Morning..
The situation: I want to implement GPO's to lockdown settings and to help me deploy software.
The culprits: One XP Pro laptop, newly built with Dell recovery discs. No sp's. One W2K Server (DC) fully patched. AD installed and working OK (AFAIK). Mixed mode domain. One 2K3 Server with network share acting as software repository. Member server.
My main concern is the software deployment - I have followed all the advice I can find yet still it won't work (including this thread
To recap, I have created a new OU (New Build), in it there is the computer account for the new machine, and a newly created domain admin for running the software deployments. There is also a security group of which both objects are members.
I right-click on my new OU, go to properties, create a new Policy, and edit the properties in it so that the security group has read, write and apply group policy permissions. Auth users is removed.
I then added a new package to the computer configuration (SP1 - I want it to deploy automatically), using a UNC path to the W2K3 server. The share on the server has the security group added to the permissions - read/read and execute. I also changed the setting to Run Logon Scripts Synchronously.
I then secedit refresh the policy and gpupdate the laptop and reboot. Nothing happens. I get event ID's 101, 103, 108 from App management source. One is about logon optimization enabled (which I thought I'd disabled with the above setting), the others are about "the group policy framework should call the extension in the synchronous foreground policy refresh". Same results with an AV .msi.
Now, if I publish the sp1 package in user config, it pops up in add/remove and installs fine. "Ahh, permissions!!" I cry - but we put the user and computer account in the same security group.
So I "sanity checked" the policy by enabling the "remove Ctrl-Alt-Delete requirement" setting. It worked fine. Although now, even though I've returned it to "not configured" (rsop says so!!), the ctr-alt-delete screen never shows up - even though I've deleted the .dom file in the system32/security/template/policies file. If anyone can help me get my ctrl-alt-del screen back that would be cool too!!
So; summary - ctrl-alt-delete screen back, and software installation issue when using computer config.
Not sure if this is info overload - any questions I'll provide the info.
All help much appreciated. Been working on this for days.
Cheers
James..
The situation: I want to implement GPO's to lockdown settings and to help me deploy software.
The culprits: One XP Pro laptop, newly built with Dell recovery discs. No sp's. One W2K Server (DC) fully patched. AD installed and working OK (AFAIK). Mixed mode domain. One 2K3 Server with network share acting as software repository. Member server.
My main concern is the software deployment - I have followed all the advice I can find yet still it won't work (including this thread
To recap, I have created a new OU (New Build), in it there is the computer account for the new machine, and a newly created domain admin for running the software deployments. There is also a security group of which both objects are members.
I right-click on my new OU, go to properties, create a new Policy, and edit the properties in it so that the security group has read, write and apply group policy permissions. Auth users is removed.
I then added a new package to the computer configuration (SP1 - I want it to deploy automatically), using a UNC path to the W2K3 server. The share on the server has the security group added to the permissions - read/read and execute. I also changed the setting to Run Logon Scripts Synchronously.
I then secedit refresh the policy and gpupdate the laptop and reboot. Nothing happens. I get event ID's 101, 103, 108 from App management source. One is about logon optimization enabled (which I thought I'd disabled with the above setting), the others are about "the group policy framework should call the extension in the synchronous foreground policy refresh". Same results with an AV .msi.
Now, if I publish the sp1 package in user config, it pops up in add/remove and installs fine. "Ahh, permissions!!" I cry - but we put the user and computer account in the same security group.
So I "sanity checked" the policy by enabling the "remove Ctrl-Alt-Delete requirement" setting. It worked fine. Although now, even though I've returned it to "not configured" (rsop says so!!), the ctr-alt-delete screen never shows up - even though I've deleted the .dom file in the system32/security/template/policies file. If anyone can help me get my ctrl-alt-del screen back that would be cool too!!
So; summary - ctrl-alt-delete screen back, and software installation issue when using computer config.
Not sure if this is info overload - any questions I'll provide the info.
All help much appreciated. Been working on this for days.
Cheers
James..
