Group Policy Question - Laptops 2

[LadySlinger]

I would like to implement a group policy for some of the laptops that connect to our domain.
Some of the policies I want to create include preventing installation of software, and preventing them from uninstalling software.

However my fear is that when these users go to leave and they are no longer a part of the domain that the policies become a free for all and when they come back onto the domain they have problems.

Is there a way to make sure that this doesn't happen?

 

[wkim623]

How are they logging onto the machine off the domain?

I'm not totally clear on how they are using the machine offsite, but maybe removing the access of the add/remove icon from the control panel. Or just have them as a user locally so they can't change anything.

 

[markdmac]

If the users are not local admins and only have domain IDs and not local IDs, then the policies don't just go away because they machine is not logging into the network while the user travels. The policies you push down when you set the machine up on the network will still be applied.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[mrdenny]

When policies are applied to the machine those policies remain in effect if the machine is not physically connected to the network. Just because the machine is not plugged in, it is still a member of the domain. Windows keeps those settings cached for just this reason.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com

 

[LadySlinger]

Oooo...I like the cache.

Yes, this probably has to do with the cache, but they still log into their laptop off the domain using the domain instead of the local computer.

I'm just working on creating some form of flexibility between the user and the admin when they are off site and out of state.

 

[gmail2]

Sorry to "barge in" on somebody elses post, but I always understood that anything written to any of the policies hive in the registry was removed when the user logged off or the pc was shut down (depending on if it was written to HKCU or HKLM). Where are the settings cached? Is there any way to control this? I've had instances where sometimes a desktop pc failed to apply group policy correctly at some point during a normal refresh and the windows firewall changed to on (instead of off which is forced by policy) so if the settings are cached, would it not have applied these rather than failing competely?

I'm not questioning anybody's replies, just curious

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau

 

[markdmac]

Policies are stored in the registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[lhuegele]

Sorry to "barge in" on somebody elses post, but I always understood that anything written to any of the policies hive in the registry was removed when the user logged off or the pc was shut down (depending on if it was written to HKCU or HKLM). Where are the settings cached? Is there any way to control this? I've had instances where sometimes a desktop pc failed to apply group policy correctly at some point during a normal refresh and the windows firewall changed to on (instead of off which is forced by policy) so if the settings are cached, would it not have applied these rather than failing competely?

The only time a system will use cached credentials and settings is when the domain controller is unavailable. You can have a DC available and still have policy replication issues.

Good luck,

 

[gmail2]

Thanks for the replies on this (althought it wasn't originally my post !!). Like I said, I've always understood that anything in the policies hive was removed when the user logged off or the PC was shutdown - is this not the case? Or if so, where are the policies "cached"?

Thanks again

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau

 

[markdmac]

The policies are applied and saved in the registry. Delete the registry keys and the policies no longer are applied.

There are 4 places where the policies may be applied:

HKEY_LOCAL_MACHINE\Software\Policies

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_CURRENT_USER\Software\Policies

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.