Re: Machine policy when user logged onto local machine

From: Steven L Umbach (sumbach@ameritech.net)
Date: 03/29/03


From: "Steven L Umbach" <sumbach@ameritech.net>
Date: Sat, 29 Mar 2003 19:45:20 GMT


No, because the machine is still a member of the domain no matter if
you log into the domain or local machine. If you cannot see effective
settings, then it sounds like domain policy has never propagated to the
client. Try to change a setting on the local machine policy and do a
refresh. I have found that this sometimes gets things happening. --- Steve

"Martin" <x@y.z> wrote in message
news:#ZGs24h9CHA.824@TK2MSFTNGP11.phx.gbl...
> Hi again Steve,
>
> Interesting point about effective settings. I cannot see these anywhere.
> NB most of the time I'm logged in on a local machine account, not a domain
> account, would that account for no effective settings column?
>
> Thanks for the info on re secedit /refreshpolicy machine_policy /enforce. I
> had just been rebooting the client to force it to take the new policy. I'm
> still learning the Active Directory ropes.
>
> I've disabled the security policy for the moment until I've got a better
> understanding of the other issues involved. I want to be able to logon to
> the client locally without getting event log errors.
>
> Thanks again
> Martin
>
>
> "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> news:lAlha.475$kd1.407558@newssrv26.news.prodigy.com...
> > Hi Martin. As I mentioned in another post to you, I would use dcdiag
> > and netdiag to make sure dc and workstations are set up correctly. The
> > domain policy should propagate to domain computers unless they are located
> > in an OU that has an overriding policy. If you check local security policy
> > on a client machine, you should see local settings and effective settings
> > for user rights and security options. If effective settings are different
> > than local settings then policies from the domain are propagating assuming
> > you have made any changes. Changes to domain policy will not be reflected
> > immediately in client computers. Many changes can take up to two hours to
> > show up. After making a change on a dc run [secedit /refreshpolicy
> > machine_policy /enforce] on the dc. Wait a minute or so and reboot domain
> > client. Group policies not propagating can be a result of physical network
> > problems, firewalls, dns misconfiguration, breakdown in secure channel,
> > incompatible security options, problems with sysvol on dc, and other issues
> > of course. --- Steve
> >
> > "Martin" <x@y.z> wrote in message
> > news:OR3hVNh9CHA.2040@TK2MSFTNGP10.phx.gbl...
> > > That's what I thought, but I see no sign of the IPSec policy having been
> > > applied. I get no warning when I open the IPSec policies on the local
> > > computer that the domain IPSec policy will override it. - Any ideas why that
> > > would be?
> > >
> > > Thanks
> > > Martin
> > >
> > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> > > news:Njjha.283$kd1.372334@newssrv26.news.prodigy.com...
> > > > Yes it will. Machine policy is applied before you even log on. ---
> > > > Steve
> > > >
> > > > "Martin" <x@y.z> wrote in message
> > > > news:OW2Phof9CHA.1612@TK2MSFTNGP11.phx.gbl...
> > > > > Hi,
> > > > >
> > > > > I know there are computer based policies and user based policies.
> > > > > I have a domain security IPSec policy, which I presume will work its way
> > > > > down to a computer based policy rather than a user based policy.
> > > > >
> > > > > My question is, if I log onto a computer that is in the domain, but I log
> > > > > onto it locally - ie. I don't log onto the domain, will that computer still
> > > > > get computer based policies applied? Specifically should my domain security
> > > > > IPSec policy apply - I see no sign that it is.
> > > > >
> > > > > Thanks
> > > > > Martin
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>


