Group Policy 1

[splat78423]

I setup a group policy but for whatever reason it is not "locking down" the clients. For example, the policy is enabled and I believe I have set the appropriate permissions but users can still access the control panel. Does anyone here have some basic guidelines I can follow to troubleshoot group policy? I also want to turn off the ability for users to right click on the desktop, what is the best policy setting for this feature?

 

[Daveyd123]

Are the users/workstations in the OU(s) that the GPO is applied to?

 

[porkchopexpress]

Where have you linked the GPO?

Did you set this in the Users Conficuration area of the GPO and is the GPO applied at an OU containing your users?

 

[splat78423]

i linked the gpo to a user group and gave the group the appropriate permissions. so in other words, yes, I think I did all that............I also ran a gpupdate /force command and made sure that my workstations are synchronizing correctly and still no go. When I setup the policy via gpedit.msc locally on the clients I dont have a problem. But I have fifty computers on my network and need to apply the policy from the server side for obvios reasons. Funny, I remember it being easier in NT 4.

 

[Daveyd123]

What do you mean you linked the GPO to a Group? Are you using GPMC? You should link the GPO to the OU that the users/workstations are in

 

[58sniper]

When logged on as a user that should be "locked down", run gpresult from a CMD prompt and see if the policy is listed in the "Applied Group Policy Objects" section.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[splat78423]

I'll check that right away but I have a feeling that i wont find the policy listed. I believe I have a linking problem. When I open the group policy object editor and right click the gPO and choose properties from the menu and then click the links tab and then find now, I do not get a list of links to the GPO. My GPO is setup as is my OU but it looks as if the missing link should fix the problem. How do I do this?

 

[58sniper]

In the GPMC, right click on your OU and choose link an "existing policy GPO" and then choose the policy.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[splat78423]

Alright, we got it! It was a linking problem. I was trying to link to a group instead of the OU. Thanks alot for the great responses and timely assistance. As always, the tek-tips community comes through on my programming and networking questions...Thanks alot gentlemen.

 

[markdmac]

I want to caution you that you should rethink what you are doing. It is not a good policy to block access to the control panel as you could be opening yourself up to a law suit by not providing access to accessibility and mouse applets.

Rather than block control panel, use the policy that allows you to specify which applets are allowed. Allow access to:

Main.cpl (Mouse & Keyboard to allow left handers to reverse the buttons)
Access.cpl (Accessibility options)

Additionally I recommend providing access to:
MLCFG32.CPL (To Allow your help desk to troubleshoot outlook profile issues without the need to undo the policy).

By specifying to ALLOW access to the above applets and all others will be blocked.

I hope you find this post helpful.

Regards,

Mark

 

[porkchopexpress]

I'll second Marks suggestion there you will find that in may countries it is now law that accessibility features for visually or physically impaired users are available.

Also whan you put on your Mr Nice hat it makes sence