Group and Domain Policy objects 1

Status
Not open for further replies.

Tels

IS-IT--Management
Jul 10, 2001
Well, I've gone and jumped in at the deep end. I'm guessing most people on this forum probably know the answer to the next question; I don't, as I've only just got started on Win2000 from Win NT4.

How do you set global group policies??? I've tried setting policies on groups, computers, containers (containing groups and computers) from the MMC console on the server, and it never seems to filter through to the computers I'm trying to secure.... It's one of those situations where I have no manual, and no starting point.

Any help would be well appreciated, the network I am working on is small, (10-15 users) and I just want to know how to use Active Directory to lock down the vulnerable bits on all the computers (such as the 'run' command on the taskbar) without having to go round and do all of them one by one............ :)

 
Create an Organisational Unit in AD Users and Comps, put all of the users you want restricted in there. Now right click the OU and click properties. Now click Group Policies or something like that (the last to your right) and click on the one named Default Group Policy. Click edit. Now click away until you're happy that your users can't mess things up and away you are!

Enjoy! Steve Hewitt
IT Administrator

Windows 2000 Microsoft Certified System Engineer

 
Aye, tried that... tested it by putting in a logon message (and message title..) in the security options. Pain as it is, it doesn't appear when it should!! I figure that policy can only be applied to computers as the screen pops up before anybody logs on. The only settings that seem to be of any immediate use are in the 'administrative templates' subfolder. If I change these, will those changes be applied to the OU, and all the users in that OU??? The use of the word 'template' confuses me (at least without a manual it does).

The idea is to set a policy on the server, shoot across to a nearby client, reset, login and hopefully see the changes automatically pop up, but so far no joy!! Thanks for the tip though....
 
3times,

First of all, check you're getting group policies applied.
Get the gpresult tool from the resource kit, run it on the client machine and see if any changes are being applied.

My guess is that you're not getting any of these policies applied. The number one culprit is DNS (check DNS is set up on the server correctly and the clients are pointing to the correct DNS server). You must have DNS to use the Active Directory and group policies.

You can also use this technique to create a log to see what's going on: thread616-104650

Sounds like you are setting up the policies correctly; they are just not being applied. You can set the group policies up as Steve says on an OU, or if you want it to affect everyone by default, just set up the policy at domain level.

Incidentally, the administrative templates are sort of add-ins to group policy settings. You can load/create new ones; they are stored by default in the c:\winnt\inf directory, and there are quite a few standard ones there. You can load them by right clicking on admin templates and choosing add/remove.

Hope some of this makes sense and helps !!!
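
The checks suggested in the post above, collected into one client-side batch file. This is an added example, not part of the original thread: `example.local` is a placeholder domain name, and the `secedit /refreshpolicy` syntax is the Windows 2000 one.

```bat
@echo off
rem Added example: client-side checks for "policy is set but never arrives".
rem DOMAIN is a placeholder (assumption); put your AD DNS domain name here.
set DOMAIN=example.local

echo === 1. DNS servers this client is using ===
rem The client must point at the DNS server that hosts the AD zone,
rem not at an ISP or router resolver.
ipconfig /all | findstr /i /c:"DNS Servers"

echo === 2. Can the client locate a domain controller through DNS? ===
rem Domain controllers register this SRV record. If it does not resolve,
rem the client cannot find a DC and no group policy will be downloaded.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% 2>&1 | findstr /i /c:"svr hostname"
if errorlevel 1 (
    echo FAIL: no domain controller SRV record found for %DOMAIN%
    echo Fix the client DNS settings before changing any policy.
    goto :eof
)

echo === 3. Ask for a policy refresh instead of waiting for the next cycle ===
rem Computer settings and user settings are refreshed separately.
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

echo === 4. Which policies actually reached this machine and user? ===
rem gpresult is the Resource Kit tool mentioned in the post above.
rem The refresh in step 3 runs in the background, so some settings
rem only show up after the next logon or restart.
gpresult
```

If step 2 fails, the output of step 1 shows which DNS server the client is really asking.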
 
I have Group Policies installed on my OU and they work great. The only thing that I'm having problems with is that I told the policy to not allow Common Programs and User Programs on the start menu but I'm still seeing some kind of default programs showing up. i.e. Accessories, Startup, Internet Explorer and Outlook Express. The Startup group has the same programs in it as the user programs but I totally deleted the Programs folder under that user in windows explorer. I checked out other users that are listed in the windows explorer under documents and settings and no one has Programs that look like that. Any ideas why the Program group is still even showing up?
 
The reason those policies never worked is that clients were configured manually, not via DHCP.
When a client registers via DHCP, the DNS on the server is updated, as is WINS. From there, Active Directory is updated. I didn't know this when I started my Win2K pilgrimage last year.

Thank you all for wonderful advice....

Tels (aka 3times)

reddigger, I am not sure on the Policy's failure to remove the programs group, but some policies can interact with one another. If you haven't done already, read the explanations on each policy as you set them to see any potential policy conflicts.
I'm on my way to visit Active Directory now.. if I find a solution for this today I will let you know.

Win2000 Network Administrator
 
Go to "Active Directory - Users and Computers" -> right click your mouse and go to the properties of "YOUR domain" -> go to the tab of "Group Policy" -> edit the "default domain policy" to enable the option "do not display ..." -> change "properties" of the "default domain policy" to enable "administrator" to APPLY policies -> close everything and reboot the server.

Hope this helps
 