HI ALL
I've got this problem:
in my network there are 3 domain controllers with active directory, I would set security policies on a group of COMPUTERS of my domain.
So I created a global security group and I put about 20 computer accounts into it. Then I put my group into an OU and I tried to set a policy to this group.
I would like to deny logon locally on this group of computers, to a group of users.
When I set the policy, with "block inheritance" flag, I did the command secedit /refreshpolicy machine_policy to propagate immediately the policy settings to the others DC's. So in the Event Viewer I can see the SceCli Event ID that told me "Security policy in the Group policy object are applied succesfully".
BUT IT'S COMPLETELY FALSE
I can make the logon on computers with one of the users
that I would like to deny it!!!
Another information is this: if I set an User Policy, this is applied quickly and works fine!! For example a logon script applied to a user works perfectly after 5 minutes!!
I add also /enforce to the secedit command but the situation doesn't change!!
Please help me, I'm going to break all my domain forest with a hammer.
Mosce
I've got this problem:
in my network there are 3 domain controllers with active directory, I would set security policies on a group of COMPUTERS of my domain.
So I created a global security group and I put about 20 computer accounts into it. Then I put my group into an OU and I tried to set a policy to this group.
I would like to deny logon locally on this group of computers, to a group of users.
When I set the policy, with "block inheritance" flag, I did the command secedit /refreshpolicy machine_policy to propagate immediately the policy settings to the others DC's. So in the Event Viewer I can see the SceCli Event ID that told me "Security policy in the Group policy object are applied succesfully".
BUT IT'S COMPLETELY FALSE
I can make the logon on computers with one of the users
that I would like to deny it!!!
Another information is this: if I set an User Policy, this is applied quickly and works fine!! For example a logon script applied to a user works perfectly after 5 minutes!!
I add also /enforce to the secedit command but the situation doesn't change!!
Please help me, I'm going to break all my domain forest with a hammer.
Mosce