: microsoft.public.win2000.group_policy
Hi John
Is this software installed everywhere or just on a few machines? As Gary
said, you could restrict the application of the policy to those machines
which are used for this purpose by putting them in a common OU or applying
security specific to the computer accounts.
If it's a case where users move from machine to machine and the software is
applied everywhere, perhaps you could create two GPOs, one for the user
settings (and have that apply only to the users) and one for the computer
settings that applies everywhere.
HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"John Price" <jwp@beco.com> wrote in message
news:e7ZbjAdaEHA.3596@tk2msftngp13.phx.gbl...
> Gary,
> Well at least I know why it does not work. It is not the end of the world
> to apply the settings to everyone. It just violates my sense of aesthetics.
>
> Thanks
>
> John Price
>
> "Gary Mudgett [MSFT]" <garymu@online.microsoft.com> wrote in message
> news:%23rl9idcaEHA.2488@tk2msftngp13.phx.gbl...
>> The bottom line is that the computer account does not have permissions to
>> read/apply the policy like they do with the Default Domain Policy. If there
>> are a group of machines that use this software you could create a group and
>> add the machine accounts to that group with read and apply permissions to
>> the policy as well as the users that use the policy (or add the machines to
>> the same group with the users). Or you can put those machines in an OU and
>> apply the machine portion of the policy to that OU.
>>
>> Beyond those 2 ways there isn't a great answer.
>>
>> --
>> Gary Mudgett, MCSE, MCSA
>> Windows 2000/2003 Directory Services
>>
>> =====================================================
>> When responding to posts, please "Reply to Group" via
>> your newsreader so that others may learn and benefit
>> from your issue.
>> =====================================================
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>
>> "John Price" <jwp@beco.com> wrote in message
>> news:uDmB0WcaEHA.3016@tk2msftngp13.phx.gbl...
>> > Mark,
>> > Thanks for the help. Here is (hopefully) a better explanation.
>> >
>> > I open the properties at the root of the domain - right under Active
>> > Directory Users and Computers. In our case Firm.BEC.com. Under Group Policy
>> > I added a new policy object. In the new policy I install my addin which
>> > makes changes to both [USER] and [MACHINE] registry settings - these changes
>> > are preferences. I then apply the GPO security to only the group that uses
>> > the software that we are trying to configure registry settings for. Under
>> > this scenario the [USER] settings are applied but the [MACHINE] settings are
>> > blocked by security. If you edit the Default Domain Policy and add the new ADM
>> > template here both [USER] and [MACHINE] settings work fine.
>> >
>> > We can do this but would prefer to have the settings only apply to users
>> > of the software not all users in the domain.
>> >
>> > Thanks again.
>> >
>> > John
>> >
>> > "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
>> > news:uv$oYIKaEHA.996@TK2MSFTNGP12.phx.gbl...
>> > > Hi John
>> > >
>> > > I'm not totally clear on what you're doing but for the machine settings to
>> > > apply, the computer account must be in the OU to which the policy is
>> > > applying, the computer configuration settings must not be disabled and the
>> > > computer account must have read and apply group policy permissions
>> > > (authenticated users takes care of this).
>> > >
>> > > HTH
>> > > --
>> > > Mark Renoden [MSFT]
>> > > Windows Platform Support Team
>> > > Email: markreno@online.microsoft.com
>> > >
>> > > Please note you'll need to strip ".online" from my email address to email
>> > > me; I'll post a response back to the group.
>> > >
>> > > This posting is provided "AS IS" with no warranties, and confers no rights.
>> > >
>> > > "John Price" <jwp@beco.com> wrote in message
>> > > news:ufdFx1DaEHA.712@TK2MSFTNGP11.phx.gbl...
>> > > > Hey all,
>> > > >
>> > > > Well I am finally going insane. I have built a custom ADM file for testing
>> > > > and it appears to work well for the USER settings but I could not get it to
>> > > > work with the Machine settings.
>> > > >
>> > > > I created a new policy off the Domain and applied it to my user account.
>> > > > GPResults shows it being blocked - security
>> > > >
>> > > > I created a new OU and moved my user account into the OU. Created a GPO and
>> > > > applied it to Authenticated users. Same results as above.
>> > > >
>> > > > I added the template to the Default Domain Policy - IT WORKED FINE. Anyone
>> > > > have any ideas of what to do now.
>> > > >
>> > > > Thanks in Advance.
>> > > >
>> > > > John Price
>> > > > JWP@Beco.com
>> > > >
>> > > >
>> > >
>> > >
>> >
>> >
>>
>>
>
>
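
The group-based fix described in the thread (a group holding the machine accounts, granted read and apply on the policy alongside the users), written out as an added example that is not part of the original posts. It assumes the GroupPolicy and ActiveDirectory PowerShell modules from RSAT, which postdate Windows 2000; the GPO, group and computer names are hypothetical placeholders.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module GroupPolicy, ActiveDirectory

$GpoName       = 'App Registry Settings'   # hypothetical GPO carrying the custom ADM settings
$UserGroup     = 'App-Users'               # hypothetical group of people who use the software
$ComputerGroup = 'App-Workstations'        # hypothetical group for the machines that run it
$Computers     = 'WS-001', 'WS-002'        # hypothetical computer account names

# 1. Audit the current security filter. If only a user group holds GpoApply,
#    the user half applies and the machine half is denied, as in the thread.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'SidType'; e = { $_.Trustee.SidType } },
                  Permission, Denied

# 2. Put the machine accounts in their own security group (skip existing members,
#    because Add-ADGroupMember errors on an account that is already in the group).
if (-not (Get-ADGroup -Filter "Name -eq '$ComputerGroup'")) {
    New-ADGroup -Name $ComputerGroup -GroupScope Global -GroupCategory Security
}
$current = (Get-ADGroupMember -Identity $ComputerGroup).DistinguishedName
$members = $Computers | ForEach-Object { Get-ADComputer -Identity $_ } |
    Where-Object { $_.DistinguishedName -notin $current }
if ($members) { Add-ADGroupMember -Identity $ComputerGroup -Members $members }

# 3. GpoApply grants both Read and Apply Group Policy. The computer half of a
#    GPO is processed as the computer account, so it needs its own entry.
foreach ($group in $UserGroup, $ComputerGroup) {
    Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# 4. Verify that both trustees now pass the filter.
foreach ($group in $UserGroup, $ComputerGroup) {
    $perm = Get-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
        -ErrorAction SilentlyContinue
    if ($perm -and $perm.Permission -eq 'GpoApply' -and -not $perm.Denied) {
        "OK: $group can read and apply '$GpoName'"
    } else {
        Write-Warning "$group lacks Read + Apply on '$GpoName'; its half of the policy is filtered out"
    }
}
```

A computer only picks up a new group membership after it restarts, so reboot the workstations before testing. `gpresult /scope computer /r` on the workstation then shows whether the GPO is listed as applied or as filtered out for the computer.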