RE: GPO's applied but not working



Dear Customer,

Thank you for posting to the SBS Newsgroup.

I understand that you want to know how to remove the "remove run menu from
start menu" and "Prohibit access to the Control Panel" from one client
workstation.

I have performed a test on my test machine, and the test was successful.
Please note that "remove run menu from start menu" and "Prohibit access to
the Control Panel" are located at User Configuration\Administrative Templates,
so we need to apply to the User OU, not Computer OU. From your description,
I understand that you created an OU which includes User accounts and a
Computer account. I suggest that you create an OU which only contains user
accounts and test the issue again.

Here are my steps:

============

"Remove run menu from start menu":

a. On the SBS Server, open Group Policy Management.
b. Expand to Forest\Domains\Yourdomain.local\Group Policy Objects.
c. Right click Group Policy Objects, select New.
d. Name the new Group Policy Object.
e. Right click the Group Policy Object and select Edit.
f. In the Group Policy Object Editor, expand to User
Configuration\Administrative Templates\Start Menu and Taskbar.
g. On the right pane, double click "Remove run menu from start menu", and
select Enable.
h. Expand to Active Directory Users and
Computers\Yourdomain.local\MyBusiness\Users.
i. Right click Users and select New -> Organizational Unit and name it.
j. Move those user accounts you want to apply this GPO to the New OU just
created in step i.
k. Link the GPO you created at step d to this New OU (Group Policy
Management\Forest\Domains\Yourdomain.local\MyBusiness\Users).
l. Go to Start -> Run "gpupdate /force".
m. Test the issue again.

NOTE: The group policy is not being applied to the Guest or Administrator
account on Windows 2000 or Windows XP on a stand alone or workgroup machine.

NOTE: We do not suggest that customers enable the Run menu item. This is
because when you use \\<computer name> in the Address box of Windows
Explorer, it loads the RUN function. The \\<computer name> will not work
after we disable RUN to secure the system.

============

"Prohibit access to the Control Panel":

To disable Control Panel, please refer to my steps above, and configure
the following Group Policy Object:

User Configuration\Administrative Templates\Control Panel\Prohibit access
to the Control Panel.

Here is a reference article on Windows 2000 Terminal Server that introduces
a similar scenario; please see:

278295 How to Lock Down a Windows 2000 Terminal Server Session
http://support.microsoft.com/?id=278295

Please take your time to perform the steps. If you have any updates, please
feel free to let me know. I am looking forward to hearing from you!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
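
The steps in the reply above (c through k), scripted as an added example that is not part of the original posting. It assumes a later Windows Server or admin workstation with the GroupPolicy and ActiveDirectory PowerShell modules (SBS 2003 itself does not ship them); the GPO name, OU name and user names are placeholders.

```powershell
# Added example: all names below are placeholders for illustration.
Import-Module GroupPolicy, ActiveDirectory

$GpoName  = 'No Control Panel or Run'                        # hypothetical GPO name
$ParentOu = 'OU=Users,OU=MyBusiness,DC=yourdomain,DC=local'  # container from step h
$OuName   = 'RestrictedUsers'                                # hypothetical OU name
$Users    = 'testuser1', 'testuser2', 'testuser3'            # hypothetical accounts
# Both policies are User Configuration settings stored under this HKCU key.
$Key      = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Steps c-g: create the GPO and enable the two user policies.
New-GPO -Name $GpoName | Out-Null
foreach ($valueName in 'NoRun', 'NoControlPanel') {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $valueName `
        -Type DWord -Value 1 | Out-Null
}

# Steps h-j: create an OU that holds only user accounts, then move the users.
New-ADOrganizationalUnit -Name $OuName -Path $ParentOu
$TargetOu = "OU=$OuName,$ParentOu"
foreach ($name in $Users) {
    Get-ADUser -Identity $name | Move-ADObject -TargetPath $TargetOu
}

# Step k: link the GPO to the new OU.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# Check 1: a GPO whose user half is disabled is skipped for user settings.
$status = "$((Get-GPO -Name $GpoName).GpoStatus)"
if ('UserSettingsDisabled', 'AllSettingsDisabled' -contains $status) {
    Write-Warning "User settings are disabled in '$GpoName' (GpoStatus: $status)."
}

# Check 2: the link exists and is enabled on the OU.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } |
    Format-Table DisplayName, Enabled, Enforced, Order

# Check 3: the accounts really live in the linked OU. A user object that sits
# elsewhere never receives these settings, whatever OU its computer is in.
Get-ADUser -Filter * -SearchBase $TargetOu | Format-Table SamAccountName, DistinguishedName

# Steps l-m run on the client as the affected user: gpupdate /force, log on again,
# then confirm NoRun and NoControlPanel are both 1:
#   Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
```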



--------------------
Thread-Topic: GPO's applied but not working
From: "=?Utf-8?B?S21hbmZyb213ZXN0bGFuRA==?="
<KmanfromwestlanD@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: GPO's applied but not working
Date: Mon, 13 Feb 2006 16:13:57 -0800
Newsgroups: microsoft.public.windows.server.sbs

I have SBS 2003 Tech Net DVD version installed and running on a single IDE
drive with 1 Gig of RAM and a 2.0 processor. I have an OU created and one
computer account in that OU and 3 users in the same OU. This entire setup is
for testing, exploring etc. (and yes the Tech Net DVD would not boot but I
worked around that problem)

I have created a GPO called MyGPO and linked it to MyOU and have set MyGPO
to restrict access to the control panel and to remove the run command from
the start menu.
I have applied this GPO, rebooted pc that is assigned to the OU and also
logged in and out several times with all three user ID's that are assigned to
the OU.

The control panel is not restricted and the run command is on the start
bar.

I have run the Group Policy Modeling Wizard on each user in the OU and all
indicate the following:
Applied GPO's: Default Domain Policy, then No Control Panel or Run Bar
Denied GPO's: Several are denied but the reason is Empty or Disabled GPO.
(Lockout Policy and Remote Assistance Policy are the two disabled)
I checked the Default Domain Policy and there isn't anything configured for
the two items in MyGPO.

What on earth could be causing MyGPO to not work?





