[prathapml]

How can I apply group policies for the machine and/or specific user during unattended install ?

I mean to ask about the policies that take effect after using gpedit.msc.
Don't tell me to monitor the registry changes it makes - I have certain changes needed to be made through the group policy editor which are not enforced from registry.

I've tried copying over an "ntuser.pol" file made previously by running gpedit after a user is created and rebooted.
Let me describe - created user XYZ, then logged in once, rebooted, logged in as user ABC, copied over the ntuser.pol to its normal place in "C:\Documents and Settings\XYZ" manually. Then, when I log-in as user XYZ, those policies weren't applied. Tried the above procedure with 10 different deviations, but still doesn't work. And, my opinion is that if it doesn't work when I do it manually, nor can it in automated mode. Maybe it requires something else too.


Has anybody managed to apply group policies unattended ?

[big_gie]

do you mean like adding someone to the administrator group? or changing password?

I have a JScript wich add users (family members) to the computer like this:

Shell = WScript.CreateObject("WScript.Shell");
Environnement = Shell.Environment("SYSTEM");
Network = WScript.CreateObject("WScript.Network");

path = WScript.ScriptFullName;
path = path.substr(0,path.lastIndexOf("\\")+1);

Shell.Run("net user <UserName> <Password> /add", 0, true);
Shell.Run("net localgroup Administrators <UserName> /add", 0, true);

try to look for an net.exe guide for command switches...

good luck

[prathapml]

no, I am referring to the modifications you can do to the system using the tool that comes up when you type "gpedit.msc" from Start Menu > Run.

[maxXPsoft]

Can't you just add it to your reg imports or import the Hive like someone was talking about.

[Sammy20]

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\

Are were all the gpedit settings are kept.


Here's my settings in case anyones instrested.

Quote

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetCache]"Enabled"=dword:00000000
"NoMakeAvailableOffline"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DiskQuota]
"Enable"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\NetCache]
"NoMakeAvailableOffline"=dword:00000001
"NoReminders"=dword:00000001
"NoConfigCache"=dword:00000001

[prathapml]

right, that's where all the gpedit settings are kept, but there's some which aren't applied through the registry and I have a hunch "ntuser.pol" has something to do with it.

In any case, gpedit.msc has thousands of settings and the registry keys have millions, so I think using some method to auto-apply a user restrictions like "ntuser.pol" might be better. It's seems that all the experts on this subject haven't yet seen this topic.

Hopefully, somebody would have posted a solution by tomorrow.

[SKiTLz]

be handy if we knew what settings you were reffering to that aren't kept in the registry. IF your reffering to the security settins set in gpedit.msc
take a trip too C:\windows\security\templates

Load one up, make the necessary changes and keep the template. As for imprting it during the install Im not to sure.

[mniccum]

%systemroot%\system32\GroupPolicy\User\Registry.pol

%systemroot%\system32\GroupPolicy\Machine\Registry.pol

[chan]

prathapml, on Jan 18 2004, 12:04 PM, said:

How can I apply group policies for the machine and/or specific user during unattended install ?

I mean to ask about the policies that take effect after using gpedit.msc.
Don't tell me to monitor the registry changes it makes - I have certain changes needed to be made through the group policy editor which are not enforced from registry.

I've tried copying over an "ntuser.pol" file made previously by running gpedit after a user is created and rebooted.
Let me describe - created user XYZ, then logged in once, rebooted, logged in as user ABC, copied over the ntuser.pol to its normal place in "C:\Documents and Settings\XYZ" manually. Then, when I log-in as user XYZ, those policies weren't applied. Tried the above procedure with 10 different deviations, but still doesn't work. And, my opinion is that if it doesn't work when I do it manually, nor can it in automated mode. Maybe it requires something else too.


Has anybody managed to apply group policies unattended ?

can you not move the %systemroot%\system32\GroupPolicy directory to $oem$\$$\System32 ?

chan

[gosh]

The xp registry guide has some good info on that, i highly recommend getting it. I have a .chm of the guide hanging around here...

-gosh

[prathapml]

Quote

would be handy if we knew what settings you were referring to

This is just an example of what I want to do, please don't latch on to this alone - probably it has a registry key somewhere, but many others don't.
1. There's this setting that applies to all users saying "Prohibit access to the control panel".
2. Hide/Prevent access to specified drives.
3. Forcibly lock taskbar/windows explorer/IE toolbars.
4. Dis-allow interactive users from generating RSOP.
5. Remove Folder Options from tools menu.
Seeing these, you get the general drift of what I am wanting to do - like, pre-configuring the UI and controlling access to system.


