Sign in with
Sign up | Sign in
Your question

Newbie policy & security groups ?: SBS/Win 2003 AD

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
March 8, 2005 11:03:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I hope someone can pinpoint what I am doing wrong in the following:

In AD, I create an OU, create a user policy to do obvious desktop things
like remove run menu, and I assign/link the policy to the OU. Other than
this policy, there is only the default policies which come with SBS 2003.

If I move a user object to the OU, then log the user onto an XP client, the
policy is applied as expected.

Here is the problem: if I create a global or domain security group and add
this user to the group, and move the security group to the OU the policy is
not applied when this user logs on.

Additional symptom: When this user logs on in the 2nd scenario, besides the
custom policy not being applied, it appears that a previous domain policy
which has been removed is trying to apply. It was a software install policy
that results in a message when the user logs on saying "you have to be an
admin to install software".

One more thing: I cannot run the group policy results in SBS for this user
and computer. I receive "rpc server unavailble" errors, but all the
appropriate services are running.

Thanks for anything--Gina
Anonymous
a b 8 Security
March 8, 2005 7:50:07 PM

Archived from groups: microsoft.public.win2000.security (More info?)

The user or computer that you are applying the Group Policy to must be in
the OU. It should not matter where the groups are as Group Policy does not
apply to groups - only users and computers but groups can be used to manage
who Group Policy applies to via changing the "apply" permission for the
Group Policy. Use only global groups if you are trying to manage Group
Policy apply permissions. The rpc unavailable error could mean that the
computer that you are trying to run the RSOP for is not turned on, it has a
firewall enabled on it, or there is a name resolution problem. See the link
below on Active Directory dns as proper dns configuration in the domain is
critical for Group Policy and everything else to work properly. The support
tools netdiag and dcdiag are very helpful in tracking down domain/networking
problems that can contribute to Group Policy problems. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-... --- dns
FAQ
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
and how to install support tools.

"Gina" <Gina@discussions.microsoft.com> wrote in message
news:31952EEB-F3F6-45A0-96DE-A18CDC8440E7@microsoft.com...
>I hope someone can pinpoint what I am doing wrong in the following:
>
> In AD, I create an OU, create a user policy to do obvious desktop things
> like remove run menu, and I assign/link the policy to the OU. Other than
> this policy, there is only the default policies which come with SBS 2003.
>
> If I move a user object to the OU, then log the user onto an XP client,
> the
> policy is applied as expected.
>
> Here is the problem: if I create a global or domain security group and
> add
> this user to the group, and move the security group to the OU the policy
> is
> not applied when this user logs on.
>
> Additional symptom: When this user logs on in the 2nd scenario, besides
> the
> custom policy not being applied, it appears that a previous domain policy
> which has been removed is trying to apply. It was a software install
> policy
> that results in a message when the user logs on saying "you have to be an
> admin to install software".
>
> One more thing: I cannot run the group policy results in SBS for this
> user
> and computer. I receive "rpc server unavailble" errors, but all the
> appropriate services are running.
>
> Thanks for anything--Gina
Anonymous
a b 8 Security
March 9, 2005 11:43:04 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thank you Steven. What you said about policy applying only to users and
computers I finally discovered on a google forum. I am amazed that with all
the reading I have been doing lately, that simple fact was not apparent.
What is confusing to me is that with the GPMC, you can use security groups to
apply policy through filtering, right?

I will look into your suggestions on the RPC problem. Thank you very much.
--Gina

"Steven L Umbach" wrote:

> The user or computer that you are applying the Group Policy to must be in
> the OU. It should not matter where the groups are as Group Policy does not
> apply to groups - only users and computers but groups can be used to manage
> who Group Policy applies to via changing the "apply" permission for the
> Group Policy. Use only global groups if you are trying to manage Group
> Policy apply permissions. The rpc unavailable error could mean that the
> computer that you are trying to run the RSOP for is not turned on, it has a
> firewall enabled on it, or there is a name resolution problem. See the link
> below on Active Directory dns as proper dns configuration in the domain is
> critical for Group Policy and everything else to work properly. The support
> tools netdiag and dcdiag are very helpful in tracking down domain/networking
> problems that can contribute to Group Policy problems. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-... --- dns
> FAQ
> http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
> and how to install support tools.
>
> "Gina" <Gina@discussions.microsoft.com> wrote in message
> news:31952EEB-F3F6-45A0-96DE-A18CDC8440E7@microsoft.com...
> >I hope someone can pinpoint what I am doing wrong in the following:
> >
> > In AD, I create an OU, create a user policy to do obvious desktop things
> > like remove run menu, and I assign/link the policy to the OU. Other than
> > this policy, there is only the default policies which come with SBS 2003.
> >
> > If I move a user object to the OU, then log the user onto an XP client,
> > the
> > policy is applied as expected.
> >
> > Here is the problem: if I create a global or domain security group and
> > add
> > this user to the group, and move the security group to the OU the policy
> > is
> > not applied when this user logs on.
> >
> > Additional symptom: When this user logs on in the 2nd scenario, besides
> > the
> > custom policy not being applied, it appears that a previous domain policy
> > which has been removed is trying to apply. It was a software install
> > policy
> > that results in a message when the user logs on saying "you have to be an
> > admin to install software".
> >
> > One more thing: I cannot run the group policy results in SBS for this
> > user
> > and computer. I receive "rpc server unavailble" errors, but all the
> > appropriate services are running.
> >
> > Thanks for anything--Gina
>
>
>
Related resources
Anonymous
a b 8 Security
March 10, 2005 12:46:20 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Security groups have always been used to filter Group Policy. That is not
unique to GPMC. By default authenticated users have the apply permission to
a Group Policy but you can modify that to your needs. The free Windows 2003
Server Deployment Kit is some of the best reading around for Windows 2003.
It is divided up into may chapters as shown in the link below. --- Steve

