Re: Windows 2003 Server - Group Policy

From: Chriss3 (noSpamHere_at_chrisse.se)
Date: 04/18/04


Date: Sun, 18 Apr 2004 15:34:34 +0200

Group Policy refreshes at 90-minute intervals by default. You can force
a refresh by using the command-line tool gpupdate on Windows XP and
Windows Server 2003 computers. For Windows 2000 computers see the following KB:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;227302

Let's talk about your Corporate OU; there are a few options you can use. Block
Policy Inheritance can be set on this OU, which means no policies from higher
level OUs will be inherited by the Corporate OU, not even the default domain
policy or other policies from site objects, for example; this may come
infective. However, it's a good way to keep an OU clean from policies and
unwanted and unexpected changes.

Provides step-by-step instructions on how to block policy inheritance:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Block.asp

You can also set No Override on a particular GPO. Let's say you create a
clean GPO for the Corporate OU and then set the No Override option; it means
this policy will be in effect over all others.

Prevent a Group Policy object from being overridden:
http://www.microsoft.com/windows2000/en/server/help/NoOverride.htm

How does the Group Policy 'No Override' and 'Block Inheritance' work?
http://www.winnetmag.com/Article/ArticleID/15420/15420.html

I hope this can help you, by the way. Feel free to post back. Have a nice
day!

-- 
Regards
Christoffer Andersson
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
"ToaDz" <toadz@hotmail.com> wrote in message
news:4082179f$0$16592$5a62ac22@freenews.iinet.net.au...
> Sorry, I rebooted my DC and then it worked.
>
> My question is this..
>
> As mentioned, I have the following OU's:
>
> Finance
> Corporate
> Services
>
> There is one user in Corporate, who I want to have full administrator access
> (no restrictions).
>
> I want all other users in all the OU's to not have access to the "My Network
> Places" and "My Documents" icons on the Desktop.
>
> What is the easiest way to accomplish this? If I edit the "Default Domain
> Policy" to disable the My Network Places and My Documents folder, this will
> work for all users, but what will happen to the user in the Corporate OU,
> which I want to have full access?
>
> I'm getting confused now :)
>
>
>
> "ToaDz" <toadz@hotmail.com> wrote in message
> news:408211ea$0$16589$5a62ac22@freenews.iinet.net.au...
> > Thanks for the reply.
> >
> > I have created an OU called "TEST" and have placed a user called
> > "testaccount" into the OU.
> >
> > In this OU, I have created a new GPO and have set the My Network Places and
> > My Documents folder to NOT appear by doing the following:
> >
> > 1. Right-click TEST OU and Properties
> > 2. Group Policy tab
> > 3. New and called the GPO "TEST GPO"
> > 4. Edit
> > 5. User Configuration | Administrative Templates | Desktop
> > 6. Enabled "Remove My Documents icon on the desktop" and "Hide My Network
> > Places icon on desktop"
> > 7. Closed GPO Editor
> > 8. Closed TEST GPO Properties window
> > 9. Close AD Users and Computers
> >
> > From another machine, I logged in as "testaccount" and the My Documents and
> > My Network Places icons were still there??
> >
> > My DC is a Windows 2003 Server and the client PC is running Windows 2000
> > Professional.
> >
> > Please note, I'm a newbie :) Any ideas?
> >
> > I've tried running "gpupdate /force" at the command prompt and the problem
> > is still occurring.
> >
> > Help!
> >
> >
> > "Chriss3" <noSpamHere@chrisse.se> wrote in message
> > news:ukddmDQJEHA.2680@TK2MSFTNGP11.phx.gbl...
> > > Here you have to find out a GPO design for your Active Directory
> > > infrastructure. You may be planning to make many settings at the domain
> > > level and may want to create a new GPO for different settings, such as
> > > Security, Desktop Lock Down and so on.
> > >
> > > However, I don't recommend modifying the Default Domain Policy too much
> > > because it may result in problems for all your computers and users within
> > > the domain. If you have GPOs based on settings you can easily disable them
> > > if you receive something unwanted and unexpected at the clients.
> > >
> > > A good way to work is to have a Test OU with one user and computer where
> > > you basically create your GPOs and test them until you feel ready to ship
> > > them to your production users and computers, then link the OU where it
> > > should be. By the way, you will become familiar with GPOs and may not need
> > > such a solution, but it's a good way to start.
> > >
> > > -- 
> > > Regards
> > > Christoffer Andersson
> > >
> > > No email replies please - reply in the newsgroup
> > > ------------------------------------------------
> > > http://www.chrisse.se - Active Directory Tips
> > >
> > > "ToaDz" <toadz@hotmail.com> wrote in message
> > > news:4081f4bd$0$16572$5a62ac22@freenews.iinet.net.au...
> > > > I have setup a domain controller called TOADSRV in my domain called
> > > > TOADZ.COM
> > > >
> > > > I have successfully setup AD, DNS and DHCP.
> > > >
> > > > In Active Directory, I have setup several OU's:
> > > >
> > > > 1. Finance
> > > > 2. Corporate
> > > > 3. Services
> > > >
> > > > I want all users (apart from Administrators and Domain Admins) not to
> > > > have access to the My Network Places icon on the desktop, as well as the
> > > > Run command.
> > > >
> > > > How do I configure a group policy?
> > > >
> > > > In AD, do I edit the "Default Domain Policy" for TOADZ.COM or do I
> > > > configure a new GPO for each OU?
> > > >
> > > > Please note, that I had a problem creating users with simple passwords
> > > > and was able to edit the "Default Domain Policy" for TOADZ.COM and
> > > > disabled the password complexity requirements. This worked fine.
> > > >
> > > > Hope someone can help.
> > > >
> > > > Cheers,
> > > >
> > > > T
> > > >
> > > >
> > >
> > >
> >
> >
>
>
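
Added example, not part of the original thread: a simplified Python model of how Block Policy Inheritance and No Override interact, using the thread's domain and OU names. It also shows a documented behaviour the post does not spell out, namely that a No Override link still applies below an OU that blocks inheritance. The GPO names and setting keys are constructed, and site links, security filtering and loopback are ignored.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    no_override: bool = False          # "No Override" on the GPO link

@dataclass
class Container:                       # a domain or an OU
    name: str
    links: list = field(default_factory=list)   # lowest priority first
    block_inheritance: bool = False

def resultant_settings(path):
    """path: containers from the domain down to the user's OU."""
    # Normal links above the deepest blocking container are dropped.
    cut = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, c in enumerate(path):
        for link in c.links:
            if link.no_override:
                enforced.append((depth, link))   # survives Block Inheritance
            elif depth >= cut:
                normal.append(link)
    result = {}
    for link in normal:                # top-down: the link nearest the user wins
        result.update(link.settings)
    # No Override links are applied last; the highest-level one wins a conflict.
    for _, link in sorted(enforced, key=lambda t: -t[0]):
        result.update(link.settings)
    return result

def scenario(block_corporate, enforce_lockdown):
    """Constructed sample: lockdown GPO at the domain, clean GPO on Corporate."""
    lockdown = Link("Desktop Lockdown",
                    {"HideMyNetworkPlaces": True, "RemoveMyDocuments": True},
                    no_override=enforce_lockdown)
    domain = Container("TOADZ.COM", [lockdown])
    corporate = Container("Corporate",
                          [Link("Corporate Clean", {"HideMyNetworkPlaces": False})],
                          block_inheritance=block_corporate)
    finance = Container("Finance")
    return {ou.name: resultant_settings([domain, ou]) for ou in (corporate, finance)}

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(flags, scenario(*flags))
```

In this model, blocking inheritance on Corporate exempts every account in that OU from the domain-level lockdown, and setting No Override on the lockdown link reapplies it there regardless.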