Thanks for all the suggestions posted until now. I'll try it out when I get home. Do post more ideas you may get - I'm not sure if what has been posted by you experts is easy to understand/do.

@gosh - I'd be grateful if you could post a link to it or attach it to your next post here.

[McoreD]

Hi,

I was wondering the same. If the following...

Start > run > gpedit.msc > User Configuration > Administrative Templates > Start Menu and Taskbar > Lock taskbar > enabled

...can be done using a RegistryTweak, that would be excellent.

Thanks,
McoreD

[Yonderboy]

I have some experience with GPO settings.
For me, the best way is to configure those setting on reference computer, then save them and possibly copy to target.
Few notices.

1) GPO settings are stored in ADM profiles. These are located in GroupPolicy folder.

2) The GroupPolicy folder isn't there by gefault, it is created on the first instance of
GPEDIT.MSC run. It creates itself in the C/windows/system32/ directory.

3) Some "hives" in the GPO management console, that are visible as a part of the settings tree, are actually not a part of GPO. For example - some security settings, - these consequently dont apply on the target computer because when moving or copying GPO profiles, these setting are not part of the profile you are moving

WHAT I DO>

I configure what I want on a reference computer, then save a full copy of GroupPolicy folder.
On target computer I run the GPO editor once in order to properly create the Group policy folder, then copy the content of my saved one to that on that new computer.
(this is possible by script in unattended mode, I believe...)
I then mannualy set up the few lasting settings that were not moved to the new pc because of a problem I wrote above.

If there is interest I can write more about my GPO experience.
For example , I managed to exclude the Administrator account from the reach of GPO rules at all on standalone machine..etc...

[prathapml]

@Yonderboy
I'd be most interested to read more on this.
Do post how to apply the "gpedit.msc" settings unattended, and the others too!

[my2001]

Hhm, I'm interested in it as well! I just don't want to believe that it's only feasible to apply one's desired group policy settings by copying folders and files.

[despal]

Simple. Open cmdlines.txt:
"gpedit.msc"
"taskkill.exe mmc.exe"
"copy \policy %systemroot%\system32\GroupPolicy"

Will try it later

[tarl57]

you create new policies on one computer on xp.
you copy C:\WINDOWS\system32\groupolicy directory or only
C:\WINDOWS\system32\groupolicy\user\*.pol
C:\WINDOWS\system32\groupolicy\machine\*.pol
on your distribution point
an after you push this file on the same directory struture on the new computer
with batch file or directly on

$OEM$\$$\system32 structure

Have you try it ?
ITs ok ?

[neophyte]

Prathapml: This may be of some assitance to you...

http://www.msfn.org/board/index.php?showtopic=15294&hl=


Specifically, the secedit command.

[Raja]

Hope this helps,

All policies under administrative templates do relate to registry. Microsoft provides a spreadsheet which has corresponding registry entry for each policy seen through gpedit.msc.

Have failed to attach the file (323 Kb) as of the following error,

"The total filespace required to upload all the attached files is greater than your per post or global limit. Please reduce the number of attachments or the size of the attachments."

If you fail to find the spreadsheet (PolicySetting.xls) on MS site help me with instructions to upload it to this forum or am happy to mail it directly to any one interested.

Cheers

Raja

[MyDomain]

I would be very interested in getting that file...
I did do a search of 45 minutes on google and microsoft, but failed to find the file...

Google got 1 result, leading back to this page
Microsoft got some more, but i couldn't locate the file.
Could you e-mail me the file?

ToMyDomain70@hotmail.com is my email!

I have managed to write a reg file that indeed sets almost all of my settings from the gpedit.msc, excapt for de policy that locks you out after entering a wrong password X times.

Also the .NET Passport password and email saving should be disabled, there is this policy that needs to be enabled to disable this, i do know which one... but not how to set it automaticly.

Thanks for any help, grtz, MyDomain.


P.S.
Just for those who might have any use for it, here is my .reg file... can't hurt to post

 mydomainregfile.reg (20.86K)
Number of downloads: 88