Newbie policy & security groups ?: SBS/Win 2003 AD

Archived from groups: microsoft.public.win2000.security

I hope someone can pinpoint what I am doing wrong in the following:

In AD, I create an OU, create a user policy to do obvious desktop things
like remove the Run menu, and I assign/link the policy to the OU. Other than
this policy, there are only the default policies which come with SBS 2003.

If I move a user object to the OU, then log the user onto an XP client, the
policy is applied as expected.

Here is the problem: if I create a global or domain security group and add
this user to the group, and move the security group to the OU the policy is
not applied when this user logs on.

Additional symptom: When this user logs on in the 2nd scenario, besides the
custom policy not being applied, it appears that a previous domain policy
which has been removed is trying to apply. It was a software install policy
that results in a message when the user logs on saying "you have to be an
admin to install software".

One more thing: I cannot run the group policy results in SBS for this user
and computer. I receive "rpc server unavailable" errors, but all the
appropriate services are running.

Thanks for anything--Gina
  1.

    The user or computer that you are applying the Group Policy to must be in
    the OU. It should not matter where the groups are as Group Policy does not
    apply to groups - only users and computers but groups can be used to manage
    who Group Policy applies to via changing the "apply" permission for the
    Group Policy. Use only global groups if you are trying to manage Group
    Policy apply permissions. The rpc unavailable error could mean that the
    computer that you are trying to run the RSOP for is not turned on, it has a
    firewall enabled on it, or there is a name resolution problem. See the link
    below on Active Directory dns as proper dns configuration in the domain is
    critical for Group Policy and everything else to work properly. The support
    tools netdiag and dcdiag are very helpful in tracking down domain/networking
    problems that can contribute to Group Policy problems. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- dns
    FAQ
    http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
    and how to install support tools.

  2.

    Thank you Steven. What you said about policy applying only to users and
    computers I finally discovered on a google forum. I am amazed that with all
    the reading I have been doing lately, that simple fact was not apparent.
    What is confusing to me is that with the GPMC, you can use security groups to
    apply policy through filtering, right?

    I will look into your suggestions on the RPC problem. Thank you very much.
    --Gina

  3.

    Security groups have always been used to filter Group Policy. That is not
    unique to GPMC. By default authenticated users have the apply permission to
    a Group Policy but you can modify that to your needs. The free Windows 2003
    Server Deployment Kit is some of the best reading around for Windows 2003.
    It is divided up into many chapters as shown in the link below. --- Steve

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dpgDME_overview.asp

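Steve's point in this reply and in his first one is that policy is applied to users and computers, and a security group only narrows that through the "Apply Group Policy" permission, which Authenticated Users hold by default. The following is an added example and not code from the thread: it scripts that filtering with the GroupPolicy and ActiveDirectory PowerShell modules (RSAT / Windows Server 2008 R2 and later, which SBS 2003 did not ship), and the GPO name and group name are placeholders.

```powershell
# Added example (not from the thread): scope a GPO to one global security group.
# Requires the GroupPolicy and ActiveDirectory modules (RSAT / Server 2008 R2+).
# GPO and group names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Desktop Lockdown'      # placeholder: the GPO linked to the OU
$GroupName = 'GP-Desktop-Lockdown'   # placeholder: a GLOBAL security group

# Steve's rule: filter only with global groups. Fail early if the scope is wrong.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupScope -ne 'Global') {
    throw "$GroupName is a $($group.GroupScope) group; use a global group for GPO filtering."
}

# Show who currently has Apply (Authenticated Users, unless already changed).
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { "before: {0} -> {1}" -f $_.Trustee.Name, $_.Permission }

# Grant the group Apply (GpoApply includes Read).
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Downgrade Authenticated Users to Read instead of removing them: since MS16-072
# (2016) user-side settings are fetched in the computer's security context, so
# computers must still be able to read the GPO or nothing in it applies.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Verify: the group should be the only Apply trustee, Authenticated Users Read only.
Get-GPPermission -Name $GpoName -All |
    ForEach-Object { "after:  {0} -> {1}" -f $_.Trustee.Name, $_.Permission }
```

Filtering only ever removes objects from a GPO's scope; the user or computer account must still sit in (or below) the OU the GPO is linked to, which is exactly the trap Gina hit by moving the group instead of the user.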
  4.

    Yes Steven, I am new to GPO, and the fact about sec groups was lost on me in
    the volumes of articles I have been reading. I guess it's one of those
    fundamental laws no one bothers to mention anymore.

    Regarding the RPC error--my problem was that I needed to allow remote
    administration on the XP client. I created a policy for XP machines that did
    that and got the RSoP wizard to run. However, I'm using SBS 2003, and when
    the wizard completes and I click the "finish" button, it says "generating
    report..." and hangs the server management GUI. Any ideas on that?

    Thanks Steven. --Gina
  5.

    I really do not know exactly why that is happening. I know it can take up to
    a few minutes for RSOP to complete. I do know that for XP Pro computers that
    the built in firewall if enabled will interfere with RSOP logging mode for
    that target computer. The XP firewall can be configured to allow access to
    file and print sharing ports. If you cannot telnet into an XP computer of
    yours on port 139 or 445 TCP then the firewall is probably blocking access.
    To use telnet try at the command line " telnet xxx.xxx.xxx.xxx 139" for
    example to test port 139 TCP using the actual IP address of the target
    computer. If the port is available you will get a blank screen with a
    blinking cursor. If not you will get an access denied message.

    Another potential problem is if your domain controller or domain clients are
    misconfigured as far as dns. For Active Directory, the domain controller
    must point to itself as its preferred dns server and the domain computers
    must point to only the domain controller as their preferred dns server and
    as shown with ipconfig /all. NEVER list an ISP dns server in the list of
    preferred dns servers for any domain computer. The domain client computer
    should be able to ping the domain controller by its IP address and fully
    qualified domain name as in dc1.mydomain.com. The domain controller must
    also be able to ping the domain clients in the same way. There are support
    tools called netdiag and dcdiag that can help in determining if the domain
    controller and domain clients are configured correctly and can communicate
    correctly with the domain controller. Dcdiag is only for domain controllers
    while netdiag is for both. Also always make it a habit to check Event Viewer
    on your domain controller and domain clients whenever you are having
    problems as often pertinent errors are recorded that can give you a clue as
    to the problem. The links below may help. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- a
    must read on AD dns
    http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag.
    Pertains to W2003 also, just be sure to install from the disk for the
    appropriate operating system.

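The checks Steve walks through by hand (ipconfig /all for the DNS server list, ping by IP and by FQDN, telnet to 139 or 445 to see whether the XP firewall is in the way) can be run as one script from the machine that is trying to generate the RSoP report. This is an added example, not code from the thread: it uses the Test-NetConnection, Resolve-DnsName and Get-DnsClientServerAddress cmdlets from Windows 8 / Server 2012 and later, the host names are placeholders, and TCP 135 (the RPC endpoint mapper) is included here in addition to the two ports Steve names.

```powershell
# Added example (not from the thread): scripted version of Steve's manual
# DNS / reachability / port checks for an RSoP "RPC server unavailable" error.
# Cmdlets need Windows 8 / Server 2012 or later. Host names are placeholders.
param(
    [string]$Target           = 'xpclient01.mydomain.com',  # placeholder: computer RSoP targets
    [string]$DomainController = 'dc1.mydomain.com'          # FQDN form used in the thread
)

# 1. DNS client configuration on this host: only the domain controller(s) should
#    be listed. An ISP resolver here breaks AD lookups (Steve's "NEVER").
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
$dcAddresses = Resolve-DnsName -Name $DomainController -Type A -ErrorAction Stop |
    Where-Object IPAddress | Select-Object -ExpandProperty IPAddress
$foreign = $dnsServers | Where-Object { $_ -notin $dcAddresses }
if ($foreign) {
    Write-Warning "Non-domain DNS servers configured: $($foreign -join ', ')"
} else {
    "dns client config: only domain DNS servers ($($dnsServers -join ', '))"
}

# 2. Name resolution and reachability: the target by FQDN and by IP, and the DC.
$targetIp = Resolve-DnsName -Name $Target -Type A -ErrorAction Stop |
    Where-Object IPAddress | Select-Object -ExpandProperty IPAddress -First 1
foreach ($name in $Target, $targetIp, $DomainController) {
    $ok = Test-Connection -ComputerName $name -Count 2 -Quiet
    "{0,-35} ping: {1}" -f $name, $(if ($ok) { 'ok' } else { 'FAILED' })
}

# 3. Ports RSoP logging mode needs open on the target: 135 (RPC endpoint mapper,
#    added here), 139 and 445 (file and print sharing, as Steve describes).
#    A blocked port with a host that pings is the signature of the XP firewall.
foreach ($port in 135, 139, 445) {
    $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    "{0,-35} tcp/{1}: {2}" -f $Target, $port,
        $(if ($r.TcpTestSucceeded) { 'open' } else { 'blocked or closed' })
}
```

If the target answers ping but 139/445 (and 135) are blocked, the fix is the one Gina found: let Group Policy open the firewall for remote administration on the XP clients rather than disabling the firewall. Pertinent errors in Event Viewer on both ends, as Steve notes, usually confirm which of the three stages failed.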