group policy enforcement.

I made all users administrators of the local machines by adding domain users to the local administrator group.  This was done because of permission problems with software applications requiring users to have administrative rights to the local machines' folders.  I then created a group policy called security, which is enforced, which blocks users' access to modify the network connections.  The users are still able to modify and/or change the network connections.  It is as if, because the domain user is part of the local admin group, this overrides the domain policy.  Help
kapara Asked:

ZabagaR Commented:
Make sure you're updating your policy before testing.  It will update upon reboot but you can force it with the "gpupdate" command:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx

There is also a little utility called "gpresult", and it is found in the Windows 2000 Server Resource Kit.  You can see what's happening with your policies.

Policies apply in the order of -> Local -> Site -> Domain -> OU.............OU being at the top of the food chain and local the lowest.  So your domain policy should not be outdone by the local.  Make sure you set the policy properly....applied it to the users or groups needed....the basic stuff.

ZabagaR Commented:
oh.....the Microsoft Group Policy Management Console is pretty neat too:

http://www.petri.co.il/download_gpmc.htm

I like this link because it lists links to a lot of resource kit downloads, admin packs, support tools....
Kevin Hays (IT Analyst) Commented:
Why not deploy the software packages through GPO and not worry about permissions problems for the most part?  You can also set "Always install with elevated privileges" in both user and computer configuration.

You can also set registry settings so the "domain users" can have write/modify/delete access to the specified object.  Same goes with File that is under the computer configuration also.  You can set a file path so that users can have the appropriate access to it.

If at all possible I would remove them from the local admin group if you can.  You can restrict users from modifying or even being able to see anything with the network connections via GPO also.

I have used gpresult along with replmon, both are good tools.  Replmon you can see if the sysvol and gpo versions match, if they do then you are good to go, if not you have a problem.

I also really like the GPMC.  You can run this tool if you have windows xp sp1 or above so you can create all the gpo's from your machine for the domain.  This also includes all the new settings for XP and 2003 which is nice, especially being able to disable the xp firewall with xp sp2 via GPO.

You didn't specify if machines were xp or 2000.  If they are xp then I would run gpupdate /force and reboot 2 times to make sure the settings take effect.  Windows XP doesn't fully load the network connections which is why it boots up much faster than 2000.

Computers must be placed in the OU which you have computer configuration settings.
Users must be placed the same way.

Good Luck,

Kevin



kapara (Author) Commented:
I ran gpresult and the only GP listed under security was Default Domain Policy.  When I unlinked the Default Domain Policy in GPEDIT Security result was blank.

Last time Group Policy was applied: Tuesday, July 12, 2005 at 11:27:47 AM
Group Policy was applied from: testserver.test.local

===============================================================

The computer received "Registry" settings from these GPOs:

        Default Domain Policy
        Test Security

===============================================================
The computer received "Security" settings from these GPOs:

        Default Domain Policy

===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Default Domain Policy
        Test Security

C:\Program Files\Resource Kit>
Kevin Hays (IT Analyst) Commented:
You placed either your computers or users in the OU that you were setting the GPO's right?
ZabagaR Commented:
Hey, slappy, the ability to prevent users from making modifications to their network properties is a User based policy setting - as opposed to a computer based setting.  So, you'd need to apply the policy to users not computers.....but you may already know that....I just want to make sure.

Just in case you're clicking something wrong, make sure you're doing something similar to this:

1. Right click & obtain properties of the domain (in ADUC of course)
2. Click Group Policy tab
3. Select your domain policy
4. Click Properties
5. Click Security tab
6.  Make sure your users and/or groups you want to be affected are listed here - plus make sure they have the checkbox for "apply group policy" marked.

To be sure, you could also set the "No Override" on the policy.  Do that by going back to step 3. Click the options tab. Click the "no override" box.
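
Added example, not part of any post in this thread: a small parser for gpresult text output that reports whether a named GPO delivered settings in the computer scope, the user scope, or both, which is the check the user-versus-computer point above calls for. The sample input is the computer sections pasted earlier in the thread; the function names are hypothetical, and the wording of a user-section header (the same line with "user" in place of "computer") is an assumption.

```python
import re

# Sample input: the computer sections of the gpresult output posted in the thread.
SAMPLE = '''
The computer received "Registry" settings from these GPOs:

        Default Domain Policy
        Test Security

===============================================================
The computer received "Security" settings from these GPOs:

        Default Domain Policy

===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Default Domain Policy
        Test Security
'''

# Assumption: user sections use the same header with "user" instead of "computer".
HEADER = re.compile(r'^The (computer|user) received "([^"]+)" settings from these GPOs:')

def parse_gpresult(text):
    """Return {scope: {extension: [GPO names]}} from gpresult text output."""
    parsed = {"computer": {}, "user": {}}
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            current = parsed[m.group(1)].setdefault(m.group(2), [])
        elif not raw.strip():
            continue                      # blank lines sit between header and names
        elif current is not None and raw[0] in " \t":
            current.append(raw.strip())   # indented line inside a section is a GPO name
        else:
            current = None                # separator, prompt or other text ends a section
    return parsed

def scopes_for_gpo(parsed, gpo):
    """List the scopes (computer/user) in which `gpo` delivered any settings."""
    return sorted(scope for scope, exts in parsed.items()
                  if any(gpo in names for names in exts.values()))

def delivers_user_settings(text, gpo):
    """True only if `gpo` is listed under a user section of the output."""
    return "user" in scopes_for_gpo(parse_gpresult(text), gpo)

print("Test Security applied in:", scopes_for_gpo(parse_gpresult(SAMPLE), "Test Security"))
```

For the pasted sections this reports the computer scope only; the output for the logged-on user still has to be checked before concluding that a user-side restriction did or did not arrive.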
Kevin Hays (IT Analyst) Commented:
^, if you were meaning if I knew it was in users, of course I did.  That was a general statement to inform someone that either the computers or users needed to be under that OU according to which section they were setting the properties on.  I've seen way too many people especially with the computer section of a GPO that sets some policies in there, but forgets that the computers have to be under the OU for it to even work.

Anyway, I still believe kapara should remove them from the local admin group and find another solution.

Oh, have you given the group policy management tool for GPO's a try yet?  I find it FAR better than using the regular method I was using to create/edit my policies.

Kevin
Kevin Hays (IT Analyst) Commented:
It would be nice for the poster to reply with his solution if it wasn't one of the above listed from the experts.

Windows Server 2003
