[TheWalrus]

I could use some tips. I created GPO which is supposed to 1) copy a file from a server to local disk and 2) do simple change in registry. Unfortunately it doesn't work and I can't figure out why.

I want it to work on whole computer rather on user, so in the editor I changed relevant settings under computer configuration. I also linked the GPO to one computer only - for testing purposes.

gpresult /r shows me that the policy is applied, but in reality nothing happens. I am out of ideas... What should I check?

Attached File(s)

•  gpo.png (45.95K)
  Number of downloads: 11

[allen2]

Did you checked the rights on the share and the ntfs permission there (the computer account should have the rights there) ?
Also i wouldn't do it this way: I would create a batch file to copy the file and import the reg entry and i would put the needed files (if they are small) in the gpo folder.

[TheWalrus]

allen2, on 24 January 2012 - 01:58 PM, said:

Did you checked the rights on the share and the ntfs permission there (the computer account should have the rights there) ?
Also i wouldn't do it this way: I would create a batch file to copy the file and import the reg entry and i would put the needed files (if they are small) in the gpo folder.

That makes no sense to do since the functionality is right there in the GPO editor....




Rights should be ok as I logged on to the domain with admin account.

[allen2]

Of course, but you're still stuck with a not working gpo and also those settings are new (i never used them so i can't tell if they are reliable) but i'm sure of something: everything that run under a computer config in a gpo will run with the computer system account so if you copy something from a share it might not work if the shared folder isn't properly configured (unless the gpo tools make a local copy of the file in the gpo folder).
Usually, i use a script only to get logs of the executed work to debug problems.

[TheWalrus]

So which permissions should I specifically check for?

[allen2]

You need to add the accounts of your target computers (or a group containing them like "authenticated users" but this one contains almost all AD objects).

[TheWalrus]

Well, I should have that. In the Scope tab, under security filtering, I added that specific computer to the list.

I created other policy in the same way (computer settings etc.) that installs an app and it works just fine.

[TheWalrus]

I nailed it down to probably permissions problem. I added some app installation to the same policy and it worked.




So:

What kinda permissions do I need (and where?) in order to be able to do a registry change on a machine via GPO, under computer configuration?

[TheWalrus]

Really need some help here... I googled like mad and found nothing.

[TheWalrus]

After hopelessly trying this and that I managed to nail it down to some sort of incompatibility with Windows XP. In theory, this http://support.microsoft.com/kb/943729 should let me use the new stuff on XP, but it is still not working at all.

[TheWalrus]

I will finish my monologue with what I finally found out.

I use nLite to ease the installation of XP machines. After even more trial and error I accidentally found out that that KB943729 doesn't install (or just doesn't work - I don't know) if I integrate Intel chipset drivers into the installation image. Doesn't make sense? I know. It does work if I install those drivers after I join domain and install the KB.

What I did was integrade the KB into the image as well like if I was adding updates. I have no idea what the deal was, but it works.

[Tripredacus]

TheWalrus, on 01 February 2012 - 09:02 AM, said:

I will finish my monologue with what I finally found out.

I use nLite to ease the installation of XP machines.

Many of our users will be sad/angry to read this.

I see you've been using nLite for quite a while now and no one would jump to a conclusion and think maybe your use to nLite was related to your recent question about pushing out a Flash update via GPO for your customer.... By now you must have encountered the many threads in the nLite forum that talk about its EULA.

[iamtheky]

indeed Trip,

Dont get me wrong, I spent months building a hardened XP image. Many roadblocks were overcome by letting Nlite accomplish the task, then working very much backwards with windiff/regshot to see what was altered. Then applying the effective changes manually to the Master Systems, then researching why it worked, then documenting. Seems if you let Nlite do all the work and push it out the door, more often than not your answer would be:

Quote

I have no idea what the deal was, but it works.

Even if I were to ignore the EULA and authors wishes, with such a grand lack of documentation and dedicated support it would still not be a feasible solution for distribution.

This post has been edited by iamtheky: 01 February 2012 - 11:35 AM

[TheWalrus]

You are quite right, actually. If I could I'd pay for a licence for nLite, but sadly such option doesn't exist I also completely forgot about this because I haven't touched XP for quite some time and then I needed to come up with a solution when I got this job.