user and administrator policies

Anonymous
August 19, 2005 7:52:03 PM

Archived from groups: microsoft.public.win2000.security (More info?)

i'm trying to set up a win2k3 server and restrict user policies. i have
followed kb816100 that says it will prevent group policies from flowing to
administrators. this is my first try at using policies to lock down the
workstations in a school lab. the workstations are winxp machines. the way i
understand policies is that whatever i set at the domain level will flow to
the workstation that is logged into the domain. correct?

whenever i try to restrict, say the run item from appearing on the menu, as
soon as i put that restriction in place the run item is gone from the menu.
i'm logged in as administrator on the server, which is an ad domain server.

here's what i have set in the security tab per the kb:
administrator mchs\administrator deny group policy
administrators mchs\administrators deny group policy
authenticated users apply group policy
brad (brad@mchs.local) deny group policy
creator owner no policy selected
domain administrators deny group policy
enterprise administrators deny group policy
enterprise domain controllers no policy selected
soscc (soscc@mchs.local) deny group policy
system no policy selected
wayne (wayne@mchs.local) deny group policy

i added administrator, brad, wayne, and soscc to the list, all of the other
groups were in the list. do i need to add the group users to this list?
--
lost a few miles from nowhere...

Anonymous
August 20, 2005 7:10:31 AM

All you really need to do is give "administrators" deny for apply.
Administrator, domain admins, and enterprise admins are all members of the
administrators group [or should be]. If the users that you listed are not in
any administrator group for the domain then create a global group for them,
add them to the global group, and then give that global group deny
permission for apply.

Yes, domain level policy can flow down to all users/computers in the domain
except for settings defined for domain controllers in Domain Controller
Security Policy. If you have created an Organizational Unit with a Group
Policy with defined settings then those settings will override the same
defined settings in the domain Group Policy with the notable exception that
account/password policy can be applied only at the domain level for domain
users.

Be sure to install Group Policy Management Console on your domain controller
as it will make managing and troubleshooting Group Policy much easier. You
can also use Resultant Set of Policy to see exactly what settings are being
applied to a user and from what GP. It can also display information about
filtering of GP which is what you are attempting to do.

http://www.microsoft.com/windowsserver2003/gpmc/default...

I don't know how much you know about Active Directory but it is imperative
that your DNS is configured correctly for the domain or all sorts of
problems will arise, including inconsistent application of Group Policy.
See the link below for more info on DNS for an Active Directory domain and
use the support tools netdiag, dcdiag, gpresult, and gpotool when you are
experiencing problems in your domain. Netdiag and gpresult can also be used
on all domain computers. Also frequently check the logs on your domain
controller and any computer via Event Viewer that is experiencing problems
for helpful information.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-... --- AD DNS FAQ

FYI Windows 2003 and XP Pro can use Software Restriction Policies managed
via Group Policy with hash, certificate, and path rules to manage what
software a user can install or run on his computer. You can also start with
a default allowed or disallowed rule and then create the exceptions. SRP is
very powerful but takes some time to figure out how to use correctly. See
the link below if interested and keep in mind that desktop shortcuts are
considered a program as far as SRP is concerned which can trip you up if
you start with the default disallowed rule. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/m...
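
The security filtering described in the reply above, as an added example that is not part of the original thread: a simplified Python model of how a deny on "Apply Group Policy" interacts with group membership and nesting. It is not Windows code; the account student01, the global group Lab-GPO-Exempt and the membership table are constructed assumptions, and the model looks only at the Apply Group Policy permission.

```python
# Added example: simplified model of GPO security filtering (not Windows code).
ALLOW, DENY = "allow", "deny"

# Constructed directory data. "student01" and "Lab-GPO-Exempt" are hypothetical;
# the admin group nesting follows what the reply describes.
MEMBER_OF = {
    "Administrator": {"Domain Admins", "Enterprise Admins", "Administrators"},
    "Domain Admins": {"Administrators"},
    "Enterprise Admins": {"Administrators"},
    "brad": {"Lab-GPO-Exempt"},
    "wayne": {"Lab-GPO-Exempt"},
    "soscc": {"Lab-GPO-Exempt"},
    "student01": {"Domain Users"},
}

def token_groups(account):
    """Return the account plus every group it belongs to, following nesting."""
    seen, stack = {account, "Authenticated Users"}, [account]
    while stack:
        for group in MEMBER_OF.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def gpo_applies(account, acl):
    """acl: list of (trustee, ALLOW|DENY) entries for 'Apply Group Policy'.
    A matching deny always wins; otherwise at least one allow must match."""
    principals = token_groups(account)
    matched = [access for trustee, access in acl if trustee in principals]
    if DENY in matched:
        return False
    return ALLOW in matched

# Filtering as suggested in the reply: deny on Administrators plus one global
# group for the accounts that are not in any administrator group.
SUGGESTED_ACL = [
    ("Authenticated Users", ALLOW),
    ("Administrators", DENY),
    ("Lab-GPO-Exempt", DENY),
]

def report(acl, accounts):
    """Map each account to True/False: does the GPO apply under this ACL?"""
    return {name: gpo_applies(name, acl) for name in accounts}

if __name__ == "__main__":
    for name, applies in report(SUGGESTED_ACL, ["Administrator", "brad", "student01"]).items():
        print(f"{name:15} GPO applies: {applies}")
```

On a live domain the same question is answered by Resultant Set of Policy or gpresult, which report the GPOs filtered out for a given user.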

Anonymous
August 20, 2005 7:21:46 AM

I forgot to add that it can take up to two hours for Group Policy changes to
apply to domain computers/users. After you make changes to GP use the
command gpupdate to refresh the GP on the domain controller and then do the
same on the computer you are testing or reboot or logoff/logon as the case
may be depending on if you are changing computer or user configuration. The
links below explain more about gpupdate and how GP is refreshed. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsser...
http://www.microsoft.com/technet/prodtechnol/windowsser...
