Solved

Windows Server 2000 - Group Policy

Posted on 2004-04-03
Medium Priority
379 Views
Last Modified: 2010-04-19
Hi Experts,

I have a problem here with assigning the group policy objects.

From my understanding, GPOs are applied from bottom to top in the Group Policy settings. And GPOs higher in the list will have a higher priority.

I have the following policies.

Group policy A includes password policy, audit and user rights policy.

Group policy B includes user desktop policy (for this policy I define users will not be able to see the Active Directory).

Group policy C defines admins desktop policy (this policy will allow admins to view Active Directory).

I created the policies and applied them on the main OU level that contains four sub OUs, in the following order.

Group Policy 3
Group Policy 2
Group Policy 1

However, when I test it out, authenticated users are still not restricted by the password policy and non-admin users are still able to view the AD.

Am I wrong in using the following method? Can someone kindly guide and advise if I am right or wrong? And how I should implement the policies?

Thanks.
0
Question by:JYMarc
8 Comments
 
LVL 11

Assisted Solution

by:infotrader
infotrader earned 300 total points
ID: 10751077
Password policy would only work at the domain level. See the link below for further explanation:

http://www.softstack.com/security/password-policies.html
0
 
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 300 total points
ID: 10752622
First, you should be using the new GPMC for analysis..  Within this is the RSOP (Resultant Set of Policy) which will help in discovering what GPO is being applied...

Enterprise Management with the Group Policy Management Console

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/rspintro.asp

info is correct too..  Passwork policies are configured only at the Domain Level...

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10752645
hmm how did that k get in there..? :)   >>password<<
0
 
LVL 2

Accepted Solution

by:
steve_newby earned 300 total points
ID: 10773751
I always take authenticated users out of Group Policy security permissions.  Instead I would create security groups for each policy, add these groups to the policy with "apply policy" right, and add the users to that group who I want the policy to affect; it allows much greater control of who receives the policy.
It is also best practice to set "deny" for Domain Admins and Enterprise Admins on each policy...do you really want policies applying when you log onto a server???

Steve
0
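An added example (not part of any post in this thread): a small Python model of how link order, security filtering and the domain-only password rule combine for the setup in the question. The setting names, group names and the mapping of policies A, B and C onto the posted link order are assumptions, and the model ignores the separate Read permission and the computer/user split.

```python
from dataclasses import dataclass, field

# Hypothetical setting names. Password settings count for domain accounts
# only when the GPO is linked at the domain level.
ACCOUNT_POLICY = {"min_password_length"}

@dataclass
class GPO:
    name: str
    settings: dict
    # A new GPO grants Apply to Authenticated Users by default.
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_to: set = field(default_factory=set)

def applies(gpo, groups):
    """Security filtering: an explicit Deny beats any Allow."""
    return bool(gpo.apply_to & groups) and not (gpo.deny_to & groups)

def resultant(groups, domain_links, ou_links):
    """Each list is in console order (index 0 = top = highest priority).
    Domain links are processed before OU links, each list bottom to top,
    so a later write overrides an earlier one."""
    result = {}
    for level, links in (("domain", domain_links), ("ou", ou_links)):
        for gpo in reversed(links):
            if not applies(gpo, groups):
                continue
            for key, value in gpo.settings.items():
                if key in ACCOUNT_POLICY and level != "domain":
                    continue  # OU-linked password settings are ignored
                result[key] = value
    return result

def scenario(filtered):
    """Constructed stand-ins for policies A, B and C from the question."""
    a = GPO("A", {"min_password_length": 8})
    b = GPO("B", {"hide_directory": True})
    c = GPO("C", {"hide_directory": False})
    if filtered:  # per-policy groups plus Deny for admins on the lockdown GPO
        b.apply_to, b.deny_to = {"Desktop-Users"}, {"Domain Admins"}
        c.apply_to = {"Desktop-Admins"}
    return a, b, c

USER = {"Authenticated Users", "Desktop-Users"}
ADMIN = {"Authenticated Users", "Desktop-Users", "Desktop-Admins", "Domain Admins"}

if __name__ == "__main__":
    a, b, c = scenario(filtered=False)
    print("as posted:", resultant(USER, [], [c, b, a]))  # all three on the OU
```

With all three GPOs on the OU and default filtering, the model reproduces both symptoms from the question; calling `resultant(USER, [a], [c, b])` after `scenario(filtered=True)` shows the layout the answers describe.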
 

Author Comment

by:JYMarc
ID: 10820716
Thanks experts ;)

Well, I decided to split the points. Firstly,

1) Thanks to infotrader for informing me that password policy can be set at domain level only. This is important while deciding which policy to apply at which level.

2) Secondly, Fatal_Exception recommended using the new Group Policy Management Console for analysis. I find it useful. Thanks.

3) Last but not least, steve_newby's suggestion is good in the sense that I have greater control in deciding which policy affects which group of users.

But regarding your question, I do not quite understand; I take it I want the policies to be applied when users log on to a domain.

Regards,
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10822457
Thanks...

FE
0
 
LVL 2

Expert Comment

by:steve_newby
ID: 10822595
Hi JYMarc,

Thanks for the points.  But regarding my question, it was more of a rhetorical statement, I simply meant that when an account with admin rights logs on to a server you don't want things like desktop lockdown to apply.
Hope that makes sense.
Regards,

Steve
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10822661
I thought that was what you meant by that, but wanted you to answer, just to make sure..  :)

0

Question has a verified solution.