Re: Move W2K3 server to its own OU separate from SBS (MyBusiness) OU



California SBS Dreaming wrote:
"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23fTj8BLWIHA.5208@xxxxxxxxxxxxxxxxxxxxxxx
California SBS Dreaming wrote:
I think this thread is getting too long and the task I want to
really do is beginning to get more complicated than it should be.
All I want to be able to do is manage the local policies on the
member server and not have it defined by the SBS server. I created
a new OU at the same level as MyBusiness and called it MyCitrix. I
thought that was all that was needed. When I log onto the member
server and open the local policy editor I cannot manage the "log on
locally" and the "log on as a service" policies. These are being
defined by the SBS server. A few simple questions here.
Did I create the new OU - MyCitrix at the wrong level?
How or what do I need to do to be able to manage these policies on
the member server?

This was my point. To the best of my knowledge only domain
controllers have a group policy that defines 'log on locally'. If
your 'server' is a domain controller, then that is appropriate. If
it is just a member server, and it hasn't been inadvertently placed
in the domain controllers OU, then it should not have that policy.
Unless someone changed the 'out of the box' settings of course.

If you want some help diagnosing *why* then your participation is
needed.

1) Is the server a DC or *not*? (If you're not sure, we can help you
make that determination.)

This is not a DC and I am 100% positive about that.

2) On the member server, at a command prompt, type the line below.
Then post the gpresult.txt file here.

gpresult /scope computer /z>gpresult.txt

This will detail which policy is setting the 'log on locally'

"MyCitrix" ? Is there something else "special" about this server?

Nothing special. This is my citrix server hence the name for the new
OU I created. thanks for your assistance.


Microsoft (R) Windows (R) Operating System Group Policy Result tool
v2.0 Copyright (C) Microsoft Corp. 1981-2001

Created On 1/17/2008 at 8:52:38 AM



RSOP data for MACCABEE\Administrator on RACHEL : Logging Mode
--------------------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003,
Standard Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and
Settings\Administrator.MACCABEE
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=Rachel,OU=Servers,OU=Computers,OU=MyCitrix,DC=MACCABEE,DC=local
Last time Group Policy was applied: 1/17/2008 at 8:47:51 AM
Group Policy was applied from: abraham.MACCABEE.local
Group Policy slow link threshold: 500 kbps
Domain Name: MACCABEE
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Small Business Server Domain Password Policy
Small Business Server Remote Assistance Policy
Small Business Server Lockout Policy
Small Business Server Client Computer
Default Domain Policy
Instant Messenger Policy Rule
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
IIS_WPG
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
Rachel$
SBS 2003 Servers
Domain Computers

Resultant Set Of Policies for Computer
---------------------------------------


Well, this is what is blocking you.

GPO: Default Domain Policy
Policy: InteractiveLogonRight
Computer Setting: Administrators
Remote Desktop Users

....but this setting locks *every* computer in the domain to interactive
logon of only Administrators and RDP users. Definitely *not* standard, *not*
what SBS put in place. This could have been from a previous domain policy or
some other administrator, but it isn't 'standard' by any means. The simplest
'work-around' would be to add your special account to the RDP users group,
or this setting in the default domain policy.

Then I'd attempt to find out why and how this setting got changed to what it
is, and begin evaluating the implications of changing it back to 'standard'
as well as auditing *all* of the group policy settings for the domain.


--
/kj
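
An added example, not part of the original posts: a small Python parser for the "Resultant Set Of Policies" section of a saved gpresult /z report, listing which GPO defines each logon right so that a domain-wide restriction like the one identified above stands out. The sample report is constructed (its second GPO, account name and the ServiceLogonRight entry are invented), and the domain_gpos default and the "LogonRight" suffix match are assumptions.

```python
import re

# Constructed sample report. The first record mirrors the excerpt quoted in
# the thread; the second GPO and its account name are invented.
SAMPLE = """\
Resultant Set Of Policies for Computer
---------------------------------------

    GPO: Default Domain Policy
        Policy:            InteractiveLogonRight
        Computer Setting:  Administrators
                           Remote Desktop Users

    GPO: Example Server Policy
        Policy:            ServiceLogonRight
        Computer Setting:  EXAMPLE\\svc-app
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")


def parse_rsop(text):
    """Return one {'gpo', 'policy', 'values'} record per reported setting."""
    records, current, in_values = [], None, False
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if match:
            key, value = match.group(1).strip(), match.group(2).strip()
            in_values = False  # any "Key:" line ends a wrapped value list
            if key == "GPO":
                current = {"gpo": value, "policy": None, "values": []}
                records.append(current)
            elif current is not None and key == "Policy":
                current["policy"] = value
            elif current is not None and key == "Computer Setting":
                current["values"] = [value] if value else []
                in_values = True
        elif in_values and line.strip():
            current["values"].append(line.strip())  # wrapped account name
        else:
            in_values = False  # a blank line ends the record
    return records


def domain_wide_logon_rights(records, domain_gpos=("Default Domain Policy",)):
    """Logon rights defined by GPOs assumed to be linked at the domain root."""
    return [r for r in records if r["gpo"] in domain_gpos
            and (r["policy"] or "").endswith("LogonRight")]


if __name__ == "__main__":
    for rec in domain_wide_logon_rights(parse_rsop(SAMPLE)):
        print(f'{rec["gpo"]}: {rec["policy"]} = {", ".join(rec["values"])}')
```

To use it on a real report, read gpresult.txt with the encoding the file was saved in and pass every GPO linked at the domain root in domain_gpos.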

