Re: Move W2K3 server to its own OU separate from SBS (MyBusiness) OU
- From: "kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 18 Jan 2008 11:01:25 -0700
California SBS Dreaming wrote:
Thanks kj for the info and warning. Let me ask you this, and I did do
this a while back, and this goes back to my original post. I know I
can create a new OU and move the member server to it so that it does not
inherit its GPO from the SBS server.
I think my problem is that I may have created the new OU at the
wrong level of the forest. The SBS "MyBusiness" OU resides on the
tree under domain.local, which is the same level where I created this
new OU (MyCitrix) and moved the W2K3 member server to. I want to be
able to control local policies on the W2K3 server. Did I create the
OU at the wrong level of my forest tree?
Policy is applied in order: Local (non-DCs), Site, Domain, OU(s). So your
Domain policy is going to apply to all computers in the domain. In this
case, individual settings may be superseded at the OU level. You can filter
the default domain policy, but not block its inheritance, because it has no
inheritance - it is a domain policy.
This is why the policy setting that you have is inappropriate at the domain
level.
"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:%230DLFsWWIHA.6140@xxxxxxxxxxxxxxxxxxxxxxx
California SBS Dreaming wrote:
I think that is what I want to do, kj. I would like to filter these
two policies from inheriting the default domain policies of the SBS
server. I'm not worried that the current rights will no longer be
there. I can reapply them locally. So my next question, just to be
safe and sure, is where do I filter these two policies?
In GPMC, you would add the server$ account in the "security
filtering" section of the default domain policy. Then use the
delegation and advanced settings to change from *allow* "apply group
policy" to *deny*. Be very certain that you make this *only* for the
Rachel$ computer account. (To add computers to the security
filtering, you'll need to change the object types and check the
"Computers" check box first.) ...and before doing so, I'd suggest a complete
understanding of GPO rules and security filtering. Test environments are
perfect for such exercises. Incomplete understanding of GPO processing is
a leading cause of shooting one's own foot.
(I lost a toe or two along the way.)
"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:OA$O2IVWIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
California SBS Dreaming wrote:
kj,
Thanks. I know what the reasons are and why. As stated, because the
policies I need to manage on the member server are being controlled
by the SBS Default Domain Policy. I know all of this already. The
reason why the Remote Desktop Users are part of the SBS Default
Domain Policy is because I cannot manage it from the local
machine. Do you see what I'm saying here? I know all of what is
going on and the reasons why. I certainly do appreciate all of
your input, but still my issues are not resolved. Let me try to
ask it another way. How can I make that member server not inherit any
of the SBS Default Domain Policies? All other policies on the member
server I can manage locally. It's only the two:
Log on locally and Log on as a service.
In direct answer to your question, you would need to filter this
particular server from applying the default domain policy through
either a filter or an explicit deny on the policy.
Either method will completely filter applying the default domain
policy to this server. Just to be clear, *ALL* settings in that
policy would no longer apply to the filtered server.
...but just my final $.02 worth on this thinking: it's 180 out
from a good, let alone 'best', group policy practice. (fwiw)
"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23j3VIDTWIHA.484@xxxxxxxxxxxxxxxxxxxxxxx
California SBS Dreaming wrote:
"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23fTj8BLWIHA.5208@xxxxxxxxxxxxxxxxxxxxxxx
California SBS Dreaming wrote:
I think this thread is getting too long, and the task I want to
really do is beginning to get more complicated than it should
be. All I want to be able to do is manage the local policies
on the member server and not have them defined by the SBS
server. I created a new OU at the same level as MyBusiness
and called it MyCitrix. I thought that was all that was
needed. When I log onto the member server and open the local
policy editor, I cannot manage the "log on locally" and the
"log on as a service" policies. These are being defined by
the SBS server. A few simple questions here. Did I create the
new OU - MyCitrix - at the wrong level?
How or what do I need to do to be able to manage these
policies on the member server?
This was my point. To the best of my knowledge only domain
controllers have a group policy that defines 'log on locally'.
If your 'server' is a domain controller, then that is
appropriate. If it is just a member server, and it hasn't been
inadvertently placed in the domain controllers OU, then it should not have
that policy. Unless someone changed the 'out of the box'
settings, of course. If you want some help diagnosing *why*,
then your participation is needed.
1) Is the server a DC or *not*? (If you're not sure, we
can help you make that determination.)
This is not a DC and I am 100% positive about that.
2) On the member server, at a command prompt, type the line
below. Then post the gpresult.txt file here.
gpresult /scope computer /z>gpresult.txt
This will detail which policy is setting the 'log on locally'.
"MyCitrix"? Is there something else "special" about this
server?
Nothing special. This is my Citrix server, hence the name for the
new OU I created. Thanks for your assistance.
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 1/17/2008 at 8:52:38 AM

RSOP data for MACCABEE\Administrator on RACHEL : Logging Mode
--------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Member Server
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\Administrator.MACCABEE
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=Rachel,OU=Servers,OU=Computers,OU=MyCitrix,DC=MACCABEE,DC=local
    Last time Group Policy was applied: 1/17/2008 at 8:47:51 AM
    Group Policy was applied from:      abraham.MACCABEE.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MACCABEE
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Domain Password Policy
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy
        Small Business Server Client Computer
        Default Domain Policy
        Instant Messenger Policy Rule
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        IIS_WPG
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        Rachel$
        SBS 2003 Servers
        Domain Computers

    Resultant Set Of Policies for Computer
    ---------------------------------------
Well, this is what is blocking you.
        GPO: Default Domain Policy
            Policy:            InteractiveLogonRight
            Computer Setting:  Administrators
                               Remote Desktop Users
...but this setting locks *every* computer in the domain to
interactive logon of only Administrators and RDP users.
Definitely *not* standard, *not* what SBS put in place. This
could have been from a previous domain policy or some other
administrator, but it isn't 'standard' by any means. The
simplest 'work-around' would be to add your special account to
the RDP users group, or to this setting in the default domain
policy. Then I'd attempt to find out why and how this setting
got changed to what it is, and begin evaluating the implications of
changing it back to 'standard', as well as auditing *all* of the group
policy settings for the domain.
--
/kj
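kj's diagnosis above rests on reading the verbose gpresult report to see which GPO actually won for InteractiveLogonRight, and on knowing which of the applied GPOs are linked at the domain level (and so reach every computer, cannot be edited from the local policy editor, and can only be superseded by an OU-linked GPO or filtered). The following script is an added example, not code from the thread or from Microsoft: it parses the text layout that "gpresult /scope computer /z" produced on Windows Server 2003, lists applied and filtered GPOs, finds the winning GPO for a named policy, and flags logon rights that a domain-linked GPO forces onto the member server. SAMPLE is constructed to follow the report quoted above (the computer, domain and OU names are taken from it); the exact column alignment, the ServiceLogonRight entry and the DOMAIN_LINKED_GPOS set are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the gpresult report quoted in the thread
# (names from the thread; indentation and the ServiceLogonRight entry assumed).
SAMPLE = """\
COMPUTER SETTINGS
------------------
    CN=Rachel,OU=Servers,OU=Computers,OU=MyCitrix,DC=MACCABEE,DC=local

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Domain Password Policy
        Default Domain Policy
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

    Resultant Set Of Policies for Computer
    ---------------------------------------
        User Rights
        -----------
            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
                                   Remote Desktop Users

            GPO: Default Domain Policy
                Policy:            ServiceLogonRight
                Computer Setting:  NT AUTHORITY\\NETWORK SERVICE
"""

# Assumption: the only domain-linked GPO in this SBS domain is the default one.
DOMAIN_LINKED_GPOS = {"Default Domain Policy"}


@dataclass
class Report:
    container: Optional[str] = None            # DN of the computer object
    applied: List[str] = field(default_factory=list)
    filtered: Dict[str, str] = field(default_factory=dict)   # GPO -> reason
    settings: List[Tuple[str, str, List[str]]] = field(default_factory=list)


def parse_gpresult(text: str) -> Report:
    """Single pass over the report; a heading is any line followed by a dash rule."""
    lines = text.splitlines()
    rep, section, gpo, last_filtered = Report(), None, None, None
    values: Optional[List[str]] = None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.startswith("CN="):
            rep.container = line
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.startswith("Resultant Set Of Policies for Computer"):
            section = "rsop"
        elif nxt and set(nxt) == {"-"}:
            values = None          # sub-heading such as "User Rights", not a value
        elif section == "applied":
            rep.applied.append(line)
        elif section == "filtered":
            if line.startswith("Filtering:"):
                rep.filtered[last_filtered] = line.split(":", 1)[1].strip()
            elif not line.startswith("WMI Filter:"):
                last_filtered = line
                rep.filtered.setdefault(line, "unknown")
        elif section == "rsop":
            if line.startswith("GPO:"):
                gpo = line.split(":", 1)[1].strip()
            elif line.startswith("Policy:"):
                values = []
                rep.settings.append((gpo, line.split(":", 1)[1].strip(), values))
            elif line.startswith("Computer Setting:"):
                values.append(line.split(":", 1)[1].strip())
            elif values is not None:
                values.append(line)  # continuation line of a multi-valued setting
    return rep


def winning_gpo(rep: Report, policy: str) -> Optional[Tuple[str, List[str]]]:
    """Which GPO set `policy` on this computer, and to what values."""
    for gpo, name, values in rep.settings:
        if name == policy:
            return gpo, values
    return None


def audit_domain_logon_rights(rep: Report) -> List[str]:
    """Logon rights forced by a domain-linked GPO reach every computer in the
    domain and cannot be changed from the local policy editor: flag them."""
    return [f"{name} set by '{gpo}' -> {', '.join(values)}"
            for gpo, name, values in rep.settings
            if name.endswith("LogonRight") and gpo in DOMAIN_LINKED_GPOS]


if __name__ == "__main__":
    rep = parse_gpresult(SAMPLE)
    print("computer object:", rep.container)
    print("applied:", rep.applied, "filtered:", rep.filtered)
    print("InteractiveLogonRight:", winning_gpo(rep, "InteractiveLogonRight"))
    for finding in audit_domain_logon_rights(rep):
        print("FINDING:", finding)
```

Run it against a saved gpresult.txt (read the file in place of SAMPLE) to get the same answer kj reached by eye; the audit list is the starting point for the review of all domain-level settings that his last paragraph recommends.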