GPO OBJECT ACCESS

Help...
I have a Win2k3 Enterprise server. I have created an OU that I have put the
managers/user object in. I have created a global security group within that
OU and made the managers members of that group.
I created a GPO for that OU. I turned on object access audit failure and success
in the computer portion of the GPO.
I also removed the Control Panel from the user section in the GPO.

I have gone to my NTFS volume and chosen the folder that I wanted to audit. I
chose to (for troubleshooting) audit the Everyone group.

Now they have no Control Panel, as designed, but no events in the
event/security log.

If I enable object access from the domain level, the events are recorded.

I have no override or block inheritance.
 
Try rebooting the computer and using gpresult on it to see if it reports the
computer in the new OU and what Group Policies are applying to it and last
time applied. Maybe you have some lag in replication of security policy to
the new computer. If it still does not work, run the netdiag support tool on
that computer to see if it reports any problems with dns/dc
discovery/kerberos/secure channel. --- Steve
 
Steve, thanks for the reply. I have tried netdiag and dcdiag. All is perfect.
What is strange is that in the GPO => computer config => security settings
=> local policies => security options => interactive login.... these are
applied perfectly.
 
Joey.

With the computer in your OU and when you run gpresult on that computer it
should show it in that OU and that the computer portion of the policy for
that GPO has been applied to it recently. If it does not, try to first reboot
the computer. Another thing to consider is that by default the security log
is small and when full will not record any more events until it is manually
cleared, so I would clear the security log and increase the size of it to at
least 5 MB. You should see a lot of event IDs 560 and 562 for object access
when it starts working after you try to access the folder you are auditing.
I would also check the Local Security Policy on the computer you put into
the OU to see if auditing of object access for success and failure is shown
as the setting for XP Pro/W2003 or the effective setting for W2K. You will
also find the Group Policy Management Console very helpful in determining
what is going on with Group Policy for a certain computer/user/OU/GPO. If
you have not downloaded it yet, give it a try. -- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
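
The effective-policy and log-size checks suggested in the reply above can be run offline against a `secedit /export /cfg policy.inf` dump taken on the computer in the OU. This is an added example, not code from the thread; the sample export is constructed, and the key names and value encodings (`AuditObjectAccess`, `MaximumLogSize` in KB, `AuditLogRetentionPeriod`) are assumed to follow the security template INF layout.

```python
import configparser

# Constructed sample in the layout written by `secedit /export /cfg policy.inf`
# (values invented for illustration, not taken from the thread).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 0
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 2
[Version]
signature="$CHICAGO$"
"""

AUDIT = {0: "no auditing", 1: "success only", 2: "failure only", 3: "success and failure"}

def load_export(path):
    # secedit writes the export as UTF-16 with a BOM
    with open(path, encoding="utf-16") as fh:
        return fh.read()

def check_policy(inf_text, min_log_kb=5 * 1024):
    """Return findings for the audit-policy and log-size checks from the thread."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.read_string(inf_text)
    findings = []
    audit = cp.getint("Event Audit", "AuditObjectAccess", fallback=None)
    if audit is None:
        findings.append("AuditObjectAccess is not defined in the export")
    elif audit != 3:
        findings.append("object access auditing is '%s'" % AUDIT.get(audit, audit))
    size_kb = cp.getint("Security Log", "MaximumLogSize", fallback=None)
    if size_kb is not None and size_kb < min_log_kb:
        findings.append("security log max size %d KB is below %d KB" % (size_kb, min_log_kb))
    # Assumption: 2 means "do not overwrite events", so a full log stops recording
    if cp.getint("Security Log", "AuditLogRetentionPeriod", fallback=None) == 2:
        findings.append("security log is never overwritten; clear it when full")
    return findings

if __name__ == "__main__":
    for line in check_policy(SAMPLE_INF):
        print("FINDING:", line)
```

An empty result means the exported policy already shows success and failure auditing for object access and a security log of at least 5 MB that is allowed to overwrite.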
 