Windows 2000 problem


Steve

Hi NG,

When I log into one of my servers as the domain administrator, the
administrator is locked down the same way as any of my domain users are
locked down by a group policy I have applied to the domain.

The group policy has not been applied to any organisational units that
contain the server or the administrator so I ran the GPRESULT.exe tool from
the Windows 2000 Resource Kit to see if this could tell me what group
policies have been applied and although the session is locked down it
doesn't display any GPs that could have been applied (domain user policy
hasn't been applied).

Any ideas? I am stumped.

Thanks in advance

Steve
 
Domain policy will also apply to users and computers in Organizational Units if
overriding settings are not defined in the OU. If the administrator is in a different
container than the OU then try reversing the settings in that OU or try enabling
"block inheritance" on that OU. Keep in mind that block inheritance cannot block
higher level GPOs that have "no override" enabled. Otherwise try filtering Group
Policy that you have configured to not apply to the administrators group by selecting
Group Policy/properties/security and give deny permissions to the administrators
group for apply policy. See the link below for more details. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
 
Steve,

Thanks for your reply, much appreciated...

I know that the computer is not being locked down by group policies which is
what is puzzling me more than anything. If I log onto any other PC as
administrator then it is fine; it is just this PC in particular. I have tried
absolutely everything in my knowledge which is why I have posted to the
NGs. I have even disjoined the server from the domain and re-added again to
no avail. The PC is in the same OU as all the other servers that aren't DCs
and the administrator is in an OU where the policy doesn't apply. I have
also checked local policies for the PC and there is nothing amiss here
either. If you are as stumped as I am then I think I am going to have to
rebuild which I don't really want to do as this is our intranet server. The
PC is not locked down if I log in as local admin and the domain admin is
part of the local admin group on the PC.

Weird, isn't it?

Steve
 
So you are saying the problem is on just this one particular server that is
in an OU with other servers that do not lock down the domain admin account.
Hmm. The part about logging in as local account that bypasses this policy
indicates that it is being applied somewhere in the domain/OU and not local
policy - at least user policy. If loopback processing [computer
configuration] is applied to the OU or maybe even at local level, that could
give the user different configuration policy based on the container that the
computer is in. You may want to check that though it is doubtful. You might
try enabling debug logging to view userenv.log file and running netdiag [on
install CD in support/tools folder - run setup] on that computer looking for
any failed tests that may be pertinent as well as looking at application and
system logs in Event Viewer for any clues. --- Steve

http://support.microsoft.com/?id=231287
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708
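
The inheritance, "block inheritance", "no override", security filtering and loopback behaviour discussed in the replies above, as an added example that is not part of the original thread. It is a simplified model: local and site policy are ignored, loopback filters the computer's GPOs with the user's groups, and every container, GPO and setting name is constructed.

```python
# Simplified model of domain/OU policy resolution; every name below is constructed.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)
    no_override: bool = False             # "No Override" set on the link
    deny_apply: frozenset = frozenset()   # groups denied "Apply Group Policy"
    loopback: str = ""                    # computer setting: "", "merge" or "replace"

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def applicable(path, groups):
    """GPOs that apply, lowest precedence first; path runs domain -> leaf OU."""
    normal, enforced = [], []
    for c in path:
        if c.block_inheritance:
            normal = []                   # inherited GPOs dropped, No Override ones kept
        for g in c.links:
            if g.deny_apply & groups:
                continue                  # security filtering removes this GPO
            (enforced if g.no_override else normal).append(g)
    return normal + enforced[::-1]        # highest-level No Override is applied last

def user_policy(user_path, user_groups, computer_path):
    """Effective user settings plus the names of the GPOs that supplied them."""
    modes = [g.loopback for g in applicable(computer_path, frozenset()) if g.loopback]
    mode = modes[-1] if modes else ""
    gpos = [] if mode == "replace" else applicable(user_path, user_groups)
    if mode:                              # loopback: add user settings from the computer's OUs
        gpos += applicable(computer_path, user_groups)
    settings = {}
    for g in gpos:
        settings.update(g.user_settings)
    return settings, [g.name for g in gpos]

# Constructed scenario: one server OU carries a loopback GPO.
ADMINS = frozenset({"Domain Admins"})
lockdown = GPO("Domain Lockdown", {"NoRun": 1})
domain = Container("example.local", [lockdown])
admins = Container("OU=Admins", [GPO("Admin Desktop", {"NoRun": 0})])
servers = Container("OU=Servers")
intranet = Container("OU=Intranet", [GPO("Intranet Server", loopback="merge")])
print(user_policy([domain, admins], ADMINS, [domain, servers]))            # other servers
print(user_policy([domain, admins], ADMINS, [domain, servers, intranet]))  # loopback server
```

In this model the same administrator account is unrestricted on an ordinary server and locked down only on the server whose OU enables loopback, and denying "Apply Group Policy" to the administrators group on the domain GPO removes the restriction.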
 