http://www.microsoft.com/resources/documentation/Window...

"Gina" <Gina@discussions.microsoft.com> wrote in message
news:80075A15-14F6-4D0E-A889-E688B0FE9BA3@microsoft.com...
> Thank you Steven. What you said about policy applying only to users and
> computers I finally discovered on a google forum. I am amazed that with
> all
> the reading I have been doing lately, that simple fact was not apparent.
> What is confusing to me is that with the GPMC, you can use security groups
> to
> apply policy through filtering, right?
>
> I will look into your suggestions on the RPC problem. Thank you very
> much.
> --Gina
>
> "Steven L Umbach" wrote:
>
>> The user or computer that you are applying the Group Policy to must be in
>> the OU. It should not matter where the groups are as Group Policy does
>> not
>> apply to groups - only users and computers but groups can be used to
>> manage
>> who Group Policy applies to via changing the "apply" permission for the
>> Group Policy. Use only global groups if you are trying to manage Group
>> Policy apply permissions. The rpc unavailable error could mean that the
>> computer that you are trying to run the RSOP for is not turned on, it has
>> a
>> firewall enabled on it, or there is a name resolution problem. See the
>> link
>> below on Active Directory dns as proper dns configuration in the domain
>> is
>> critical for Group Policy and everything else to work properly. The
>> support
>> tools netdiag and dcdiag are very helpful in tracking down
>> domain/networking
>> problems that can contribute to Group Policy problems. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-... ---
>> dns
>> FAQ
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
>> netdiag
>> and how to install support tools.
>>
>> "Gina" <Gina@discussions.microsoft.com> wrote in message
>> news:31952EEB-F3F6-45A0-96DE-A18CDC8440E7@microsoft.com...
>> >I hope someone can pinpoint what I am doing wrong in the following:
>> >
>> > In AD, I create an OU, create a user policy to do obvious desktop
>> > things
>> > like remove run menu, and I assign/link the policy to the OU. Other
>> > than
>> > this policy, there is only the default policies which come with SBS
>> > 2003.
>> >
>> > If I move a user object to the OU, then log the user onto an XP client,
>> > the
>> > policy is applied as expected.
>> >
>> > Here is the problem: if I create a global or domain security group and
>> > add
>> > this user to the group, and move the security group to the OU the
>> > policy
>> > is
>> > not applied when this user logs on.
>> >
>> > Additional symptom: When this user logs on in the 2nd scenario,
>> > besides
>> > the
>> > custom policy not being applied, it appears that a previous domain
>> > policy
>> > which has been removed is trying to apply. It was a software install
>> > policy
>> > that results in a message when the user logs on saying "you have to be
>> > an
>> > admin to install software".
>> >
>> > One more thing: I cannot run the group policy results in SBS for this
>> > user
>> > and computer. I receive "rpc server unavailble" errors, but all the
>> > appropriate services are running.
>> >
>> > Thanks for anything--Gina
>>
>>
>>
Anonymous
a b 8 Security
March 10, 2005 9:15:06 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Yes Steven, I am new to GPO, and the fact about sec groups was lost on me in
the volumes of articles I have been reading. I guess it's one of those
fundemental laws no one bothers to mention anymore.

Regarding the RPC error--my problem was that I need to allow remote
administration on the XP client. I created a policy for XP machines that did
that and got the RSoP wizard to run. However, I'm using SBS 2003, and when
the wizard completes and I click the "finish" button, it says "generating
report..." and hangs the server management GUI. Any ideas on that?

