extremelyignorant

Group Policy Does Not Work On Client Machines (2000 Server)

When I make changes to the group policy, such as not allowing them to change the wallpaper, the policies will take effect on the server when I log in as a user; however, they will NOT work when I log in as a user on a client machine. (I set up my users as roaming profiles.)
CrazyOne

Did you set up this policy on the client's machine? In other words, did you open group policy on the client's machine and set the policy there?


The Crazy One
jatcan

AND, use the Group Policy Objects located in Active Directory.

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/WINDOWS2000/techinfo/reskit/en-us/deploy/dgbe_sec_wopt.asp


the security objects in active directory include:

Account Policies
Local Policies
Event Log
Restricted Groups
Systems Services
Registry
File System
Public Key Policies
Internet Protocol Security Policies on Active Directory

and even then I am not sure if you can do what you want done through Active Directory; you may have to inject the reg policies onto the local machine at boot, via logon script, for the local machine.....capeesh?

Sorry, I don't know enough to help you with the scripting.
Setting the local policy on each machine individually (previously mentioned by CrazyOne) will work, but if you have 200+ machines this is very time-consuming even if you do it remotely.

extremelyignorant

ASKER

I am a little confused.  No, I have not set the group policy on each client machine because they are running Windows 2000 Professional. (Do they even have active directory?)  What do you mean "Open group policy on the client machines"?  The only machine running Win 2000 Server is my actual server.  I can ghost pretty effectively so setting the group policy on each machine wouldn't be a problem, if active directory is included with Win 2000 Professional. I guess I was under the wrong assumption that I could set group policies that would prevent users from making changes to local client machines wherever they roamed to.

Your help is appreciated!
ASKER CERTIFIED SOLUTION
BareFoot

This solution is only available to members.
BareFoot,

My clients get IP addresses and Internet access from a separate DHCP server. We are part of a large network. It is my job to manage thirty computers within a lab. I only need to implement group policy and roaming profiles for my needs as a teacher. When I manually enter the IP address of my server in the client's machine, group policy works; however, Internet access is terminated and I get a security log entry stating that the DHCP server on the large network has denied it. (I don't know what Dynamic DNS is.)
Are you sure you are a domain controller or just a logon server? If you are a logon server only then you can play around with policies all you want and you won't be affecting anything but your own machine. If you have a DC AND you do not have DC Admin rights, only local admin rights, then the same is true. Contact your administrators and ask them if you have a DC with DC rights; I believe they will say no, you do not have the power to make changes that will affect the whole domain.
Here is some stuff for you that should shed some light on your situation:

The following link tells you that you can add custom security policies using the Security Configuration Manager

http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q214752

It gives an example of a possible custom security policy setting:

[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0

[Strings]
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"

I've never used it personally and therefore do not know much about it.
***************************************************

If you DO have the ability to apply services to your OU (Organizational Unit) OR your LAB then this may
help you out also; it describes that the policies are not being applied across the Domain or OU even
when they are implemented from within Active Directory:

Windows 2000 Client May Not Apply Group Policies (Q246108)

http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q246108

****************************************************
HOW TO: Keep Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows 2000 (Q315675)

--------------------------------------------------------------------------------
The information in this article applies to:


Microsoft Windows versions 2000, 2000 SP1, 2000 SP2, Server
Microsoft Windows versions 2000, 2000 SP1, 2000 SP2, Advanced Server


--------------------------------------------------------------------------------


SUMMARY
This step-by-step article describes how to keep domain group policies from also applying to administrator
accounts and/or selected users. Windows 2000 uses group policies to control operating system behavior
and security settings for users and computers in a Windows 2000 network, and group policies can be applied
to either users and/or computers, at the site, domain, or organizational unit level.


Keeping Group Policies from Applying to Administrator Accounts
In most circumstances, if you want a group policy to apply only to specific accounts (either user accounts,
machine accounts, or both), you can accomplish this by placing the accounts in an organizational unit,
and then applying a group policy at that organizational unit level. However, there may be situations
in which you want to apply a group policy to an entire domain, but you may not want those policy settings
to also apply to administrator accounts or other specific users or groups. The following procedure can
keep a group policy from applying to administrative accounts (or any other group or user account you
specify) by editing the ACL (Access Control List) for the policy:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the left console tree, right-click the name of the domain to which the policy is applied, and then click Properties.

3. Click the Group Policy tab.

4. Click the group policy object that you do not want to apply to administrators. By default, the only policy that is listed in the window is the Default Domain Policy. If the group or user to which you do not want policies to apply doesn't appear in the list, use the following procedure:

   a. Click the Add button.

   b. Click the domain in which the account resides.

   c. Find the account, and then click it in the list.

   d. Click the Add button, and then click OK. This prevents the group policy object from being accessed and applied to the selected group or user account.

   Proceed with the remaining steps.

5. Click Properties, and then click the Security tab.

6. Click the administrators group (or other group or user) to which you don't want the policy to apply.

7. In the Permissions windows, click to select the Deny check box for the Apply Group Policy permission.


For additional information about servers or workstations in a non-domain environment (workgroup), click
the article number below to view the article in the Microsoft Knowledge Base:
Q293655 How to Apply Local Policies to all Users Except Administrators
**********************************************
AND if the admins say they can't do it for you then send them this, which describes giving you permissions
to set group policies in your OU (your lab) only.

HOW TO: Delegate Administration of Group Policies (Q275715)

--------------------------------------------------------------------------------
The information in this article applies to:


Microsoft Windows versions 2000, 2000 SP1, Advanced Server
Microsoft Windows versions 2000, 2000 SP1, Server


--------------------------------------------------------------------------------



SUMMARY
This article describes how to delegate administration of group policies. When you use a Windows 2000-based
computer, you can delegate the authority of group policies by policy name, for example, the group policy
for a site, domain, or organizational unit. You may want to grant other administrators or users the
permission to modify these policies in the administrators' or users' particular site, domain, or organizational
unit without granting those administrators or users write permissions to create new policies or delete
existing policies.


Grant a User Permission to Change Group Policy
To grant a user the permissions to make changes to an existing policy:
1. Start the Active Directory Users and Computers snap-in for Microsoft Management Console (MMC).

2. Right-click the site, domain, or organizational unit that you want other users or administrators to manage, and then click Properties.

3. On the Group Policy tab, click the policy for which you want to delegate administration, and then click Properties.

4. On the Security tab, click Add.

5. Add the user or group that you want to manage the policy, and then grant the user or group write permission for the policy.

6. Quit MMC.

***************************************************

And this one describes how to troubleshoot the scenario where they HAVE given you permissions to set
group policy on your OU but you still can't do it:

HOW TO: Delegate Administration of Group Policies (Q275715)


*********************************************

Follow this link for some more articles on Group policies:

http://search.support.microsoft.com/search/nlsearch.aspx?Catalog=LCID%3d1033%26CDID%3dEN-US-KB%26PRODLISTSRC%3dON&Product=win2000&Query=organizational%2520group%2520policies%2520&Queryc=organizational+group+policies+&REF=false&srchstep=0&KeywordType=ALL&Titles=false&numDays=&maxResults=25
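
Added example (not part of the original thread or of the Microsoft article it links to): a small Python parser for the custom security policy entry quoted above, showing how the line under [Register Registry Values] breaks down into registry path, value type, display name and display type, and how the %NoLMHash% token is resolved from [Strings]. The sample text is constructed from the two sections quoted in the thread; the function names are illustrative.

```python
import re

# Value-type and display-type codes used in [Register Registry Values] entries.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
DISPLAY_TYPES = {0: "boolean", 1: "number", 2: "string", 3: "choice list"}

# Constructed sample: the two sections quoted in the thread.
SAMPLE_INF = r'''
[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0

[Strings]
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"
'''

def read_sections(text):
    """Split INF text into {lower-cased section name: [non-empty, non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def parse_registry_values(text):
    """Return one dict per registry value entry, with %tokens% resolved."""
    sections = read_sections(text)
    strings = {}
    for line in sections.get("strings", []):
        key, _, value = line.partition("=")
        strings[key.strip().lower()] = value.strip().strip('"')
    entries = []
    for line in sections.get("register registry values", []):
        # Field order: registry path, value type, display name, display type.
        path, reg_type, label, display = [f.strip() for f in line.split(",")[:4]]
        token = re.fullmatch(r"%(.+)%", label)
        if token:
            if token.group(1).lower() not in strings:
                raise ValueError(f"undefined string token {label} for {path}")
            label = strings[token.group(1).lower()]
        hive, _, subkey = path.partition("\\")
        key, _, value_name = subkey.rpartition("\\")
        entries.append({"hive": hive, "key": key, "value": value_name,
                        "type": REG_TYPES[int(reg_type)],
                        "display": DISPLAY_TYPES[int(display)], "label": label})
    return entries
```

Calling parse_registry_values(SAMPLE_INF) returns a single entry for the NoLMHash value under the Lsa key, typed REG_DWORD and shown as an enabled/disabled setting; an entry whose %token% has no matching line in [Strings] raises ValueError.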