user and administrator policies

Archived from groups: microsoft.public.win2000.security

I'm trying to set up a Win2k3 server and restrict user policies. I have
followed KB816100, which says it will prevent group policies from flowing to
administrators. This is my first try at using policies to lock down the
workstations in a school lab. The workstations are WinXP machines. The way I
understand policies is that whatever I set at the domain level will flow to
the workstation that is logged into the domain. Correct?

Whenever I try to restrict, say, the Run item from appearing on the menu, as
soon as I put that restriction in place the Run item is gone from the menu.
I'm logged in as administrator on the server, which is an AD domain server.

Here's what I have set in the security tab per the KB:

    Administrator (mchs\administrator)    - deny group policy
    Administrators (mchs\administrators)  - deny group policy
    Authenticated Users                   - apply group policy
    brad (brad@mchs.local)                - deny group policy
    Creator Owner                         - no policy selected
    Domain Administrators                 - deny group policy
    Enterprise Administrators             - deny group policy
    Enterprise Domain Controllers         - no policy selected
    soscc (soscc@mchs.local)              - deny group policy
    System                                - no policy selected
    wayne (wayne@mchs.local)              - deny group policy

I added administrator, brad, wayne, and soscc to the list; all of the other
groups were in the list. Do I need to add the group Users to this list?
--
lost a few miles from nowhere...
  1.

    All you really need to do is give "administrators" deny for apply.
    Administrator, domain admins, and enterprise admins are all members of the
    administrators group [or should be]. If the users that you listed are not in
    any administrator group for the domain then create a global group for them,
    add them to the global group, and then give that global group deny
    permission for apply.

    Yes domain level policy can flow down to all users/computers in the domain
    except for settings defined for domain controllers in Domain Controller
    Security Policy. If you have created an Organizational Unit with a Group
    Policy with defined settings then those settings will override the same
    defined settings in the domain Group Policy with the notable exception that
    account/password policy can be applied only at the domain level for domain
    users.

    Be sure to install Group Policy Management Console on your domain controller
    as it will make managing and troubleshooting Group Policy much easier. You
    can also use Resultant Set of Policy to see exactly what settings are being
    applied to a user and from what GP. It can also display information about
    filtering of GP which is what you are attempting to do.

    http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

    I don't know how much you know about Active Directory, but it is imperative
    that your DNS is configured correctly for the domain or all sorts of
    problems will arise, including inconsistent application of Group Policy.
    See the link below for more info on DNS for an Active Directory domain and
    use the support tools netdiag, dcdiag, gpresult, and gpotool when you are
    experiencing problems in your domain. Netdiag and gpresult can also be used
    on all domain computers. Also frequently check the logs on your domain
    controller, and on any computer that is experiencing problems, via Event
    Viewer for helpful information.

    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- AD
    DNS FAQ

    FYI Windows 2003 and XP Pro can use Software Restriction Policies managed
    via Group Policy with hash, certificate, and path rules to manage what
    software a user can install or run on his computer. You can also start with
    a default allowed or disallowed rule and then create the exceptions. SRP is
    very powerful but takes some time to figure out how to use correctly. See
    the link below if interested and keep in mind that desktop shortcuts are
    considered a program as far as SRP is concerned which can trip you up if
    you start with the default disallowed rule. --- Steve

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

    "soscc" <soscc@discussions.microsoft.com> wrote in message
    news:3689B2BB-C9C7-4784-951F-55036836A85D@microsoft.com...
  2.

    I forgot to add that it can take up to two hours for Group Policy changes to
    apply to domain computers/users. After you make changes to GP, use the
    command gpupdate to refresh the GP on the domain controller and then do the
    same on the computer you are testing, or reboot or logoff/logon as the case
    may be, depending on whether you are changing computer or user configuration.
    The links below explain more about gpupdate and how GP is refreshed. --- Steve

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b846f817-e308-442c-bcde-daa4a99c1ecf.mspx
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/b904dc05-56d7-4651-87df-c6a0c06a1802.mspx

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:%23cqGC4VpFHA.1416@TK2MSFTNGP09.phx.gbl...
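The filtering advice in the first reply (deny Apply Group Policy to the Administrators group, rely on nested membership for Domain Admins and Enterprise Admins) can be checked across a whole domain with the script below. It is an added example, not code from the thread or from Microsoft; it assumes the GroupPolicy PowerShell module (RSAT or a domain controller newer than the Windows 2003 GPMC discussed here) and read access to the GPOs. The group name in `$ExemptGroup` is an assumption matching the thread's setup.

```powershell
# Added audit script (not from the thread): lists, for every GPO in the current
# domain, who is allowed and who is denied the Apply Group Policy right, and
# flags GPOs that Authenticated Users apply while nothing exempts administrators.
Import-Module GroupPolicy

function Get-GpoApplyFilter {
    [CmdletBinding()]
    param(
        # Group whose members should be exempt from user lockdown policies
        # (assumed value; the thread denies Apply to the Administrators group).
        [string]$ExemptGroup = 'Administrators'
    )
    foreach ($gpo in Get-GPO -All) {
        # All ACEs on the GPO; the "Apply Group Policy" right is GpoApply.
        $apply = Get-GPPermission -Guid $gpo.Id -All |
                 Where-Object { $_.Permission -eq 'GpoApply' }
        $allow = @($apply | Where-Object { -not $_.Denied })
        $deny  = @($apply | Where-Object { $_.Denied })

        # Broad scope: Authenticated Users (the default) applies the GPO.
        $broad  = [bool]($allow | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })
        # Exemption: an explicit Deny Apply on the admin group. A deny ACE wins
        # over the allow, and covers Administrator, Domain Admins and Enterprise
        # Admins through their membership in that group.
        $exempt = [bool]($deny  | Where-Object { $_.Trustee.Name -eq $ExemptGroup })

        [pscustomobject]@{
            Gpo             = $gpo.DisplayName
            UserSettings    = $gpo.User.Enabled
            ApplyAllowedTo  = ($allow.Trustee.Name) -join ', '
            ApplyDeniedTo   = ($deny.Trustee.Name)  -join ', '
            # The situation from the original post: the lockdown also hits admins.
            AdminsLockedOut = ($broad -and -not $exempt)
        }
    }
}

# Show only the GPOs that will restrict administrators as well. After fixing
# the ACL, refresh and confirm on the test workstation with
#   gpupdate /force ; gpresult /r /scope:user
Get-GpoApplyFilter | Where-Object AdminsLockedOut | Format-Table -AutoSize
```

Because Set-GPPermission cannot write Deny entries, the deny itself still has to be set in the GPMC Delegation tab (Advanced) or on the GPO's ACL, exactly as the KB describes.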