2003 server, GPOs, admin lockdown
- From: PeeGee <triessuk@xxxxxxxxxxx>
- Date: Thu, 15 Mar 2007 11:18:20 +0000
OK, I screwed up! I assumed that GPOs only apply to everything below the linked OU (subject to blocking) and that loopback only takes effect if the computer/user GPO containing the loopback is invoked. "What happened next" suggests that if loopback/merge is enabled *anywhere*, it applies to *all* computers and users.
The problem: I work 3 days a week at a nearby school, maintaining the network and computers. Having recently replaced NT4 server with 2003 server and commencing to set up GPOs, the Win98 clients started generating errors. A new GPO was linked to a 4th (bottom) level OU containing 10 XP Pro domain members, user policies were defined and loopback/merge enabled to apply those policies to users logging onto any of the 10 computers. The effect of this was to do nothing for the Win98 problem and to apply the policies to the primary domain controller, which means that domain admins can no longer run essential tasks, such as *.msc applications, software audits and "pushed" updates, on this system.
This is not yet catastrophic, as the other two DCs (which do not have gpmc installed) are unaffected and are still able to manage the domain and update GPOs, but the PDC is steadfastly refusing to allow any changed GPOs to be applied to itself, even though running mmc on the PDC and adding the snap-ins shows modelling results that should have the new policies applied (mmc is unable to save anything).
I have a backup from before the problem, but I would prefer to restore only elements that may cure the problem rather than a blanket "restore everything". I have no problem with editing the registry (it is something that is regularly done in resolving problems with Win98 systems) if there are elements that can be changed. As a last resort, I could install/repair or new install, but that would have to wait until the school holidays to prevent disruption to classes.
Any advice would be gratefully received.
PeeGee
--
The reply address is a spam trap. All mail is reported as spam.
"Nothing should be able to load itself onto a computer without the
knowledge or consent of the computer user. Software should also be
able to be removed from a computer easily."
Peter Cullen, Microsoft Chief Privacy Strategist (Computing 18 Aug 05)