Group Policy Problem

  • Thread starter Thread starter Frankie
  • Start date Start date
F

Frankie

This goes out to any networking people. I'm stuck on a problem w/
administering Group Policies (GP).
I'll first explain the setup I have:

The Domain Controller is running 2000 Server (Server1)
The member system is running 2000 Pro (galvatron)
The domain is cybertron.com

I have a user on the Pro system (user1) who logs onto cybertron.com as
([email protected]) which it has no problem doing.

I installed Active Directory (AD) on the Server system.

I go into Active Directory Users and Computers (ADUC) where I created an
Organizational Unit (OU) named ONE. I added user1 into that OU and created a
GP in that OU named REMOVERUN. I then went to Edit that GP and enabled the
REMOVE RUN FROM START MENU. I've tried running secedit /refreshpolicy
user_policy /enforce from Server1 which it says it has refreshed the policy,
I've even restarted the Pro system and then log back into the domain as
(e-mail address removed) and the Run command is still present.

Now I've also added a GP at the Domain level of cybertron.com and removed
the Run command then I log onto Server1 w/ the Administrator account and the
Run command is gone.

I'm not sure what I'm doing incorrect. I've followed the Windows textbooks,
I follow my cbtnuggets videos and still no luck. I'm thinking its something
minor but not sure what it could be.

If anyone has any experience running a 2000 Network Environment and can lend
a hand please let me know. This is on a test network in my home. Both
systems are connected to a Router and I use a KVM to switch from each
system. I set this up about a week ago to get more hands on w/ AD and
doesn't seem to be working for me. Thanks for any input.
 
Frankie,

It sounds as if your test is correct. We apply GPO's in the following
order:

Local, Site, Domain, Organizational Unit

In your scenario, the OU called "One" has a GPO linked to it called
REMOVERUN.

In the GPO REMOVERUN, you have enabled the Remove Run From Start Menu in the
USER CONFIGURATION section of the GPO

You have moved a user called "USER1" to the OU called "One"


Now, the way this should work, is that when User1 logs onto any workstation
in the domain, they should not have the run command on the start menu.


If all this is true, and the run menu still appears, then we need to look at
the following items:

1. Is NO OVERIDE selected at the domain level preventing any setting from
the OU level taking place?
2. Is the client that you log onto getting policies correct? IE, in your
test, did the same machine recieve the setting at the domain level and not
the OU?
3. Is the DNS configuration of the client pointing to a DC for DNS
resolution?

Another thing that we may want to do is get a GPRESULT from the machine that
USER1 is logged onto after they log on. This is a resource kit utility.
GPresult will generate output that tells us what policies where applied to
the computer, and what policies where applied to the user currently logged
on. Based on that information, we can continue troubleshooting.

--
Gary J. Griffin, MSCE/MCSE
Enterprise Platform Support
Directory Services, Microsoft Corporation
 
-----Original Message-----
This goes out to any networking people. I'm stuck on a problem w/
administering Group Policies (GP).
I'll first explain the setup I have:

The Domain Controller is running 2000 Server (Server1)
The member system is running 2000 Pro (galvatron)
The domain is cybertron.com

I have a user on the Pro system (user1) who logs onto cybertron.com as
([email protected]) which it has no problem doing.
I have the same problem, not sure why, if i find out i will email you.
I installed Active Directory (AD) on the Server system.

I go into Active Directory Users and Computers (ADUC) where I created an
Organizational Unit (OU) named ONE. I added user1 into that OU and created a
GP in that OU named REMOVERUN. I then went to Edit that GP and enabled the
REMOVE RUN FROM START MENU. I've tried running secedit /refreshpolicy
user_policy /enforce from Server1 which it says it has refreshed the policy,
I've even restarted the Pro system and then log back into the domain as
(e-mail address removed) and the Run command is still present.

Now I've also added a GP at the Domain level of cybertron.com and removed
the Run command then I log onto Server1 w/ the Administrator account and the
Run command is gone.

I'm not sure what I'm doing incorrect. I've followed the Windows textbooks,
I follow my cbtnuggets videos and still no luck. I'm thinking its something
minor but not sure what it could be.

If anyone has any experience running a 2000 Network Environment and can lend
a hand please let me know. This is on a test network in my home. Both
systems are connected to a Router and I use a KVM to switch from each
system. I set this up about a week ago to get more hands on w/ AD and
doesn't seem to be working for me. Thanks for any input.

--
(e-mail address removed)


.
 
Back
Top