Re: Group Policy Won't Apply Unless User is a Member of Domain Admin. Why?
- From: jonathan.elkins@xxxxxxxxx
- Date: 20 Mar 2007 12:42:58 -0700
It contains Authenticated Users (which were added by default) and
gVTT_Everyone: the security group that my test user is a member of.
BALTIMORE: the computer that I'm trying to get this to work on.
I added the group and the computer myself. Authenticated Users was, as
you wrote, added by default when I created the gpo. I have tried to
resolve my problem by setting permission for all to read and apply and
with full control. Neither does the trick. My gpo will only apply to my
user if he is a member of "Domain Admins".
On Mar 20, 6:57 am, "Dave Nickason [SBS MVP]"
<gwdib...@xxxxxxxxxxxxxxxxxxxxxx> wrote:
I gave this a fairly quick read, and can't see what you've got set for
security filtering. In the Group Policy Management Console, if you select
the GPO in the left pane, what does it say in the right pane, Scope tab,
under Security Filtering? By default, the GPO should contain "authenticated
users." This is where you'd set this, not in Delegation.
<jonathan.elk...@xxxxxxxxx> wrote in message
news:1174183515.630355.260110@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello.
I have created a group policy object (gpo) that I would like to apply
to most of the users in my active directory (ad). My problem is the
gpo will only apply if the test user (uTest) is a member of the Domain Admins (DA) security group. I definitely don't want my users to be in
Domain Admins. I'm trying to restrict access. I don't think putting
people in DA is a good way to do this. Here is some background:
A) I am running Windows SBS 2003 SP1 as a file server and domain
controller.
B) The test workstation (and all my workstations) is/are running
Windows XP SP2.
C) uTest (my test user) is also member of only two other security
groups (gVTT_Everyone and gVTT_TNS).
Both groups I have created and have set up with minimum access
to shared folders on my server. uTest is not a member of any
built in security groups or
default groups; except for Domain Admins when I want to see the
effect of my gpo.
D) uTest is in an organizational unit (oTest -> uTest).
E) oTest is in an organizational unit also (oVTT -> oTest -> uTest).
F) vtt.local is in my one and only domain (vtt.local -> oVTT ->
oTest -> uTest).
G) My gpo (gpoVTT) is linked to oTest.
H) Sometimes I use Specops Gpupdate to apply my gpo to the
workstation.
I) Sometimes I use Sysinternals "psexec \\<workstationame> gpupdate" to
apply gpoVTT to the workstation. Both psexec and specops work as
expected. That is, the gpo is applied (but of course only if uTest
is a member of "Domain Admins"). These tools work well in that many
changes are applied without me needing to log uTest off or restart
the workstation. On many occasions, just to be sure, I have logged
uTest off and I have restarted the test workstation.
J) gpoVTT does the following: restricts the running of some windows
components, prevents windows updates, hides all drives in windows
explorer, limits what users can do to their start menus, prevents
users from changing their desktops, hides all icons on the desktop,
prevents the addition, or deletion of printers, forces Windows
classic theme, disables screen savers, restricts applets in the
control panel, redirects my documents, hides start up scripts,
forces classic logon, turns off autoplay, adds some ports to
windows firewall, turns on and prevents users from turning off
windows firewall (I have disabled the FW so that I can force updates
to my test workstation). And all this happens if uTest is a member
of Domain Admins. Otherwise it does not.
I have tried the following in vain to resolve this problem:
1) I have removed all other group policy links on my domain
(vtt.local) and all OU except
for the gpo that I am trying to apply (gpoVTT) and...
2) ...I have not removed gpo "Default Domain Controllers Policy"
from OU "Domain Controllers".
I am a little concerned that if I did I might create serious
problems for myself and my users.
3) I have removed "Default Domain Policy" from the domain.
4) I have set the delegation security on all OUs and the gpo itself
for one of the security groups
that uTest is a member of (gVTT_Everyone) to "Full Control".
5) I have set the delegation security on all OUs and the gpo itself
for uTest himself to "Full Control".
6) I have set the delegation security on all OUs and the gpo itself
for my test workstation
(named BALTIMORE) himself to "Full Control".
7) I have put the workstation that I am testing this on (name is
BALTIMORE) in OU "oTest" (the same one that the gpo is linked to
and uTest is in).
8) I have left the workstation that I am testing all this on in
"Computers" (its default location).
9) I have deleted BALTIMORE from the AD and used the "New Object -
Computer" wizard to put it
back.
10) I have deleted uTest and oTest and recreated them and done all
these things again.
11) I have enforced and not enforced the gpo link before applying
it.
12) I have linked gpoVTT to the domain and moved my user there. That
is: I have removed the
user from any organizational units.
13) I have made the test workstation (BALTIMORE) a member of Domain Admins.
Nothing I have done allows the gpo to be applied to uTest on BALTIMORE
unless uTest is a member of Domain Admins. Any suggestions?
Jonathan.