Solved

Applying policies in server 2003

Posted on 2009-04-03
Last Modified: 2013-11-21
I am a new user to the group policy object editor and would like to apply some policies to certain groups of users.

I want all but two users to not have the ability to shut down the server (these are thin clients).

Also, I want all the thin client users' screen resolution to be higher, or at least give them the option to change their screen resolution.  Right now it's impossible to change the screen res. on all users except for my username, and I'm not sure why that is.

Thanks,

Ken Poole
A-1 Electric Motor Service
0
Question by:a1electric
13 Comments
 
LVL 9

Expert Comment

by:tl121000
ID: 24068887
So it seems you want GPOs based on the user rather than the computer.
 You will use GPO user configuration policies.

The best way to learn GPO in my experience is to go through each computer and user container (from top to bottom) and read the explanation on the right of each setting you click on.
 GPOs are simple yet very powerful ways to control your environment.
 
0
 
LVL 9

Expert Comment

by:tl121000
ID: 24069487
For the display settings use this article for understanding
You can explicitly enable the Control Panel and disable everything but the display settings, so users can change desktop settings.
 
*** The thin clients that I have seen (Wyse and HP t5135)...  if you log on to the thin client itself as an admin (not RDP'ed hosted OS), you should be able to change the settings under a display tab and save them.  This way the emulation will follow the config of the actual thin client and not the remote OS.
 
 
 
0
 

Author Comment

by:a1electric
ID: 24079712
I can see in that link where it talks about showing or hiding the settings tab, but the problem I'm having is that the tab is there, there is just no way to move the settings bar for certain users.

I'm not sure I'm following you about logging on to the thin client as an admin.  My setup here is that there is no logging on to the thin client itself, only to the remote session of windows.

I have changed the settings of the thin client before logging into windows to a better screen resolution, but that resolution doesn't apply after logging into windows.
0

 

Author Comment

by:a1electric
ID: 24079872
Also, I did have the policy for there to be no shutdown option available, but then I wasn't even able to shut down the server when logged in as administrator.

Once I make the policy, how do I apply it to certain users - everyone except administrator?
0
 
LVL 9

Expert Comment

by:tl121000
ID: 24110852


"...I'm not sure I'm following you about logging on to the thin client as an admin.  My setup here is that there is no logging on to the thin client itself, only to the remote session of windows."
What kind of thin client do you have, as some thin clients allow you to log in to the actual unit itself and change display (and other) settings?

"...I have changed the settings of the thin client before logging into windows to a better screen resolution, but that resolution doesn't apply after logging into windows."
Go to display setting in the GPO and change the display settings to a higher resolution

"...Also, I did have the policy for there to be no shutdown option available, but then I wasn't even able to shut down the server when logged in as administrator."
Did you make these policy changes to the default domain policy?
If so, put the administrator in a different OU and prevent GPO inheritance from the default domain.  You're basically sealing off the OU with administrators. There are a few ways you can do this
or

simply move the admin account out of the affected OU's group policy

0
 

Author Comment

by:a1electric
ID: 24117616
ok, i figured out the display problem

"Did you make these policy changes to the default domain policy?"

That's a good question.  Here's what I did: I opened gpedit.msc.  Then under administrative, Start menu and taskbar, I enabled "Remove and Prevent Access to the Shut Down Command."
That's it.  I didn't know how to apply this to individual users, computers or OUs (and still don't).  
After exiting gpedit.msc, the Shut Down command was unavailable for all users, including Administrator.

"put the administrator in a different OU and prevent GPO inheritance from the default domain."

I know this seems elementary, but I did a lot of stuff like this with Netware 5 and it just isn't as straightforward with Microsoft.  I'm not sure how to go about moving administrator out of an OU and what OU I should put it in if I do that.

Attached is the screen of Active Directory users and computers.

Thanks

Ken Poole
0
 
LVL 9

Accepted Solution

by:
tl121000 earned 1000 total points
ID: 24118474
In your Active Directory Users and Computers, simply move the Administrator out of the affected OU.  However, if you did make the shutdown and display settings on the default domain policy (see below) you will have to follow the options below.
To check and see if the default domain policy was configured as such - go to gpedit.msc and click below the domain name - you will see the default domain policy, which then collapses into a computers and users tree.
  • If you applied these changes to the default domain policy under user, then you have two options to alleviate the administrator not having display and shutdown rights.
or
  • Clear the changes you made on the default domain policy concerning shutdown and display settings
    • Create another OU in Active Directories and Computers for the users who need to be limited with Display settings (i.e. ThinClientUsers)
      • Move these users into the OU using Active Directory Users and Computers.
0
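
The second option in the accepted answer (leave the Default Domain Policy clean, scope the restriction to a dedicated OU), scripted as an added example that is not part of the original thread. It assumes a management host with the GroupPolicy and ActiveDirectory PowerShell modules, which postdate Server 2003; the domain `example.local`, the GPO name and the account `thinuser01` are constructed placeholders.

```powershell
# Added example. Domain DN, GPO name and user account are constructed placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=local'
$ouName   = 'ThinClientUsers'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'ThinClient - Remove Shut Down'
$polKey   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 1. OU that holds only the accounts to be restricted; administrators stay outside it.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $ouName -Path $domainDn }

# 2. Dedicated GPO, so the Default Domain Policy is not edited at all.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Hide Shut Down for thin client users'
}

# 3. User Configuration registry policy behind
#    "Remove and prevent access to the Shut Down command" (NoClose = 1).
Set-GPRegistryValue -Name $gpoName -Key $polKey `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# 4. Link the GPO to the OU only, never to the domain root.
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 5. Move one restricted account into the OU (repeat per thin client user).
Get-ADUser -Identity 'thinuser01' | Move-ADObject -TargetPath $ouDn

# 6. Check: GPOs that reach this OU, in processing order, plus the stored value.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
Get-GPRegistryValue -Name $gpoName -Key $polKey -ValueName 'NoClose'

# The same listing against the administrators' OU should not show $gpoName.
```

Step 6 is the part worth keeping for later troubleshooting: it shows every GPO that applies to an OU before anyone logs on to test it.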
 

Author Comment

by:a1electric
ID: 24118585
I'm going to take this one small step at a time until I get a clear picture:

"go to gpedit.msc and click below the domain name "

I do not see a domain name in gpedit.msc - see attached screen shot.
0
 
LVL 9

Expert Comment

by:tl121000
ID: 24119282
No attached screen shot - try again?
0
 

Author Comment

by:a1electric
ID: 24122837
ok, for some reason the file won't attach.

But this is what I've done so far:

Made a new OU called Administrators and put the administrator and my user into that container.

Blocked inheritance to that container.

Enabled "Remove and prevent access to the Shut Down Command"  under Default Domain Policy, User Configuration, Administrative Templates, Start Menu and Taskbar.

But, the Shut Down command is gone for the two users I put in the new OU, and I want those two users to see the Shut Down command.
0
 

Author Comment

by:a1electric
ID: 24122864
well, at least i'm on to something - it's just the opposite of what I want - all users except the two in the new ou have the shutdown command (??)
0
 

Author Comment

by:a1electric
ID: 24122878
ok, now no one has access to the shut down command - which is a little better - i just have to figure out why the two users in the new ou are inheriting this policy when i blocked inheritance in this container
0
 

Author Comment

by:a1electric
ID: 24122890
got it!
needed to create a new group policy object under the administrators ou

thanks for the help and beginner's tutoring
0
