The usual IT babble
Posts tagged Thin Clients
Windows XP Embedded, Windows Server 2003 and GPO settings (the solution)
Jun 4th
OK, so about an hour ago (yeah, yeah; I know … I shouldn’t be working at that time, but it really gave me sleepless nights), I finally figured out why the hell both my Windows XP Embedded thin clients and my Windows Server 2003 systems were showing this really *weird* behaviour when applying group policies, or more precisely the user-based configuration of a group policy.
The inspiration came to me after reading this and taking a look at regedit myself, where I noticed the entry “Permissions” for the first time ever since I started using regedit. I also noticed that the regedit permissions seem to use the same groups one would assign to NTFS resources.
That said, it really all boils down to ntuser.dat (which *IS* HKEY_CURRENT_USER: the file is the hive that gets loaded as HKEY_CURRENT_USER at logon, and the key permissions are stored inside it). As I created the profile with a different user than the one I am using it with (basically, I want ~12,000 users to use this one profile), I needed to change the permissions *INSIDE* regedit to include a group containing all these users. After that, any user could again merge the settings from ntuser.pol into HKEY_CURRENT_USER\Software\Policies, which in turn gives you the joy of your fucking policies working again.
TADAAAAAA! About two weeks’ worth of work spent on such a shitty thing, and noticing it when you’re off work — priceless!
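The same permission change done from a script instead of by hand in regedit, as an added example that is not part of the original post. It is PowerShell (assumed to be available on the machine holding the master profile, not on the thin clients themselves); the profile path, the group name BARFOO\Thinclient-Users and the temporary hive name SharedProfile are assumptions. It loads ntuser.dat under HKEY_USERS, adds a Full Control ACE for the group on the hive root (which is what a user normally holds on their own HKEY_CURRENT_USER), checks that the ACE reaches Software\Policies, and unloads the hive. It also replaces the workaround from the May 26th post below of putting the domain users into the local Administrators group:

```powershell
# Added example, not code from the original post. Grants a domain group rights
# inside a shared profile's ntuser.dat, the hive that becomes HKEY_CURRENT_USER
# when the profile loads. Assumed values: the profile path, the group
# BARFOO\Thinclient-Users and the temporary hive name 'SharedProfile'.
# Run elevated, with the profile not in use: a hive that is already loaded
# cannot be loaded a second time.

$ProfilePath = 'C:\Profiles\thinclient'        # assumed location of the shared profile
$Group       = 'BARFOO\Thinclient-Users'       # assumed group holding the ~12,000 users
$HiveName    = 'SharedProfile'                 # temporary name under HKEY_USERS

$hivePath = Join-Path $ProfilePath 'ntuser.dat'
if (-not (Test-Path $hivePath)) { throw "No ntuser.dat under $ProfilePath" }

# reg.exe loads the hive as HKEY_USERS\<name>; there is no cmdlet for this.
& reg.exe load "HKU\$HiveName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE); is the profile in use?" }

try {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $root = "HKU:\$HiveName"

    # Full Control on the hive root, inherited by every subkey, so the user
    # half of the GPO can be written into Software\Policies at logon.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $root
    $acl.AddAccessRule($rule)
    Set-Acl -Path $root -AclObject $acl

    # Check that the ACE is present on the root and inherited by Policies.
    foreach ($key in @($root, (Join-Path $root 'Software\Policies'))) {
        if (-not (Test-Path $key)) { continue }
        $hit = (Get-Acl -Path $key).Access |
            Where-Object { $_.IdentityReference.Value -eq $Group }
        if (-not $hit) { throw "$Group has no ACE on $key" }
        foreach ($ace in $hit) {
            Write-Host "$key : $Group $($ace.RegistryRights) (inherited: $($ace.IsInherited))"
        }
    }
}
finally {
    # Drop the handles the registry provider still holds, then unload the
    # hive; while it stays loaded, ntuser.dat remains locked on disk.
    [GC]::Collect()
    & reg.exe unload "HKU\$HiveName" | Out-Null
}
```

Because key permissions are stored inside the hive file, the fixed ntuser.dat can be copied to the profile location and every client that loads it gets the ACE. The caveat is the one the post's setup implies: Full Control inside a hive that thousands of users share means any member can change settings the next logon picks up, unless the profile is a mandatory one (ntuser.man), where changes are discarded at logoff.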
Windows XP Embedded and GPO settings (continued)
May 26th
Well, as I said in my previous post, I do have some weird things happening. Apparently adding the domain user to the local group “Administrators” makes everything just work fine, yet he can’t do administrator-like stuff (like turning off the write protection, changing local user accounts, …).
Also, if you’re looking for a smart way to add a certain global group (as in an Active Directory group) to a local group, try this:
NET LOCALGROUP Administrators /ADD DOMAIN\GROUPNAME
That simple; it doesn’t even need the usual credentials to look up the object, it apparently bypassed that step *shrug*.
And yet another weird thing: if I run a certain command from a deployment script, it gives me a different result than a manual execution of said script would give me … *shrug*
REM cmd.exe continues a line with ^ (not \), and NETDOM's options for the
REM account on the machine being joined are /UserO and /PasswordO (letter O).
REM %ADMIN% must be defined in the environment the script actually runs in.
NETDOM JOIN %COMPUTERNAME% /domain:barfoo.org ^
    /OU:"OU=Thinclients,OU=Computers,DC=barfoo,DC=org" ^
    /UserD:%ADMIN% /PasswordD:somepass ^
    /UserO:Administrator /PasswordO:Administrator
REM Both passwords sit in cleartext in a script every thin client receives.
NET LOCALGROUP Administrators /ADD BARFOO\Domain-Users
If I put that into an rsp (that is, a Wyse Device Manager script), it isn’t working. If I execute it myself without WDM, everything works like a charm … *yuck*