Solved

group policy settings applying when not configured

Posted on 2007-12-05
Last Modified: 2010-03-17
I've recently taken on a job managing a Windows 2003 Active Directory environment and I've encountered something I think is a bit odd.  When I log on as the domain administrator account it appears to be massively locked down in that the desktop and taskbar are locked and only Programs and Log Off appear in the start menu.  This occurs when I create any new account and I can only disable the restrictions if I create a group policy in an OU and disable these settings.  But I don't understand where these restrictions are coming from because these settings are not configured in the domain policy.  So I can't do much for the administrator account because this is in the Users container which is not an OU.  Am I missing something obvious here?  Is this normal behaviour?  When I use RSoP and GPMC all these settings are not configured.  I've even created a new OU, blocked inheritance, created a computer account and a user account and still the restrictions apply!
Question by:davidmsolo

Accepted Solution

by:
CasUK earned 500 total points
ID: 20410249
It sounds to me like the default user account is locked down. The restrictions are probably locked before you start group policy - which is why it doesn't show up in RSoP.

When you create the accounts, are you doing this on one computer? If so, delete the user profile and try to create the account on another system.

If that is the problem, you could replace the default account by copying it from another computer system (C:\Documents and Settings\Default User on XP).

Author Comment

by:davidmsolo
ID: 20410352
This didn't resolve the problem unfortunately.  I tried creating a new local user on a PC and when I logged in with that account everything was fine (i.e. all the icons on the start menu were there) and presumably any new local user accounts will use the default profile.  I then tried copying this local user profile into the default user, deleted the domain account profile I was using to test then logged in as this account.  It does not have a roaming profile so it should use the default user profile but everything was locked down as before.  I also tried previously setting up a PC from scratch rather than using our images and still it appears locked down.

Author Comment

by:davidmsolo
ID: 20411365
You were right about the default user account being locked down.  But I've just discovered that you can set up a default user profile in the netlogon folder on the domain controller so every time a new user logs on they use this profile rather than the default user profile on the local machine.  I did not know you could do this!
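One way to check for the situation resolved above, as an added example that is not code from the thread: the script looks for a default profile in the domain's NETLOGON share and lists any shell-restriction values stored in its NTUSER.DAT, which RSoP and GPMC do not report because they are not delivered by a GPO. The folder name `Default User`, the three policy key paths and the temporary mount name are assumptions; run it from an elevated prompt on a domain-joined machine.

```powershell
# Added example: inspect the network default profile in NETLOGON for baked-in
# shell restrictions that never appear in RSoP/GPMC.
param(
    # Assumption: XP/2003-era folder name; adjust if your share uses another name.
    [string]$ProfilePath = "\\$env:USERDNSDOMAIN\NETLOGON\Default User"
)

$hiveFile  = Join-Path $ProfilePath 'NTUSER.DAT'
$mountName = 'NetDefaultUserAudit'   # arbitrary temporary key name under HKEY_USERS
# Assumption: the restrictions live under the usual per-user policy keys.
$policyKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'Software\Policies\Microsoft\Windows\Explorer'
)

if (-not (Test-Path -LiteralPath $hiveFile)) {
    Write-Output "No NTUSER.DAT at '$ProfilePath'; new users get the local Default User profile."
    return
}

# Work on a local copy so the hive on the share is never opened for writing.
$copy = Join-Path $env:TEMP 'NetDefaultUser-NTUSER.DAT'
Copy-Item -LiteralPath $hiveFile -Destination $copy -Force

& reg.exe load "HKU\$mountName" $copy | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed; run from an elevated prompt.' }

try {
    foreach ($key in $policyKeys) {
        $regPath = "Registry::HKEY_USERS\$mountName\$key"
        if (-not (Test-Path -LiteralPath $regPath)) { continue }
        $item = Get-Item -LiteralPath $regPath
        foreach ($name in $item.GetValueNames()) {
            # One output row per policy value found in the default profile hive.
            [pscustomobject]@{ Key = $key; Value = $name; Data = $item.GetValue($name) }
        }
        $item.Close()
    }
}
finally {
    # Release registry handles so the hive can be unloaded cleanly.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$mountName" | Out-Null
    Remove-Item -LiteralPath $copy -Force -ErrorAction SilentlyContinue
}
```

Any rows returned are settings every new domain user inherits at first logon, regardless of which GPOs apply to their OU.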

Question has a verified solution.