Additional Group Policies in Server 2003

Hi all!

I have the default Group Policy configured to restrict users from running specified apps such as Outlook Express and Windows Messenger.

I'd like to create an additional policy that would restrict users from running Windows Media Player and Real Player, but not apply that policy to a few users who I'd like to allow to still use these media players.

How do I go about doing this? It seems that the Default Policy overrides the additional one I created.

Thanks.

Clark

adamdrayer Commented:
If you configured your default domain controller to "enabled" or "disabled" for those particular programs, and you also have the "do not override" checkbox marked, then your other policies will not take effect.

If the other policy is applied to only specific users or groups, then set the default domain policy to "not configured" for those applications.
ColinRoyds Commented:
Create a group, put the restricted users in it, then create a policy for the restricted users, then go to the group policy window (not the policy itself) and select properties, go to security and add the restricted group in, then tick "apply group policy" and you're all done.
This will only force the policy on the users in the group.

killyman (Author) Commented:
ColinRoyds,

Thanks for the info. I need to clarify a few things.

First of all, in our Default Domain Policy GPO, we have Outlook Express included in the "Don't run specified Windows applications" section. We also have the Run option removed from the Start menu.

In the security tab of this GPO I have the following:

Authenticated Users (the only one checked to allow for "apply group policy")
CREATOR OWNER
Domain Admins
Enterprise Admins
ENTERPRISE DOMAIN CONTROLLERS
SYSTEM

Now, I've created a new group in AD (called 'mediaplayerban') and have added one user for testing purposes to that group.

Then, while still in AD, I went to the Group Policy tab in the properties box of the domain (ournetwork.local) and created a new Group Policy Object called 'mediaplayerban' and specified wmplayer.exe not to run (in User Configuration > Administrative Templates > System > Don't run specified Windows applications).

Then, I went to the Security tab for the new 'mediaplayerban' GPO and added the 'mediaplayerban' group and checked allow for 'apply group policy'. I also checked No Override for that GPO.

When I log onto the user's computer (the one in the 'mediaplayerban' group), Windows Media Player cannot be run, which is what I wanted. But I can run Outlook Express on his computer as well as on all the other users' computers. The Run option is still removed from the Start menu, so that's good, I guess.

When I uncheck No Override for the 'mediaplayerban' GPO, then the Outlook Express program cannot be run, but Windows Media Player can be run. So, it seems that the Default Domain Policy GPO has overridden the 'mediaplayerban' GPO.

Any suggestions?

Thanks,

Clark
ColinRoyds Commented:
Clark

On the default domain policy, make certain that the mediaplayerban setting is set to "not specified"; then it should not affect the mediaplayerban policy lower down, where you have set it to disabled.
Or download the Group Policy Management snap-in (GPMC); it will show the result of all GPs on a certain object, as it has a result checker built in.
oBdA Commented:
Sorry, but you won't be able to do it with this approach. You are trying to create an "additive" policy; in principle, your approach would be correct, but the problem here is that both GPOs will try to write entries to the same key (Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun). The GPO with the higher priority (if defined on the same OU), or the one "closer" to the user (if defined in different OUs) will win; the settings obtained from the other GPO will be ignored.
I'm afraid you'll have to create one dedicated GPO for each combination of programs not to run.
Hint: The Group Policy Management Console makes debugging policies a lot easier.
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
killyman (Author) Commented:
Thanks ColinRoyds and oBdA.

I still can't get it to work, as you mentioned oBdA, so... how do I go about creating a dedicated GPO?

I have just installed the Group Policy Management Console.

Clark
killyman (Author) Commented:
Continued...

I have the option in the GPMC (when I right-click on our domain) to create a "New Organizational Unit"... is this what I need to do?

Clark
oBdA Commented:
Take out the banned program entries from the default domain policy (I'd recommend using this one--if at all--only for the most basic settings; instead, create additional GPOs).
In which OU you define your GPOs is basically up to you. Anyway, in the OU you need the GPOs to apply to, create 2 new GPOs. Name one "Ban-All", name the other "Ban-OE-WM" (or whatever you want your naming scheme to look like). Create two security groups, for example G-Pol-Ban-All, G-Pol-Ban-OE-WM. Add the necessary users.
In "Ban-All", you'll disable access to all four of the programs: OE, Messenger, Media Player, Real Player.
In "Ban-OE-WM", disable access to Outlook Express and Windows Messenger only.
On both entries, remove the apply and read permission for "Authenticated Users", apply those permissions to the respective global group instead.
Create further GPOs and groups accordingly if you need other combinations of programs to disable.
With the priority list, you can decide what happens if a user is a member of more than one "Ban" group. If you make Ban-All the highest in the list and a user is a member of both groups, he will have all programs restricted; if you give the other one the higher priority, he'll have the less restrictive set. That's up to you.
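To make the behaviour oBdA describes concrete (both GPOs write the same DisallowRun key, so the higher-precedence or No Override GPO simply replaces the other's list), here is an added simulation that is not part of the thread or of any Microsoft tool. It replays Clark's original two-GPO layout and oBdA's dedicated Ban-All / Ban-OE-WM layout; the executable names other than wmplayer.exe, the group names and the link order are assumptions.

```python
from dataclasses import dataclass, replace

# The registry key both GPOs in the thread fight over (under HKEY_CURRENT_USER).
DISALLOW_RUN = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"

@dataclass(frozen=True)
class Gpo:
    name: str
    disallow_run: tuple   # entries of "Don't run specified Windows applications"
    apply_to: frozenset   # groups granted Read + "Apply Group Policy" on the GPO
    no_override: bool = False

def resolve_disallow_run(gpos, user_groups):
    """Simulate what DISALLOW_RUN holds after user policy processing.

    `gpos` are the GPOs linked to one container, highest precedence first.
    Ordinary links are written lowest-precedence first, so a higher link
    overwrites a lower one; "No Override" links are written after all
    ordinary links. Every write replaces the whole list (the setting is not
    additive), which is why two GPOs cannot be combined into one ban list.
    """
    applicable = [g for g in gpos if g.apply_to & user_groups]
    ordinary = [g for g in reversed(applicable) if not g.no_override]
    enforced = [g for g in reversed(applicable) if g.no_override]
    current = ()
    for gpo in ordinary + enforced:
        current = gpo.disallow_run   # replaced, never merged
    return current

# wmplayer.exe comes from the thread; the other names are assumed here
# (msimn.exe = Outlook Express, msmsgs.exe = Messenger, realplay.exe = RealPlayer).
OE, WM, WMP, RP = "msimn.exe", "msmsgs.exe", "wmplayer.exe", "realplay.exe"

# Clark's layout: Default Domain Policy filtered to Authenticated Users plus a
# lower-priority 'mediaplayerban' GPO filtered to the 'mediaplayerban' group.
DEFAULT_DOMAIN = Gpo("Default Domain Policy", (OE,), frozenset({"Authenticated Users"}))
MEDIA_BAN = Gpo("mediaplayerban", (WMP,), frozenset({"mediaplayerban"}))

def clarks_layout(in_ban_group, no_override):
    gpos = [DEFAULT_DOMAIN, replace(MEDIA_BAN, no_override=no_override)]
    groups = {"Authenticated Users"} | ({"mediaplayerban"} if in_ban_group else set())
    return resolve_disallow_run(gpos, groups)

# oBdA's layout: one dedicated GPO per combination, each filtered to its own
# group with Authenticated Users removed; Ban-All gets the higher priority.
BAN_ALL = Gpo("Ban-All", (OE, WM, WMP, RP), frozenset({"G-Pol-Ban-All"}))
BAN_OE_WM = Gpo("Ban-OE-WM", (OE, WM), frozenset({"G-Pol-Ban-OE-WM"}))

def obdas_layout(groups):
    return resolve_disallow_run([BAN_ALL, BAN_OE_WM], groups)
```

`clarks_layout(True, True)` reproduces Clark's observation (only wmplayer.exe banned, Outlook Express runs) and `clarks_layout(True, False)` the reverse, while `obdas_layout` yields the intended list for each group and the Ban-All list for a member of both.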
killyman (Author) Commented:
Sounds like a plan.

I'll give it a shot and get back to you.

Thanks!

Clark
killyman (Author) Commented:
oBdA

Your suggested method worked flawlessly! Thank you very much!

Under the default domain policy I removed the "read" and "apply" boxes for the authenticated users.

I then created two new policies - one called "ban_all" and the other called "ban_basics."

The "ban_all" policy restricts all the media player software as well as MSN Messenger and Outlook Express from running.

The "ban_basics" policy only restricts MSN Messenger and Outlook Express.

In AD I created two groups - one called "ban_all" and the other called "ban_basics." I then added those groups respectively to the group policies and checked the "read" and "apply" boxes.

All is well. The "ban_basics" members can still use their media players while the rest of the staff (majority) cannot.

Clark
killyman (Author) Commented:
One last detail I forgot to mention...

Under the "ban_all" and "ban_basics" group policies' security settings, I unchecked the boxes for "read" and "apply policy" from the Authenticated Users group. This prevents policy conflicts between the "ban_all" and "ban_basics" groups.