none
GPP assigned to Users OU but use Item-Levewl targeting with Computers?

    Question

  • I have a group of machines that I would like to have Lync 2013 NOT autostart.  I can delete the registry key from the reference section below and Lync 2013 will not start (as expected).  These machines have 10-20 unique profiles that also need this key removed.  I was considering creating a Group Policy Preference (GPP) and assign it to the Users OU (as this is a HKCU setting) but use item-level targeting to a security group containing the computers that need the autostart disabled.  This will keep the registry key from being removed from the users primary computer but if they log into one of these machines in the security group it WILL be removed.

    Questions:

    Is applying the GPP to the Users OU and using Item-level filtering to a security group populated with computers the best approach? 

    Will the GPP get processed by all users every time they log in even if they aren't logging into one of the computers in the security group?  Note:  The Users OU would contains all users in the company.

    Reference:

    http://blogs.technet.com/b/rischwen/archive/2013/06/20/lync-2013-client-auto-start-registry-key.aspx

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Lync

    Thanks

    Wednesday, February 18, 2015 8:26 PM

Answers

  • Hi,

    >>Is applying the GPP to the Users OU and using Item-level filtering to a security group populated with computers the best approach? 

    Based on the description, we can prefer this approach to achieve our target.

    >>Will the GPP get processed by all users every time they log in even if they aren't logging into one of the computers in the security group? 

    When users logging onto the computers not in the security group, the GPP Registry item will not be processed, for these computers are filtered out by item-level targeting.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by mniccum Friday, February 20, 2015 3:28 PM
    Thursday, February 19, 2015 6:23 AM
    Moderator

All replies

  • Hi,

    >>Is applying the GPP to the Users OU and using Item-level filtering to a security group populated with computers the best approach? 

    Based on the description, we can prefer this approach to achieve our target.

    >>Will the GPP get processed by all users every time they log in even if they aren't logging into one of the computers in the security group? 

    When users logging onto the computers not in the security group, the GPP Registry item will not be processed, for these computers are filtered out by item-level targeting.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by mniccum Friday, February 20, 2015 3:28 PM
    Thursday, February 19, 2015 6:23 AM
    Moderator
  • I wanted to mention even though this approach did work, Lync would launch before the GPP would remove the entry from the registry so it would take another logon to get it disabled. This did not meet the requirements. I am still unable to determine how Lync adds the run line entry into a new user profile. I have reviewed .Default and cannot find where it gets added.  This is really a different issue not associated with GPP.

    Thanks

    Friday, February 20, 2015 3:31 PM
  • I wanted to mention even though this approach did work, Lync would launch before the GPP would remove the entry from the registry so it would take another logon to get it disabled. This did not meet the requirements. I am still unable to determine how Lync adds the run line entry into a new user profile. I have reviewed .Default and cannot find where it gets added.  This is really a different issue not associated with GPP.

    Thanks

    Is there any way to get the GPP to run before the lync.exe runs from HKCU\Software\Microsoft\Windows\CurrentVersion\Run? ...or more generically, can I configure GPP to run before the items in the HKCU Run key?  I need that entry gone before it gets processed.

    For new users Lync.exe will launch once, then the GPP removes the entry.  On the next logon Lync no longer runs.  I am trying to get the GPP to remove Lync from running on the first try.

    Thanks

    Monday, February 23, 2015 4:04 PM
  • > Is there any way to get the GPP to run before the lync.exe runs from
    > *HKCU\Software\Microsoft\Windows\CurrentVersion\Run*? ...or more
    > generically, can I configure GPP to run before the items in the HKCU Run
    > key?  I need that entry gone before it gets processed.
     
    GPP is processed BEFORE the Run key, but...
     
    > For new users Lync.exe will launch once, then the GPP removes the
    > entry.  On the next logon Lync no longer runs.  I am trying to get the
    > GPP to remove Lync from running on the first try.
     
    ...Lync seems to use ActiveSetup to populate the Run Entry and to
    immediately start itself. And ActiveSetup is processed AFTER GPP.
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 23, 2015 5:11 PM
  • > Is there any way to get the GPP to run before the lync.exe runs from
    > *HKCU\Software\Microsoft\Windows\CurrentVersion\Run*? ...or more
    > generically, can I configure GPP to run before the items in the HKCU Run
    > key?  I need that entry gone before it gets processed.
     
    GPP is processed BEFORE the Run key, but...
     
    > For new users Lync.exe will launch once, then the GPP removes the
    > entry.  On the next logon Lync no longer runs.  I am trying to get the
    > GPP to remove Lync from running on the first try.
     
    ...Lync seems to use ActiveSetup to populate the Run Entry and to
    immediately start itself. And ActiveSetup is processed AFTER GPP.
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    I have already looked in HKLM\Software\Microsoft\Active Setup\Installed Components and didn't see anything related to Lync.  Could it be somewhere else?

    Thanks

    Monday, February 23, 2015 7:55 PM
  • > I have already looked in HKLM\Software\Microsoft\Active Setup\Installed
    > Components and didn't see anything related to Lync.  Could it be
    > somewhere else?
     
    Nothing that I'm aware of... You might use Sysinternals "Autoruns" or
    Sysinternals "Procmon" (capture a boot/logon process).
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Tuesday, February 24, 2015 9:59 AM