Group Policy on stand-alone Windows 2003 Server


Jay Scovill

Riddle me this batman.

I've a Windows 2003 Server that exists in a DMZ. No Active Directory. I
want to apply group policy to every user that logs onto this machine EXCEPT
local administrators.

I edit the group policy located in c:\windows\system32\grouppolicy for the
changes I want applied.

I then deny all access to this directory to the local administrators group.

I explicitly give read access to this directory to the users I want to have
the group policy applied to.

So the permissions look like: Administrators Deny all, System Full Control
all, userA Read

This is where the weirdness starts. I have ONE account that is in the
administrators group that the policy DOESN'T get applied to. All is fine.

But I created two other accounts and added them to the local administrator
group but the group policy is still applied to them. They are members of
the administrator group only, just like the one account that doesn't get GP
applied.

Another weird thing is that for the account that GP DOESN'T get applied to
I can't read the c:\windows\system32\grouppolicy directory or edit the
group policy through the mmc console. Just as should be expected.

BUT for the other two accounts (including the builtin local admin account)
I can't read the directory BUT I CAN edit the group policy through the mmc
console.

So why are my permissions being applied to this directory so
inconsistently?

Any ideas?
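As an added example that is not part of this thread, the following PowerShell sets the DACL the post describes (Administrators: Deny all, SYSTEM: Full Control, one named user: Read) on the local GroupPolicy folder and prints the result so it can be compared with what was intended. The folder path and the local account name `userA` are placeholders; it must be run from an elevated prompt, and it saves the previous ACL as SDDL first so the change can be rolled back.

```powershell
# Added example, not from the thread. Applies the ACL described in the post to
# the local computer policy folder. Placeholders: $folder and the local user 'userA'.
$folder   = "$env:SystemRoot\System32\GroupPolicy"
$readUser = "$env:COMPUTERNAME\userA"        # placeholder local account
$backup   = "$env:TEMP\GroupPolicy-acl-backup.sddl"

$acl = Get-Acl -Path $folder

# Keep a copy of the current descriptor so the change can be undone:
#   Set-Acl -Path $folder -AclObject (Get-Acl $folder | % { $_.SetSecurityDescriptorSddlForm((Get-Content $backup)); $_ })
$acl.Sddl | Out-File -FilePath $backup -Encoding ascii

# Stop inheriting from System32 and discard the inherited entries, so the folder
# carries exactly the three rules below.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# SYSTEM: Full Control. The policy engine runs as SYSTEM and must read the folder.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, 'Allow')))

# userA: Read. Policy is applied only to accounts that can read the folder.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $readUser, 'ReadAndExecute', $inherit, $prop, 'Allow')))

# Administrators: Deny everything. A Deny ACE is evaluated before Allow ACEs on
# the same object, so it also overrides any Allow a member receives via another group.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Deny')))

Set-Acl -Path $folder -AclObject $acl

# Show the resulting DACL for comparison with the intended
# "Administrators Deny all, System Full Control, userA Read".
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Two things worth knowing when checking the outcome: the account that ran the script is normally the folder's owner (the Administrators group), and an owner keeps the implicit right to read and change the DACL even when every other right is denied, which is why the lockout stays reversible with Get-Acl/Set-Acl. Also, whether a given account ends up with read access depends on every group in its logon token, not just on direct membership of Administrators, so comparing `whoami /groups` for the accounts that behave differently is the quickest way to explain an inconsistency like the one described above.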
 
How to apply local policies to all users except administrators in a
workgroup setting in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;q293655

--
+----------------------------------+
I reply at the news groups only on weekends. If you need to contact
me, Im available on MSN Messenger at heygautam at hotmail
Thanks
Gautam Anand
+----------------------------------+
 


Thanks, this worked but why it works makes no sense to me. If the policy
in that folder gets applied every time a user logs on (I've turned off
background policy processing), why does it not get applied to Administrators
when they log on after copying the restricted policy back to that folder?

Is my understanding of the behaviour of group policy on a stand-alone
machine flawed? I understood that if you turned off background GP
processing, the policy in that dir gets applied to ANY user with read access
to that directory when they log on.

This method, which I was using originally, makes more sense but doesn't
work as expected:

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Miscellaneous/LockdownbygroupusingLocalComputerPolicywithoutActiveDirectory.html