How to create custom computer policy adm from registry

The problem:

I had to change the default regional settings on Windows Server 2003 so an application would show data correctly; it was installed with US regional settings but was used in the EU. It turns out that Windows does not have a system-wide regional setting. At installation, the default profile is set with whatever was picked during setup, and that default profile is used for every user account that gets created, so once an account is created it stores its own regional settings (currency, date, time, etc.). All of this is stored in the registry, and the options are a login script, a local GPO, a domain-level GPO, or just deleting all the current user profiles. I went with a local GPO, as it was only for a few systems.

Warning: Make sure you back up your system before you do the steps below. If you don’t know what you’re doing in the registry, you may not want to do this, as it could destroy your system.

The fix:

  1. Make a copy of the registry as a backup.
  2. As the current user, change the regional settings to the ones you want (Control Panel>Regional and Language Options); on the Advanced tab, check apply all settings to current user and default profile (this changes it for your user ID and all new ones).
  3. Make a copy of the new changes (export the registry key HKEY_CURRENT_USER>Control Panel>International). Note: HKEY_USERS>.DEFAULT>Control Panel>International holds the default user settings, but you DON’T want to copy this one.
  4. Use a .reg to .adm converter tool or create the .adm yourself (RegToADM from the nuts.exe package from http://yizhar.mvps.org/).
  5. Copy the new .adm file to C:\windows\inf.
  6. Open gpedit.msc.
  7. Add your new .adm file to User Configuration>Administrative Templates (right-click, Add/Remove Templates, then Add and find your new .adm file).
  8. Change your filter options (with Administrative Templates highlighted, go to View>Filtering and uncheck “Only show policy settings that can be fully managed”; otherwise you will not see your settings).
  9. Enable all your new settings (go to the folder the .adm file created under User Configuration>Administrative Templates; this will update all current user profiles with the new settings after they log in).
  10. You may need to reboot if it’s not working well with your applications.
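
An added example, not from the original post and not RegToADM's own code: a Python sketch of the step 4 conversion that emits one EDITTEXT policy per string value of the exported key, which lies outside the Policies registry branches and so only shows in gpedit once the step 8 filter is off. The category name, function names and sample export are assumptions constructed for illustration.

```python
import re

# Constructed sample of a regedit export (step 3); values are illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\International]
"sShortDate"="dd/MM/yyyy"
"sDecimal"=","
"sThousand"="."
"iMeasure"="0"
'''

# "name"="data" lines only; dword:/hex: values and the @ default are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
HIVES = {"HKEY_CURRENT_USER": "USER", "HKEY_LOCAL_MACHINE": "MACHINE"}

def unescape(s):
    # .reg exports escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def reg_to_adm(reg_text, category="Regional Settings (custom)"):
    """Turn the REG_SZ values of an exported key into ADM template text."""
    adm_class, keyname, values = None, None, []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, keyname = line[1:-1].partition("\\")
            if adm_class not in (None, HIVES[hive]):
                raise ValueError("export mixes hives; convert one at a time")
            adm_class = HIVES[hive]
        elif keyname and (m := VALUE_RE.match(line)):
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if '"' not in name + data:   # skip: a quote would break the ADM string
                values.append((keyname, name, data))
    if not values:
        raise ValueError("no string values found in export")
    out = [f"CLASS {adm_class}", f'CATEGORY "{category}"']
    for key, name, data in values:
        out += [f'  POLICY "{name}"',
                f'    KEYNAME "{key}"',
                f'    PART "{name}" EDITTEXT',
                f'      VALUENAME "{name}"',
                f'      DEFAULT "{data}"',
                "    END PART",
                "  END POLICY"]
    out.append("END CATEGORY")
    return "\r\n".join(out) + "\r\n"

if __name__ == "__main__":
    print(reg_to_adm(SAMPLE_REG))
```

A real regedit export is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.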

Helpful links if you need more help

http://support.microsoft.com/kb/924852
http://support.microsoft.com/?kbid=323639
http://www.windowsitpro.com/article/registry2/jsi-tip-0311-regional-settings-in-the-registry-
http://yizhar.mvps.org/
http://support.microsoft.com/kb/225087
https://www.youtube.com/watch?v=Up0Sd_R8KNM
https://groups.google.com/forum/?fromgroups#!topic/microsoft.public.win2000.group_policy/HbN-0gfR_MU
https://blogs.technet.com/b/askds/archive/2007/08/14/deploying-custom-registry-changes-through-group-policy.aspx?Redirected=true


How to join Linux to AD

There is a great article on how to join Linux systems to AD at

http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

Adding an OA to AD

Due to the lack of documents stating anything about this step, I’m blogging it for anyone that is having a problem with it.

Within the Onboard Administrator

Go to Users/Authentication> Directory Settings

  1. Check “Enable LDAP Authentication”
  2. Add your LDAP/AD address to “Directory Server Address”, such as the IP of your LDAP server or AD domain controller
  3. Add your SSL port number to “Directory Server SSL Port”; the default is 636 if you are using SSL
  4. In “Search Context 1”, list the LDAP location where your user IDs are kept, like (OU=xxxx,OU=xxx,DC=xxx) etc.
  5. Check “Use NT Account Name Mapping” (DOMAIN\username) if using AD

Go to Users/Authentication> Directory Groups

  1. Click on New
  2. In “Group Name”, enter the name of the LDAP group you would like to give access to
  3. Assign it an access level at “Privilege Level”
  4. Assign it device access below (Note: if it is Privilege Level Administrator, you will want to check all fields; otherwise you will not have full access)

[Screenshots: Before and After]

Recommended Step:

Go to Users/Authentication> Local Users

And add a common local admin in case your directory server is not available; then follow the same access steps you used when creating the directory group for the local admin account, like the screenshots above.

Adding iLO2 to AD

NOTE: To be able to use DOMAIN\Username or username@domain, you must enable “Initialize and script ActiveX” within the IE security settings; otherwise you can only use the displayed name used in LDAP.

Under Administration>Security>Directory Settings

Authentication Settings

Click Use Directory Default Schema

Directory Server Settings

  1. Directory Server Address: add your LDAP or AD server’s name here
  2. Directory Server LDAP Port: if using SSL, add the SSL port; the default is 636
  3. Directory User Context 1: add the location of your user IDs from LDAP, in the form (OU=xxx,OU=xxx,DC=xxx)