Thanks Steven. --Gina
"Steven L Umbach" wrote:

> Security groups have always been used to filter Group Policy. That is not
> unique to GPMC. By default authenticated users have the apply permission to
> a Group Policy but you can modify that to your needs. The free Windows 2003
> Server Deployment Kit is some of the best reading around for Windows 2003.
> It is divided up into may chapters as shown in the link below. --- Steve
>
> http://www.microsoft.com/resources/documentation/Window...
>
> "Gina" <Gina@discussions.microsoft.com> wrote in message
> news:80075A15-14F6-4D0E-A889-E688B0FE9BA3@microsoft.com...
> > Thank you Steven. What you said about policy applying only to users and
> > computers I finally discovered on a google forum. I am amazed that with
> > all
> > the reading I have been doing lately, that simple fact was not apparent.
> > What is confusing to me is that with the GPMC, you can use security groups
> > to
> > apply policy through filtering, right?
> >
> > I will look into your suggestions on the RPC problem. Thank you very
> > much.
> > --Gina
> >
> > "Steven L Umbach" wrote:
> >
> >> The user or computer that you are applying the Group Policy to must be in
> >> the OU. It should not matter where the groups are as Group Policy does
> >> not
> >> apply to groups - only users and computers but groups can be used to
> >> manage
> >> who Group Policy applies to via changing the "apply" permission for the
> >> Group Policy. Use only global groups if you are trying to manage Group
> >> Policy apply permissions. The rpc unavailable error could mean that the
> >> computer that you are trying to run the RSOP for is not turned on, it has
> >> a
> >> firewall enabled on it, or there is a name resolution problem. See the
> >> link
> >> below on Active Directory dns as proper dns configuration in the domain
> >> is
> >> critical for Group Policy and everything else to work properly. The
> >> support
> >> tools netdiag and dcdiag are very helpful in tracking down
> >> domain/networking
> >> problems that can contribute to Group Policy problems. --- Steve
> >>
> >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-... ---
> >> dns
> >> FAQ
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
> >> netdiag
> >> and how to install support tools.
> >>
> >> "Gina" <Gina@discussions.microsoft.com> wrote in message
> >> news:31952EEB-F3F6-45A0-96DE-A18CDC8440E7@microsoft.com...
> >> >I hope someone can pinpoint what I am doing wrong in the following:
> >> >
> >> > In AD, I create an OU, create a user policy to do obvious desktop
> >> > things
> >> > like remove run menu, and I assign/link the policy to the OU. Other
> >> > than
> >> > this policy, there is only the default policies which come with SBS
> >> > 2003.
> >> >
> >> > If I move a user object to the OU, then log the user onto an XP client,
> >> > the
> >> > policy is applied as expected.
> >> >
> >> > Here is the problem: if I create a global or domain security group and
> >> > add
> >> > this user to the group, and move the security group to the OU the
> >> > policy
> >> > is
> >> > not applied when this user logs on.
> >> >
> >> > Additional symptom: When this user logs on in the 2nd scenario,
> >> > besides
> >> > the
> >> > custom policy not being applied, it appears that a previous domain
> >> > policy
> >> > which has been removed is trying to apply. It was a software install
> >> > policy
> >> > that results in a message when the user logs on saying "you have to be
> >> > an
> >> > admin to install software".
> >> >
> >> > One more thing: I cannot run the group policy results in SBS for this
> >> > user
> >> > and computer. I receive "rpc server unavailble" errors, but all the
> >> > appropriate services are running.
> >> >
> >> > Thanks for anything--Gina
> >>
> >>
> >>
>
>
>
Anonymous
a b 8 Security
March 10, 2005 3:14:39 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I really do not know exactly why that is happening. I know it can take up to
a few minutes for RSOP to complete. I do know that for XP Pro computers that
the built in firewall if enabled will interfere with RSOP logging mode for
that target computer. The XP firewall can be configured to allow access to
file and print sharing ports. If you can not telnet into a XP computer of
yours for port 139 or 445 TCP then the firewall is probably blocking access.
To use telnet try at the command line " telnet xxx.xxx.xxx.xxx 139" for
example to test port 139 TCP using the actual IP address of the target
computer. If the port is available you will get a blank screen with a
blinking cursor. If not you will get an access denied message.

Another potential problem is if your domain controller or domain clients are
misconfigured as far as dns. For Active Directory, the domain controller
must point to itself as it's preferred dns server and the domain computers
must point to only the domain controller as their preferred dns server and
as shown with ipconfig /all. NEVER list an ISP dns server in the list of
preferred dns servers for any domain computer. The domain client computer
should be able to ping the domain controller by it's IP address and fully
qualified domain name as in dc1.mydomain.com. The domain controller must
also be able to ping the domain clients in the same way. There are support
tools called netdiag and dcdiag that can help in determining if the domain
controller and domain clients are configured correctly and can communicate
correctly with the domain controller. Dcdiag is only for domain controllers
while netdiag is for both. Also always make it a habit to check Event Viewer
on your domain controller and domain clients whenever you are having
problems as often pertinent errors are recorded that can give you a clue as
to the problem. The links below may help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-... --- a
must read on AD dns
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag.
Pertains to W2003 also, just be sure to install from the disk for the
appropriate operating system.


