How to save LocalGPO for non-administrator group - security

Windows 7, 32 bit. I have added the "Group Policy Object" to the MMC with group selected as "non-administrators" (from [browse]-->Users). I have locked down the capabilities of the local machine so that non-administrators can do very little, and now I want to be able to apply this policy setting to clones of this machine. Further, I want to be able to put these settings into source control so that policy modifications can be tracked. I want the administrators to have full capabilities.
Once configured on my target machine, I have created a WIM with the Microsoft Deployment Toolkit (MDT) which solves the first half of my needs but this makes it hard to compare any changes to the policy.
I have installed the Security Compliance Manager (SCM) but this wants a baseline to start with and I do not see how to apply policies to groups with this tool. I have installed the LocalGPO.wsf tool as well and have created a backup of the local policy with the /Export switch, but when I use the MMC to change the non-administrator policies, this is not reflected with the LocalGPO.wsf when I run the /Compare against my previously exported GPO. We cracked open the LocalGPO.wsf file and at first glance it looks like it calls SECEDIT.exe which does not seem to take any switches for group policies.
Am I missing a switch on the LocalGPO.wsf that will export the non-administrator group policy settings so that I can put this into source control?
Is there another way to apply my changes to the non-administrators in the SCM? I could not find that menu item.
Are my aspirations too high to be able to update these policies in a controlled fashion?
Thanks - Steve

%windir%\System32\GroupPolicyUsers (unhide hidden files to see it)
or
MMC: add Group Policy Object Editor -> Users tab -> Non-Administrators policy.
Expand User Configuration > Windows Settings > Scripts > Logon; click Add; click Browse; it will open up the folder containing the scripts. If you go up two folders you will find the folder to copy to other machines (for me it was called S-1-5-32-545).
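As an added example (not the answer's own steps or Microsoft's LocalGPO tool), the PowerShell below snapshots the Non-Administrators local policy folder the answer points at (%windir%\System32\GroupPolicyUsers\S-1-5-32-545, S-1-5-32-545 being the well-known SID of BUILTIN\Users) into a source-control checkout, with a SHA-256 manifest so that a later MMC edit shows up as a diff of which file changed. It assumes an elevated prompt, PowerShell 4.0 or later for Get-FileHash, and a placeholder destination path.

```powershell
# Added example: snapshot the Non-Administrators local GPO for source control.
# The folder only exists once that policy has been edited at least once in the MMC.
param(
    [string]$Destination = 'C:\src\localgpo\non-administrators',   # placeholder path
    [string]$UsersSid    = 'S-1-5-32-545'                           # BUILTIN\Users
)

$source = Join-Path $env:windir "System32\GroupPolicyUsers\$UsersSid"
if (-not (Test-Path -LiteralPath $source)) {
    throw "No Non-Administrators policy found at $source (edit it once in the MMC first)"
}

# The folder and its contents are hidden/system, so -Force is needed to see registry.pol.
$files = Get-ChildItem -LiteralPath $source -Recurse -File -Force

# Mirror the tree into the checkout; clear it first so deleted files are tracked too.
if (Test-Path -LiteralPath $Destination) {
    Remove-Item -LiteralPath $Destination -Recurse -Force
}
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
foreach ($f in $files) {
    $relative = $f.FullName.Substring($source.Length).TrimStart('\')
    $target   = Join-Path $Destination $relative
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $target -Force
}

# registry.pol is binary, so a line diff of this manifest is the quickest way to
# see which file changed between two exports.
$manifest = foreach ($f in $files) {
    $relative = $f.FullName.Substring($source.Length).TrimStart('\')
    '{0}  {1}' -f (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash, $relative
}
$manifest | Sort-Object | Set-Content -Path (Join-Path $Destination 'MANIFEST.sha256') -Encoding ASCII
Write-Host ("Exported {0} file(s) from {1} to {2}" -f $files.Count, $source, $Destination)

# To apply on a clone, copy the tree back to the same path and refresh policy:
#   Copy-Item "$Destination\*" -Destination $source -Recurse -Force -Exclude MANIFEST.sha256
#   gpupdate /force
```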

I'd like to know the answer to this as well. I recently made a Windows 7 kiosk and I'd like to export the changes I made in non-administrators for future reference. It seems that gpresult only looks at what is applied from a domain level.


Access Core Data from extension without provisioning profile on macOS?

I'd like to add a Quick Look extension to my program, but in order to be useful, it would have to access the Core Data stack, which seems to require me to add an App Group and a provisioning profile to the project.
Until now, it has been possible for anyone to download the project from Github and compile and run it out of the box. All project targets are set to Team: None and Sign to Run Locally. If I add my provisioning profile to the project, this will no longer work. They will have to create and add their own provisioning profile and change the Signing & Capabilities settings on each of the 26 targets (there seems to be no way to do them all at once). And the profile will have to be renewed every year.
My question is, is there any way around this? Is such a major change really necessary for what amounts to accessing a file inside the program's own bundle (and another in its Application Support folder)?
EDIT: As was pointed out to me on the Apple Developer forum, you don't need a provisioning profile as long as you prefix the group name with the development team identifier. This still won't make it build out of the box, though. You will still need a developer account and set a team on every target.
I had missed that you are supposed to have a team identifier as the prefix for the group name. That still doesn't solve the problem that my project will no longer build out of the box for anyone who downloads it from Github, but it answers the question asked in the subject line.

Kentico 11 - Admin portal styling broken

Has anyone experienced a situation in Kentico where the admin portal is broken? I've attached an image where you can see the styling is completely missing.
Typically an issue with one or more of the following:
In general, installation failed
No permissions granted to the IIS_IUSRS to the directory in the file system
The directory/file does not exist in the file system
Macros need to be resigned due to a change to the CMSHashStringSalt key in the web.config
Improper website set up/configuration in IIS
Caching
UPDATE
Remembered a few other things:
Check the /App_Themes directory and make sure you have the following themes:
Design
Default
Global
It may be best to copy those three themes from another installation with the same version and hotfix.

How to turn off Internet Explorer enhanced security settings in Azure

My site is hosted on Azure. I need to programmatically turn off Internet Explorer's default enhanced security configuration settings whenever I repave or redeploy a new box on Azure.
How do I do this?
I found this article on another site http://jetlounge.net/blogs/teched/archive/2009/10/25/fix-ie-esc-won-t-turn-off-internet-explorer-enhanced-security.aspx. It included the following command line syntax, but on my local box I couldn't find the IEHARDEN.INF file it referred to. I also don't think this solution is Azure-specific.
rundll32.exe setupapi.dll,InstallHinfSection IESoftenAdmin 128 %windir%\inf\IEHARDEN.INF
I need to turn off these default hardening settings under Azure because I have a 3rd party IE screen capture DLL that needs to execute Javascript on webpages.
I think that this approach, shaped as a Windows Azure StartupTask running in the elevated execution context, will help you.
Just remember that the .bat or .cmd file you create needs to be UTF8 encoded. There used to be some issues with the batch files if they are not UTF8.
UPDATE
I decided to update the answer, because it would have been too long for a second comment. I want to first make clear that I do not intend to offend anyone and what follows is just my personal view and thoughts.
Well, my vision might be (is) distorted through my prism. But I think that these specifics have nothing to do with Windows Azure itself.
These are OS-related configuration specifics and the approach would be one and the same (with some variations) regardless of the (hosting/cloud) provider. If you had to deploy your solution to a dedicated (or virtual) server, you would have had to create some kind of scheduled task, or startup task, to make these configuration changes. Or even interactively log in to make these changes.
Since Windows Azure offers the StartUp Task, it is up to us (developers) to decide what to do and how to shape the OS according to our needs.
The OS configuration changes that one can possibly need are only limited by the total amount of all available Windows Server 2008/R2 configuration options. I personally do not believe that these need to be reflected in Windows Azure documentation by any means. They have their place in Windows Server documentation. It is arguable which are "commonly used", because what might be common for one might also be "never needed" for others ...
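As an added example, not code from the answer above, this is the kind of script an elevated Windows Azure startup task (a UTF-8 .cmd that calls powershell.exe -ExecutionPolicy Unrestricted -File on it) could run to switch IE Enhanced Security Configuration off, idempotently, on every repave. It assumes the Active Setup component keys under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components that IE ESC is widely documented to use; those GUIDs are not on the page, so verify them against your own image. It defaults to the administrator scope only, matching the IESoftenAdmin section of the rundll32 approach, since loosening the users' scope widens the change further than the screen-capture DLL needs.

```powershell
# Added example: disable IE ESC from an elevated startup task, safe to re-run.
# Assumption: these Active Setup GUIDs are the ones IE ESC uses (not from the page).
param([ValidateSet('Admin','Users','Both')][string]$Scope = 'Admin')

$base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$components = @{
    Admin = Join-Path $base '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users = Join-Path $base '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
$targets = if ($Scope -eq 'Both') { 'Admin', 'Users' } else { @($Scope) }

foreach ($name in $targets) {
    $key = $components[$name]
    if (-not (Test-Path -LiteralPath $key)) {
        # Nothing to do on an image where IE ESC is not installed at all.
        Write-Warning "IE ESC component for $name not present on this image"
        continue
    }
    $current = (Get-ItemProperty -LiteralPath $key -Name IsInstalled).IsInstalled
    if ($current -ne 0) {
        Set-ItemProperty -LiteralPath $key -Name IsInstalled -Value 0 -Type DWord
        Write-Host "IE ESC disabled for $name (IsInstalled $current -> 0)"
    } else {
        Write-Host "IE ESC already off for $name; no change"
    }
}

# A simple startup task that exits non-zero makes the role recycle, so only
# fail the task when the registry could not be changed at all.
exit 0
```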

Cannot open log for source {0} on Windows 2003 Server

I am having a huge problem with the event log on my server. Right, let me first of all explain the setup.
I have a domain setup with 2 computers
One computer is running IIS, the other is a workstation. The IIS machine is running Win2k3, the workstation Win XP.
The IIS computer is hosting a website which uses Windows Impersonation and tries to log an entry to the eventlog for a custom log file called MyApp and a custom event source MySource
I have a domain user called MyUser who is just a member of Domain Users.
Single Sign On is working 100% because I can write out the logged in user to the page fine.
When I visit the IIS page from the workstation I get one of the following messages (sometimes I get the first sometimes the second)
1) The handle is invalid
2) Cannot open log for source 'MySource'. You may not have write access.
So to try and fix this I have tried all of the following:
Granted the Everyone user FullControl to C:\windows\system32\config\MyApp.evt file
Granted the everyone user FullControl to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
In the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\MyApp\CustomSD I appended the following string (A;;0x0002;;;AU), (the reason for this can be read here http://fgheysels.blogspot.com/2008/01/cannot-open-log-for-source-0-on-windows.html)
I am now totally out of ideas of how to fix this. Has anyone else come across this, and have you tried anything else?
The error, as you seem to have found already, relates to writing to event sources or creating them. I would suggest you try the following.
You did not indicate if the event source exists in the registry or whether the .evt files were created by the system or if you put them on the machine, so it is hard to determine at which point you are stuck.
You also did not mention if this works on some developer's machine, in which case you can compare the registries and even create the keys manually if you have to.
Have a look under ...\Eventlog if a key for your log has been created (MyApp?).
Have a look in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\MyApp.
There should be a key called Sources. Does your source appear in here?
If these entries do not exist the error is that your user does not have permissions to create the custom log and source.
In the error message it should indicate a ThreadIdentity parameter, which should indicate which user account it is attempting to use to do this. You can also open the permissions to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog and query the "Effective Permissions" for this particular user to ensure it effectively really has full control.
Try granting full control to the entire directory C:\windows\system32\config\ and not just the .evt file as the system needs to create some additional files here as well.
Lastly you can try and enable anonymous access to the website and run it as the machine/Domain administrator user once so all the keys get created before setting it back to the way you like it. You could also try enabling impersonation in the web.config file to ensure that it is not running without a windows identity. These ones you should all be able to undo once the correct keys and files have been created.
Let us know what you find after this and we can take it further.
Well after many hrs of trying to solve this I appear to have a solution which works.
First of all I had to allow the Authenticated Users group write access to the event log. I advise you to back up your registry before continuing.
Run regedit
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Open the subkey which matches the EventLog you are writing to (so I will pick Application)
On the right you will see the registry strings, locate one called CustomSD
Right click and modify it.
Append to the end (A;;0x2;;;AU) (I will explain this later)
Save the changes (I don't know if you need to reboot or not)
So that will mean Authenticated Users can write to the Application event log. I needed to apply one more change.
Open the Domain GPO or local computer GPO
Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log
Go to its Properties window
Select Define these policy settings
Add the Administrator group
Add the Authenticated Users group
Save and do a gpupdate /force for the affected computer.
That is the only way I could get it to allow my website users to write to the event log.
I mentioned in part 1 step 6 I would explain the string we added. Please see this page for more details http://support.microsoft.com/kb/323076
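As an added example, not code from either answer, this PowerShell does the registry half of the fix above in a checked, reversible way: it first runs the diagnostic the earlier answer suggests (is the log, and the source under it, registered?), keeps a copy of CustomSD, and appends (A;;0x2;;;AU) only when no equivalent ACE is already there. Log and source names default to the question's MyApp and MySource; run it elevated.

```powershell
# Added example: grant Authenticated Users write access to a custom event log
# through CustomSD, the same change the answer above makes by hand in regedit.
# SDDL ACE (A;;0x2;;;AU): A = access allowed; 0x2 = ELF_LOGFILE_WRITE
# (0x1 = read, 0x4 = clear); AU = well-known alias for Authenticated Users.
param(
    [string]$LogName = 'MyApp',
    [string]$Source  = 'MySource',
    [string]$Ace     = '(A;;0x2;;;AU)'
)

$logKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
if (-not (Test-Path -LiteralPath $logKey)) {
    throw "Log '$LogName' is not registered under Eventlog; the app never got to create it"
}
# Diagnostic from the earlier answer: an unregistered source gives the same error.
if (-not (Test-Path -LiteralPath (Join-Path $logKey $Source))) {
    Write-Warning "Source '$Source' is missing under $logKey; create it once as an administrator"
}

$current = (Get-ItemProperty -LiteralPath $logKey -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $current) {
    throw "No CustomSD value on $logKey; export the key with regedit before adding one"
}

# Keep the original descriptor next to the live one so the change can be undone.
Set-ItemProperty -LiteralPath $logKey -Name 'CustomSD.bak' -Value $current

# 0x0002 (as in the question) and 0x2 (as in the answer) mean the same mask;
# normalise both before checking so the ACE is not appended twice.
$wanted     = $Ace     -replace '0x0+2', '0x2'
$normalised = $current -replace '0x0+2', '0x2'
if ($normalised -like "*$wanted*") {
    Write-Host "CustomSD on $logKey already contains $wanted; nothing to do"
} else {
    Set-ItemProperty -LiteralPath $logKey -Name CustomSD -Value ($current + $Ace)
    Write-Host "Appended $Ace to CustomSD on $logKey"
}

# Echo the result. Reboot if the change does not take effect (the answer was
# unsure), and remember the 'Manage auditing and security log' right the
# answer also had to grant; this ACE alone was not enough for them.
(Get-ItemProperty -LiteralPath $logKey -Name CustomSD).CustomSD
```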

Is it possible for a team to use Eclipse installed on a shared network drive?

Our lead programmer likes to install tools on a shared network drive to minimize effort when updating. He recently installed Eclipse to the network drive, but when I run it, I get a window that says Workspace in use or cannot be created, choose a different one. After clicking OK, I get a window that gives me a drop down menu with only one item, the workspace on his machine. I can then browse to the workspace on my machine, click OK, and Eclipse continues to start up and run just fine. There's a check box in that second window that says Use this workspace as the default that I've checked after browsing and selecting my workspace, but the next time I start up Eclipse, it reverts back to the lead's workspace.
Are we violating some assumption that Eclipse makes about the install? We're on a Linux network, if it makes a difference.
Set up the shared Eclipse so that it cannot be modified by the users accessing it. This should (if I recall correctly) force Eclipse into a "Shared User, Hands Off" mode and default to storing settings per user account.
Do not share Workspaces (or Projects) -- this will only break things horribly -- use a different strategy such as a proper revision control system.
Perhaps this documentation will be helpful.
"""The set up for this [shared] scenario requires making the install area read-only for regular users. When users start Eclipse, this causes the configuration area to automatically default to a directory under the user home dir. If this measure is not taken, all users will end up using the same location for their configuration area, which is not supported."""
I would try to run Eclipse locally as well as over the network. Using a shared network drive may make Eclipse more painful than it sometimes is. A development environment should work for the developer, even at the expense of a slightly more complicated setup.
Eclipse stores a lot of settings, including the workspace list, in its installation directory (especially the "configuration" directory). It's hard to say how well sharing the installation will work, but I wouldn't be surprised if there were a number of issues caused by "fighting" between Eclipse instances running on different developers' workstations.
To fix the particular issue you're having, you could set up a separate startup script that passes your workspace as a command-line argument to Eclipse, bypassing the workspace selection dialog you're seeing.
