Re: No Shut Down or Restart for Domain Admins



I ran RSOP.MSC and it produced the same information as the report I included
previously.

Jef

"Jorge Silva" wrote:

Hi
None of the domain admins have access on the PDC to the shut down or restart
option off the start menu. The only option is to log off. The workstations
and other 2003 server appear to be fine although it looks like the group
policies aren't being propagated to all systems either but that is the next
issue.

So your problem is that the shutdown option isn't available, correct?
Run rsop.msc from your DC and check which policy is responsible for this.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Jef Dye" <JefDye@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B89E3F3A-9C4E-4E69-86A2-A61A2176C906@xxxxxxxxxxxxxxxx
Okay, I think I screwed up somewhere and need some help.

None of the domain admins have access on the PDC to the shut down or restart
option off the start menu. The only option is to log off. The workstations
and other 2003 server appear to be fine although it looks like the group
policies aren't being propagated to all systems either but that is the next
issue.

I have created a group policy in a development network and imported it into
the production network when I thought it was ready to go. It works fine in
the development network but had this bizarre fallout of changing the shut
down and restart settings off the start menu in the production environment.

I am including the group policy settings I have imported into the
production domain for review.

Default Domain Policy
Data collected on: 8/22/2006 10:00:45 AM

General
Details
Domain production.test.local
Owner PRODUCTION0\Domain Admins
Created 7/5/2006 4:34:12 PM
Modified 8/9/2006 2:28:34 PM
User Revisions 2 (AD), 2 (sysvol)
Computer Revisions 8 (AD), 8 (sysvol)
Unique ID {31B2F340-016D-11D2-945F-00C04FB984F9}
GPO Status All settings disabled

Links
Location Enforced Link Status Path
production No Enabled production.test.local

This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
PRODUCTION0\Domain Admins Edit settings, delete, modify security No
PRODUCTION0\Enterprise Admins Edit settings, delete, modify security No

Computer Configuration (Disabled)
Windows Settings
Security Settings
Account Policies/Password Policy
Policy Setting
Enforce password history 24 passwords remembered
Maximum password age 90 days
Minimum password age 1 days
Minimum password length 8 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled

Account Policies/Account Lockout Policy
Policy Setting
Account lockout duration 20 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 20 minutes

Account Policies/Kerberos Policy
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes

Local Policies/Audit Policy
Policy Setting
Audit account logon events Success, Failure
Audit account management Success, Failure
Audit directory service access Failure
Audit logon events Success, Failure
Audit object access Failure
Audit policy change Success, Failure
Audit privilege use Success, Failure
Audit process tracking Failure
Audit system events Success, Failure

Local Policies/User Rights Assignment
Policy Setting
Bypass traverse checking BUILTIN\Remote Desktop Users, Everyone
Deny access to this computer from the network BUILTIN\Guests
Deny log on locally guest
Deny log on through Terminal Services guest

Local Policies/Security Options
Accounts
Policy Setting
Accounts: Limit local account use of blank passwords to console logon only Enabled

Devices
Policy Setting
Devices: Allow undock without having to log on Disabled
Devices: Allowed to format and eject removable media Administrators
Devices: Restrict floppy access to locally logged-on user only Enabled

Domain Member
Policy Setting
Domain member: Require strong (Windows 2000 or later) session key Enabled

Interactive Logon
Policy Setting
Interactive logon: Do not display last user name Disabled
Interactive logon: Do not require CTRL+ALT+DEL Disabled
Interactive logon: Message text for users attempting BLAH BLAH BLAH.....
Interactive logon: Message title for users attempting to log on "Company Notification"
Interactive logon: Number of previous logons to cache (in case domain controller is not available) 2 logons
Interactive logon: Prompt user to change password before expiration 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation Enabled
Interactive logon: Smart card removal behavior Lock Workstation

Network Access
Policy Setting
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled
Network access: Let Everyone permissions apply to anonymous users Disabled
Network access: Named Pipes that can be accessed anonymously COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts Classic - local users authenticate as themselves

Network Security
Policy Setting
Network security: Do not store LAN Manager hash value on next password change Enabled
Network security: Force logoff when logon hours expire Enabled
Network security: LAN Manager authentication level Send NTLMv2 response only\refuse LM & NTLM
Network security: LDAP client signing requirements Require signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
    Require message integrity Enabled
    Require message confidentiality Enabled
    Require NTLMv2 session security Enabled
    Require 128-bit encryption Enabled

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Enabled
    Require message integrity Enabled
    Require message confidentiality Enabled
    Require NTLMv2 session security Enabled
    Require 128-bit encryption Enabled


Recovery Console
Policy Setting
Recovery console: Allow automatic administrative logon Disabled
Recovery console: Allow floppy copy and access to all drives and all folders Disabled

Shutdown
Policy Setting
Shutdown: Allow system to be shut down without having to log on Disabled
Shutdown: Clear virtual memory pagefile Enabled

System Objects
Policy Setting
System objects: Default owner for objects created by members of the Administrators group Object creator
System objects: Require case insensitivity for non-Windows subsystems Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled

System Settings
Policy Setting
System settings: Optional subsystems

Other
Policy Setting
Network access: Remotely accessible registry paths
    System\CurrentControlSet\Control\ProductOptions,
    System\CurrentControlSet\Control\Server Applications,
    Software\Microsoft\Windows NT\CurrentVersion

Event Log
Policy Setting
Maximum application log size 81920 kilobytes
Maximum security log size 81920 kilobytes
Maximum system log size 81920 kilobytes
Prevent local guests group from accessing security log Enabled
Retention method for application log As needed
Retention method for security log As needed
Retention method for system log As needed

Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled


Public Key Policies/Encrypting File System
Properties
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled

Certificates
Issued To Issued By Expiration Date Intended Purposes
Administrator Administrator 3/6/2005 11:49:00 AM File Recovery

For additional information about individual settings, launch Group Policy
Object Editor.

Public Key Policies/Trusted Root Certification Authorities
Properties
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only

Administrative Templates
System
Policy Setting
Turn off Autoplay Enabled
    Turn off Autoplay on: All drives


System/Group Policy
Policy Setting
Group Policy refresh interval for computers Enabled
    This setting allows you to customize how often Group Policy is applied
    to computers. The range is 0 to 64800 minutes (45 days).
    Minutes: 60

    This is a random time added to the refresh interval to prevent
    all clients from requesting Group Policy at the same time.
    The range is 0 to 1440 minutes (24 hours)
    Minutes: 30

Policy Setting
Group Policy refresh interval for domain controllers Enabled
    This setting allows you to customize how often Group Policy is applied
    to domain controllers. The range is 0 to 64800 minutes (45 days).
    Minutes: 5

    This is a random time added to the refresh interval to prevent
    all clients from requesting Group Policy at the same time.
    The range is 0 to 1440 minutes (24 hours)
    Minutes: 0

Policy Setting
Registry policy processing Enabled