What's happening ? Group Policy problem

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Ok, i'm pretty new to active directory but I'm doing some test and found
something that is very strange.

I have a client machine (windows XP) as well as a windows 2003 server
(Domain controller) and I have added my client machine in the domain. I have
added a group policy in the domain controller which has the authenticated
user has the security filtering.

Let's say that I define the change system clock policy in computer
configuration, windows settings, security settings, local policies, user
rights to be no one.

It is doing the good behaviour when i'm logging to my domain in my client
machine (I can't change the system clock) but the problem is even if i'm
connecting LOCALY to my client machine, i STILL can't change my system clock.

It's seems that the domain group policy override my client pc when i'm
logging localy.

How come ? How can we explain that ? any info on that is very much
appreciated.

thanks
 
abuck said:
Ok, i'm pretty new to active directory but I'm doing some test and found
something that is very strange.

I have a client machine (windows XP) as well as a windows 2003 server
(Domain controller) and I have added my client machine in the domain. I
have
added a group policy in the domain controller which has the authenticated
user has the security filtering.

Let's say that I define the change system clock policy in computer
configuration, windows settings, security settings, local policies, user
rights to be no one.

It is doing the good behaviour when i'm logging to my domain in my client
machine (I can't change the system clock) but the problem is even if i'm
connecting LOCALY to my client machine, i STILL can't change my system
clock.
Click to expand...

What do you mean? With a LOCAL account defined on the client
computer?

(Domain) Group Policies have no control over non-Domain users --
except by controlling the machine itself.

User policies affect domain users -- Computer Policies affect domain
computers.

BUT the domain policy still affects that domain machine as a computer
which MAY restrict what a user can do.
 
Thanks for respond, very appreciated. Here's more explication:

When I was applying some Computer group policy in my domain (domain
controler), it is affecting my entire computer even if I am not logging on to
my domain (with my client machine).

I was wondering if it was normal that my domain can change policy that
change the behaviour of my workstation even if it is disconnected from the
domain. (Conncted to a workgroup by example).

thanks
 
Thanks for respond, very appreciated. Here's more explication:

When I was applying some Computer group policy in my domain (domain
controler), it is affecting my entire computer even if I am not logging on to
my domain (with my client machine).

I was wondering if it was normal that my domain can change policy that
change the behaviour of my workstation even if it is disconnected from the
domain. (Conncted to a workgroup by example).

thanks
 
abuck said:
Thanks for respond, very appreciated. Here's more explication:

When I was applying some Computer group policy in my domain (domain
controler), it is affecting my entire computer even if I am not logging on
to
my domain (with my client machine).

I was wondering if it was normal that my domain can change policy that
change the behaviour of my workstation even if it is disconnected from the
domain. (Conncted to a workgroup by example).
Click to expand...

Did you take the computer OUT of the domain (it can't be in a workgroup
until you do that)?
 
No I didn't unlink the domain in my workstation. I am just not choosing my
domain when logging on. (i'm choosing login as "my computer" instead of login
as "my domain".
 
abuck said:
No I didn't unlink the domain in my workstation. I am just not choosing my
domain when logging on. (i'm choosing login as "my computer" instead of
login
as "my domain".
Click to expand...

So the computer is still in the domain and all policies linked to the
computer
and with computer settings will affect that computer -- and indirectly the
users who logon there.

By logging into a "local computer account" you are merely bypassing
policies linked to the users and having user settings.
 
Actually, after doing severals tests, I think I know what's happening.

Because my computer is in the domain, all of my users in local computer is
in the autorized users of the domain so the policy gets applied to my
computer even if i'm logging to my local user because the scop of the policy
is "autorized users".

If i'm wrong, let me know !

thanks.
 
abuck said:
Actually, after doing severals tests, I think I know what's happening.

Because my computer is in the domain, all of my users in local computer is
in the autorized users of the domain so the policy gets applied to my
computer even if i'm logging to my local user because the scop of the
policy
is "autorized users".

If i'm wrong, let me know !
Click to expand...

No, that is what I have been telling you.

You linked a GPO which affected the COMPUTER, and thereby
affected the users (any user) of that computer INDIRECTLY.
 
abuck said:
Let's say that I define the change system clock policy in computer
configuration, windows settings, security settings, local policies,
user rights to be no one.
Click to expand...
How come ? How can we explain that ? any info on that is very much
appreciated.
Click to expand...

That's why it's called "System Time", any policy that is set on the Computer
Policy for changing the System Time, affects all users of the System.
By default, only Administrators and Power users can change the System Time,
if you apply a policy that changes the default policy, the policy applies to
all users, domain and local.
Even if you remove the system from the domain, the policy remains until the
policy is changed within the local policy.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
Back
Top