Windows Server 2000 - Group Policy

Posted on 2004-04-03
Last Modified: 2010-04-19
Hi Experts,

I have a problem here with assigning the group policy objects.

From my understanding, GPOs are applied from bottom to top in the Group Policy settings. And GPOs higher in the list will have a higher priority.

I have the following policies.

Group policy A includes password policy, audit and user rights policy.

Group policy B includes user desktop policy (for this policy I define that users will not be able to see the Active Directory).

Group policy C defines admins' desktop policy (this policy will allow admins to view Active Directory).

I created the policies and applied them on the main OU level that contains four sub-OUs, in the following order.

Group Policy 3
Group Policy 2
Group Policy 1

However, when I test it out, authenticated users are still not restricted by the password policy and non-admin users are still able to view the AD.

Am I wrong in using the following method? Can someone kindly guide and advise if I am right or wrong? And how should I implement the policies?

Thanks.
0
Question by:JYMarc
8 Comments
 
LVL 11

Assisted Solution

by:infotrader
infotrader earned 300 total points
ID: 10751077
Password policy would only work at the domain level....  See the link below for further explanation:

http://www.softstack.com/security/password-policies.html
0
 
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 300 total points
ID: 10752622
First, you should be using the new GPMC for analysis..  Within this is the RSOP (Resultant Set of Policy) which will help in discovering what GPO is being applied...

Enterprise Management with the Group Policy Management Console

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/rspintro.asp

info is correct too..  Passwork policies are configured only at the Domain Level...

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10752645
hmm how did that k get in there..? :)   >>password<<
0
 
LVL 2

Accepted Solution

by:
steve_newby earned 300 total points
ID: 10773751
I always take authenticated users out of Group Policy security permissions.  Instead I would create security groups for each policy, add these groups to the policy with "apply policy" right, and add the users to that group who I want the policy to affect, it allows much greater control of who receives the policy.
It is also best practice to set "deny" for Domain Admins and Enterprise Admins on each policy...do you really want policies applying when you log onto a server???

Steve
0
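An added example, not part of the original thread and not any poster's code: a small Python model of the behaviour the answers above describe (account policy for domain accounts honoured only from domain-linked GPOs, filtering by security group, and a Deny on "apply policy" for admins). The GPO contents, group names and setting keys are constructed for illustration.

```python
from dataclasses import dataclass, field

ACCOUNT_POLICY = "AccountPolicy/"  # constructed key prefix for password settings

@dataclass
class GPO:
    name: str
    settings: dict
    allow_apply: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: set = field(default_factory=set)

def is_filtered_in(gpo, groups):
    """Security filtering: a Deny on Apply Group Policy beats any Allow."""
    return not (gpo.deny_apply & groups) and bool(gpo.allow_apply & groups)

def resultant_set(domain_links, ou_links, groups):
    """Each list is in link order, top entry = highest precedence.
    Returns {setting: (value, winning GPO name)} for a domain user."""
    result = {}
    for scope, links in (("domain", domain_links), ("ou", ou_links)):
        for gpo in reversed(links):  # bottom of the list is processed first
            if not is_filtered_in(gpo, groups):
                continue
            for key, value in gpo.settings.items():
                # Domain accounts take account policy only from domain-linked GPOs
                if key.startswith(ACCOUNT_POLICY) and scope != "domain":
                    continue
                result[key] = (value, gpo.name)  # later (higher) GPO overwrites
    return result

# Constructed scenario modelled on the thread: A, B and C linked at one OU
DEFAULT_DOMAIN = GPO("Default Domain Policy", {ACCOUNT_POLICY + "MinimumPasswordLength": 0})
GPO_A = GPO("A", {ACCOUNT_POLICY + "MinimumPasswordLength": 8})
GPO_B = GPO("B", {"Desktop/HideDirectory": True},
            allow_apply={"GPO-B-Users"}, deny_apply={"Domain Admins"})
GPO_C = GPO("C", {"Desktop/HideDirectory": False}, allow_apply={"GPO-C-Admins"})
OU_LINKS = [GPO_C, GPO_B, GPO_A]
USER = {"Authenticated Users", "Domain Users", "GPO-B-Users"}
ADMIN = {"Authenticated Users", "Domain Admins", "GPO-C-Admins", "GPO-B-Users"}

def demo():
    as_linked = resultant_set([DEFAULT_DOMAIN], OU_LINKS, USER)    # A only on the OU
    moved = resultant_set([GPO_A, DEFAULT_DOMAIN], OU_LINKS, USER)  # A linked at domain
    admin = resultant_set([DEFAULT_DOMAIN], OU_LINKS, ADMIN)
    return as_linked, moved, admin

if __name__ == "__main__":
    for rsop in demo():
        print(rsop)
```

In the model, the admin account is a member of GPO-B-Users yet still skips GPO B, because the Deny entry is evaluated before any Allow.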
 

Author Comment

by:JYMarc
ID: 10820716
Thanks experts ;)

Well, I decided to split the points. Firstly,

1) Thanks to infotrader for informing me that password policy can be set at domain level only. This is important while deciding which policies to apply at which level.

2) Secondly, Fatal_Exception recommended using the new Group Policy Management Console for analysis. I find it useful. Thanks.

3) Last but not least, steve_newby's suggestion is good in the sense that I have greater control in deciding which policy affects which group of users.

But regarding your question, I do not quite understand; I take it I want the policies to be applied when users log on to a domain.

Regards,
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10822457
Thanks...

FE
0
 
LVL 2

Expert Comment

by:steve_newby
ID: 10822595
Hi JYMarc,

Thanks for the points.  But regarding my question, it was more of a rhetorical statement, I simply meant that when an account with admin rights logs on to a server you don't want things like desktop lockdown to apply.
Hope that makes sense.
Regards,

Steve
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10822661
I thought that was what you meant by that, but wanted you to answer, just to make sure..  :)

0