"Gina" <Gina@discussions.microsoft.com> wrote in message
news:AE05352E-F9AF-4F23-AA64-8BB6A7B13D43@microsoft.com...
> Yes Steven, I am new to GPO, and the fact about sec groups was lost on me
> in
> the volumes of articles I have been reading. I guess it's one of those
> fundemental laws no one bothers to mention anymore.
>
> Regarding the RPC error--my problem was that I need to allow remote
> administration on the XP client. I created a policy for XP machines that
> did
> that and got the RSoP wizard to run. However, I'm using SBS 2003, and
> when
> the wizard completes and I click the "finish" button, it says "generating
> report..." and hangs the server management GUI. Any ideas on that?
>
> Thanks Steven. --Gina
> "Steven L Umbach" wrote:
>
>> Security groups have always been used to filter Group Policy. That is not
>> unique to GPMC. By default authenticated users have the apply permission
>> to
>> a Group Policy but you can modify that to your needs. The free Windows
>> 2003
>> Server Deployment Kit is some of the best reading around for Windows
>> 2003.
>> It is divided up into may chapters as shown in the link below. --- Steve
>>
>> http://www.microsoft.com/resources/documentation/Window...
>>
>> "Gina" <Gina@discussions.microsoft.com> wrote in message
>> news:80075A15-14F6-4D0E-A889-E688B0FE9BA3@microsoft.com...
>> > Thank you Steven. What you said about policy applying only to users
>> > and
>> > computers I finally discovered on a google forum. I am amazed that
>> > with
>> > all
>> > the reading I have been doing lately, that simple fact was not
>> > apparent.
>> > What is confusing to me is that with the GPMC, you can use security
>> > groups
>> > to
>> > apply policy through filtering, right?
>> >
>> > I will look into your suggestions on the RPC problem. Thank you very
>> > much.
>> > --Gina
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> The user or computer that you are applying the Group Policy to must be
>> >> in
>> >> the OU. It should not matter where the groups are as Group Policy does
>> >> not
>> >> apply to groups - only users and computers but groups can be used to
>> >> manage
>> >> who Group Policy applies to via changing the "apply" permission for
>> >> the
>> >> Group Policy. Use only global groups if you are trying to manage Group
>> >> Policy apply permissions. The rpc unavailable error could mean that
>> >> the
>> >> computer that you are trying to run the RSOP for is not turned on, it
>> >> has
>> >> a
>> >> firewall enabled on it, or there is a name resolution problem. See the
>> >> link
>> >> below on Active Directory dns as proper dns configuration in the
>> >> domain
>> >> is
>> >> critical for Group Policy and everything else to work properly. The
>> >> support
>> >> tools netdiag and dcdiag are very helpful in tracking down
>> >> domain/networking
>> >> problems that can contribute to Group Policy problems. --- Steve
>> >>
>> >>
>> >> ttp://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 ---
>> >> dns
>> >> FAQ
>> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
>> >> netdiag
>> >> and how to install support tools.
>> >>
>> >> "Gina" <Gina@discussions.microsoft.com> wrote in message
>> >> news:31952EEB-F3F6-45A0-96DE-A18CDC8440E7@microsoft.com...
>> >> >I hope someone can pinpoint what I am doing wrong in the following:
>> >> >
>> >> > In AD, I create an OU, create a user policy to do obvious desktop
>> >> > things
>> >> > like remove run menu, and I assign/link the policy to the OU. Other
>> >> > than
>> >> > this policy, there is only the default policies which come with SBS
>> >> > 2003.
>> >> >
>> >> > If I move a user object to the OU, then log the user onto an XP
>> >> > client,
>> >> > the
>> >> > policy is applied as expected.
>> >> >
>> >> > Here is the problem: if I create a global or domain security group
>> >> > and
>> >> > add
>> >> > this user to the group, and move the security group to the OU the
>> >> > policy
>> >> > is
>> >> > not applied when this user logs on.
>> >> >
>> >> > Additional symptom: When this user logs on in the 2nd scenario,
>> >> > besides
>> >> > the
>> >> > custom policy not being applied, it appears that a previous domain
>> >> > policy
>> >> > which has been removed is trying to apply. It was a software
>> >> > install
>> >> > policy
>> >> > that results in a message when the user logs on saying "you have to
>> >> > be
>> >> > an
>> >> > admin to install software".
>> >> >
>> >> > One more thing: I cannot run the group policy results in SBS for
>> >> > this
>> >> > user
>> >> > and computer. I receive "rpc server unavailble" errors, but all the
>> >> > appropriate services are running.
>> >> >
>> >> > Thanks for anything--Gina
>> >>
>> >>
>> >>
>>
>>
>>
!