Re: Default Domain Controllers Policy
- From: "Steven Hutchinson" <it1@xxxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Jun 2006 23:27:54 +0100
Hi Lara,
I was only looking to change the Local Security Policy on servers that have
applications installed that require specific accounts to be granted rights
only on that server. In other circumstances, I have created an OU and GPO
for groups of member servers such as Citrix servers and defined much more
detailed policies.
Steven
"lforbes" <lforbes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:52A63BA2-ABD4-479A-BEB8-6D802DAADE42@xxxxxxxxxxxxxxxx
Hi,
What OS are you using? If you are using Windows 2003 Server then download
the Group Policy Management Console.
It has this AMAZING little feature at the bottom which basically shows you
all the settings that are applying to a user or a computer. It runs a
simulation and then shows you all the settings.
Now, the ONLY way that the Default Domain Controllers Policy would be
applying to the Computers is if the Computer OU was inside the Default
Domain Controllers OU or if the Default Domain Controllers policy was
linked to the Computers OU. You can find out this simply by creating a
"new" OU for computers and moving all the computers into it.
Why are you trying to change Local Settings? Local Settings are always
overridden by Group Policies starting with the Default Domain Policy and
then the Group Policies of the OUs. I would leave the Local Settings alone.
It is far better to just create OUs and Group Policies for computers and
set any settings you need there.
This also stops any huge problems caused by Local Policies.
Cheers,
Lara
"Steven Hutchinson" wrote:
Hi Mark,
Thanks for confirming this. Can you suggest any reason why this policy is
being applied to all computers in our domain and possibly how I can go
about preventing this?
"Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%231hqdLomGHA.4164@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Steven Hutchinson wrote:
> It would seem that our Default Domain Controllers Policy is being
> applied to all computers in our domain.
No good idea.
> As far as I know this should not be the case and should only be
> applied to Domain Controllers.
Absolutely right.
> Can anyone confirm this to me as it is causing a few problems?
For sure. Because a domain controller is much more restrictively
configured, like "logon locally" and other permissions, it is not
recommended to apply the DefDomConPol to the clients, because a "user"
needs to work on a client.
If you want to allow a user logon on that client and you edit the
DefDomConPol, then he is able to logon locally on a DC as well.
In most cases you don't want that.
Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: firstname@homepage, the sending address is not checked.
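
Added example, not written by anyone in this thread: a PowerShell check for the two causes named above, a Default Domain Controllers Policy link outside the Domain Controllers OU, or non-DC computer accounts sitting inside that OU. It assumes the ActiveDirectory RSAT module and read access to the domain; the GUID is the well-known one this GPO carries in every domain, and links on AD sites (configuration partition) are not covered.

```powershell
# Added example. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Well-known GUID of the Default Domain Controllers Policy.
$ddcpGuid = '6AC1786C-016F-11D2-945F-00C04FB984F9'

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # normally OU=Domain Controllers,<domain DN>

# gPLink entries look like [LDAP://cn={GUID},cn=policies,...;<options>]
# options bit 1 = link disabled, bit 2 = link enforced
$pattern = "\[LDAP://cn=\{$ddcpGuid\}[^;\]]*;(\d+)\]"

# Every domain object (domain root or OU) whose gPLink references the GPO.
$links = Get-ADObject -LDAPFilter "(gPLink=*$ddcpGuid*)" `
            -SearchBase $domain.DistinguishedName -SearchScope Subtree `
            -Properties gPLink |
    ForEach-Object {
        $m = [regex]::Match($_.gPLink, $pattern, 'IgnoreCase')
        if ($m.Success) {
            $opt = [int]$m.Groups[1].Value
            [pscustomobject]@{
                LinkedTo = $_.DistinguishedName
                Enabled  = -not ($opt -band 1)
                Enforced = [bool]($opt -band 2)
                Expected = ($_.DistinguishedName -eq $dcOu)
            }
        }
    }

$links | Format-Table -AutoSize

# An enabled link anywhere else applies DC-level settings to other computers.
$unexpected = @($links | Where-Object { $_.Enabled -and -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "Default Domain Controllers Policy is linked outside $dcOu"
    $unexpected | Select-Object LinkedTo, Enforced
}

# Computer accounts inside the Domain Controllers OU that are not DCs
# (primary group 516 = Domain Controllers, 521 = Read-only Domain Controllers).
$misplaced = @(Get-ADComputer -SearchBase $dcOu `
    -Filter 'primaryGroupID -ne 516 -and primaryGroupID -ne 521')
if ($misplaced.Count -gt 0) {
    Write-Warning "Non-DC computer accounts found under $dcOu"
    $misplaced | Select-Object Name, DistinguishedName
}
```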