troxy

Hi! I've noticed that the gpedit.msc tool (Group Policy Editor console) doesn't show the actual registry value for a policy. For example, the policy "Always use classic logon" relates to the following registry key value: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LogonType 0 = Classic logon (Policy is "Enabled") 1 = Welcome Screen (Policy is "Disabled") If I use gpedit.msc to enable the policy, and then use regedit.exe to disable it (manually changing the value for LogonType), the GUI in gpedit.msc still says "Enabled". I've now realised that gpedit.msc keeps the status for every policy in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ So when you use gpedit.msc to change a policy, it saves the status in the "Group Policy" reg key, and then writes changes to the "Registry.pol" file in the policy folder "%SystemRoot%\System32\GroupPolicy\" (User or Machine) At logon time, Windows reads "Registry.pol" and updates the registry accordingly. This is no news to most people here I suppose. But since I found no good info on the web about the relation between gpedit.msc and the registry, I wanted to raise the topic here in order to clarify. Please confirm my following conclusions: gpedit.msc is not just a GUI for editing registry values for policies. gpedit.msc is rather a GUI to manage policy settings stored in "Registry.pol". gpedit.msc becomes irrelevant when you edit the registry settings manually (using scripts or regedit.exe). Using gpedit.msc when you are editing the registry settings manually makes no sense and will only confuse things. I hope I've made things a little clearer for some tweakers out there. /Emil

Hi, I want to restrict a Windows user account to only run one single program. Let's say I create a user called Bob. Bob is not a member of any group, not even Users. He is simply a Nobody! Still, I'm able to successfully run Firefox as Bob, using the following command: runas /user:Bob "%PROGRAMFILES%\Mozilla Firefox\firefox.exe" How is that possible? What fundamental part the Windows security model am I missing? Please explain! Thanks.

Hi, I've been struggling with Group Policies in Windows XP. I'm trying to grant some extra rights to a Power User (ie. a member of the Power Users group). Some policy settings simply won't stick or are being overridden. For example: NC_LanChangeProperties, DisableWindowsUpdateAccess etc. Could anyone please confirm that you cannot, under any circumstances allow Power Users to perform the following tasks: Modify settings for Windows Firewall Modify settings for Windows Update/Automatic Updates Modify all settings for Network Connections Install or update device drivers Thanks!

I tried adding the reg keys using RunOnceEx. But the shell:ControlPanelFolder and some other stull still won't apply. But if I run the reg file by double clicking it, right after first login, it applies. What the heck.

Allright. But the guide at http://unattended.msfn.org reads the following: http://unattended.msfn.org/unattended.xp/view/web/17/ Accually, I have like 50 HKCU tweaks, and there's only 5 of them that don't work. The rest work like a charm. That's kinda odd...

Hello, I'm applying my reg tweaks during the T-12 using cmdlines.txt. I'm using the following command: "REGEDIT /S Tweaks.reg" Most of the tweaks are working, but some of the key values won't "stick". For example, I have the following entries in Tweaks.reg: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WebView\BarricadedFolders] "shell:System"=dword:00000000 "shell:SystemDriveRootFolder"=dword:00000000 "shell:ControlPanelFolder"=dword:00000000 "shell:Windows"=dword:00000000 "shell:ProgramFiles"=dword:00000000 The ControlPanelFolder isn't added, but the rest of the values are. The value is 00000001 after installation is completed. How come? The same goes for the following tweaks: [HKEY_CURRENT_USER\Control Panel\Desktop] "ScreenSaveActive"="0" "SCRNSAVE.EXE"=- "NoAutoReturnToWelcome"="1" I'm still having a screensaver showing up after 10 minutes. Am I doing something wrong?

You will have to use the Repartition entry in the [unattended] section. [Unattended] Repartition="Yes"