Re: Need Verification for 2003 Policy

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/05/05


Date: Sat, 5 Feb 2005 16:46:02 -0600

Anything that you define in Domain Security Policy will override settings in
Local Security Policy of domain computers, as you have experienced. The
workaround is to do this at the OU level, as you have suggested, if you do not
want it to apply to all domain computers or have specific needs for a group of
domain computers. For instance, create an OU with its own GPO for computers
or servers that you want to restrict for logon locally and move those computer
accounts into that OU instead of configuring at the domain level. It does
not make sense to configure the Domain Security Policy to allow only
administrators to log on to domain computers as that will prevent regular
users from being able to log on. --- Steve

<toureg69@yahoo.com> wrote in message
news:1107642128.219564.150590@g14g2000cwa.googlegroups.com...
> All,
>
> Here is the scenario: We have a Windows 2003 AD environment. We have
> not implemented any GPOs and only use the Default Domain Policy.
>
> We modified the Default Domain Policy -> User Rights Assignments ->
> Allow Logon Locally and Act As Part of the Operating System. In these
> two (2) options, we indicated the Domain Admins and Administrators
> groups.
>
> Now here is the issue:
>
> When any Domain Admin account logs into the domain, they cannot modify
> the Local Security Policy for the two "User Rights Assignments" that I
> listed above. The icon next to those rights is a Server with a scroll
> in front of it, meaning that this right is inherited from the Default
> Domain Policy. The other rights have the icon that looks like binary
> numbers.
>
> Aside from using OUs to override the Default Domain Policy, is there
> any way to get around this within a 2003 AD environment?
>
> Any feedback is very much appreciated.
>
> Thanks!
>
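
Added example, not part of the original thread: a simplified Python model of the precedence described in the reply, showing that a user right defined in a later-applied GPO replaces the local list outright and that an OU-linked GPO limits the effect to computers in that OU. The policy contents, the EXAMPLE domain name and the "Restricted" OU are constructed assumptions; site-linked GPOs, Enforced/Block Inheritance and security filtering are not modelled.

```python
import configparser

# Constructed sample templates in security-template (INF) form.
LOCAL = r"""[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""
ADMINS_ONLY = r"""[Privilege Rights]
SeInteractiveLogonRight = EXAMPLE\Domain Admins,*S-1-5-32-544
SeTcbPrivilege = EXAMPLE\Domain Admins,*S-1-5-32-544
"""
UNDEFINED = "[Privilege Rights]\n"  # GPO that does not define either right


def privilege_rights(inf_text):
    """Return {right: [accounts]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: [a.strip() for a in value.split(",") if a.strip()]
            for right, value in cp.items("Privilege Rights")}


def effective_rights(layers):
    """layers: (source, inf_text) pairs in processing order (local, domain, OU).
    A later layer that defines a right replaces the earlier list outright."""
    result = {}
    for source, inf_text in layers:
        for right, accounts in privilege_rights(inf_text).items():
            result[right] = (source, accounts)
    return result


def as_posted():
    """Rights set in Default Domain Policy: every domain computer gets them."""
    return effective_rights([("Local Security Policy", LOCAL),
                             ("Default Domain Policy", ADMINS_ONLY)])


def ou_scoped(in_restricted_ou):
    """Rights set only in a GPO linked to a hypothetical 'Restricted' OU."""
    layers = [("Local Security Policy", LOCAL),
              ("Default Domain Policy", UNDEFINED)]
    if in_restricted_ou:
        layers.append(("Restricted OU GPO", ADMINS_ONLY))
    return effective_rights(layers)


if __name__ == "__main__":
    for name, result in [("as posted", as_posted()),
                         ("OU member", ou_scoped(True)),
                         ("other computer", ou_scoped(False))]:
        print(name, result)
```

The source name returned with each right corresponds to what the Local Security Policy console shows: a right whose source is a GPO cannot be edited locally, while one still sourced from Local Security Policy can.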


