Solved

Implement Group Policy to hide Control Panel Items

Posted on 2006-03-21
38
Medium Priority
1,384 Views
Last Modified: 2008-01-09
I have been having a hell of a problem hiding or disabling Control Panel items, especially Administrator Tools, as I want to prevent users from accessing Computer Management and the other templates in Admin Tools. I have tried a few solutions on EE with no success. I hope someone can help me out.
0
Question by:aneky
38 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16245084
Administrative Templates\Start Menu and Taskbar\Remove programs on Settings menu

Prevents Control Panel, Printers, and Network Connections from running.

This setting removes the Control Panel, Printers, and Network and Connection folders from Settings on the Start menu, and from My Computer and Windows Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running.

However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking My Computer to start System.

Also, see the Disable Control Panel, Disable Display in Control Panel, and Remove Network Connections from Start Menu settings.

Administrative Templates\Control Panel\Prohibit access to the Control Panel
Disables all Control Panel programs.

This setting prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items.

This setting also removes Control Panel from the Start menu. (To open Control Panel, click Start, point to Settings, and then click Control Panel.) This setting also removes the Control Panel folder from Windows Explorer.

If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action.

Also, see the Remove Display in Control Panel and Remove programs on Settings menu settings.


Have you tried those settings? If so, what are the issues you are getting?


0
 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 600 total points
ID: 16245093
Administrative Templates\Control Panel\Hide specified Control Panel applets

Hides specified Control Panel items and folders.

This setting removes Control Panel items (such as Display) and folders (such as Fonts) from the Control Panel window and the Start menu. It can remove Control Panel items you have added to your system, as well as Control Panel items included in Windows 2000 Professional and Windows XP Professional.

To hide a Control Panel item, type the file name of the item, such as Ncpa.cpl (for Network). To hide a folder, type the folder name, such as Fonts.

This setting affects the Start menu and Control Panel window only. It does not prevent users from running Control Panel items.

Also, see the Remove Display in Control Panel setting in User Configuration\Administrative Templates\Control Panel\Display.

If both the Hide specified Control Panel applets setting and the Show only specified Control Panel applets setting are enabled, and the same item appears in both lists, the Show only specified Control Panel applets setting is ignored.

Note: To find the file name of a Control Panel item, search for files with the .cpl file name extension in the %Systemroot%\System32 directory.

Note: To create a list of disallowed Control Panel applets, click Show, click Add, and then enter the Control Panel file name (ends with .cpl) or the name displayed under that item in the Control Panel. (e.g., desk.cpl, powercfg.cpl, Printers and Faxes)

Note: This setting does not affect the Categories that are displayed in the new Control Panel Category view in Windows XP. If you want to control which items are displayed in Control Panel, enable the Force classic Control Panel Style setting to remove the Category view, and then use this setting to control which .cpls are not displayed.

Administrative Templates\Control Panel\Show only specified Control Panel applets

Hides all Control Panel items and folders except those specified in this setting.

This setting removes all Control Panel items (such as Network) and folders (such as Fonts) from the Control Panel window and the Start menu. It removes Control Panel items you have added to your system, as well the Control Panel items included in Windows 2000 and Windows XP Professional. The only items displayed in Control Panel are those you specify in this setting.

To display a Control Panel item, type the file name of the item, such as Ncpa.cpl (for Network). To display a folder, type the folder name, such as Fonts.

This setting affects the Start menu and Control Panel window only. It does not prevent users from running any Control Panel items.

Also, see the Remove Display in Control Panel setting in User Configuration\Administrative Templates\Control Panel\Display.

If both the Hide specified Control Panel applets setting and the Show only specified Control Panel applets setting are enabled, the Show only specified Control Panel applets setting is ignored.

Tip: To find the file name of a Control Panel item, search for files with the .cpl file name extension in the %Systemroot%\System32 directory.

Another couple of options for you.

0
 
LVL 1

Author Comment

by:aneky
ID: 16246053
Well, I have a problem: the change I created in the Software Restriction Group Policy Object GPO is not pushed to the client. I did a gpresult, which indicates otherwise. Is there any way to check why the changes I made are not pushed down to the user on that computer, which is joined to the domain?

C:\Documents and Settings\aneky>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 3/21/2006 at 7:11:56 PM


RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
----------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 HQ
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\aneky
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 3/21/2006 at 7:02:56 PM
    Group Policy was applied from:      BC2L.HQ.BC2L.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        SAPL-JAMESKOH$
        Domain Computers


USER SETTINGS
--------------

    Last time Group Policy was applied: 3/21/2006 at 7:08:23 PM
    Group Policy was applied from:      BC2L.HQ.BC2L.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Software Restriction Group Policy Object

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL


The following are the configuration I set in the Software Restriction Policy.

User Configuration
---------------------

Windows Settings
---------------------

Scripts
---------------------

Logon

Name      Parameters
mapdrive.bat             (net use P: \\bc2l\test)

Security Settings
-------------------

Public Key Policies/Autoenrollment Settings
-------------------------------------------------

Policy      Setting
----------------
Enroll certificates automatically      Enabled

Renew expired certificates, update pending certificates, and remove revoked certificates      Disabled

Update certificates that use certificate templates   Disabled

Software Restriction Policies/Additional Rules
---------------------------------------------------

C:\Program Files\Messenger\msmsgs.exe
Security Level      Disallowed

C:\Program Files\Yahoo!\Messenger\YPager.exe
Security Level      Disallowed

C:\Windows\System32\format.exe
Security Level      Disallowed

Administrative Templates
-----------------------------

Start Menu and Taskbar
-----------------------------

Remove Run menu from Start Menu                Enabled


System/Group Policy
-----------------------

Group Policy refresh interval for users                     Enabled

This setting allows you to customize how often Group Policy is applied
to users. The range is 0 to 64800 minutes (45 days).
Minutes:      90

This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.

The range is 0 to 1440 minutes (24 hours)
Minutes:      30

System/Scripts
------------------

Run logon scripts visible      Enabled

Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins
-------------------------------------------------------------------------------------------------

Local Users and Groups            Disabled

Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins/Group Policy
----------------------------------------------------------------------------------------------------------------

Group Policy Management           Disabled

Windows Components/Windows Installer
-----------------------------------------------

Prevent removable media source for any install      Enabled

JayJay, I did try the method you advised but it just doesn't work. I don't know why the policy is not applied at all. I need all the help I can get.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16248062
Reboot the PC a few times.  Sometimes that's all it takes.

0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16252225
gpupdate /force

Also, if you set computer policies then you will need to reboot, as Netman said, and sometimes it seems to take a few times - a very intermittent issue, but a known issue with Windows.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 900 total points
ID: 16252475
Some of the multiple reboot issues are on XP when it uses Fastboot (basically cached credentials) to log the user in while the network stack initializes in the background (it's supposed to speed up the boot - but with today's fast CPUs, SATA drives and DDR2 I don't think normal people would even notice a difference).  The policies are staged in the background also when the network initializes and because some of the policy changes are for the computer they don't apply until next reboot since the OS is up already.

You can disable this default behavior here:

Computer Configuration>Administrative Templates>System>Logon :: Always wait for the network at computer startup and logon = ENABLED.

This is linked at the domain level.

The setting forces XP to wait for the stack to initialize then present the user with the logon box.  This gives the policy the opportunity to apply first time around.

0
 
LVL 1

Author Comment

by:aneky
ID: 16253590
What I did was unjoin the computer from the domain and rejoin it. Then the GPO was applied; however, it was not completely applied, as the simple logon script mapdrive.bat (net use P: \\bc2l\public) did not run.

Before, when I checked in AD under Computers, I could not locate the name of the computer I joined to the domain. After I disjoined and rejoined the domain, I still cannot locate the computer name under Computers in AD. Could this be part of the reason why the GPO is not applied?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16253601
Indeed it could. Maybe try changing the computer name and running the Network ID wizard.
0
 
LVL 1

Author Comment

by:aneky
ID: 16253975
Netman66

I did try out your suggestion. It worked and my logon script managed to run, but it takes minutes before the logon screen is displayed. It did apply all the policies I created in the GPO. However, the users over here will not find it acceptable to wait for minutes before they can log in to their computers.

How can I make sure every setting I set in the GPO is implemented on the client computer without sacrificing the time taken for the login screen to come up?

JayJay

Well, it's my fault. I moved the computer to another OU where I wanted to test out another policy; that's why I couldn't find it under Computers in AD.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16254015
How about DNS settings on the client? Is it pointing towards your DC?
0
 
LVL 1

Author Comment

by:aneky
ID: 16254069
We are using DHCP for the client computers. The first line of the DNS IP setting is the DC IP address.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16254091
Good, good, as that can often slow down logon times if it's not pointing in the right direction. Which settings aren't holding now?
0
 
LVL 1

Author Comment

by:aneky
ID: 16254462
The problem is the GPO only applies to the client PC if I apply Netman66's solution, that is:

You can disable this default behavior here:

Computer Configuration>Administrative Templates>System>Logon :: Always wait for the network at computer startup and logon = ENABLED.

But if I apply this setting, it takes 4 mins before I can see the logon screen after I boot up the PC. If I don't apply this setting, my GPO cannot apply to the computer.

Jay & Net, please advise me what I should do so that I can have a faster logon screen with the GPO applied properly when the user logs in.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16254594
You haven't edited any of the security features on the policy itself, have you? Is the policy sitting at the domain root?
0
 
LVL 1

Author Comment

by:aneky
ID: 16254696
This is not the domain root GPO. The GPO I set is applied only at the OU level. I disabled enforce on the domain root GPO and set the OU GPO to enforce.
0
 
LVL 1

Author Comment

by:aneky
ID: 16254717
Nope, I didn't edit the security features on the policy.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16262710
If it's taking that long, then either you have far too many GPOs to process on startup, your script is hanging, or you have ISP DNS settings on the clients.

You should NOT have any ISP DNS settings anywhere inside your LAN - only on the Forwarder tab of your DNS server.

Also, make sure all of your servers are correctly registered with your DNS server - especially, the DCs underneath _msdcs.


0
 
LVL 1

Author Comment

by:aneky
ID: 16264855
I only have 2 GPOs enabled under the OU, which are

Default Domain Policy
Software Restriction Group Policy Object

No, there is no client that has ISP DNS settings.

I did a test yesterday. In the first round, if I log in as a domain user the GPO will not apply. Then I went to the command prompt to run gpupdate /force. In the second round, I logged out after gpupdate completed and logged in again as the domain user. The GPO then applied. This is the only way I can get the GPO to apply.

If I shut down the laptop, restart it and log in, the GPO will not apply. What could be the cause of this?


0
 
LVL 51

Expert Comment

by:Netman66
ID: 16276099
Your Group Policy must think that you're on a slow link.

If you run GPRESULT from one of these machines, right near the beginning of the output it tells you what it "thinks" the link is.

Can you post a gpresult here?

0
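Added example, not part of any post in this thread: a small Python parser for the XP-era gpresult layout pasted above, pulling out the slow-link line Netman66 points to and the GPOs applied in each scope. The function names and the abbreviated sample are this example's own assumptions; other Windows versions print a different layout.

```python
import re

# Abbreviated copy of the first gpresult run posted in this thread
# (OS details, security groups and one filtered-GPO list dropped).
SAMPLE = r"""
RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
----------------------------------------------------------
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 3/21/2006 at 7:02:56 PM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

USER SETTINGS
--------------
    Last time Group Policy was applied: 3/21/2006 at 7:08:23 PM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Software Restriction Group Policy Object

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
"""

SCOPE_RE = re.compile(r"^(COMPUTER|USER) SETTINGS$")
FIELD_RE = re.compile(r"^([^:]+?)\s*:\s+(\S.*)$")  # "Name:   value"


def parse_gpresult(text):
    """Parse XP-style gpresult text into header fields and per-scope GPO lists."""
    report = {"access_denied": False, "header": {}, "scopes": {}}
    scope = section = last_filtered = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank lines and dashed underlines carry no data
        if line.startswith("ERROR: Access Denied"):
            report["access_denied"] = True
            continue
        m = SCOPE_RE.match(line)
        if m:  # a later run in the same paste replaces earlier scope data
            scope = report["scopes"][m.group(1)] = {
                "fields": {}, "applied": [], "filtered": {}}
            section = last_filtered = None
            continue
        if scope is None:  # still in the header block before any scope
            f = FIELD_RE.match(line)
            if f:
                report["header"][f.group(1)] = f.group(2)
            continue
        if line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif "is a part of the following security groups" in line:
            section = "groups"  # group names are skipped, not collected
        elif section == "applied":
            scope["applied"].append(line)
        elif section == "filtered":
            if line.startswith("Filtering:") and last_filtered:
                scope["filtered"][last_filtered] = line.split(":", 1)[1].strip()
            else:
                last_filtered = line
                scope["filtered"][line] = None
        elif section is None:
            f = FIELD_RE.match(line)
            if f:
                scope["fields"][f.group(1)] = f.group(2)
    return report


def findings(report, expected_gpo):
    """List what the report says about one GPO that should be in effect."""
    out = []
    if report["access_denied"] and not report["scopes"]:
        out.append("gpresult returned Access Denied and no RSOP data")
    if report["header"].get("Connected over a slow link?", "").lower() == "yes":
        out.append("client detected a slow link")
    for name in ("COMPUTER", "USER"):
        data = report["scopes"].get(name)
        if data is not None and expected_gpo not in data["applied"]:
            out.append(f"{expected_gpo!r} not applied in {name} scope")
    return out


if __name__ == "__main__":
    for item in findings(parse_gpresult(SAMPLE),
                         "Software Restriction Group Policy Object"):
        print(item)
```

On the abbreviated sample this reports the GPO as missing from the COMPUTER scope only, which is what the first posted run shows.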
 
LVL 1

Author Comment

by:aneky
ID: 16276647
Netman66

This is the gpresult I get after logging in on a machine that was started up from cold.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\aneky>gpresult
ERROR: Access Denied.

C:\Documents and Settings\aneky>

If I run gpresult again after this, I am able to get the result shown below.

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 3/21/2006 at 7:11:56 PM


RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
----------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 HQ
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\aneky
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 3/21/2006 at 7:02:56 PM
    Group Policy was applied from:      BC2L.HQ.BC2L.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        SAPL-JAMESKOH$
        Domain Computers


USER SETTINGS
--------------

    Last time Group Policy was applied: 3/21/2006 at 7:08:23 PM
    Group Policy was applied from:      BC2L.HQ.BC2L.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Software Restriction Group Policy Object

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL


The following are the configuration I set in the Software Restriction Policy.

User Configuration
---------------------

Windows Settings
---------------------

Scripts
---------------------

Logon

Name     Parameters
mapdrive.bat             (net use P: \\bc2l\test)

Security Settings
-------------------

Public Key Policies/Autoenrollment Settings
-------------------------------------------------

Policy     Setting
----------------
Enroll certificates automatically     Enabled

Renew expired certificates, update pending certificates, and remove revoked certificates     Disabled

Update certificates that use certificate templates   Disabled

Software Restriction Policies/Additional Rules
---------------------------------------------------

C:\Program Files\Messenger\msmsgs.exe
Security Level     Disallowed

C:\Program Files\Yahoo!\Messenger\YPager.exe
Security Level     Disallowed

C:\Windows\System32\format.exe
Security Level     Disallowed

Administrative Templates
-----------------------------

Start Menu and Taskbar
-----------------------------

Remove Run menu from Start Menu               Enabled


System/Group Policy
-----------------------

Group Policy refresh interval for users                    Enabled

This setting allows you to customize how often Group Policy is applied
to users. The range is 0 to 64800 minutes (45 days).
Minutes:     90

This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.

The range is 0 to 1440 minutes (24 hours)
Minutes:     30

System/Scripts
------------------

Run logon scripts visible     Enabled

Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins
-------------------------------------------------------------------------------------------------

Local Users and Groups           Disabled

Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins/Group Policy
----------------------------------------------------------------------------------------------------------------

Group Policy Management          Disabled

Windows Components/Windows Installer
-----------------------------------------------

Prevent removable media source for any install     Enabled

The problem is weird, so I don't know what's wrong. Based on the subsequent gpresult, it didn't indicate the machine is on a slow link. I hope you can help me diagnose the problem, Netman.

0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16276702
>>>>>>
C:\Documents and Settings\aneky>gpresult
ERROR: Access Denied.

Is this profile specific? If you log on with a different user, do you get the same set of issues?
0
 
LVL 1

Author Comment

by:aneky
ID: 16277081
Well, I only created 1 domain user account under this GPO. I did not create any other domain user implementing this GPO.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16284396
You just copied the GPRESULT you first posted.

Please do a current one.

Also, where is this policy linked?

0
 
LVL 1

Author Comment

by:aneky
ID: 16297213
Netman.

OK. Sorry, I was kind of lazy. This is a current one, with the gpresult runs all executed consecutively. The "Software Restriction Group Policy Object" GPO is enforced while the "Default Domain Policy" is set to link.


Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\aneky>gpresult
ERROR: Access Denied.

C:\Documents and Settings\aneky>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 3/27/2006 at 10:48:27 AM


RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
----------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 HQ
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\aneky
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=SAPL-JAMESKOH,OU=Test Domain Policy,DC=HQ,DC=BC2L,DC=COM
    Last time Group Policy was applied: 3/27/2006 at 10:46:50 AM
    Group Policy was applied from:      BC2L.HQ.BC2L.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Software Restriction Group Policy Object
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        SAPL-JAMESKOH$
        Domain Computers


USER SETTINGS
--------------
    CN=Test Account,OU=Test Domain Policy,DC=HQ,DC=BC2L,DC=COM
    Last time Group Policy was applied: 3/27/2006 at 10:48:27 AM
    Group Policy was applied from:      BC2L.HQ.BC2L.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Software Restriction Group Policy Object
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16307010
How many machines are affected by this problem?

I'm also a little wary of the ERROR: Access Denied thing you see the first run.

0
 
LVL 1

Author Comment

by:aneky
ID: 16307500
Well, it is prevalent on all the machines, as they are all running WinXP Pro SP2. The issue seems to show up the same way: the GPO doesn't apply in the first instance, while it will apply after I have been logged in for a while.

The urgency of gpresult is of least importance, as my main problem is the GPO doesn't apply  Computer Configuration>Administrative Templates>System>Logon :: Always wait for the network at computer startup and logon = ENABLED. But if I enable this, it takes ages for the machine to log in; based on the GPRESULT, the client I log in to the domain from is not connected on a slow link. If I set it to asynchronous update, the GPO will not apply.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16315306
Hmmm...

Can you try this on ONE test PC?

http://support.microsoft.com/kb/244474/en-us

Let me know if the problem goes away.

I suspect there are switching problems and this may confirm it.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 16315326
I should stress, do not yet use the ADM template that is provided.  Manually change one PC to see if this is actually the cause.

Set this again:

Configuration>Administrative Templates>System>Logon :: Always wait for the network at computer startup and logon = ENABLED
0
 
LVL 1

Author Comment

by:aneky
ID: 16317146
Netman

I have made the changes to the registry, added the GPO setting you indicated and run gpupdate /force. Then I shut down the computer and started it up again. I came to the login screen rather quickly, from which I suspect the GPO did not apply. I checked it again with gpresult. On the first run I got Access Denied. It went through all the processing until "Creating the RSOP session for HQ\aneky", then it stopped and prompted with Access Denied.

I ran it a second time. It seems the processing is slower compared to before I tweaked the registry setting on the machine. However, the gpresult was processed fully. Here is the result I copied out:

C:\Documents and Settings\aneky>gpresult
ERROR: Access Denied.

C:\Documents and Settings\aneky>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 3/29/2006 at 9:17:32 AM


RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
----------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 HQ
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\aneky
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 3/29/2006 at 9:16:58 AM
    Group Policy was applied from:      BC2L.HQ.BC2L.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Software Restriction Group Policy Object
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        SAPL-JAMESKOH$
        Domain Computers


USER SETTINGS
--------------

    Last time Group Policy was applied: 3/29/2006 at 9:16:51 AM
    Group Policy was applied from:      BC2L.HQ.BC2L.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Software Restriction Group Policy Object
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
0
 
LVL 1

Author Comment

by:aneky
ID: 16317324
Updates:

I shut down the machine a 2nd time and restarted. The GPO kicked in and it took about 3 mins for the machine to display the login message. Once in, I tried running gpresult and it displayed in a jiffy, as shown below.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\aneky>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 3/29/2006 at 9:54:06 AM


RSOP results for HQ\aneky on SAPL-JAMESKOH : Logging Mode
----------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 HQ
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\aneky
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=SAPL-JAMESKOH,OU=Test Domain Policy,DC=HQ,DC=BC2L,DC=COM
    Last time Group Policy was applied: 3/29/2006 at 9:53:57 AM
    Group Policy was applied from:      BC2L.HQ.BC2L.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Software Restriction Group Policy Object
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        SAPL-JAMESKOH$
        Domain Computers


USER SETTINGS
--------------
    CN=Test Account,OU=Test Domain Policy,DC=HQ,DC=BC2L,DC=COM
    Last time Group Policy was applied: 3/29/2006 at 9:51:37 AM
    Group Policy was applied from:      BC2L.HQ.BC2L.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Software Restriction Group Policy Object
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
0
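A way to check output like the gpresult listing above automatically, as an added example that is not part of the original post: it parses the report into applied and filtered GPOs per scope and lists expected GPOs that did not apply. The function names `parse_gpresult` and `missing_gpos` are hypothetical, and the parser assumes the layout shown in the post (section headings indented four spaces, entries indented deeper).

```python
# Constructed sample in the post's gpresult layout; USER scope lacks one GPO on purpose.
SAMPLE = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Software Restriction Group Policy Object
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
    The computer is a part of the following security groups:
    --------------------------------------------------------
        Domain Computers
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
"""
SCOPES = {"COMPUTER SETTINGS": "computer", "USER SETTINGS": "user"}
SUBSECTIONS = {"Applied Group Policy Objects": "applied",
    "The following GPOs were not applied because they were filtered out": "filtered"}
def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    result = {s: {"applied": [], "filtered": {}} for s in SCOPES.values()}
    scope = sub = last = None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if line in SCOPES:
            scope, sub = SCOPES[line], None
        elif scope is None or not line or set(line) == {"-"}:
            continue  # preamble, blank lines, dashed underlines
        elif line in SUBSECTIONS:
            sub, last = SUBSECTIONS[line], None
        elif indent <= 4:
            sub = None  # any other heading (e.g. security groups) ends the list
        elif sub == "applied":
            result[scope]["applied"].append(line)
        elif sub == "filtered" and last and line.startswith("Filtering:"):
            result[scope]["filtered"][last] = line.split(":", 1)[1].strip()
        elif sub == "filtered":
            last = line  # GPO name; its "Filtering:" reason follows on the next line
    return result

def missing_gpos(parsed, expected):
    """List (scope, gpo) pairs where an expected GPO is absent from the applied list."""
    return [(s, g) for s, names in expected.items()
            for g in names if g not in parsed[s]["applied"]]
```

Feeding it the saved output of `gpresult` from each workstation shows which scope, computer or user, failed to pick up a restriction GPO.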
 
LVL 1

Author Comment

by:aneky
ID: 16317378
Netman:

I timed how long it takes the machine to display the login screen. It seems that after applying the registry tweak, the logon screen took about 2 min 17 sec, as compared to the previous whole 5 mins for it to appear. So what do you think is the probable cause of this issue?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16322264
It sounds like this may be the problem.

Your startup time is not unreasonable at all now - in fact, I have mostly P4 - 3.2GB machines with SATA drives that take at least that long.

Since you effectively forced Kerberos to use TCP rather than UDP, the packet sizes can be better controlled.  Some switching equipment can cause problems if not set up properly to allow large UDP traffic.

You can safely create that ADM file and copy it to the Templates folder on the server.  You can create a new GPO at the domain level and import this template into it then make the setting changes so that the entire domain will work off TCP rather than UDP Kerberos traffic.

Do NOT import this into the Default Domain Policy - create a new GPO and do it from there.

If you have a complex switch or VLAN configuration you might want to get the network people involved too.  They might be able to "sniff" the traffic and confirm what we are seeing.  If you are using Hubs rather than switches, then this might be the problem too.

NM
0
 
LVL 1

Author Comment

by:aneky
ID: 16328492
Netman,

Unfortunately, I brought the test machine (laptop) home, but when I arrived in the office and started up to log in, it took more than 5 minutes, coming to infinity, as compared to the time I timed previously. I practically need to pull out the LAN cable in order to see the login screen. I don't think the solution you gave me works though, as the timing for the login screen to appear seems to be erratic.

No, we did not implement VLANs here, as it is only a 50-strong company, but we are using different types of dumb switches to extend the number of ports.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 16333366
I think you need to look at the switch layout.  If you have a hub connected to a single port on a switch then you will have issues on the hub.

If you plug the laptop into the main switch directly (or the same one the server is on) will it log on any different?

0
 
LVL 1

Author Comment

by:aneky
ID: 16357157
Netman,

The condition worsened. Today, it does not even prompt for the login screen at all. I tried connecting to the switch to which the server is connected and it improved to 1 min 40 secs. But I am not sure if the result is accurate, as it is based on 1 test.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16370792
Hard to say.

I would unplug the power to all the switches and the router.  Wait one minute.  Start by powering up the router, then each switch one by one.

It sounds like (maybe) the routing tables are getting corrupt.

0
 
LVL 1

Author Comment

by:aneky
ID: 16377535
But I don't think it is routing table corruption as the dc server and clients all fall under the same subnet address.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16380111
Each switch (if not a basic switch) will build a table up in its memory.  Routing is not just for going outside your own subnet.  A switch has the capacity of "learning" where an IP address is in relation to each port - and thus can "route" directly between hosts rather than forward the packets to the router to be bounced back inside.

Of course, all this is a little more complex but you get the idea.

Reset your switches and see what happens.  

This sounds like a network issue - either switching or at the router.  Something isn't right there.

Your server and clients all perform as expected when they can communicate with each other.

0

Question has a verified solution.
