
Additional Group Policies in Server 2003

Posted on 2004-09-18
Last Modified: 2008-01-09
Hi all!

I have the default Group Policy configured to restrict users from running specified apps such as Outlook Express and Windows Messenger.

I'd like to create an additional policy that would restrict users from running Windows Media Player and Real Player, but not apply that policy to a few users who I'd like to allow to still use these media players.

How do I go about doing this? It seems that the Default Policy overrides the additional one I created.

Thanks.

Clark

 
LVL 15

Expert Comment

by:adamdrayer
ID: 12091635
If you configured your default domain controller to "enabled" or "disabled" for those particular programs, and you also have the "do not override" checkbox marked, then your other policies will not take effect.

If the other policy is applied to only specific users or groups, then set the default domain policy to "not configured" for those applications.
 
LVL 12

Expert Comment

by:ColinRoyds
ID: 12093253
Create a group, put the restricted users in it, then create a policy for the restricted users. Then go to the Group Policy window (not the policy itself), select Properties, go to Security and add the restricted group in, then tick "Apply Group Policy" and you are all done.
This will only force the policy on the users in the group.

 

Author Comment

by:killyman
ID: 12094409
ColinRoyds,

Thanks for the info. I need to clarify a few things.

First of all, in our Default Domain Policy GPO, we have Outlook Express included in the "Don't run specified Windows applications" section. We also have the Run option removed from the Start menu.

In the security tab of this GPO I have the following:

Authenticated Users (the only one checked to allow for "apply group policy")
CREATOR OWNER
Domain Admins
Enterprise Admins
ENTERPRISE DOMAIN CONTROLLERS
SYSTEM

Now, I've created a new group in AD (called 'mediaplayerban') and have added one user for testing purposes to that group.

Then, while still in AD, I went to the Group Policy tab in the properties box of the domain (ournetwork.local) and created a new Group Policy Object called 'mediaplayerban' and specified wmplayer.exe not to run (in User Configuration > Administrative Templates > System > Don't run specified Windows applications).

Then, I went to the Security tab for the new 'mediaplayerban' GPO and added the 'mediaplayerban' group and checked allow for 'apply group policy'.  I also checked No Override for that GPO.

When I log onto the user's computer (the one in the 'mediaplayerban' group), Windows Media Player cannot be run, which is what I wanted. But I can run Outlook Express on his computer as well as on all the other users' computers. The Run option is still removed from the Start menu, so that's good, I guess.

When I uncheck No Override for the 'mediaplayerban' GPO, then the Outlook Express program cannot be run, but Windows Media Player can be run. So it seems that the Default Domain Policy GPO has overridden the 'mediaplayerban' GPO.

Any suggestions?

Thanks,

Clark


 
LVL 12

Expert Comment

by:ColinRoyds
ID: 12095169
Clark

On the default domain policy make certain that the mediaplayerban is set to "not specified"; then it should not affect the mediaplayerban policy lower down where you have set it to disabled.
Or download the Group Policy Management snap-in (GPMC) and it will show the result of all GPs on a certain object, as it has a result checker built in.
 
LVL 83

Expert Comment

by:oBdA
ID: 12097017
Sorry, but you won't be able to do it with this approach. You are trying to create an "additive" policy; in principle, your approach would be correct, but the problem here is that both GPOs will try to write entries to the same key (Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun). The GPO with the higher priority (if defined on the same OU), or the one "closer" to the user (if defined in different OUs) will win; the settings obtained from the other GPO will be ignored.
I'm afraid you'll have to create one dedicated GPO for each combination of programs not to run.
Hint: The Group Policy Management Console makes debugging policies a lot easier.
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Author Comment

by:killyman
ID: 12114682
Thanks ColinRoyds and oBdA.

I still can't get it to work, as you mentioned oBdA, so... how do I go about creating a dedicated GPO?

I have just installed the Group Policy Management Console.

Clark
 

Author Comment

by:killyman
ID: 12114741
Continued...

I have the option in the GPMC (when I right-click on our domain) to create a "New Organizational Unit"... is this what I need to do?

Clark
 
LVL 83

Accepted Solution

by:
oBdA earned 250 total points
ID: 12115873
Take out the banned program entries from the default domain policy (I'd recommend using this one--if at all--only for the most basic settings; instead, create additional GPOs).
In which OU you define your GPOs is basically up to you. Anyway, in the OU you need the GPOs to apply to, create 2 new GPOs. Name one "Ban-All", name the other "Ban-OE-WM" (or whatever you want your naming scheme to look like). Create two security groups, for example G-Pol-Ban-All, G-Pol-Ban-OE-WM. Add the necessary users.
In "Ban-All", you'll disable access to all four of the programs: OE, Messenger, Media Player, Real Player.
In "Ban-OE-WM", disable access to Outlook Express and Windows Messenger only.
On both entries, remove the apply and read permission for "Authenticated Users", apply those permissions to the respective global group instead.
Create further GPOs and groups accordingly if you need other combinations of programs to disable.
With the priority list, you can decide what happens if a user is a member of more than one "Ban" group. If you make Ban-All the highest in the list and a user is a member of both groups, he will have all programs restricted; if you give the other one the higher priority, he'll have the less restrictive set. That's up to you.
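The layout oBdA describes above (one GPO per combination of banned programs, each security-filtered to its own group, with link order deciding the winner), as an added example that is not part of the original thread. It uses the GroupPolicy and ActiveDirectory PowerShell modules that ship with RSAT on current Windows; neither existed for Server 2003, where the same steps were done by hand in GPMC. The domain, the OU path, the group names and the executable names for Outlook Express, Windows Messenger and RealPlayer are assumptions for illustration; only wmplayer.exe and the DisallowRun key come from the thread.

```powershell
# Added example, not from the original thread. Requires RSAT (GroupPolicy and
# ActiveDirectory modules) and a domain admin session. OU, group and
# executable names other than wmplayer.exe are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName        # e.g. DC=ournetwork,DC=local
$targetOu    = "OU=Staff,$domainDn"                     # assumed OU holding the users
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 1. Take the ban list out of the Default Domain Policy so it no longer competes
#    (both GPOs would otherwise write the same DisallowRun key and one would win).
Remove-GPRegistryValue -Name 'Default Domain Policy' -Key $explorerKey -ValueName 'DisallowRun' -ErrorAction SilentlyContinue | Out-Null
Remove-GPRegistryValue -Name 'Default Domain Policy' -Key "$explorerKey\DisallowRun" -ErrorAction SilentlyContinue | Out-Null

# 2. One GPO per *combination* of banned programs. Each GPO writes the whole
#    DisallowRun list, so two GPOs cannot be merged additively.
$policies = [ordered]@{
    'Ban-All'   = @('msimn.exe', 'msmsgs.exe', 'wmplayer.exe', 'realplay.exe')  # OE, Messenger, WMP, RealPlayer (assumed names)
    'Ban-OE-WM' = @('msimn.exe', 'msmsgs.exe')
}

foreach ($gpoName in $policies.Keys) {
    $groupName = "G-Pol-$gpoName"

    # Global security group that carries the policy to its members.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -Path $targetOu | Out-Null
    }

    New-GPO -Name $gpoName -Comment "Blocks: $($policies[$gpoName] -join ', ')" | Out-Null

    # "Don't run specified Windows applications": DisallowRun=1 plus a numbered list.
    Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
    $i = 1
    foreach ($exe in $policies[$gpoName]) {
        Set-GPRegistryValue -Name $gpoName -Key "$explorerKey\DisallowRun" -ValueName "$i" -Type String -Value $exe | Out-Null
        $i++
    }

    # Security filtering: remove Authenticated Users, grant Read + Apply to the group only.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Since MS16-072 (June 2016) the computer account must still be able to READ the
    # GPO or its user settings are silently skipped; Server 2003 did not need this.
    Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 3. Link order 1 has the highest precedence (it is processed last and wins).
#    Ban-All at 1 means a user in both groups gets the stricter list.
Set-GPLink -Name 'Ban-All'   -Target $targetOu -Order 1 | Out-Null
Set-GPLink -Name 'Ban-OE-WM' -Target $targetOu -Order 2 | Out-Null

# 4. Verify on a client after gpupdate /force and a fresh logon:
#    gpresult /r                                     lists the GPOs actually applied
#    Get-ItemProperty "HKCU:\$($explorerKey -replace '^HKCU\\','')\DisallowRun"
#                                                    shows which single list won
```

Add a user to exactly one group (or to both, if the Ban-All-wins behaviour is intended). If a user still sees the wrong list, check link order and whether any GPO higher in the chain is marked Enforced (No Override); an enforced GPO higher up overrides a closer one regardless of order, which is what the original poster ran into.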
 

Author Comment

by:killyman
ID: 12123887
Sounds like a plan.

I'll give it a shot and get back to you.

Thanks!

Clark
 

Author Comment

by:killyman
ID: 12171849
oBdA

Your suggested method worked flawlessly! Thank you very much!

Under the default domain policy I removed the "read" and "apply" boxes for the authenticated users.

I then created two new policies - one called "ban_all" and the other called "ban_basics."

The "ban_all" policy restricts all the media player software as well as MSN Messenger and Outlook Express from running.

The "ban_basics" policy only restricts MSN Messenger and Outlook Express.

In AD I created two groups - one called "ban_all" and the other called "ban_basics." I then added those groups respectively to the group policies and checked the "read" and "apply" boxes.

All is well. The "ban_basics" members can still use their media players while the rest of the staff (majority) cannot.

Clark
 

Author Comment

by:killyman
ID: 12171933
One last detail I forgot to mention...

Under the "ban_all" and "ban_basics" group policies' security settings, I unchecked the boxes for "read" and "apply policy" from the Authenticated Users group. This prevents policy conflicts between the "ban_all" and "ban_basics" groups.