Undefined settings

  • Thread starter Thread starter Mike
  • Start date Start date
M

Mike

Hi, What happens on the client end when I set a previously defined domain
GPO setting to not defined?



Eg, Computer/Windows Settings/ Local Policies/User Rights Assignment/ Log
on as a service is currently defined as Administrators. If I change this
setting to not defined in the domain GPO what will the result be at the
client end? Will it keep the previous domain GPO setting (of Administrators)
or will it revert back to empty as it is in the setup security template?



PS: I'm in a pure Windows 2000 AD with mixed (2000/XP) clients. Will the
result be any different for XP and 2000?



PSS: Will the result be the same if I move the client to a different OU
which has a different policy applied with the same not defined scenario?
 
Hi,
Eg, Computer/Windows Settings/ Local Policies/User Rights Assignment/ Log
on as a service is currently defined as Administrators. If I change this
setting to not defined in the domain GPO what will the result be at the
client end?
Click to expand...

The setting from the clients LGPO will be take efect.
If you didn´t change the local secpol.msc on the client,
then the MS Default behavior form installation will pe present.
PS: I'm in a pure Windows 2000 AD with mixed (2000/XP) clients. Will the
result be any different for XP and 2000?
Click to expand...

Same on 2000, XP and 2003
PSS: Will the result be the same if I move the client to a different OU
which has a different policy applied with the same not defined scenario?
Click to expand...

Yes. It´s the same procedure. If you set it back to "not defined" within
the policy or in a different one in another scope, where you move the
computer to, aslong the computeraccount is not longer inside the scope
of the origin GPO.

Mark
 
Excellent. I was really hoping that to be the answer :)

Just wanting to clarify your first answer re secpol.msc - changing it would
involves physically logging on to the client pc, running secpol.msc and
manually changing the setting? I've never done this. All our settings have
been defined through group policy. I do have some client applications that
on installation have added so extra user rights assignments, based on your
answer these should stay? (once I set the gpo to not defined)

Thanks Mark.

Regards,
Mike.
 
Hi,
Just wanting to clarify your first answer re secpol.msc - changing it would
involves physically logging on to the client pc, running secpol.msc and
manually changing the setting? I've never done this.
Click to expand...

Good boy ... :-)
All our settings have been defined through group policy. I do have some client
applications that on installation have added so extra user rights
assignments, based on your answer these should stay?
(once I set the gpo to not defined)
Click to expand...

Yes, e.g. if you have a Server with an IIS, the IUSR and IWAM account
add themself inside the LGPO during setup. They will still be there,
or appear again, after resetting the GPO.

Mark
 
Terrific. Thanks for your advice Mark.


Mark Heitbrink said:
Hi,


Good boy ... :-)


Yes, e.g. if you have a Server with an IIS, the IUSR and IWAM account
add themself inside the LGPO during setup. They will still be there,
or appear again, after resetting the GPO.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.
Click to expand...
 
Back
Top