Re: Move W2K3 server to its own OU separate from SBS (MyBusiness) OU



I think that is what I want to do kj. I would like to filter these two
policies from inheriting the default domain policies of the SBS server. I'm
not worried that the current rights will no longer be there. I can reapply
them locally. So my next question just to be safe and sure is where do I
filter these two policies?

"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:OA$O2IVWIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
California SBS Dreaming wrote:
kj,
Thanks. I know what the reasons are and why. As stated because the
policies I need to manage on the member server is being controlled by
the SBS Default Domain policy. I know all of this already. The reason
why the Remote Desktop Users are part of the SBS Default Domain
Policy it is because I cannot manage it from the local machine. Do
you see what I'm saying here? I know all of what is going on and the
reasons why. I certainly do appreciate all of your input but still my
issues are not resolved. Let me try to ask it another way.

How can I make that member to not inherit any of the SBS Default
Domain Policies. All other policies on the member server I can manage
locally. It's only the 2.
Log on locally and Log on as a Service.

In direct answer to your question, you would need to filter this
particular server from applying the default domain policy through either a
filter or an explicit deny on the policy.
Either method will completely filter applying the default domain policy to
this server. Just to be clear *ALL* settings in that policy would no
longer apply to the filtered server.

...but just my final $.02 worth on this thinking; It's 180 out from a
good, let alone, 'best' group policy practice. (fwiw)



"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23j3VIDTWIHA.484@xxxxxxxxxxxxxxxxxxxxxxx
California SBS Dreaming wrote:
"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23fTj8BLWIHA.5208@xxxxxxxxxxxxxxxxxxxxxxx
California SBS Dreaming wrote:
I think this thread is getting too long and the task I want to
really do is beginning to get more complicated than it should be.
All I want to be able to do is manage the local policies on the
member server and not have it defined by the SBS server. I created
a new OU at the same level as MyBusiness and called it MyCitrix. I
thought that was all that was needed. When I log onto the member
server and open the local policy editor I cannot manage the "log
on locally" and the "log on as a service" policies. These are
being defined by the SBS server. A few simple questions here.
Did I create the new OU - MyCitrix at the wrong level?
How or what do I need to do to be able to manage these policies on
the member server?

This was my point. To the best of my knowledge only domain
controllers have a group policy that defines 'log on locally'. If
your 'server' is a domain controller, then that is appropriate. If
it is just a member server, and it hasn't been inadvertently placed
in the domain controllers OU, then it should not have that policy.
Unless someone changed the 'out of the box' settings of course.

If you want some help diagnosing *why* then your participation is
needed.

1) Is the server a DC or *not*? (If you're not sure, we can help you
make that determination.)

This is not a DC and I am 100% positive about that.

2) On the member server, at a command prompt, type the line below.
Then post the gpresult.txt file here.

gpresult /scope computer /z>gpresult.txt

This will detail which policy is setting the 'log on locally'

"MyCitrix" ? Is there something else "special" about this server?

Nothing special. This is my citrix server hence the name for the new
OU I created. thanks for your assistance.


Microsoft (R) Windows (R) Operating System Group Policy Result tool
v2.0 Copyright (C) Microsoft Corp. 1981-2001

Created On 1/17/2008 at 8:52:38 AM



RSOP data for MACCABEE\Administrator on RACHEL : Logging Mode
--------------------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator.MACCABEE
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=Rachel,OU=Servers,OU=Computers,OU=MyCitrix,DC=MACCABEE,DC=local
Last time Group Policy was applied: 1/17/2008 at 8:47:51 AM
Group Policy was applied from: abraham.MACCABEE.local
Group Policy slow link threshold: 500 kbps
Domain Name: MACCABEE
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Small Business Server Domain Password Policy
Small Business Server Remote Assistance Policy
Small Business Server Lockout Policy
Small Business Server Client Computer
Default Domain Policy
Instant Messenger Policy Rule
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
IIS_WPG
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
Rachel$
SBS 2003 Servers
Domain Computers

Resultant Set Of Policies for Computer
---------------------------------------


Well, this is what is blocking you.

GPO: Default Domain Policy
Policy: InteractiveLogonRight
Computer Setting: Administrators
Remote Desktop Users

...but this setting locks *every* computer in the domain to
interactive logon of only Administrators and RDP users. Definitely
*not* standard, *not* what SBS put in place. This could have been
from a previous domain policy or some other administrator, but it
isn't 'standard' by any means. The simplest 'work-around' would be
to add your special account to the RDP users group, or this setting
in the default domain policy. Then I'd attempt to find out why and how
this setting got changed to what it is, and begin evaluating the
implications of changing it back to 'standard' as well as auditing
*all* of the group policy settings for the domain.


--
/kj

--
/kj
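
Added example, not part of the original thread: a small Python parser that reads the User Rights part of a `gpresult /z` report, such as the one quoted above, and reports which GPO defines each logon right, so rights set by a domain GPO (and therefore not editable in the local policy editor) stand out. The sample text is constructed; only the InteractiveLogonRight block is taken from the thread, and the name `ServiceLogonRight` for "Log on as a service" is an assumption.

```python
import re

# Constructed sample in the layout of the gpresult excerpt quoted in the thread.
# Only the InteractiveLogonRight block comes from the thread; the rest is invented.
SAMPLE = """\
        User Rights
        -----------
            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
                                   Remote Desktop Users

            GPO: Default Domain Policy
                Policy:            ServiceLogonRight
                Computer Setting:  NETWORK SERVICE

            GPO: Local Group Policy
                Policy:            BatchLogonRight
                Computer Setting:  BackupSvc

        Security Options
        ----------------
"""

KEY_RE = re.compile(r"^\s*(GPO|Policy|Computer Setting):\s*(.*)$")

def parse_policies(text):
    """Return [{'gpo', 'policy', 'principals'}] for each GPO/Policy block."""
    entries, gpo, cur, in_values = [], None, None, False
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "GPO":
                gpo, cur, in_values = val, None, False
            elif key == "Policy":
                cur = {"gpo": gpo, "policy": val, "principals": []}
                entries.append(cur)
                in_values = False
            elif cur is not None:          # "Computer Setting:" opens the value list
                in_values = True
                if val:
                    cur["principals"].append(val)
        elif in_values and line.strip() and not set(line.strip()) <= {"-"}:
            cur["principals"].append(line.strip())   # wrapped continuation value
        else:
            in_values = False              # blank line or heading ends the list
    return entries

def domain_defined(text, rights, local_gpo="Local Group Policy"):
    """Map each right in `rights` set by a non-local GPO to (gpo, principals)."""
    return {e["policy"]: (e["gpo"], e["principals"])
            for e in parse_policies(text)
            if e["policy"] in rights and e["gpo"] != local_gpo}
```

Calling `domain_defined(open("gpresult.txt").read(), {"InteractiveLogonRight", "ServiceLogonRight"})` on the member server's report lists the rights that a domain-linked GPO is overriding.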


