Computer Configurations vs. User Configurations?

OverDrive

IS-IT--Management
Dec 11, 2000
268
US
In my Group Policy, for some odd reason all of the "computer configurations" that I set (ex. account lockout policy, password policy, etc...) work fine, but the all important "user configurations" (ex. remove "My Computer" icon from the desktop) are not?

Any reasons why this might be??

Thanks in advance
Chance~
 
Check to see if your users are supposed to be getting it. You have to specifically set Group Policy Permissions on the Security tab.

When viewing your policy in the policy list, instead of clicking edit to get to the policy settings, click Properties. Then click the Security Tab.

The last setting in the list is for Allow or Deny policy application to your users.
 
You should check these things:
1. The users must be in the OU that the GPO is applied to
2. The users must have the READ and APPLY permissions for the GPO
3. Check if there are any other GPOs that may have opposite settings
 
Mark, you must be using Windows 2000 server, which is a "bit" different than 2003 server, which I am using. I did find the "security settings" on the GPO as you listed, and yes, Authenticated Users is in there along with the domain user... and they both have read and apply permissions.

I am still able to change the settings on the Computer side... but ONLY the password functionality seems to be working? <-- I need to do a bit more research on this one.

Also, by default which of the "default" GPOs need to be enforced, if any, in 2003 server?

I do thank you guys for the help, I wish I could figure this thing out!

Thanks
Chad~

 
None of the default GPOs need to be enforced. That is solely up to your environment.
 
Oh!! I was not aware of that...

What do you mean by my environment?

Is there somewhere else I should look for to see if I am having some type of restrictions on the policies?

Sorry to be such a pest on this issue...

Thanks guys!
Chance~
 
The default policies are provided by Microsoft as examples. You can tweak them or delete them as you feel fit. By your environment I mean you need to look at your company's security requirements and edit the policies to fit those needs.

I want to point out too that policies are not JUST for locking things down. They are a great tool for configuring your environment too. Like adding favorites to IE or setting proxy info etc.

If you think you are getting conflicts from policies, grab a copy of GPRESULT from the Support Tools. Run that on your workstation and it will tell you all of the policies that are configuring it. That might help you isolate things.

One other thought too, are the computers you are trying to lock down in the OU that this policy is located in? If not you will need to make a group for those workstations and add that to the apply list for your policy.
 
If I posted my /v and /u results could you see anything out of that that may help you see what might be wrong?

I cannot see anything that is wrong in my initial look into gpresult?

 
OK, it is telling me that all my Group Policy settings are coming from a GP called "Local Group Policy" which is not one of my GPOs?

And there are NO settings for any of them (ex. security settings, user settings, etc...) have nothing in them?

Any thoughts?

 
Ok, I went into AD Users and Computers and looked in the computers container and saw the client computer listed. So I was going to check the settings and such on it so I right clicked and went to "manage", I also tried "properties" and this was the error I got?

*computer \\ws-003.accesscontol.local cannot be managed. The network path was not found*

Any reason why this is?

The machine is currently logged on to the server btw...
 
If you were logged on as a domain admin then you should be able to manage the workstation. The fact that you can't indicates that the domain connection may be corrupt. Make the computer a member of a workstation. Delete the machine account on the domain and then re-add the machine.

Please confirm for my information too that this machine is at least a Win2K workstation or XP right?

As an FYI to you, you can run gpresult from a command line and use: GPRESULT >C:\results.txt
That will dump the full report to a text file for you.
 
Yes... they are Windows 2k clients.

I removed the computer from the domain, and created the client on a workstation once again. Then rebooted the client and re-joined the domain... the same error happens! EEEEK!

Any thoughts?

THANK YOU!!!
 
This is my GPResult...

Not much... I don't think anything is happening!


Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Sunday, January 18, 2004 at 10:45:20 AM


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 2
Terminal Server Mode: Not supported

###############################################################

User Group Policy results for:



Domain Name: accentcontrol
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

Roaming profile: (None)
Local profile: C:\Documents and Settings\cbi

The user is a member of the following security groups:



###############################################################

Last time Group Policy was applied: Sunday, January 18, 2004 at 10:41:07 AM



###############################################################

Computer Group Policy results for:



Domain Name: accentcontrol
Domain Type: Windows 2000
Site Name: Default-First-Site-Name


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
NT AUTHORITY\Authenticated Users

###############################################################

Last time Group Policy was applied: Sunday, January 18, 2004 at 10:38:23 AM


===============================================================


The computer received "Registry" settings from these GPOs:

Local Group Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy
 
OK, let's make sure we are not dealing with some obscure Service Pack issue. Get your computer up on SP4.

It is clear you are getting NO policies from the domain. I suspect you are not set up correctly on the GPO security.

Can you provide the following.
1. A list of your OU structure and where you have your GPOs.
2. A list of the security settings for each GPO.

By security settings above I mean a full list of who has read, modify, apply or deny rights to the GPO.
 
Does this help?? I could try and post it on the net somewhere or email it? This looks a bit cluttered?

*****************

Computer Configuration Summary
General
Computer name accentcontrols\DELLSERVER
Domain accentcontrols.local
Site Default-First-Site-Name
Last time Group Policy was processed 1/17/2004 9:31:39 AM

Group Policy Objects
Applied GPOs
Name Link Location Revision
Default Domain Controllers Policy accentcontrols.local/Domain Controllers AD (6), Sysvol (6)
Small Business Server Auditing Policy accentcontrols.local/Domain Controllers AD (2), Sysvol (2)
Default Domain Policy accentcontrols.local AD (129), Sysvol (129)

Denied GPOs
Name Link Location Reason Denied
Local Group Policy Local Empty
Small Business Server Domain Password Policy accentcontrols.local Disabled Link
Small Business Server Lockout Policy accentcontrols.local Disabled Link
Small Business Server Client Computer accentcontrols.local Disabled Link
Small Business Server Remote Assistance Policy accentcontrols.local Disabled Link
Accent Controls User Policy accentcontrols.local Disabled Link

Security Group Membership when Group Policy was applied
BUILTIN\Administrators
Everyone
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
S-1-5-21-1047778095-1056689148-2281946710-1009
S-1-5-21-1047778095-1056689148-2281946710-1130
S-1-5-21-1047778095-1056689148-2281946710-516
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
S-1-5-21-1047778095-1056689148-2281946710-1131
WMI Filters
Name Value Reference GPO(s)
None

Component Status
Component Name Status Last Process Time
Group Policy Infrastructure Success 1/17/2004 9:31:39 AM
EFS recovery Success (no data) 1/17/2004 9:21:39 AM
Registry Success 1/17/2004 9:21:35 AM
Security Success 1/17/2004 9:21:39 AM

User Configuration Summary
General
User name accentcontrols\executive
Domain accentcontrols.local
Last time Group Policy was processed 1/17/2004 9:21:35 AM

Group Policy Objects
Applied GPOs
Name Link Location Revision
Default Domain Policy accentcontrols.local AD (5), Sysvol (5)

Denied GPOs
Name Link Location Reason Denied
Local Group Policy Local Empty
Small Business Server Domain Password Policy accentcontrols.local Disabled Link
Small Business Server Lockout Policy accentcontrols.local Disabled Link
Small Business Server Client Computer accentcontrols.local Disabled Link
Small Business Server Remote Assistance Policy accentcontrols.local Disabled Link
Accent Controls User Policy accentcontrols.local Disabled Link

Security Group Membership when Group Policy was applied
accentcontrols\Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
accentcontrols\Group Policy Creator Owners
accentcontrols\Domain Admins
accentcontrols\SBS Mobile Users
accentcontrols\SBS Report Users
accentcontrols\Schema Admins
accentcontrols\Enterprise Admins
WMI Filters
Name Value Reference GPO(s)
None

Component Status
Component Name Status Last Process Time
Group Policy Infrastructure Success 1/17/2004 9:21:35 AM
Registry Success 1/17/2004 9:21:35 AM

Computer Configuration
Windows Settings
Security Settings
Account Policies/Password Policy
Policy Setting Winning GPO
Enforce password history 6 passwords remembered Default Domain Policy
Maximum password age 365 days Default Domain Policy
Minimum password age 1 days Default Domain Policy
Minimum password length 6 characters Default Domain Policy
Password must meet complexity requirements Disabled Default Domain Policy
Store passwords using reversible encryption Disabled Default Domain Policy

Account Policies/Account Lockout Policy
Policy Setting Winning GPO
Account lockout duration 30 minutes Default Domain Policy
Account lockout threshold 4 invalid logon attempts Default Domain Policy
Reset account lockout counter after 15 minutes Default Domain Policy

Account Policies/Kerberos Policy
Policy Setting Winning GPO
Enforce user logon restrictions Enabled Default Domain Policy
Maximum lifetime for service ticket 600 minutes Default Domain Policy
Maximum lifetime for user ticket 10 hours Default Domain Policy
Maximum lifetime for user ticket renewal 7 days Default Domain Policy
Maximum tolerance for computer clock synchronization 5 minutes Default Domain Policy

Local Policies/Audit Policy
Policy Setting Winning GPO
Audit account logon events Success Default Domain Controllers Policy
Audit account management Success Default Domain Controllers Policy
Audit directory service access No auditing Small Business Server Auditing Policy
Audit logon events Success, Failure Small Business Server Auditing Policy
Audit object access No auditing Default Domain Controllers Policy
Audit policy change Success Default Domain Controllers Policy
Audit privilege use No auditing Default Domain Controllers Policy
Audit process tracking No auditing Default Domain Controllers Policy
Audit system events Success Default Domain Controllers Policy

Local Policies/User Rights Assignment
Policy Setting Winning GPO
Access this computer from the network accentcontrols\IWAM_DELL-NQMTWODVA2, Everyone, accentcontrols\IUSR_DELL-NQMTWODVA2, accentcontrols\IWAM_DELL-NQMTWODVA2, Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Pre-Windows 2000 Compatible Access, accentcontrols\IUSR_DELL-NQMTWODVA2, accentcontrols\IIS_WPG Default Domain Controllers Policy
Act as part of the operating system Default Domain Controllers Policy
Add workstations to domain Authenticated Users Default Domain Controllers Policy
Adjust memory quotas for a process accentcontrols\IWAM_DELL-NQMTWODVA2, LOCAL SERVICE, NETWORK SERVICE, accentcontrols\IWAM_DELL-NQMTWODVA2, Administrators Default Domain Controllers Policy
Allow log on locally accentcontrols\IUSR_DELL-NQMTWODVA2, Administrators, Backup Operators, Account Operators, Server Operators, Print Operators, accentcontrols\IUSR_DELL-NQMTWODVA2, accentcontrols\IIS_WPG Default Domain Controllers Policy
Back up files and directories Administrators, Backup Operators, Server Operators Default Domain Controllers Policy
Bypass traverse checking Everyone, Administrators, Authenticated Users, Pre-Windows 2000 Compatible Access Default Domain Controllers Policy
Change the system time Administrators, Server Operators Default Domain Controllers Policy
Create a pagefile Administrators Default Domain Controllers Policy
Create a token object Default Domain Controllers Policy
Create permanent shared objects Default Domain Controllers Policy
Debug programs Administrators Default Domain Controllers Policy
Deny access to this computer from the network accentcontrols\SUPPORT_388945a0 Default Domain Controllers Policy
Deny log on as a batch job Default Domain Controllers Policy
Deny log on as a service Default Domain Controllers Policy
Deny log on locally accentcontrols\SBS Remote Operators, accentcontrols\SUPPORT_388945a0, accentcontrols\SBS STS Worker Default Domain Controllers Policy
Enable computer and user accounts to be trusted for delegation Administrators Default Domain Controllers Policy
Force shutdown from a remote system Administrators, Server Operators Default Domain Controllers Policy
Generate security audits LOCAL SERVICE, NETWORK SERVICE Default Domain Controllers Policy
Increase scheduling priority Administrators Default Domain Controllers Policy
Load and unload device drivers Administrators, Print Operators Default Domain Controllers Policy
Lock pages in memory Default Domain Controllers Policy
Log on as a batch job accentcontrols\IWAM_DELL-NQMTWODVA2, LOCAL SERVICE, accentcontrols\IUSR_DELL-NQMTWODVA2, accentcontrols\IWAM_DELL-NQMTWODVA2, accentcontrols\IIS_WPG, accentcontrols\SUPPORT_388945a0, accentcontrols\IUSR_DELL-NQMTWODVA2, accentcontrols\IIS_WPG Default Domain Controllers Policy
Log on as a service NETWORK SERVICE Default Domain Controllers Policy
Manage auditing and security log accentcontrols\Exchange Enterprise Servers, Administrators Default Domain Controllers Policy
Modify firmware environment values Administrators Default Domain Controllers Policy
Profile single process Administrators Default Domain Controllers Policy
Profile system performance Administrators Default Domain Controllers Policy
Remove computer from docking station Administrators Default Domain Controllers Policy
Replace a process level token accentcontrols\IWAM_DELL-NQMTWODVA2, LOCAL SERVICE, NETWORK SERVICE, accentcontrols\IWAM_DELL-NQMTWODVA2 Default Domain Controllers Policy
Restore files and directories Administrators, Backup Operators, Server Operators Default Domain Controllers Policy
Shut down the system Administrators, Backup Operators, Server Operators, Print Operators Default Domain Controllers Policy
Synchronize directory service data Default Domain Controllers Policy
Take ownership of files or other objects Administrators Default Domain Controllers Policy

Local Policies/Security Options
Domain Controller
Policy Setting Winning GPO
Domain controller: LDAP server signing requirements None Default Domain Controllers Policy

Domain Member
Policy Setting Winning GPO
Domain member: Digitally encrypt or sign secure channel data (always) Enabled Default Domain Controllers Policy

Microsoft Network Server
Policy Setting Winning GPO
Microsoft network server: Digitally sign communications (always) Enabled Default Domain Controllers Policy
Microsoft network server: Digitally sign communications (if client agrees) Enabled Default Domain Controllers Policy

Network Security
Policy Setting Winning GPO
Network security: Force logoff when logon hours expire Disabled Default Domain Policy
Network security: LAN Manager authentication level Send NTLM response only Default Domain Controllers Policy

Public Key Policies/Autoenrollment Settings
Policy Setting Winning GPO
Enroll certificates automatically Enabled [Default setting]
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled


Public Key Policies/Encrypting File System
Properties
Winning GPO [Default setting]
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled

Certificates
Issued To Issued By Expiration Date Intended Purposes Winning GPO
Administrator Administrator 9/14/2006 12:05:53 PM File Recovery Default Domain Policy

For additional information about individual settings, launch Group Policy Object Editor.
Public Key Policies/Trusted Root Certification Authorities
Properties
Winning GPO [Default setting]
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only

User Configuration
Administrative Templates
Desktop
Policy Setting Winning GPO
Remove My Computer icon on the desktop Enabled Default Domain Policy
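
The report pasted above carries a Denied GPOs table for each scope, giving the reason every non-applied GPO was skipped. As an added example (not part of the thread), this Python sketch pulls those rows out of the flattened text; the function names and the row regex are assumptions of the example, and the sample input is excerpted from the report in this thread.

```python
import re

# Excerpt of the report pasted in this thread, "hide" heading residue included.
REPORT = """\
Computer Configuration Summaryhide
Denied GPOshide
Name Link Location Reason Denied
Local Group Policy Local Empty
Small Business Server Client Computer accentcontrols.local Disabled Link
Accent Controls User Policy accentcontrols.local Disabled Link

User Configuration Summaryhide
Applied GPOshide
Name Link Location Revision
Default Domain Policy accentcontrols.local AD (5), Sysvol (5)

Denied GPOshide
Name Link Location Reason Denied
Local Group Policy Local Empty
Accent Controls User Policy accentcontrols.local Disabled Link
"""

SCOPE = re.compile(r"^(Computer|User) Configuration Summary(?:hide)?$")
DENIED = re.compile(r"^Denied GPOs(?:hide)?$")
# Columns are flattened to single spaces, so the link location (a dotted domain
# or the word "Local") is the separator. OU paths with spaces are not handled.
ROW = re.compile(r"^(?P<name>.+) (?P<link>Local|\S+\.\S+) (?P<reason>.+)$")

def denied_gpos(report):
    """Return {(scope, gpo_name): reason} for each row of a Denied GPOs table."""
    found, scope, in_table = {}, None, False
    for line in (raw.strip() for raw in report.splitlines()):
        if SCOPE.match(line):
            scope, in_table = SCOPE.match(line).group(1), False
        elif DENIED.match(line):
            in_table = True
        elif not line:
            in_table = False          # a blank line ends the table
        elif in_table and not line.startswith("Name Link Location"):
            row = ROW.match(line)
            if row:
                found[(scope, row["name"])] = row["reason"]
    return found

def linked_but_disabled(report, scope):
    """GPOs that exist and are linked, but whose link is switched off."""
    return sorted(name for (s, name), reason in denied_gpos(report).items()
                  if s == scope and reason == "Disabled Link")

if __name__ == "__main__":
    for scope in ("Computer", "User"):
        print(scope, linked_but_disabled(REPORT, scope))
```
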
 
Also, could this possibly result from a DNS issue I have been having?

reference:

thread96-752666
 
Lot of information here but not one thing I really need to see. I am looking for the security settings.

Should be something like this:

User/Group Read Modify List Apply Deny
Authenticated users X X
Administrators X X X X
 