RE: Group Policy Delegation



Hello Customer,

Thank you for posting here.

According to your description, I understand that you cannot change the
firewall setting by changing the delegation of the GPO. If I have misunderstood
the problem, please don't hesitate to let me know.

Based on my research, the GPO under the Domain container will only apply to
the DC (SBS server). If you want to apply the GPO settings to domain clients,
please create a GPO under domain.local.

If the customer installed the update 872769, an existing GPO, "Small
Business Server Windows Firewall", is enabled and linked at the Domain
level on the SBS Server by default.

1. I would like to mention that, to use the Windows XP SP2 computers in SBS
2003 environment, you may want to apply the update of KB872769 so that the
firewall settings can be automatically defined by the Windows group policy:

872769 You cannot configure Windows Firewall settings or Security Center
settings on a Windows XP Service Pack 2-based client computer that is in a
Windows Small Business Server 2003-based network
http://support.microsoft.com/?id=872769

2. Then we can modify the existing GPO under domain.local (Small Business
Server Windows Firewall) instead of creating a new GPO.

Meanwhile, the Delegation permission is not the function for controlling
who will apply this GPO. Please use Security Filtering to control which
user will apply this GPO:

1. Please select Small Business Server Windows Firewall under domain.local.

2. In the right pane, select the Scope tab.

3. In Security Filtering, please select the user accounts or groups who
need to apply this GPO.

4. Run gpupdate /force on the server.

5. Log off and log on one time on the client machine.

If the issue persists, please kindly help me collect some information for
further investigation:

1. Please let me know the detailed purpose of your action.

2. Is there any error when you did it?

3. Save the application event log and system event log as evt files on the
problematic machines and send to my mailbox: v-terliu@xxxxxxxxxxxxx

4. Please also gather the gpresult outcome on the problematic machine (run
gpresult at the command line).

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support


--------------------
| From: "Mr Happy" <cdollar@xxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Group Policy Delegation
| Date: 28 Dec 2006 10:05:10 -0800
|
| I am having problems delegating a GPO for a test user account.
|
| I created a "Firewall" GPO under the Domain container. Then with
| the Firewall GPO selected in the left pane of Group Policy Management
| Console, I went to the Delegation tab and clicked Advanced. I selected
| Authenticated users and removed the Allow check for Apply Group Policy.
| I then selected the test group and added the Allow check for Apply
| Group Policy.
|
| I Linked and Enforced the policy, then opened a command prompt and ran
| gpupdate /force on the server and did the same on the test machine. I
| even rebooted the machine and the firewall has not changed.
|
| Any Ideas on what I am doing wrong or forgetting?
|
|
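
As an aid for reading the gpresult output requested in the reply above, the following added example (not part of the original posts) parses gpresult text output and reports, for the computer and user scopes separately, whether a named GPO was applied or filtered out. The function names `parse_gpresult` and `gpo_status` are hypothetical and the sample report is constructed; `Denied (Security)` is the reason gpresult gives when the account lacks Read or Apply Group Policy permission on the GPO.

```python
# Constructed sample (not from the thread), laid out like English gpresult text output.
SAMPLE = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Small Business Server Windows Firewall
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Firewall
            Filtering:  Denied (Security)
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
"""
APPLIED = "Applied Group Policy Objects"
FILTERED = "The following GPOs were not applied because they were filtered out"

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    report, scope, section, last = {}, None, None, None
    for i, line in enumerate(lines):
        if set(line) == {"-"}:
            continue  # underline row beneath a heading
        if i + 1 < len(lines) and set(lines[i + 1]) == {"-"}:  # underlined = heading
            if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
                scope = line.split()[0].lower()
                report[scope] = {"applied": [], "filtered": {}}
            section = {APPLIED: "applied", FILTERED: "filtered"}.get(line)
            last = None  # any other heading ends the current GPO list
        elif scope is None or line == "N/A":
            continue
        elif section == "applied":
            report[scope]["applied"].append(line)
        elif section == "filtered":
            if not line.startswith("Filtering:"):
                last = line  # GPO name; its reason follows on the next line
            elif last:
                report[scope]["filtered"][last] = line.split(":", 1)[1].strip()
    return report

def gpo_status(report, gpo):
    """Per scope: 'applied', 'filtered: <reason>', or 'not listed'."""
    return {s: "applied" if gpo in d["applied"]
            else "filtered: " + d["filtered"][gpo] if gpo in d["filtered"]
            else "not listed" for s, d in report.items()}
```

A result of `not listed` for a scope means gpresult did not evaluate the GPO for that object at all, so the link location is the thing to check rather than the permissions.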
