Re: Loopback replace mode

From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 09/02/04


Date: Fri, 3 Sep 2004 09:12:45 +1000

Hi Simon

User Rights Assignment takes place in the computer configuration section of
the GPO. Based on this, loopback shouldn't be required (I would have
thought anyway). From the Windows Server 2003 help:

For security settings which are defined by more than one policy, the
following order of precedence, from highest to lowest, is observed:

Organizational Unit Policy
Domain Policy
Site Policy
Local computer Policy

For example, a workstation that is joined to a domain will have its local
security settings overridden by the domain policy wherever there is a
conflict. Likewise, if the same workstation is a member of an Organizational
Unit, the settings applied from the Organizational Unit's policy will
override both the domain and local settings. If the workstation is a member
of more than one Organizational Unit, then the Organizational Unit that
immediately contains the workstation has the highest order of precedence.

Based on this, the OU settings should win.

The only problem comes from the "No override". My guess would be that this
prevents you from successfully setting the User Rights at the OU level. I'm
only unsure because I've only ever had to worry about it for Administrative
Template policy bits in the past but common sense says it would work the
same.

You might be better to either turn off "No override" or separate the
shutdown setting from the existing domain level policy, create a new GPO
that sets shutdown at the domain level and don't set "No override" for this
new GPO.

HTH

-- 
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email 
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.

"Simon Geary" <simon_geary@hotmail.com> wrote in message 
news:OlPp$3OkEHA.636@TK2MSFTNGP12.phx.gbl...
> My situation is this:
> Windows 2000 domain with a GPO set at the domain level. No override is 
> enabled on this policy.
> One of the settings in the domain level policy allows Authenticated Users 
> to shut down the system.
> For one of the OUs that holds some Citrix servers, I want to change this 
> so that only Domain Admins can shut down servers in that OU.
>
> My plan is this:
> On the OU, enable loopback replace mode with a setting that only Domain 
> Admins can shut down servers.
>
> Will this work? The end result I want is for only Domain Admins to be able 
> to shut down the servers in that OU. I believe that the replace mode will 
> remove Authenticated Users' rights to shut down the servers but am not so 
> sure because of the no override setting on the domain level policy.
> 
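
As an added illustration (not part of either post, and not Microsoft code), the Python model below compares the setup described in the question with the two alternatives suggested in the reply. It assumes that a "No override" link beats every lower-level GPO for security settings and that a user right is taken whole from the winning GPO rather than merged; the GPO names are hypothetical.

```python
# Toy model of Group Policy precedence for one computer-side security setting.
# Assumption (not confirmed on the page): a link marked "No override" beats
# every non-enforced GPO, and among enforced links the one highest in the
# hierarchy wins. GPO names below are hypothetical.
from dataclasses import dataclass, field

LEVELS = ["local", "site", "domain", "ou"]  # processing order, lowest precedence first
SHUTDOWN = "SeShutdownPrivilege"

@dataclass
class GPO:
    name: str
    level: str
    settings: dict = field(default_factory=dict)
    no_override: bool = False

def effective(gpos, setting):
    """Return (value, winning GPO name) for one setting, or (None, None)."""
    defining = [g for g in gpos if setting in g.settings]
    if not defining:
        return None, None
    enforced = [g for g in defining if g.no_override]
    if enforced:
        # Enforced links: the highest container (earliest level) wins.
        winner = min(enforced, key=lambda g: LEVELS.index(g.level))
    else:
        # Normal processing: the GPO closest to the computer wins.
        winner = max(defining, key=lambda g: LEVELS.index(g.level))
    return winner.settings[setting], winner.name

def scenarios():
    ou = GPO("Citrix OU policy", "ou", {SHUTDOWN: ["Domain Admins"]})
    # 1. As described in the question: one domain GPO with No override on.
    original = [GPO("Domain policy", "domain",
                    {SHUTDOWN: ["Authenticated Users"], "other": "x"}, True), ou]
    # 2. First suggestion: turn No override off.
    relaxed = [GPO("Domain policy", "domain",
                   {SHUTDOWN: ["Authenticated Users"], "other": "x"}, False), ou]
    # 3. Second suggestion: move shutdown into its own non-enforced domain GPO.
    split = [GPO("Domain policy", "domain", {"other": "x"}, True),
             GPO("Domain shutdown policy", "domain",
                 {SHUTDOWN: ["Authenticated Users"]}, False), ou]
    cases = {"original": original, "relaxed": relaxed, "split": split}
    return {k: effective(v, SHUTDOWN) for k, v in cases.items()}

if __name__ == "__main__":
    for name, (value, source) in scenarios().items():
        print(f"{name:9} -> {value} (from {source})")
```

On a live system the model's answer should be checked against the Resultant Set of Policy for a server in the OU.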

