Hyena Launched Group Policy Editor Corrupts GPOs?


  • Hyena Launched Group Policy Editor Corrupts GPOs?

    Active Directory 2003 SP2, running Hyena v7.2 from Windows XP SP2. Logged into XP as a "user" using Run As to launch Hyena as a domain admin.

    While using Hyena to view OUs, go to Properties, Group Policies and "Edit" a group policy, it looks as if items in the GP that were just "viewed" were actually changed. The items/settings were opened to see what all the options were and the Explanations. Then Cancel was clicked to get back out. But later in the day it was found that the changed settings that were "viewed" were actually enforced.

    Any issues with Hyena being run with Run As, or launching Group Policy Editor? Is this GPE part of Hyena or just whatever is installed on the workstation?

    Thanks -- Dana Brigham
    National Science Foundation

  • #2
    Re: Hyena Launched Group Policy Editor Corrupts GPOs?

    The command that Hyena runs to edit policy objects is this:

    mmc c:\windows\system32\gpedit.msc /gpobject:LDAP://CN={...},CN=Policies,CN=System,DC=YourDomain,DC=com

    The part in {...} is the 'Unique Name' which you can see if you click on the Properties button for any policy.

    The gpedit.msc is installed on all computers.

    Hyena does not actually update any settings in the group policy, as Microsoft does not clearly document the protocol to do so, which is why Hyena runs the group policy editor (gpedit.msc) to carry out those actions. The only items that Hyena modifies are the AD attributes for the policy.

    What I can't tell from your description of what happened is if you looked at the settings in gpedit of a policy and made some changes to see the descriptive text, then closed gpedit and came back to Hyena. Clicking Cancel in Hyena at this point would not have any effect on anything done in gpedit, as those changes are independent of Hyena.

    ADU&C works the same way, running gpedit.msc when you click the Edit button. Any changes made in gpedit will be saved independent of anything done in ADU&C.

    If I am not understanding this right, let me know exactly what you did as a simple example, and I can try to reproduce. In my test just now, I used the security settings (password age) for my test.

    Let me know if you have any questions on this and thanks for reporting this problem.
    Kevin Stanush
    SystemTools Software Inc.
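
Since changes saved in gpedit are written independently of the tool that launched it, one way to confirm whether a "view only" session modified a GPO is to compare the policy's version counter with a value recorded beforehand. The following is an added example, not code from Hyena or from the posters; the function names, the baseline value and the sample GPT.INI text are constructed, and the commented live lookup assumes the RSAT ActiveDirectory module.

```powershell
# A GPO version is one 32-bit number: upper 16 bits = user settings counter,
# lower 16 bits = computer settings counter. It is stored in AD (versionNumber)
# and in SYSVOL (GPT.INI, Version=); saved edits increment it.

function ConvertFrom-GpoVersion {
    param([Parameter(Mandatory)][long]$Version)
    [pscustomobject]@{
        Raw      = $Version
        User     = [int](($Version -shr 16) -band 0xFFFF)
        Computer = [int]($Version -band 0xFFFF)
    }
}

function Get-GptIniVersion {
    param([Parameter(Mandatory)][string]$GptIniText)
    if ($GptIniText -match '(?im)^\s*Version\s*=\s*(\d+)\s*$') { return [long]$Matches[1] }
    throw 'No Version= line found in GPT.INI content'
}

function Compare-GpoVersion {
    param(
        [Parameter(Mandatory)][long]$BaselineVersion,   # recorded before the session
        [Parameter(Mandatory)][long]$AdVersion,         # versionNumber read afterwards
        [Parameter(Mandatory)][string]$GptIniText       # GPT.INI content read afterwards
    )
    $base   = ConvertFrom-GpoVersion $BaselineVersion
    $ad     = ConvertFrom-GpoVersion $AdVersion
    $sysvol = ConvertFrom-GpoVersion (Get-GptIniVersion $GptIniText)
    [pscustomobject]@{
        ComputerDelta   = $ad.Computer - $base.Computer   # > 0: computer settings were saved
        UserDelta       = $ad.User - $base.User           # > 0: user settings were saved
        AdMatchesSysvol = ($ad.Raw -eq $sysvol.Raw)       # false: AD and SYSVOL copies disagree
    }
}

# Constructed sample: baseline 65540 (user 1, computer 4), then one computer-side save.
$sampleGptIni = @"
[General]
Version=65541
"@
Compare-GpoVersion -BaselineVersion 65540 -AdVersion 65541 -GptIniText $sampleGptIni

# Live lookup (the GUID is a placeholder; use the policy's 'Unique Name'):
# $dn  = 'CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=YourDomain,DC=com'
# $gpo = Get-ADObject -Identity $dn -Properties versionNumber, gPCFileSysPath
# $ini = Get-Content (Join-Path $gpo.gPCFileSysPath 'GPT.INI') -Raw
# Compare-GpoVersion -BaselineVersion 65540 -AdVersion $gpo.versionNumber -GptIniText $ini
```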



    • #3
      Re: Hyena Launched Group Policy Editor Corrupts GPOs?

      Thank you -- I thought that Hyena just launched the local MS-provided group policy editor and MMC, just wanted to make sure. The issue seems to be the editor/MMC, not Hyena.

      Thanks!

      Dana



      • #4
        Re: Hyena Launched Group Policy Editor Corrupts GPOs?

        By the way -- I checked with Microsoft Premier Support and they did say that they do not support using the GPEDIT MMC from Windows XP for modifying domain group policies, only local policies on the workstation.

        Is there a way that I can disable how Hyena launches the local GPEDIT to prevent our admins from using it with Hyena on Windows XP to update domain group policies?

        Thanks -- Dana



        • #5
          Re: Hyena Launched Group Policy Editor Corrupts GPOs?

          There isn't any way to modify it, but in the next update (including the next beta), I'll add a registry option for specifying the command that Hyena uses, in case you want to run a different MMC application for instance.

          You can also maybe access the shell properties for a container by selecting the Shell Properties option on the menu. There is a bug in Windows/AD that may cause the Group Policy tab to disappear if you click on it, but you can see if it works for you. This bypasses Hyena's usage of the policy editor and will instead use Microsoft's.
          Kevin Stanush
          SystemTools Software Inc.



          • #6
            Re: Hyena Launched Group Policy Editor Corrupts GPOs?

            While looking at this further, I was testing the GPMC console and from what I could tell, Microsoft still uses gpedit.msc to modify the contents of policies. When Microsoft told you that they don't want you to use/don't support using gpedit.msc on domain policies, I'm curious what they did suggest you use to edit these policies?

            Also, there are still a lot of users who don't use the newer GPMC, as it's optional. So if you have the basic tools installed, all you have is gpedit.msc to modify policies. Maybe I'm missing something.

            We used to have a Premier support contract, but when they outsourced it to you-know-where that was the end of that. Hopefully, your support is better than what we used to get.
            Kevin Stanush
            SystemTools Software Inc.



            • #7
              Re: Hyena Launched Group Policy Editor Corrupts GPOs?

              Quote: Originally posted by kstanush:
              > While looking at this further, I was testing the GPMC console and from what I could tell, Microsoft still uses gpedit.msc to modify the contents of policies. When Microsoft told you that they don't want you to use/don't support using gpedit.msc on domain policies, I'm curious what they did suggest you use to edit these policies?
              >
              > Also, there are still a lot of users who don't use the newer GPMC, as it's optional. So if you have the basic tools installed, all you have is gpedit.msc to modify policies. Maybe I'm missing something.
              >
              > We used to have a Premier support contract, but when they outsourced it to you-know-where that was the end of that. Hopefully, your support is better than what we used to get.

              They said that the supported method was to only use the GPEDIT.MSC on the exact same platform as AD -- so in our case only on Server 2003 systems, not the GPEDIT.MSC on our Windows XP workstations.

              Yeah -- it now takes a *week* to get a good technical answer that used to take 24 hours!

              Thanks -- Dana



              • #8
                Re: Hyena Launched Group Policy Editor Corrupts GPOs?

                The only problem with that answer is that there isn't any way for a customer to know this, and the installation of the administration tools (i.e. ADMINPAK.MSI, Active Directory Users and Computers) uses gpedit.msc, so this reply from Microsoft does not make much sense. The newer GPMC tool also seems to use gpedit.msc and you can install it on anything.

                I assume they want you to remote into a Windows 2003 server with terminal services and run gpedit there?
                Kevin Stanush
                SystemTools Software Inc.



                • #9
                  Re: Hyena Launched Group Policy Editor Corrupts GPOs?

                  Quote: Originally posted by kstanush:
                  > The only problem with that answer is that there isn't any way for a customer to know this, and the installation of the administration tools (i.e. ADMINPAK.MSI, Active Directory Users and Computers) uses gpedit.msc, so this reply from Microsoft does not make much sense. The newer GPMC tool also seems to use gpedit.msc and you can install it on anything.
                  >
                  > I assume they want you to remote into a Windows 2003 server with terminal services and run gpedit there?

                  That's what they told us (same level of support tech as you mentioned earlier). I'll hammer them on it....

                  Thanks -- Dana



                  • #10
                    Re: Hyena Launched Group Policy Editor Corrupts GPOs?

                    Hah -- now they're telling me that downloading and installing the GPMC is the supported way from XP to edit domain group policies -- but it doesn't update the MMC or the GPEDIT.MSC -- so I asked them why one engineer said not to use GPEDIT on XP to edit domain policies and now another engineer says it is fine....

                    Sheesh!

                    Dana
