Solved

Additional Group Policies in Server 2003

Posted on 2004-09-18
Last Modified: 2008-01-09
Hi all!

I have the default Group Policy configured to restrict users from running specified apps such as Outlook Express and Windows Messenger.

I'd like to create an additional policy that would restrict users from running Windows Media Player and Real Player, but not apply that policy to a few users who I'd like to allow to still use these media players.

How do I go about doing this? It seems that the Default Policy overrides the additional one I created.

Thanks.

Clark

0
Question by:killyman
12 Comments
 
LVL 15

Expert Comment

by:adamdrayer
ID: 12091635
If you configured your default domain controller to "enabled" or "disabled" for those particular programs, and you also have the "do not override" checkbox marked, then your other policies will not take effect.

If the other policy is applied to only specific users or groups, then set the default domain policy to "not configured" for those applications.
0
 
LVL 12

Expert Comment

by:ColinRoyds
ID: 12093253
Create a group, put the restricted users in it, then create a policy for the restricted users, then go to the group policy window (not the policy itself) and select Properties, go to Security and add the restricted group in, then tick "apply group policy" and you are all done.
This will only force the policy on the users in the group.

0
 
LVL 12

Expert Comment

by:ColinRoyds
ID: 12093265
0

Author Comment

by:killyman
ID: 12094409
ColinRoyds,

Thanks for the info. I need to clarify a few things.

First of all, in our Default Domain Policy GPO, we have Outlook Express included in the "Don't run specified Windows applications" section. We also have the Run option removed from the Start menu.

In the security tab of this GPO I have the following:

Authenticated Users (the only one checked to allow for "apply group policy")
CREATOR OWNER
Domain Admins
Enterprise Admins
ENTERPRISE DOMAIN CONTROLLERS
SYSTEM

Now, I've created a new group in AD (called 'mediaplayerban') and have added one user for testing purposes to that group.

Then, while still in AD, I went to the Group Policy tab in the properties box of the domain (ournetwork.local) and created a new Group Policy Object called 'mediaplayerban' and specified wmplayer.exe not to run (in User Configuration > Administrative Templates > System > Don't run specified Windows applications).

Then, I went to the Security tab for the new 'mediaplayerban' GPO and added the 'mediaplayerban' group and checked allow for 'apply group policy'.  I also checked No Override for that GPO.

When I log onto the user's computer (the one in the 'mediaplayerban' group), the Windows Media Player cannot be run, which is what I wanted. But I can run Outlook Express on his computer as well as on all the other users' computers. The Run option is still removed from the Start menu, so that's good, I guess.

When I uncheck No Override for the 'mediaplayerban' GPO, then the Outlook Express program cannot be run, but the Windows Media Player can be run. So it seems that the Default Domain Policy GPO has overridden the 'mediaplayerban' GPO.

Any suggestions?

Thanks,

Clark


0
 
LVL 12

Expert Comment

by:ColinRoyds
ID: 12095169
Clark,

On the Default Domain Policy make certain that the mediaplayerban setting is set to "not specified"; then it should not affect the mediaplayerban policy lower down where you have set it to disabled.
Or download the Group Policy Management snap-in (GPMC): it will show the result of all GPs on a certain object, as it has a result checker built in.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 12097017
Sorry, but you won't be able to do it with this approach. You are trying to create an "additive" policy; in principle, your approach would be correct, but the problem here is that both GPOs will try to write entries to the same key (Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun). The GPO with the higher priority (if defined on the same OU), or the one "closer" to the user (if defined in different OUs) will win; the settings obtained from the other GPO will be ignored.
I'm afraid you'll have to create one dedicated GPO for each combination of programs not to run.
Hint: The Group Policy Management Console makes debugging policies a lot easier.
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
0
 

Author Comment

by:killyman
ID: 12114682
Thanks ColinRoyds and oBdA.

I still can't get it to work, as you mentioned oBdA, so... how do I go about creating a dedicated GPO?

I have just installed the Group Policy Management Console.

Clark
0
 

Author Comment

by:killyman
ID: 12114741
Continued...

I have the option in the GPMC (when I right-click on our domain) to create a "New Organizational Unit"... is this what I need to do?

Clark
0
 
LVL 85

Accepted Solution

by: oBdA (earned 1000 total points)
ID: 12115873
Take out the banned program entries from the default domain policy (I'd recommend using this one--if at all--only for the most basic settings; instead, create additional GPOs).
In which OU you define your GPOs is basically up to you. Anyway, in the OU you need the GPOs to apply to, create 2 new GPOs. Name one "Ban-All", name the other "Ban-OE-WM" (or whatever you want your naming scheme to look like). Create two security groups, for example G-Pol-Ban-All, G-Pol-Ban-OE-WM. Add the necessary users.
In "Ban-All", you'll disable access to all four of the programs: OE, Messenger, Media Player, Real Player.
In "Ban-OE-WM", disable access to Outlook Express and Windows Messenger only.
On both entries, remove the apply and read permission for "Authenticated Users", apply those permissions to the respective global group instead.
Create further GPOs and groups accordingly if you need other combinations of programs to disable.
With the priority list, you can decide what happens if a user is a member of more than one "Ban" group. If you make Ban-All the highest in the list, and a user is a member of both groups, he will have all programs restricted; if you give the other one the higher priority, he'll have the less restrictive set. That's up to you.
0
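The two oBdA posts above (ID 12097017 and the accepted solution) describe the mechanism behind the asker's results: every GPO that configures "Don't run specified Windows applications" writes the same DisallowRun key, the GPO processed last replaces the list rather than merging with it, and processing order is decided by link precedence, "No Override", and security filtering. The model below is an added illustration, not code from the thread or from Microsoft; it assumes exactly those four rules (whole-list replacement, lowest precedence applied first, enforced GPOs applied last, Read + Apply Group Policy required) and uses constructed program labels (only wmplayer.exe appears on the page) and the GPO and group names oBdA proposed. It reproduces the asker's two observations and then shows why the group-filtered Ban-All / Ban-OE-WM layout gives each user one complete list.

```python
"""Model of how conflicting DisallowRun settings resolve across several GPOs.

Constructed illustration of the behaviour described in the thread. Assumptions:
- A GPO that configures the setting writes the whole DisallowRun list,
  replacing whatever an earlier GPO wrote (lists are not merged).
- Within one container, lower-precedence GPOs are applied first, so the
  top-of-list GPO writes last and wins.
- "No Override" (enforced) GPOs are applied after all non-enforced ones.
- A GPO applies to a user only if one of the user's groups holds
  Read + Apply Group Policy on it (security filtering).
"""
from dataclasses import dataclass

# Constructed labels for the four programs discussed; only wmplayer.exe is from the page.
OE, MSGR, WMP, REAL = "OutlookExpress", "WindowsMessenger", "wmplayer.exe", "RealPlayer"


@dataclass(frozen=True)
class GPO:
    name: str
    disallow_run: frozenset   # programs banned; empty means Not Configured in this GPO
    apply_to: frozenset       # groups granted Read + Apply Group Policy
    precedence: int           # 1 = top of the link list = highest precedence
    enforced: bool = False    # "No Override" in the Server 2003 UI


def processing_order(gpos):
    """Lowest precedence first so the winner writes last; enforced GPOs after the rest."""
    return sorted(gpos, key=lambda g: (g.enforced, -g.precedence))


def effective_disallow_run(gpos, user_groups):
    """Return (effective banned set, name of the GPO whose list survived)."""
    effective, winner = frozenset(), None
    for gpo in processing_order(gpos):
        if not (gpo.apply_to & user_groups):   # security filtering: user cannot read/apply it
            continue
        if not gpo.disallow_run:               # Not Configured: leaves the key alone
            continue
        effective, winner = gpo.disallow_run, gpo.name   # whole list replaced, never merged
    return effective, winner


def first_attempt(no_override_on_mediaplayerban):
    """The asker's layout: both GPOs linked at the domain, the new one below the default."""
    default = GPO("Default Domain Policy", frozenset({OE, MSGR}),
                  frozenset({"Authenticated Users"}), precedence=1)
    mpb = GPO("mediaplayerban", frozenset({WMP}), frozenset({"mediaplayerban"}),
              precedence=2, enforced=no_override_on_mediaplayerban)
    user = frozenset({"Authenticated Users", "mediaplayerban"})
    return effective_disallow_run([default, mpb], user)


def accepted_layout(user_groups, ban_all_on_top=True):
    """oBdA's layout: default policy no longer configures the setting; two group-filtered GPOs."""
    default = GPO("Default Domain Policy", frozenset(),
                  frozenset({"Authenticated Users"}), precedence=1)
    ban_all = GPO("Ban-All", frozenset({OE, MSGR, WMP, REAL}), frozenset({"G-Pol-Ban-All"}),
                  precedence=2 if ban_all_on_top else 3)
    ban_oe_wm = GPO("Ban-OE-WM", frozenset({OE, MSGR}), frozenset({"G-Pol-Ban-OE-WM"}),
                    precedence=3 if ban_all_on_top else 2)
    user = frozenset(user_groups) | {"Authenticated Users"}
    return effective_disallow_run([default, ban_all, ban_oe_wm], user)


if __name__ == "__main__":
    print("first attempt, no override off :", first_attempt(False))   # default wins, WMP allowed
    print("first attempt, no override on  :", first_attempt(True))    # mediaplayerban wins, OE allowed
    print("Ban-All member                 :", accepted_layout({"G-Pol-Ban-All"}))
    print("Ban-OE-WM member               :", accepted_layout({"G-Pol-Ban-OE-WM"}))
    print("member of both, Ban-All on top :", accepted_layout({"G-Pol-Ban-All", "G-Pol-Ban-OE-WM"}))
    print("member of both, Ban-OE-WM on top:",
          accepted_layout({"G-Pol-Ban-All", "G-Pol-Ban-OE-WM"}, ban_all_on_top=False))
```

The model makes the original failure visible: toggling "No Override" only changes which single GPO's list survives, it never produces the union. Removing the setting from the Default Domain Policy and giving each combination its own fully specified, group-filtered GPO is what makes the outcome depend on group membership rather than on write order.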
 

Author Comment

by:killyman
ID: 12123887
Sounds like a plan.

I'll give it a shot and get back to you.

Thanks!

Clark
0
 

Author Comment

by:killyman
ID: 12171849
oBdA

Your suggested method worked flawlessly! Thank you very much!

Under the default domain policy I removed the "read" and "apply" boxes for the authenticated users.

I then created two new policies - one called "ban_all" and the other called "ban_basics."

The "ban_all" policy restricts all the media player software as well as MSN Messenger and Outlook Express from running.

The "ban_basics" policy only restricts MSN Messenger and Outlook Express.

In AD I created two groups - one called "ban_all" and the other called "ban_basics." I then added those groups respectively to the group policies and checked the "read" and "apply" boxes.

All is well. The "ban_basics" members can still use their media players while the rest of the staff (majority) cannot.

Clark
0
 

Author Comment

by:killyman
ID: 12171933
One last detail I forgot to mention...

Under the "ban_all" and "ban_basics" group policies' security settings, I unchecked the boxes for "read" and "apply policy" from the Authenticated Users group. This prevents policy conflicts between the "ban_all" and "ban_basics" groups.
0