user and administrator policies

Guest

I'm trying to set up a win2k3 server and restrict user policies. I have
followed KB816100, which says it will prevent group policies from flowing to
administrators. This is my first try at using policies to lock down the
workstations in a school lab. The workstations are winxp machines. The way I
understand policies is that whatever I set at the domain level will flow to
the workstation that is logged into the domain. Correct?

Whenever I try to restrict, say, the Run item from appearing on the menu, as
soon as I put that restriction in place the Run item is gone from the menu.
I'm logged in as administrator on the server, which is an AD domain server.

Here's what I have set in the security tab per the KB:
administrator mchs\administrator deny group policy
administrators mchs\administrators deny group policy
authenticated users apply group policy
brad ([email protected]) deny group policy
creator owner no policy selected
domain administrators deny group policy
enterprise administrators deny group policy
enterprise domain controllers no policy selected
soscc ([email protected]) deny group policy
system no policy selected
wayne ([email protected]) deny group policy

I added administrator, brad, wayne, and soscc to the list; all of the other
groups were in the list. Do I need to add the group Users to this list?

Steven L Umbach

All you really need to do is give "administrators" deny for apply.
Administrator, domain admins, and enterprise admins are all members of the
administrators group [or should be]. If the users that you listed are not in
any administrator group for the domain then create a global group for them,
add them to the global group, and then give that global group deny
permission for apply.

Yes, domain-level policy can flow down to all users/computers in the domain
except for settings defined for domain controllers in Domain Controller
Security Policy. If you have created an Organizational Unit with a Group
Policy with defined settings, then those settings will override the same
defined settings in the domain Group Policy, with the notable exception that
account/password policy can be applied only at the domain level for domain
users.

Be sure to install Group Policy Management Console on your domain controller
as it will make managing and troubleshooting Group Policy much easier. You
can also use Resultant Set of Policy to see exactly what settings are being
applied to a user and from what GP. It can also display information about
filtering of GP which is what you are attempting to do.

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

I don't know how much you know about Active Directory, but it is imperative
that your DNS is configured correctly for the domain or all sorts of
problems will arise, including inconsistent application of Group Policy.
See the link below for more info on DNS for an Active Directory domain and
use the support tools netdiag, dcdiag, gpresult, and gpotool when you are
experiencing problems in your domain. Netdiag and gpresult can also be used
on all domain computers. Also frequently check the logs on your domain
controller, and on any computer that is experiencing problems, via Event
Viewer for helpful information.

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 --- AD
DNS FAQ

FYI Windows 2003 and XP Pro can use Software Restriction Policies managed
via Group Policy with hash, certificate, and path rules to manage what
software a user can install or run on his computer. You can also start with
a default allowed or disallowed rule and then create the exceptions. SRP is
very powerful but takes some time to figure out how to use correctly. See
the link below if interested and keep in mind that desktop shortcuts are
considered a program as far as SRP is concerned which can trip you up if
you start with the default disallowed rule. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
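An added check (written for this page, not part of the thread or of Microsoft's tooling) that verifies the filtering Steve describes by reading the GPO's "Apply Group Policy" ACEs straight from the AD object: it assumes a domain where the RSAT GroupPolicy and ActiveDirectory PowerShell modules are available, and the GPO name "Lab Lockdown" and group name "Lab Exempt" are placeholders.

```powershell
# Added example, not from the thread. Assumes RSAT (GroupPolicy + ActiveDirectory
# modules; the latter provides the AD: drive). Names below are placeholders.
param(
    [string]$GpoName     = 'Lab Lockdown',
    [string]$ExemptGroup = 'Lab Exempt'   # global group for staff who are in no admin group
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

# "Apply Group Policy" is an AD extended right identified by this well-known GUID.
$applyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo = Get-GPO -Name $GpoName
$acl = Get-Acl -Path "AD:\$($gpo.Path)"
$applyAces = $acl.Access | Where-Object { $_.ObjectType -eq $applyRight }

# A deny ACE beats any allow: anyone in a denied principal (directly or through
# group nesting) never receives the GPO. Everyone else needs an allow to get it.
$denied  = @($applyAces | Where-Object { $_.AccessControlType -eq 'Deny' } |
             ForEach-Object { $_.IdentityReference.Value })
$allowed = @($applyAces | Where-Object { $_.AccessControlType -eq 'Allow' } |
             ForEach-Object { $_.IdentityReference.Value })
"GPO '$GpoName'"
"  Apply denied to : $($denied  -join ', ')"
"  Apply allowed to: $($allowed -join ', ')"

# The three conditions the thread's advice boils down to.
if (-not ($denied -like '*\Administrators')) {
    Write-Warning 'Built-in Administrators is not denied Apply; admins will be locked down too.'
}
if (-not ($allowed -like '*\Authenticated Users')) {
    Write-Warning 'Authenticated Users has no Allow for Apply; lab users will not receive the GPO.'
}
if (-not ($denied -like "*\$ExemptGroup")) {
    Write-Warning "'$ExemptGroup' is not denied Apply; its members will receive the GPO."
}

# Extra deny entries are redundant for anyone already in Administrators
# (Domain Admins and Enterprise Admins are nested there by default).
$admins = Get-ADGroupMember -Identity 'Administrators' -Recursive |
          Select-Object -ExpandProperty SamAccountName
"  Effective members of Administrators: $($admins -join ', ')"
foreach ($entry in $denied) {
    $sam = $entry.Split('\')[-1]
    if ($sam -in $admins) { "  Redundant deny: $sam is already covered by Administrators" }
}
```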

Steven L Umbach

I forgot to add that it can take up to two hours for Group Policy changes to
apply to domain computers/users. After you make changes to GP, use the
command gpupdate to refresh the GP on the domain controller and then do the
same on the computer you are testing, or reboot or logoff/logon as the case
may be, depending on whether you are changing computer or user configuration.
The links below explain more about gpupdate and how GP is refreshed. --- Steve

http://www.microsoft.com/technet/pr...elp/b846f817-e308-442c-bcde-daa4a99c1ecf.mspx
http://www.microsoft.com/technet/pr...ons/b904dc05-56d7-4651-87df-c6a0c06a1802.mspx
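An added example (written for this page, not from the thread) of the refresh-and-verify step Steve describes, run on the test workstation as the test user: it forces a user-scope refresh and then reads gpresult to report whether the GPO was applied or filtered out. It assumes the Vista-or-later gpresult /r syntax with English output (on XP the equivalent is gpresult /v) and a placeholder GPO name "Lab Lockdown".

```powershell
# Added example, not from the thread. Assumes gpresult /r (Vista or later) with
# English output; 'Lab Lockdown' is a placeholder GPO name.
param([string]$GpoName = 'Lab Lockdown')

# Force an immediate user-scope refresh instead of waiting for the background interval.
gpupdate /target:user /force | Out-Null

# gpresult /r lists the GPOs that were applied and, separately, the ones that were
# filtered out, each followed by a reason line such as "Filtering:  Denied (Security)".
$report = @(gpresult /r /scope:user)

$applied  = $false
$filtered = $null
for ($i = 0; $i -lt $report.Count; $i++) {
    if ($report[$i].Trim() -ne $GpoName) { continue }
    # The nearest heading above this line tells us which list the GPO sits in.
    $heads = @($report[0..$i] | Where-Object { $_ -match 'Applied Group Policy Objects|were not applied' })
    if ($heads.Count -gt 0 -and $heads[-1] -match 'Applied') {
        $applied = $true
    } elseif ($i + 1 -lt $report.Count) {
        $filtered = $report[$i + 1] -replace '^\s*Filtering:\s*', ''
    }
}

if     ($applied)  { "'$GpoName' was applied to this user." }
elseif ($filtered) { "'$GpoName' was filtered out: $filtered" }
else               { "'$GpoName' was not seen at all; check the GPO link, DNS, and the Event Viewer logs." }
```

A "Denied (Security)" reason for an administrator account is the expected result of the deny entries; the same reason for a lab user means the Apply allow for Authenticated Users (or their group) is missing.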
