
Windows 2000 Server Group Policy


SabreSiN (Technical User, US)
Oct 31, 2002
Hello,
I am quite confused about group policies in Windows 2000 Server. I want to create 4 users on the Domain. I want one user to be the administrator and 3 users to be regular users. However, I want to set restrictions for those 3 regular domain users by restricting some features in Windows, such as removing the Control Panel from the taskbar, removing the RUN command from the taskbar, etc.

What I did was, I've done a clean install of Windows 2000 Server on the PC and configured "Active Directory" on it as well. I went to "Active Directory Users and Computers", double-clicked the Domain, and created an OU (Organizational Unit). I went into the "Users" folder in the Domain and created 4 new users, User1, User2, User3 and User4. I've made "User1" a member of "Domain Admins," which will grant "User1" administrator rights. I moved User2, User3, and User4 into the OU. In the "Users" folder in the Domain, I've created a new group called "Group1". I right-clicked the OU and chose "Add members to a group..." and picked "Group1". I went back to each user (User2, User3, and User4) and removed the group "Domain Users", and "Group1" is the primary group. I right-clicked on the OU and chose "Properties". Clicked on the "Group Policy" tab and clicked "New". Named the new policy "UserPolicy" and clicked on "Edit". I've enabled the "Remove RUN from Taskbar" and enabled "Disable Control Panel". Closed the group policy window and applied the settings.

I went to the RUN command and typed in "secedit /refreshpolicy USER_POLICY" and "secedit /refreshpolicy MACHINE_POLICY" and clicked OK for both. When I logged into the user account "User2" on the computer with Windows XP Professional installed, the "RUN" command is still available on the taskbar, and the "Control Panel" is available as well, which both are supposed to be disabled.

Any ideas how to apply the group policies so the RUN and Control Panel would not be shown on the taskbar? Am I missing a step here? Does it have anything to do with having Windows XP Professional computers logging into a Windows 2000 Server? Thanks.

-Sabre
 
I'm no expert, but I believe the problem lies with you doing this:
" I've went back to each user (User2, User3, and User4) and removed the group "Domain Users" and "Group1" is the primary group."
There are permissions for group policies. By Default Domain Users have the correct permissions to use the policy... Put the users back into this built-in group and see if it works...
This is just a hunch...
 
No it doesn't work, any other suggestions?
 
I have tried the same with Windows 2000 clients... it doesn't work with that either...

So, you and I must be missing something.
 
Check security on the GPO. Make sure Authenticated Users have Read and Apply Group Policy (this is the default so it should be set but double check).
 
If I recall, you want to create a new OU (Organisational Unit) group under your domain space in the AD Users and Computers snap-in (this will create the same sort of folder that the Domain Controllers have).

Move your User into here and apply a Group Policy Object to this OU

you know the rest
 
From what I understand, the new OU contains only the group of users, correct?

Group policies will not apply to groups. They apply to computer objects and user objects only. When you create an OU, move the Users from the Users folder to the new OU. (Right-click on the user in the Users folder, and click Move..., and it will ask for an OU to move to.) Then the policies will apply.

Now, the tricky part. If User1, User2, User3, and User4 are in the same OU, the policy will get applied to ALL of them. In other words, just because User1 is part of Domain Admins doesn't mean that it isn't affected by the group policy (the admin will lose the Control Panel and Run commands as well.)

The way around this: Right click on the new OU, go to Properties, Go to the security tab, Add the User1 user, and select "Deny" for "Apply Policy". This will make it so that the group policy ONLY applies to User2, User3, and User4.

This way User1 will have the Control Panel and Run command intact.

Daniel.
 
You can filter the GPO by setting security. For example if Users 2 - 3 - 4 are in an OU but Users 2 - 3 are in a Security Group called USERS23 you can apply the GPO to the OU but filter it to the USERS23 group (removing Authenticated users and giving USERS23 Read/Apply Group Policy rights). This effectively limits who in the OU would have the right to apply the group policy.
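The group-based filtering described in this post, and the per-user Deny that Daniel describes above it, both come down to who holds Read and Apply Group Policy in the GPO's ACL. The following PowerShell is an added example, not code from the thread; it assumes a current domain with the RSAT GroupPolicy module (the Windows 2000-era equivalent is the Security tab of the GPO's Properties), a GPO named UserPolicy (the name SabreSiN used) and a security group named USERS23 (the name used in the post above, assumed to already exist). It grants the group the apply right, downgrades Authenticated Users from Apply to Read only, and then lists every trustee that holds or is denied the apply right, so a Deny entry set by hand can be audited the same way.

```powershell
# Added example, not from the thread. Requires the RSAT GroupPolicy module
# and a domain-joined administrative session. Names below come from the thread.
Import-Module GroupPolicy

$GpoName   = 'UserPolicy'   # GPO created under the OU in the original post
$FilterGrp = 'USERS23'      # security group from the post above (assumed to exist)

# Grant the group Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $FilterGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Downgrade Authenticated Users from Apply to Read only. Keep Read: since
# MS16-072 the computer account reads user-side GPOs, and removing Read
# entirely stops the GPO applying to anyone at all.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Audit: who holds Apply Group Policy, and whether any entry is a Deny
# (a per-user Deny such as Daniel's shows up here with Denied = True).
function Get-GpoApplyTrustees {
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' -or $_.Denied } |
        Select-Object @{ n = 'Trustee'; e = { "$($_.Trustee.Domain)\$($_.Trustee.Name)" } },
                      Permission, Denied, Inherited
}

Get-GpoApplyTrustees -Name $GpoName | Format-Table -AutoSize
```

Filtering by group keeps the GPO's scope visible in one place (the ACL), whereas a Deny on an individual user is easy to overlook later; the audit function above is the check to run whenever a GPO "applies to everyone except" or "applies to nobody".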
 
I did add the Users to the OUs, but the thing is, the policies don't seem to be applying to the users who are under the OUs, because the settings that I've changed in the group policy don't seem to be taking effect. I did move the users to the OU, and I didn't want to add User1 to the OU because it is an administrator, so there is no need because User1 is a member of Domain Admins.
 
I had a little test (it was on our live system, thank God it didn't break, can't justify testing this really)

It seemed to work when creating a test OU called test.domain.co.uk, moving some test accounts to it.

Our Default Domain policy being domain.co.uk

then added a NEW Group policy to the OU (right click it>Properties>Group Policy>New)

Moved some test user accounts and test machines into it (yes they both went in, probably should tidy it up into sub folders if it was implemented properly)

Applied GPO and it seemed to work, dunno if it was the Machines or users, couldn't really test it.

At this stage these machines I believe would be machine1.test.domain.co.uk instead of the previous machine1.domain.co.uk
 
machine1.test.domain.co.uk as in Active Directory location not DNS namespace

Also after 'Properties' of the OU and the addition of the Policy, you might want to highlight the Policy and select 'Properties' of it and go to Links, making sure that it has the test1.domain.co.uk OU as its link
 
The links are there correctly. It is Domain.com and OU.Domain.com. I even added the computers and groups into the OU. The policy still doesn't take effect, but when I didn't filter out the administrators, the administrators are missing the control panel and Run command from the taskbar (as it should be for User2, User3, and User4). It seems to be happening locally but not when users log into the domain on their computers. Any ideas why my policy isn't working? Am I missing something here?
 
By locally I assume you mean when the administrator logs on to the Domain Controller? What about when the administrator logs onto another workstation?

RECAP:
Domain.local
OU.Domain.local (GPO resides here)
User1 (member of UsersGROUP)
User2 (member of UsersGROUP)
User3 (member of UsersGROUP)
Users.Domain.local
Administrator (member DomainAdmins,EntAdmins....)

Since we are dealing with user configuration here where the computers are doesn't matter.

If the GPO is at the OU.Domain.local level it will apply to every one in the OU. Keep in mind GPO filtering and that everyone for whom you want the GPO to apply must have Read and Apply Group Policy access. By default this is set to Authorized users (i.e. all users in an OU). If you have changed the Authorized Users access in security for the GPO check that. It sounds like security is the issue here.

 
I must be missing something in windows 2000 server configurations because no matter how I apply the policy, it doesn't seem to work for any user, who belongs to the OU, who logs onto their machines by connecting to the domain. I'm probably missing something in the windows 2000 server components or something but I don't know what...

NewDomain.com
OU.NewDomain.com (GPO Resides here)
User2 (member of Domain Users)
User3 (member of Domain Users)
User4 (member of Domain Users)
Users.NewDomain.com
Administrator (member DomainAdmins,EntAdmins....)
User1

That is what the structure looks like right now.

I also gave all workstations and servers IP addresses, subnet masks and gateway IPs.
When I log onto User2, User3 or User4, I can still see control panel and RUN command in the taskbar. In the GPO, I disabled control panel and RUN command from the taskbar.

When I apply the policy to NewDomain.com (Domain), the administrator (that is logged onto the Domain Controller) is missing the control panel and run command. But when I log as administrator on a workstation called Computer1 in NewDomain (Domain), I can see control panel and Run command. Obviously group policy is not working...
 
What happens when User 2 - 3 or 4 logs onto the Domain Controller?

Who or which groups have Read/Apply Group Policy rights?
 
I can't log onto user2, user3 nor user4 onto the domain controller because it says that they do not have permission to log on locally. Authenticated users have read and apply group policy rights.
 
This is the error message when I try to log onto the domain controller as user2, user3, or user4:

"The Local Policy of the System does not permit you to logon interactively."
 
1) Did you set the policy under machine or user? If under machine, the target machine has to be rebooted to acquire the policies.
2) For logging on interactively, look at Microsoft Knowledge Base article 247989 and find the correct answer to this question.
 
Hi Guys,

I am running a domain controller (AD) on my server within my company. Is there any way besides making the workstations join the domain? What exactly I want here is for all the workstations to log in to their own local machine; I don't want the workstations to join by logging in to the domain controller. But yet, I would still like to apply the security, so that whenever a user runs a UNC path in order to open a specific folder on the domain controller, I want it to make the user's login and password pop up. Does anyone know how to go about this issue?
 
These two settings are only User Configuration, so machine placement doesn't matter. Try modifying the Domain Controller security to allow User2 - 3 - 4 to log on to the Domain Controller. Once you do this, see if the GPO applies when they log on to the DC.

If you don't want to modify your DC log on locally settings just add User2 - 3 - 4 to an Admins group to allow them to log on to the DC. Once user2 - 3 - 4 can log onto the DC see if the GPO applies.
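The checks this thread keeps circling (is the user object itself, not just a group, under the OU the GPO is linked to; does the user's token hold Read and Apply Group Policy; is there a Deny) can be run from an admin workstation instead of letting the users log on at the DC. The script below is an added example, not the thread's own; it assumes the RSAT ActiveDirectory and GroupPolicy modules and the names from the thread (User2 and the GPO UserPolicy). On the workstation, the Windows XP-and-later equivalents of the secedit commands in the first post are gpupdate /force and gpresult /r.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory and
# GroupPolicy modules. Names from the thread: User2, GPO "UserPolicy".
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-GpoScope {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GpoName
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName

    # A GPO reaches only the user and computer objects that live under the
    # container it is linked to. A link on an OU that merely contains a group
    # does nothing for the group's members, so start from the user's own DN.
    $container = ($user.DistinguishedName -split ',(?=(?:OU|CN|DC)=)', 2)[1]
    $inherit   = Get-GPInheritance -Target $container
    $links     = @($inherit.GpoLinks) + @($inherit.InheritedGpoLinks) |
                 Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }

    # Security filtering: the user needs Read + Apply Group Policy, directly or
    # through a group. Get-ADPrincipalGroupMembership includes the primary group
    # (Domain Users / Group1 in the thread) but does not expand nested groups.
    $groups = @('Authenticated Users') +
              (Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object Name)
    $perms  = Get-GPPermission -Name $GpoName -All |
              Where-Object { $_.Trustee.Name -eq $SamAccountName -or $groups -contains $_.Trustee.Name }
    $apply  = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    $deny   = $perms | Where-Object { $_.Denied }

    [pscustomobject]@{
        User          = $SamAccountName
        Container     = $container
        LinkedHere    = [bool]$links     # GPO linked (and enabled) on or above the user's OU
        HasApplyRight = [bool]$apply     # Read + Apply via user or one of their groups
        ExplicitDeny  = [bool]$deny      # a Deny entry wins over any Allow
        ShouldApply   = [bool]$links -and [bool]$apply -and -not [bool]$deny
    }
}

Test-GpoScope -SamAccountName 'User2' -GpoName 'UserPolicy' | Format-List

# Then confirm on the workstation after User2 logs on (Windows XP and later):
#   gpupdate /force
#   gpresult /r /scope user
# The "Applied Group Policy Objects" and "Filtered out" sections of gpresult
# show whether the GPO was denied by security filtering or never linked.
```

If ShouldApply is true but gpresult on the workstation still lists the GPO as filtered out or does not list it at all, the problem is on the client side (name resolution to the DC, SYSVOL access, or the client not actually being joined to the domain it logs on to) rather than in the GPO's scope.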
 