Solved

Windows Server 2000 - Group Policy

Posted on 2004-04-03
Last Modified: 2010-04-19
Hi Experts,

I have a problem here with assigning the group policy objects.

From my understanding, GPOs are applied from bottom to top in the Group Policy settings, and GPOs higher in the list will have a higher priority.

I have the following policies.

Group policy A includes password policy, audit and user rights policy.

Group policy B includes the user desktop policy (for this policy I define that users will not be able to see the Active Directory).

Group policy C defines the admins' desktop policy (this policy will allow admins to view Active Directory).

I created the policies and applied them on the main OU level, which contains four sub OUs, in the following order.

Group Policy 3
Group Policy 2
Group Policy 1

However, when I test it out, authenticated users are still not restricted by the password policy and non-admin users are still able to view the AD.

Am I wrong in using the following method? Can someone kindly guide and advise if I am right or wrong? And how should I implement the policies?

Thanks.
Question by:JYMarc
8 Comments
 
LVL 11

Assisted Solution

by:infotrader
infotrader earned 100 total points
ID: 10751077
Password policy would only work at the domain level.... See the link below for further explanation:

http://www.softstack.com/security/password-policies.html
0
 
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 100 total points
ID: 10752622
First, you should be using the new GPMC for analysis..  Within this is the RSOP (Resultant Set of Policy) which will help in discovering what GPO is being applied...

Enterprise Management with the Group Policy Management Console

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/rspintro.asp

info is correct too..  Passwork policies are configured only at the Domain Level...

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10752645
hmm how did that k get in there..? :)   >>password<<
0
 
LVL 2

Accepted Solution

by:
steve_newby earned 100 total points
ID: 10773751
I always take authenticated users out of Group Policy security permissions.  Instead I would create security groups for each policy, add these groups to the policy with "apply policy" right, and add the users to that group who I want the policy to affect; it allows much greater control of who receives the policy.
It is also best practice to set "deny" for Domain Admins and Enterprise Admins on each policy...do you really want policies applying when you log onto a server???

Steve
0
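
To check the points raised in the answers above (link order, security filtering, and the domain-level password policy) on a live domain, here is an added audit script; it is not code from any poster in this thread. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (RSAT/GPMC on Windows Server 2008 R2 or later, so not available on Windows 2000 itself), and the OU distinguished name is a placeholder.

```powershell
# Added example: audit link order and security filtering of the GPOs linked to one OU.
Import-Module GroupPolicy, ActiveDirectory

$ou           = 'OU=Main,DC=example,DC=com'   # hypothetical OU, replace with your own
$authUsersSid = 'S-1-5-11'                    # well-known SID of Authenticated Users

# GpoLinks lists only the GPOs linked directly to this OU. Link order 1 has the
# highest precedence: it is processed last and wins on conflicting settings.
$links = (Get-GPInheritance -Target $ou).GpoLinks | Sort-Object Order

$report = foreach ($link in $links) {
    $perms = Get-GPPermission -Guid $link.GpoId -All

    # Trustees that receive the GPO (Read + Apply Group Policy allowed).
    $apply  = @($perms | Where-Object { $_.Permission -eq 'GpoApply' })
    # GPMC reports ACE combinations outside its standard levels as Custom;
    # a Deny on Apply Group Policy is one such case, so review these by hand.
    $custom = @($perms | Where-Object { $_.Permission -eq 'GpoCustom' })

    [pscustomobject]@{
        Order          = $link.Order
        Gpo            = $link.DisplayName
        LinkEnabled    = $link.Enabled
        Enforced       = $link.Enforced
        AppliesTo      = ($apply.Trustee.Name -join ', ')
        AuthUsersApply = [bool]($apply | Where-Object { $_.Trustee.Sid.Value -eq $authUsersSid })
        CustomAcl      = ($custom.Trustee.Name -join ', ')
    }
}
$report | Format-Table -AutoSize

# Password settings for domain accounts come from GPOs linked at the domain
# root, not from an OU link; this shows the values actually in force.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold, ComplexityEnabled
```

A row with `AuthUsersApply` set to True means the GPO is not filtered to a specific group. On systems patched with MS16-072, a GPO that no longer lists Authenticated Users still needs Read for Authenticated Users or Domain Computers, or user settings in it stop applying.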
 

Author Comment

by:JYMarc
ID: 10820716
Thanks experts ;)

Well, I decided to split the points. Firstly,

1) Thanks to infotrader for informing me that password policy can be set at domain level only. This is important while deciding which policy to apply at which level.

2) Secondly, Fatal_Exception recommended using the new Group Policy Management Console for analysis. I find it useful. Thanks.

3) Last but not least, steve_newby's suggestion is good in the sense that I have greater control in deciding which policy affects which group of users.

But regarding your question, I do not quite understand; I take it I want the policies to be applied when users log on to a domain.

Regards,
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10822457
Thanks...

FE
0
 
LVL 2

Expert Comment

by:steve_newby
ID: 10822595
Hi JYMarc,

Thanks for the points.  But regarding my question, it was more of a rhetorical statement, I simply meant that when an account with admin rights logs on to a server you don't want things like desktop lockdown to apply.
Hope that makes sense.
Regards,

Steve
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10822661
I thought that was what you meant by that, but wanted you to answer, just to make sure..  :)

0

Question has a verified solution.
