Re: Group Policy Delegation
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Mon, 08 Jan 2007 07:46:29 GMT
Hello Customer,
Thank you for kind update.
I'm glad to hear that things are working correctly for you now. Thank you
very much for sharing out your resolution.
Per my research, your resolution is good. Meanwhile, GPO will apply on
different accounts and different computers depend on several reasons:
a. Where the GPO link to. If it links to domain.local, it will apply to all
computers include SBS. If it links to Domain Controllers, it will only
apply on SBS server. You can see the Links box under the Scope tab of each
GPO.
b. Security Filtering. You can see it under Scope tab too. It will let you
which groups, users, or computers will apply this GPO. You can modify the
list as your request.
c. WMI Filtering.
Additional info:
HOW TO: Delegate Authority for Editing a Group Policy Object (GPO)
http://support.microsoft.com/?id=221577
Administering Group Policy with the GPMC
http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx
Frequently Asked Questions About the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/gpmcfaq.mspx
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
I am just standing to see whether there is anything further I can do for
you. If you have any concerns, please feel free to let me know. I am glad
to be of assistance. :-)
Thanks and have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Mr Happy" <cdollar@xxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: Group Policy Delegation
| Date: 5 Jan 2007 13:19:58 -0800
| Organization: http://groups.google.com
| Lines: 30
| Message-ID: <1168031998.092925.229940@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| References: <1167329110.360367.300890@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| <2R99TkyKHHA.2304@xxxxxxxxxxxxxxxxxxxxxx>
| NNTP-Posting-Host: 216.91.91.38
| Mime-Version: 1.0
| Content-Type: text/plain; charset="us-ascii"
| X-Trace: posting.google.com 1168032006 17970 127.0.0.1 (5 Jan 2007
21:20:06 GMT)
| X-Complaints-To: groups-abuse@xxxxxxxxxx
| NNTP-Posting-Date: Fri, 5 Jan 2007 21:20:06 +0000 (UTC)
| User-Agent: G2/1.0
| X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1),gzip(gfe),gzip(gfe)
| Complaints-To: groups-abuse@xxxxxxxxxx
| Injection-Info: s80g2000cwa.googlegroups.com; posting-host=216.91.91.38;
| posting-account=vhiMdw0AAAAwcQ9CcWQkpQ7Is60Nf2-M
| Path:
TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS01.phx.gbl!newsfeed0
0.sul.t-online.de!t-online.de!border2.nntp.dca.giganews.com!border1.nntp.dca
giganews.com!nntp.giganews.com!postnews.google.com!s80g2000cwa.googlegroups
com!not-for-mail
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:8471
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| "Please let me know the detail purpose of your action."
|
| I trying to I am trying to control the local windows firewall on the
| workstations. Enabling certain ports to be opened and specific
| programs to be disabled.
|
|
| I double checked my settings and tried a different approach. I added
| the computer name to the deligation list then added the Apply Group
| Policy check for it alone.
|
| It worked!
|
| I tried once more to apply the policy to Authenticated users and
| brought down the entire corporation. (oops)
|
| After removing the policy and enabling the company to work, I checked
| the Domain controller firewall. It is dissabled, because a alternate
| firewall is being used by the server. I enabled it for a second and
| found the same problem as in having the policy enabled, So I added the
| server to the list and denied the right to Apply Group Policy for the
| Firewall GPo. When I enabled the policy for Authenticated users it
| worked properly.
|
| I guess my question is this...
|
| Is it considered "Standard Policy" to remove the Domain Servers and/or
| Administrative accounts from All policies in general or policies like a
| firewall policy?
|
|
.
- References:
- Re: Group Policy Delegation
- From: Mr Happy
- Re: Group Policy Delegation
- Prev by Date: Re: Email Question - multiple reading same box at once?
- Next by Date: Re: Two SBS 2003 Servers in Single Domain
- Previous by thread: Re: Group Policy Delegation
- Next by thread: How do i restrict users from logging in to a PC
- Index(es):
Relevant Pages
|
