List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: RE: [ActiveDir] [ActiveDir Digest]
kevinbrunson
02/18/2008 9:56 AM
If you use KiXtart for scripting, you can use the command SetConsole("Hide") to make the script disappear when it runs. KiXtart also prevents users from closing the script before it completes by logging off the session if the script is closed before it finishes.

You can also set up Group Policy (User Configuration>Administrative Templates>System>Scripts) to adjust logon script behavior. If you set "Run legacy logon scripts hidden" to enabled, then it hides the script entirely.

kb

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jitendra Kumar Sharma
Sent: Sunday, February 17, 2008 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [ActiveDir Digest]

Hi,
How can I hide logon script from users, or disable the X button on the top of the script?

Regards,
Jitendra sharma

On Feb 18, 2008 9:31 AM, List Server <ActiveDir-owner@mail.activedir.org> wrote:
> ---------------------------------------------------------
>
> From: "prankmonkey" <prankmonkey@gmail.com>
> Subject: RE: [ActiveDir] Vista sp1 GPMC
> Date: Sun, 17 Feb 2008 21:53:48 +1100
> Reply-To: ActiveDir@mail.activedir.org
> I am anxiously awaiting the release of the updated GPMC + the GP Preferences CSE for Vista and XPSP2. Hurry up MS!
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Saturday, 16 February 2008 7:12 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Vista sp1 GPMC
>
> Update: Remote Server Administrator Tools (RSAT) for Vista SP1 - Windows Server 2008 blog by Kurt Roggen [BE]:
> http://trycatch.be/blogs/roggenk/archive/2007/11/28/update-remote-server-administrator-tools-rsat-for-vista-sp1.aspx
>
>
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> > You had to be in the Server 2008 beta I think?
> >
> > Now that you reminded me I can snag it from the 2k8 beta site. It is there.. I'll ask what the eta is for the release.
> >
> > Tim Vander Kooi wrote:
> >> SP1 has been in Beta for some time now though. RSAT should have been available during the Beta period so that those of us trying to use SP1 Beta could still manage our Vista GPOs. Very worst case they should have gone RTM and become available at the same time. To have Server 2008 and Vista SP1 both RTMed and available but no RSAT to manage them just doesn't make sense, not from the stand point of those of us using them.
> >> Tim
> >>
> >> -----Original Message-----
> >> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha Weerasinghe
> >> Sent: Friday, February 15, 2008 1:31 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: Re: [ActiveDir] Vista sp1 GPMC
> >>
> >> RSAT requires SP1. So IMO there is no point releasing before SP1 (RTM) is released.
> >>
> >> M@
> >>
> >> On 15/02/2008, Tim Vander Kooi <tvanderkooi@expl.com> wrote:
> >>>
> >>> In my ever so humble opinion not releasing RSAT PRIOR to SP1 for Vista was a less than intelligent move, but those of us with that opinion got out-voted.
> >>>
> >>> Tim
> >>>
> >>> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef Kazimer
> >>> Sent: Friday, February 15, 2008 11:41 AM
> >>> To: activedir@mail.activedir.org
> >>> Subject: RE: [ActiveDir] Vista sp1 GPMC
> >>>
> >>> Hopefully we will see the release of RSAT once Vista SP1 hits the public. :)
> >>>
> >>> Jef Kazimer
> >>> -------
> >>> http://www.jeftek.com
> >>> ________________________________
> >>>
> >>>> Date: Fri, 15 Feb 2008 09:37:54 -0800
> >>>> From: matheesha@gmail.com
> >>>> To: ActiveDir@mail.activedir.org
> >>>> Subject: Re: [ActiveDir] Vista sp1 GPMC
> >>>>
> >>>> GPMC won't be standalone. Comes with the Remote Server Admin tools (RSAT).
> >>>>
> >>>> Unfortunately beta page on connect seems to be down.
> >>>>
> >>>> HTH
> >>>>
> >>>> M@
> >>>>
> >>>> On 14/02/2008, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> >>>> <sbradcpa@pacbell.net> wrote:
> >>>>> TechNet Plus Blog : TechNet Plus: Vista SP1 available for Download:
> >>>>>
> >>>>> http://blogs.technet.com/technetplussubscriptions/archive/2008/02/14/technet-plus-vista-sp1-available-for-download.aspx
> >>>>>
> >>>>> Does anyone happen to know when the GPMC standalone installer will be out (remember if you install SP1 the GPMC is removed so you can't edit Vista group policy.
> >>>>>
> >>>>> (hang on..me have Vista Enterprise I'm legal for a virtual! I think! Yes? If so never mind as that's how I can get around this.)
> >>>>> List info : http://www.activedir.org/List.aspx
> >>>>> List FAQ : http://www.activedir.org/ListFAQ.aspx
> >>>>> List archive: http://www.activedir.org/ma/default.aspx
> >>>>>
>
> ---------------------------------------------------------
>
> Date: Sun, 17 Feb 2008 23:56:02 +0530
> From: "Kamlesh Parmar" <kamleshap@gmail.com>
> Subject: [ActiveDir] Minor security issue on win 2008 RODC
> Reply-To: ActiveDir@mail.activedir.org
>
> I did this on Eval copy of 2008.
>
> I was just looking into RODC feature and how one can provide local admin
> privileges to manage the physical server without handing out domain admin
> rights.
> I found that, when someone is added to administrators role on RODC, she can
> change the permission on NTDS folder even though she is given only READ
> permission.
>
> Are you guys seeing this on production 2008 DCs?
>
> --
> Kamlesh
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Argue for your limitations, and sure enough, they're yours.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ---------------------------------------------------------
>
> From: "Gabriele Scolaro" <gabro@gabro.net>
> Subject: RE: [ActiveDir] REG_MULTI_SZ with commas in SCERegVl.INF
> Date: Mon, 18 Feb 2008 03:05:19 +0100
> Reply-To: ActiveDir@mail.activedir.org
> Darren, thank you for the time you dedicated to my issue.
>
> I tried to use a simple REG_SZ in place of a REG_MULTI_SZ, but remote
> scanning via DCOM does not work. :-(
> It requires a REG_MULTI_SZ. Period.
>
> I hate to modify registry hacks with a machine start-up script.... but now I realize why it is written: "COM+ Settings: The COM+ endpoint registry settings for the Windows Update Agent can be configured through Group Policy as part of a startup script".
> http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx
>
> Anyway, it is a hole that it is not possible to set REG_MULTI_SZ with comma separated values via GPO, even using a custom SCERegVl.INF.
> BUMMER!!!
>
> Gabriele.
>
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> > Sent: Tuesday, 5 February 2008 18.42
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] REG_MULTI_SZ with commas in SCERegVl.INF
> >
> > Gabriele-
> > Well, despite the docs stating support for MULTI_SZ, I was not able to get the LISTBOX Part to support that. I may spend a little more time digging into it but it will likely take a while. Sorry about that. I suppose the other GP-based option is to create the reg file and distribute it using Computer Startup Scripts--not exactly elegant.
> >
> > Darren
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> > Sent: Sunday, February 03, 2008 11:19 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] REG_MULTI_SZ with commas in SCERegVl.INF
> >
> > Hi Darren,
> >
> > I gave a try with the LISTBOX part in ADM but I was able to manage REG_SZ only, not REG_MULTI_SZ.
> > Yes please, if you have some hints for that, give me the pointers! I would appreciate that a lot!
> >
> > Regards,
> > Gabriele
> >
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> > > Sent: Sunday, 3 February 2008 6.19
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] REG_MULTI_SZ with commas in SCERegVl.INF
> > >
> > > Gabriele-
> > >
> > > In addition to Guy's advice below, I just remembered that you can actually use ADMs to set MULTI_SZ values. You would use a LISTBOX part to do this in fact. So it is do-able via ADM. Let me know if you want some pointers on this.
> > >
> > > Darren
> > >
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Guy Teverovsky
> > > Sent: Saturday, February 02, 2008 5:36 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] REG_MULTI_SZ with commas in SCERegVl.INF
> > >
> > > It's even worse...
> > >
> > > I have just tried adding an entry like this:
> > > RegType: 1 (REG_SZ)
> > > Display Type: 4 (Multivalued)
> > >
> > > The behavior I have observed:
> > > - UI presents a dialog for multi-value entries (multiline)
> > > - the value in the registry is created as REG_MULTI_SZ (ok, so why was I asked about RegType if the UI just ignores me ?)
> > > - commas are converted to spaces in the registry
> > >
> > > Setting the entry to REG_MULTI_SZ and String gives single-line dialog in GPEDIT UI and treats commas as value separators (produces multi-valued data in the registry)
> > >
> > > Guy
> > >
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> > > Sent: Saturday, February 02, 2008 11:14 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] REG_MULTI_SZ with commas in SCERegVl.INF
> > >
> > > Darren, surely I use the Port Exception list, but by default MBSA talks to the remote PC Windows Update service through a port that DCOM dynamically allocates, thus I have to set a registry key on the remote computer to make the DCOM port allocation STATIC.
> > >
> > > Any idea on how to push some REG_MULTI_SZ registry hacks (that contain commas!) to computers via GPO?
> > > Have you ever seen this problem?
> > >
> > > Thanks - Gabriele.
> > >
> > > > -----Original Message-----
> > > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> > > > Sent: Saturday, 2 February 2008 19.36
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: RE: [ActiveDir] REG_MULTI_SZ with commas in SCERegVl.INF
> > > >
> > > > Gabriele-
> > > > Any reason why you're not just using the Port Exceptions policy built into the ADMs for Windows Firewall?
> > > >
> > > > Darren
> > > >
> > > > -----Original Message-----
> > > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> > > > Sent: Saturday, February 02, 2008 10:27 AM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] REG_MULTI_SZ with commas in SCERegVl.INF
> > > >
> > > > Let me tell the whole "sad" story.
> > > >
> > > > I wanted to enhance my Windows Firewall GPO configuration so that MBSA was allowed to remotely scan a Windows XP box in the Domain.
> > > >
> > > > I carefully followed ALL the recommendations at http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx (Q. How can I scan a computer that is protected by a firewall?) and finally I was able to MBSA-scan a remote machine by setting the following registry key:
> > > > HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints\"ncacn_ip_tcp,0,4321" [REG_MULTI_SZ] (4321 is the port number I've randomly chosen to use).
> > > >
> > > > The problem arose when I decided to create a custom GPO ADM to push the registry hack to all PCs.
> > > > REG_MULTI_SZ is not supported in ADM! :-(
> > > >
> > > > After some meditation, I thought a REG_MULTI_SZ registry hack might be distributed with a customized SCERegVl.INF to be managed within the GPO Security Configuration Editor (http://support.microsoft.com/kb/214752)
> > > >
> > > > So I added the following line (7=REG_MULTI_SZ & 4=Multivalued) and I registered the change with "regsvr32 scecli.dll":
> > > > MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints,7,"DCOM: Windows Update Agent - Remote Access Static Port Assignement (format: ncacn_ip_tcp,0,x)",4
> > > >
> > > > I was able to see the new entry in the GPO Security Configuration Editor and I was able to add my value as well (ncacn_ip_tcp,0,4321)!
> > > >
> > > > BUT GUESS WHAT? If I open the registry editor I see that "commas" are removed from the value and are replaced by a space char between quotation marks!
> > > > :-(
> > > >
> > > > This is what I see in the RegEd pane:
> > > > Name Type Data
> > > > Endpoints REG_MULTI_SZ ncacn_ip_tcp" "0" "4321
> > > >
> > > > This is what I see if I double click "Endpoints" value:
> > > > Value Name:
> > > > Endpoints
> > > > Value Data:
> > > > ncacn_ip_tcp"
> > > > "0"
> > > > "4321
> > > >
> > > > This is the "bugged reg" export:
> > > > Windows Registry Editor Version 5.00
> > > > [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}]
> > > > @="Windows Update Agent - Remote Access"
> > > > "Endpoints"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,74,00,\
> > > > 63,00,70,00,22,00,00,00,22,00,30,00,22,00,00,00,22,00,34,00,33,00,32,00,31,\
> > > > 00,00,00,00,00
> > > >
> > > > This is how the reg export should look: (with manually set values)
> > > > Windows Registry Editor Version 5.00
> > > > [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}]
> > > > "Endpoints"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,74,00,\
> > > > 63,00,70,00,2c,00,30,00,2c,00,34,00,33,00,32,00,31,00,00,00,00,00
> > > >
> > > > It looks like the Security Configuration Editor cannot handle the comma hex 2c value.
> > > > I've tried to use a "String" display-type #2 in place of a "Multivalued" #4, but it does not work either, the only difference is that quotation marks are removed from the registry value (the comma is replaced by a space char only).
> > > >
> > > > Now I feel like I'm in a blind alley, I think it is not possible to use GPO Editor to push a reg setting which is REG_MULTI_SZ and contains comma separated value.
> > > > Am I really correct???
> > > >
> > > > Any other viable suggestion to properly configure MBSA & Windows Firewall, that is not importing the reg with a script, would be very much appreciated!
> > > >
> > > > Regards,
> > > > Gabriele
> > > >
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
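
The two "Endpoints" exports quoted in the digest above can be decoded to see what was actually written to the registry. This is an added example, not part of any list post: the hex data is re-joined from the wrapped lines of the quoted message, and the function names and the format check are illustrative assumptions based on the "ncacn_ip_tcp,0,x" format named in the thread.

```python
import re

# hex(7) values re-joined from the quoted message (REG_MULTI_SZ, UTF-16LE).
BUGGED = r'''hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,74,00,\
  63,00,70,00,22,00,00,00,22,00,30,00,22,00,00,00,22,00,34,00,33,00,32,00,31,\
  00,00,00,00,00'''
EXPECTED = r'''hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,74,00,\
  63,00,70,00,2c,00,30,00,2c,00,34,00,33,00,32,00,31,00,00,00,00,00'''


def hex7_to_bytes(value):
    """Turn a .reg 'hex(7):..' value, line continuations included, into bytes."""
    prefix = "hex(7):"
    if not value.startswith(prefix):
        raise ValueError("not a REG_MULTI_SZ (hex(7)) export value")
    body = re.sub(r"[\\\s]", "", value[len(prefix):])  # drop '\' and whitespace
    return bytes(int(pair, 16) for pair in body.split(",") if pair)


def decode_multi_sz(raw):
    """Split REG_MULTI_SZ bytes into strings; an empty string ends the list."""
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ data must be whole UTF-16 code units")
    strings = []
    for item in raw.decode("utf-16-le").split("\x00"):
        if item == "":
            break
        strings.append(item)
    return strings


def encode_multi_sz(strings):
    """Build REG_MULTI_SZ bytes: each string NUL-terminated, then a final NUL."""
    for s in strings:
        if not s or "\x00" in s:
            raise ValueError("entries must be non-empty and contain no NUL")
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def is_static_tcp_endpoint(strings):
    """Audit check: exactly one entry of the form ncacn_ip_tcp,0,<port>."""
    if len(strings) != 1:
        return False
    m = re.fullmatch(r"ncacn_ip_tcp,0,(\d{1,5})", strings[0])
    return bool(m) and 1 <= int(m.group(1)) <= 65535


if __name__ == "__main__":
    for label, value in (("bugged", BUGGED), ("expected", EXPECTED)):
        entries = decode_multi_sz(hex7_to_bytes(value))
        print(label, entries, "valid" if is_static_tcp_endpoint(entries) else "INVALID")
```

Decoded, the "bugged" value holds three separate strings with stray quotation marks, so the commas became string terminators rather than spaces; the same check can be run against an export from any machine the setting was pushed to.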