Solved

Windows Server 2000 - Group Policy

Posted on 2004-04-03
8
351 Views
Last Modified: 2010-04-19
Hi Experts,

I have a problem here with assigning the group policy objects.

From my understanding, GPOs applied from bottom to top in the Group Policy settings. And GPOs higher in the list will have a higher priority.

I have the follwing policies.

Group policy A includes, password policy, audit and user rights policy.

Group policy B includes user desktop policy (for this policy i define users will not b able to see the active directory)

Group policy C defines admins desktop policy. ( this policy will allow admins to view active directory)

I created the policies and applied them on the main OU level that contains four sub OUs. in the following order.

Group Policy 3
Group Policy 2
Group Policy 1

However, when i test it out. Authenticated users are still not restricted by the password policy and non-admins users are still able to view the AD.

Am i wrong in using the following method? Can someone kindly guide and advise if I am right or wrong? And how I should implement the policies?

Thanks.
0
Comment
Question by:JYMarc
8 Comments
 
LVL 11

Assisted Solution

by:infotrader
infotrader earned 100 total points
ID: 10751077
Password policy would only work at the domain level....  See the link below for further explaination:

http://www.softstack.com/security/password-policies.html
0
 
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 100 total points
ID: 10752622
First, you should be using the new GPMC for analysis..  Within this is the RSOP (Resultant Set of Policy) which will help in discovering what GPO is being applied...

Enterprise Management with the Group Policy Management Console

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/rspintro.asp

info is correct too..  Passwork policies are configured only at the Domain Level...

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10752645
hmm how did that k get in there..? :)   >>password<<
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 2

Accepted Solution

by:
steve_newby earned 100 total points
ID: 10773751
I always take authenticated users out of Group Policy security permissions.  Instead I would create security groups for each policy, add these groups to the policy with "apply policy" right, and add the users to that group who I want the policy to affect, it allows much greater control of who receives the policy.
It is alos best practice to set "deny" for Domain Admins and Enterprise Admins on each policy...do you really want policies applying when you log onto a server???

Steve
0
 

Author Comment

by:JYMarc
ID: 10820716
Thanks experts ;)

Well i decided to split the points firstly,

1) Thanks to infotrader for informing me that password policy can be set at domain level only. This is important while deciding which policie to apply at which level.

2) Seondly, Fatal_Exception recommended using the new Group Policy Management Console for analysis. I find it useful. Thanks.

3) last but not least, steve_newby's suggestion is good in the sense that i have greater control in deciding which policy affects which group of users.

but regarding ur question, i do not uite udnerstand, i take its i want the policies to be applied when users log on to a domain.

Regards,
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10822457
Thanks...

FE
0
 
LVL 2

Expert Comment

by:steve_newby
ID: 10822595
Hi JYMarc,

Thanks for the points.  But regarding my question, it was more of a rhetorical statement, I simply meant that when an account with admin rights logs on to a server you don't want things like desktop lockdown to apply.
Hope that makes sense.
Regards,

Steve
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10822661
I thought that was what you meant by that, but wanted you to answer, just to make sure..  :)

0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
Learn about cloud computing and its benefits for small business owners.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

823 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question