Group policy user config
If I make a Group policy and in the settings tab there is no settings defined in the computer config but in the user config is where I have settings applied.
In the scope section should this be applied to computers or users? or does it not matter?
Hope this makes sense
Users, and computer settings applies to computers. Otherwise it doesnt apply the policy (unless you're using loopback)
For reference, if you're setting a User setting on a computer OU (because the options between the two sections are different, but you need to define something by logged on location) you need to go to computer config > admin templates > system > group policy > User group policy loopback processing mode, and set it to merge.
Setting it to replace means the log on will ignore all user settings defined at a user level and just use the settings defined in that computer GPO. useful if you're setting up a very locked down location.
All your GPOs with empty sections should have said empty section disabled as well, to speed up processing; on the Details tab of a group policy, change the GPO Status from Enabled to "Computer config disabled" (where you only have settings under User) or "User config disabled" (where you only have settings under Computer). Just makes logons a little bit quicker.
Ok guys Im so close I can almost taste it.
Been having a poke about in regedit and my problem is in current users > software > office >14 > common > vbaoff (1)
and in local machine > software > office >14 >common >vbaoff (1)
if im an admin i can go in and turn them both to 0 and problem solved.
if im a normal user ( i have allowed access to regedit for this) i can only update the current user when i go to local machine and try to change i get an error
I have now got a group policy that uses the admin templates so
computer config > policies > admin templates > microsoft office 2010(machine) >disable VBA for Office > disabled (needs to be disabled to enable it, well done microsoft)
and user config > policies . admin templates > microsoft office 2012 > disable vba for office > disable
i have given the security filtering to just one test member of staff logging on a computer and goint to regedit it looks like the current user setting has changed but the locam machine setting has not.
Is there anyway around this?
Really depends how your OUs are setup. Generally speaking you'd create an OU labelled Curric, then create sub OUs labelled Users and another called Workstations for example. Typically you'd link your main Curric GPO to Curric, but anything else more specific such as deploying MSIs or other system settings could be linked to the Workstations OU. Hope this makes sense!
Originally Posted by MattDLEA
So you have the settings in a GPO, with something set in both computer config and user config, applied to a computer OU, with security filtering set to a user group?
If so, then your computer would also need to be a member of said security group. Alternatively, add Domain Computers alongside it.
If you're still having problems, and you know the reg key you need to set, you could use Group Policy Preferences to set the key (lets you set HKLM and HKCU keys without needing to grant security access to regedit, which you're better off not doing)
Thanks for helping sonofsanta
correct i have both computer and user config applied in on group policy in the security filtering I have removed authenticated users and have added matt ( test user) and now PC17 which is the computer i have tested it on.
restarted computer a few times and still no luck with the LM key. i have logged on as admin and done gpupdate /force which but still the value is 1 not 0