Solved

Applying policies in server 2003

Posted on 2009-04-03
Last Modified: 2013-11-21
I am a new user to the group policy object editor and would like to apply some policies to certain groups of users.

I want all but two users to not have the ability to shut down the server (these are thin clients).

Also, I want all the thin client users' screen resolution to be higher, or at least give them the option to change their screen resolution.  Right now it's impossible to change the screen res. on all users except for my username, and I'm not sure why that is.

Thanks,

Ken Poole
A-1 Electric Motor Service
Question by:a1electric
13 Comments
 
LVL 9

Expert Comment

by:tl121000
ID: 24068887
So it seems you want GPOs based on the user rather than the computer.
 You will use GPO user configuration policies.

The best way to learn GPO in my experience is to go through each computer and user container (from top to bottom) and read the explanation on the right of each setting you click on.
 GPOs are simple yet very powerful ways to control your environment.
 
0
 
LVL 9

Expert Comment

by:tl121000
ID: 24069487
For the display settings use this article for understanding
You can explicitly enable the Control Panel and disable everything but the display settings, so users can change desktop settings.  
 
*** The thin clients that I have seen (Wyse and HP t5135)...  if you log on to the thin client itself as an admin (not the RDP'ed hosted OS), you should be able to change the settings under a display tab and save them.  This way the emulation will follow the config of the actual thin client and not the remote OS.
 
 
 
0
 

Author Comment

by:a1electric
ID: 24079712
I can see in that link where it talks about showing or hiding the settings tab, but the problem I'm having is that the tab is there, there is just no way to move the settings bar for certain users.

I'm not sure I'm following you about logging on to the thin client as an admin.  My setup here is that there is no logging on to the thin client itself, only to the remote session of windows.

I have changed the settings of the thin client before logging into windows to a better screen resolution, but that resolution doesn't apply after logging into windows.
0
 

Author Comment

by:a1electric
ID: 24079872
Also, I did have the policy for there to be no shutdown option available, but then I wasn't even able to shut down the server when logged in as administrator.

Once I make the policy, how do I apply it to certain users - everyone except administrator?
0
 
LVL 9

Expert Comment

by:tl121000
ID: 24110852


"...I'm not sure I'm following you about logging on to the thin client as an admin.  My setup here is that there is no logging on to the thin client itself, only to the remote session of windows."
What kind of thin client do you have, as some thin clients allow you to log in to the actual unit itself and change display (and other) settings?

"I have changed the settings of the thin client before logging into windows to a better screen resolution, but that resolution doesn't apply after logging into windows."
Go to display setting in the GPO and change the display settings to a higher resolution

"Also, I did have the policy for there to be no shutdown option available, but then I wasn't even able to shut down the server when logged in as administrator."
Did you make this policy change to the default domain policy?
If so, put the administrator in a different OU and prevent GPO inheritance from the default domain.  You're basically sealing off the OU with administrators. There are a few ways you can do this
or

simply move the admin account out of the affected OU's group policy

0
 

Author Comment

by:a1electric
ID: 24117616
ok, i figured out the display problem

"Did you make this policy change to the default domain policy?"

That's a good question.  Here's what I did: I opened gpedit.msc.  Then under administrative, Start menu and taskbar, I enabled "Remove and Prevent Access to the Shut Down Command."
That's it.  I didn't know how to apply this to individual users, computers or OUs (and still don't).  
After exiting gpedit.msc, the Shut Down command was unavailable for all users, including Administrator.

"put the administrator in a different OU and prevent GPO inheritance from the default domain."

I know this seems elementary, but I did a lot of stuff like this with Netware 5 and it just isn't as straightforward with Microsoft.  I'm not sure how to go about moving administrator out of an OU and what OU I should put it in if I do that.

Attached is the screen of Active Directory users and computers.

Thanks

Ken Poole
0
 
LVL 9

Accepted Solution

by:
tl121000 earned 250 total points
ID: 24118474
In your Active Directory Users and Computers, simply move the Administrator out of the affected OU.  However, if you did make the shutdown and display settings on the default domain policy (see below), you will have to follow the options below.
To check and see if the default domain policy was configured as such, go to gpedit.msc and click below the domain name. You will see the default domain policy, which then collapses into a computers and users tree.
  • If you applied these changes to the default domain policy under user, then you have two options to alleviate the administrator not having display and shutdown rights.
or
  • Clear the changes you made on the default domain policy concerning shutdown and display settings
    • Create another OU in Active Directory Users and Computers for the users who need to be limited with Display settings (i.e. ThinCLientUsers)
      • Move these users into the OU using Active Directory Users and Computers.
0
 

Author Comment

by:a1electric
ID: 24118585
I'm going to take this one small step at a time until I get a clear picture:

"go to gpedit.msc and click below the domain name "

I do not see a domain name in gpedit.msc - see attached screen shot.
0
 
LVL 9

Expert Comment

by:tl121000
ID: 24119282
No attached screen shot - try again?
0
 

Author Comment

by:a1electric
ID: 24122837
ok, for some reason the file won't attach.

But this is what I've done so far:

Made a new OU called Administrators and put the administrator and my user into that container.

Blocked inheritance to that container.

Enabled "Remove and prevent access to the Shut Down Command"  under Default Domain Policy, User Configuration, Administrative Templates, Start Menu and Taskbar.

But, the Shut Down command is gone for the two users I put in the new OU, and I want those two users to see the Shut Down command.
0
 

Author Comment

by:a1electric
ID: 24122864
well, at least i'm on to something - it's just the opposite of what I want - all users except the two in the new ou have the shutdown command (??)
0
 

Author Comment

by:a1electric
ID: 24122878
ok, now no one has access to the shut down command - which is a little better - i just have to figure out why the two users in the new ou are inheriting this policy when i blocked inheritance in this container
0
 

Author Comment

by:a1electric
ID: 24122890
got it!
needed to create a new group policy object under the administrators ou

thanks for the help and beginners tutoring
0
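An added example, not part of the thread: a simplified Python model of user-policy precedence (local policy, then domain, then OU, with Block Inheritance and enforced links) applied to the layout described above. It assumes the setting made earlier in gpedit.msc was still present in the server's local policy; the GPO name "Admins Allow Shutdown" is hypothetical, and security filtering, WMI filters and loopback processing are left out.

```python
from dataclasses import dataclass, field

SHUTDOWN = "Remove and prevent access to the Shut Down command"

@dataclass
class Container:
    """A domain or OU with its linked GPOs, in processing order (last one wins)."""
    name: str
    links: list = field(default_factory=list)  # (gpo_name, {setting: state}, enforced)
    block_inheritance: bool = False

def resolve(local_policy, path):
    """Effective user settings for an account whose container chain is `path`
    (domain first, the account's own OU last). Returns {setting: (state, source)}."""
    # Block Inheritance discards non-enforced links from every container above it.
    first_kept = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    # Local policy is processed first and Block Inheritance does not remove it.
    effective = {k: (v, "Local Policy") for k, v in local_policy.items()}
    enforced = []
    for depth, container in enumerate(path):
        for gpo, settings, is_enforced in container.links:
            if is_enforced:
                enforced.append((gpo, settings))
            elif depth >= first_kept:
                effective.update({k: (v, gpo) for k, v in settings.items()})
    # Enforced ("No Override") links win, and the highest-level one wins overall.
    for gpo, settings in reversed(enforced):
        effective.update({k: (v, gpo) for k, v in settings.items()})
    return effective

def thread_scenario(ou_gpo=None, local=True):
    """Constructed layout mirroring the thread: (admin result, thin-client result)."""
    local_policy = {SHUTDOWN: "Enabled"} if local else {}  # assumed gpedit.msc leftover
    domain = Container("domain", [("Default Domain Policy", {SHUTDOWN: "Enabled"}, False)])
    admins = Container("Administrators", block_inheritance=True)
    if ou_gpo:
        admins.links.append(ou_gpo)
    thin = Container("ThinClientUsers")
    return (resolve(local_policy, [domain, admins]).get(SHUTDOWN),
            resolve(local_policy, [domain, thin]).get(SHUTDOWN))

if __name__ == "__main__":
    print(thread_scenario())             # Block Inheritance only
    print(thread_scenario(ou_gpo=("Admins Allow Shutdown", {SHUTDOWN: "Disabled"}, False)))
    print(thread_scenario(local=False))  # same, without the local-policy setting
```

On a real Server 2003 host, `gpresult /v` run as the affected user reports which GPO supplied each setting, which is the check to make before and after changing a link.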
