grunseit
asked on
XP users of Windows 2000
I have a W2K server + a few XP rrofessional clients.
I have imported the adm templates into W2K for use in group policies.
I created a simple policy that changes screen colour and disables control panel for a certain user.
When the user logs in the policy does not work. Why??
I have imported the adm templates into W2K for use in group policies.
I created a simple policy that changes screen colour and disables control panel for a certain user.
When the user logs in the policy does not work. Why??
night_monkey
have you put that user account into an ou and applied your policy to the ou?
This is a quirk in 2k In the policies you have 3 option remove control panel, show only specified applets or hide applets.
One of them doesnt work and its not alway the same one. I dont know what country you are in but it may be law that you have to allow users to change screen size.
Allow the control panel and hide the applets if that doesnt work for you use the other one show only some. This way it will work. As the other user suggested create a OU and add the users to a group and to the ou and apply the policy to the ou. If it still doesnt work you may be inherting polices there is a check box to disable that on the policy.
One of them doesnt work and its not alway the same one. I dont know what country you are in but it may be law that you have to allow users to change screen size.
Allow the control panel and hide the applets if that doesnt work for you use the other one show only some. This way it will work. As the other user suggested create a OU and add the users to a group and to the ou and apply the policy to the ou. If it still doesnt work you may be inherting polices there is a check box to disable that on the policy.
samuria, your first suggestion may be true (i'm not certain about that one), but actually, you can't apply group policy to groups. i know it's that you should be able to, but "group" policy doesn't work in that way. it has to be applied to ous that have specific user or computer accounts, ad sites, or to the whole domain.
the only way to get around this is to play with the security settings. for example, if the admin has an ou with a bunch of user accounts and he only wants it to be applied to one specific user without having to move that user account to another ou, the admin has to go to the security settings for the policy and choose "deny" for all of the users or groups that he doesn't want the policy for the intended user account to apply to. or he can remove the read or appy settings.
i could be wrong, but i'm pretty certain this is the case, because i had to research this subject for a problem i was having on my network very recently.
from serverwatch.com:
"Strangely enough, you cannot link Group Policies to Win2000 groups (a bit of misnomer). You might think of trying placing groups into OUs in order to bypass this limitation, but unfortunately this will not help either. Groups placed in OU are not affected by processing of group policies (only users and computers). However, you can apply GPOs to groups based on the DACLs (Discretionary Access Control List entries) assigned to groups (or other Win2000 security principals, such as computers or users) using Security tab of GPO's properties. This is done by checking Allow column for Read and Apply Group Policy permissions for groups you want to have GPO applied to."
this is essentially what i just explained, but i added it here so that you guys could see it from a different source.
-nm
the only way to get around this is to play with the security settings. for example, if the admin has an ou with a bunch of user accounts and he only wants it to be applied to one specific user without having to move that user account to another ou, the admin has to go to the security settings for the policy and choose "deny" for all of the users or groups that he doesn't want the policy for the intended user account to apply to. or he can remove the read or appy settings.
i could be wrong, but i'm pretty certain this is the case, because i had to research this subject for a problem i was having on my network very recently.
from serverwatch.com:
"Strangely enough, you cannot link Group Policies to Win2000 groups (a bit of misnomer). You might think of trying placing groups into OUs in order to bypass this limitation, but unfortunately this will not help either. Groups placed in OU are not affected by processing of group policies (only users and computers). However, you can apply GPOs to groups based on the DACLs (Discretionary Access Control List entries) assigned to groups (or other Win2000 security principals, such as computers or users) using Security tab of GPO's properties. This is done by checking Allow column for Read and Apply Group Policy permissions for groups you want to have GPO applied to."
this is essentially what i just explained, but i added it here so that you guys could see it from a different source.
-nm
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.