Re: user and administrator policies

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/20/05

    Date: Sat, 20 Aug 2005 03:10:31 -0500
    
    

    All you really need to do is give "administrators" deny for apply.
    Administrator, domain admins, and enterprise admins are all members of the
    administrators group [or should be]. If the users that you listed are not in
    any administrator group for the domain then create a global group for them,
    add them to the global group, and then give that global group deny
    permission for apply.

    Yes domain level policy can flow down to all users/computers in the domain
    except for settings defined for domain controllers in Domain Controller
    Security Policy. If you have created an Organizational Unit with a Group
    Policy with defined settings then those settings will override the same
    defined settings in the domain Group Policy with the notable exception that
    account/password policy can be applied only at the domain level for domain
    users.

    Be sure to install Group Policy Management Console on your domain controller
    as it will make managing and troubleshooting Group Policy much easier. You
    can also use Resultant Set of Policy to see exactly what settings are being
    applied to a user and from what GP. It can also display information about
    filtering of GP which is what you are attempting to do.

    http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

    I don't know how much you know about Active Directory but it is imperative
    that your dns is configured correctly for the domain or all sorts of
    problems will arise including inconsistent application of Group Policy.
    See the link below for more info on dns for an Active Directory domain and
    use the support tools netdiag, dcdiag, gpresult, and gpotool when you are
    experiencing problems in your domain. Netdiag and gpresult can also be used
    on all domain computers. Also frequently check the logs on your domain
    controller and any computer via Event Viewer that is experiencing problems
    for helpful information.

    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- AD
    dns FAQ

    FYI Windows 2003 and XP Pro can use Software Restriction Policies managed
    via Group Policy with hash, certificate, and path rules to manage what
    software a user can install or run on his computer. You can also start with
    a default allowed or disallowed rule and then create the exceptions. SRP is
    very powerful but takes some time to figure out how to use correctly. See
    the link below if interested and keep in mind that desktop shortcuts are
    considered a program as far as SRP is concerned which can trip you up if
    you start with the default disallowed rule. --- Steve

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

    "soscc" <soscc@discussions.microsoft.com> wrote in message
    news:3689B2BB-C9C7-4784-951F-55036836A85D@microsoft.com...
    > i'm trying to set up a win2k3 server and restrict user policies. i have
    > followed kb816100 that says it will prevent group policies from flowing to
    > administrators. this is my first try at using policies to lock down the
    > workstations in a school lab. the workstations are winxp machines. the way i
    > understand policies is that whatever i set at the domain level will flow to
    > the workstation that is logged into the domain. correct?
    >
    > whenever i try to restrict, say the run item from appearing on the menu, as
    > soon as i put that restriction in place the run item is gone from the menu.
    > i'm logged in as administrator on the server, which is an ad domain server.
    >
    > here's what i have set in the security tab per the kb:
    > administrator mchs\administrator deny group policy
    > administrators mchs\administrators deny group policy
    > authenticated users apply group policy
    > brad (brad@mchs.local) deny group policy
    > creator owner no policy selected
    > domain administrators deny group policy
    > enterprise administrators deny group policy
    > enterprise domain controllers no policy selected
    > soscc (soscc@mchs.local) deny group policy
    > system no policy selected
    > wayne (wayne@mchs.local) deny group policy
    >
    > i added administrator, brad, wayne, and soscc to the list, all of the other
    > groups were in the list. do i need to add the group users to this list?
    > --
    > lost a few miles from nowhere...
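
Added example, not part of the original post: a small Python model of the security filtering discussed in this message, showing why a deny on Apply Group Policy for a group overrides the allow that every account inherits from Authenticated Users. The group memberships, the LabAdmins group and the student1 account are constructed assumptions; a real check would use gpresult or Resultant Set of Policy.

```python
# Model of GPO security filtering: a GPO is applied to a user only when the
# user's token is allowed both Read and Apply Group Policy, and no ACE that
# matches the token denies either right. A matching deny beats any allow.
READ, APPLY = "Read", "Apply Group Policy"

# Constructed ACL modelled on the Security tab quoted in the post
# (assumption: Authenticated Users also hold Read).
GPO_ACL = [
    ("MCHS\\Administrators", "deny", APPLY),
    ("MCHS\\Domain Admins", "deny", APPLY),
    ("MCHS\\Enterprise Admins", "deny", APPLY),
    ("Authenticated Users", "allow", READ),
    ("Authenticated Users", "allow", APPLY),
]

# Constructed memberships; LabAdmins is a hypothetical global group for the
# non-administrator accounts that should escape the lockdown policy.
MEMBER_OF = {
    "MCHS\\Administrator": {"MCHS\\Domain Admins"},
    "MCHS\\Domain Admins": {"MCHS\\Administrators"},
    "MCHS\\brad": {"MCHS\\LabAdmins"},
    "MCHS\\student1": set(),
}
LAB_DENY = ("MCHS\\LabAdmins", "deny", APPLY)

def token(user, member_of=MEMBER_OF):
    """Return the user plus every group reached through nested membership."""
    seen, stack = {user, "Authenticated Users"}, [user]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def gpo_applies(user, acl, member_of=MEMBER_OF):
    """True when the GPO passes security filtering for this user."""
    sids = token(user, member_of)
    allowed, denied = set(), set()
    for trustee, ace_type, right in acl:
        if trustee in sids:
            (denied if ace_type == "deny" else allowed).add(right)
    return {READ, APPLY} <= allowed - denied

if __name__ == "__main__":
    for user in MEMBER_OF:
        if "\\Domain" not in user:
            print(user, gpo_applies(user, GPO_ACL + [LAB_DENY]))
```

With only the administrator groups denied, brad still receives the policy through Authenticated Users; adding the deny for the global group filters him out while student1 stays locked down.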

