Hi Doug,
Scripting registry changes really isn't that smart considering that group policy allows you to change the ACL on both files/folders and registry keys. By changing it at the OU level it's consistent and in the event of a new server being introduced to the OU or a change on an exiting server the ACLs will always get reappliewd at reboot.
Plus if you're using the GPMC (group policy management console, free download from Microsoft,) you have built in documentationm of all the registry settings.
I wouldn't suggest using any other methodology besides group policies if you want to get consistent, absolutely reliable results. The exception to this rule is applying user rights because using via group policy replaces local rights with sometimes disastrous results.
Edit or create a group policy for the terminal services server OUs, then run gpedit against the group policy (this can't be applied by a local policy, well actually it can but not using gpedit). Got to computer configuration > Windows Settings > Security Settings > Registry > Add key. Browse to the key where you want to change the ACL, define the user access and save. Repeat for the other key ACLs you want to manage.
The next time you reboot the server it'll all be done.
regards,
Rick
--
Ulrich Mack
Quest Software
Provision Networks Division
On Thu, Apr 23, 2009 at 1:17 AM, Doug Rooney
<Doug@sonomatilemakers.com> wrote:
Neil,
Unfortunately I didn't, I inherited this, I came from a Unix world and I am still learning the windows stuff, we had a consultant set everything up, then he dropped off the face of the earth. I have learned a lot about AD and policies, but I am quite the novice compared to you all, which is why I ask for help. I prefer to look dumb and ask obvious questions, that just 'try it' and screw something up. One thing out friendly consultant did was create a group called "Many Rights" and then made everyone a member of it, well, "Many Rights" was just another name for Administrator, so everyone could do anything, what a flipping mess that was, he did it because there was a permissions issue and instead of figuring it out and fixing it, he just made "Many Rights", I finally figured out the issue and fixed it, and removed "Many Rights". So I know I have to change permissions on some Registry Keys, but have only a slight idea how, and I know I have to have permission as Administrator, but have no idea how to fix that. So any and all help is greatly appreciated.
Thank You
~Doug Rooney
Sonoma Tilemakers
IT Manager
7750 Bell Rd.
Windsor Ca, 95492
(707) 837-8177 X11
(707) 837-9472 FAX
it@sonomatilemakers.com
No comments:
Post a Comment