• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 382
  • Last Modified:

Applying policies in server 2003

I am a new user to the group policy object editor and would like to apply some policies to certain groups of users.

I want all but two users to not have the ability to shut down the server (these are thin clients).

Also, I want all the thin client users screen resollution to be higher, or at least give them the option to change their screen resolution.  Right now it's impossible to change the screen res. on all users except for my username, and I'm not sure why that is.

Thanks,

Ken Poole
A-1 Electric Motor Service
0
a1electric
Asked:
a1electric
  • 8
  • 5
1 Solution
 
tl121000Commented:
So it seems you want GPO's based on the user rather then the computer.
 You will use GPO user configuration policies..

The best way to learn GPO in my experience is to  go through each computer and user container (from top to bottom) and read the explanation on the right of each setting you click on.
 GPOs our simple yet very powerful ways to control your environment.
 
0
 
tl121000Commented:
For the display seetings use this article for understanding
You can explicitly enable the copntrol panel and disable everything but the display settings, so users can change desktops settings.  
 
*** The thin clients that I have seen (Wyse and HP t5135)...  if you logon to the thin client itself  as an admin (not RDp'ed hosted OS), you should be able to change the settings under a display tab and save them.  Thsi way the emualtion will follow the config of the actual thin client and not the remote OS.
 
 
 
0
 
a1electricAuthor Commented:
I can see in that link where it talks about showing or hiding the settings tab, but the problem I'm having is that the tab is there, there is just no way to move the settings bar for certain users.

I'm not sure I'm following you about logging on to the thin client as an admin.  My setup here is that there is no logging on to the thin client itself, only to the remote session of windows.

I have changed the settings of the thin client before logging into windows to a better screen resolution, but that resoultion doesn't apply after logging into windows.
0
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

 
a1electricAuthor Commented:
Also, I did have the policy for there to be no shutdown option available, but then I wasn't even able to shut down the server when logged in as administrator.

Once I make the policy, how to I applly it to certain users - everyone except administrator?
0
 
tl121000Commented:


"...I'm not sure I'm following you about logging on to the thin client as an admin.  My setup here is that there is no logging on to the thin client itself, only to the remote session of windows."
What kind of thin client do you have, as some thin client allow syou to login to the actual unit itself and change display (and other) settings?

".I have changed the settings of the thin client before logging into windows to a better screen resolution, but that resoultion doesn't apply after logging into windows."
Go to display setting in the GPO and change the display settings to a higher resolution

".Also, I did have the policy for there to be no shutdown option available, but then I wasn't even able to shut down the server when logged in as administrator. "
Did you make this policy changes to the default domain policy?
If so, put the administrator in a different OU and prevent GPO inheritence from the default domain.  Your basically sealing off the oU with administrators.. there are a few ways you can do this
or

simply move the admin account out of the effected OU's group policy

0
 
a1electricAuthor Commented:
ok, i figured out the display problem

"Did you make this policy changes to the default domain policy?"

That's a good question.  Here's what I did: I opened gpedit.msc.  Then under administrative, Start menu and taskbar, I enabled "Remove and Prevent Access to the Shut Down Command."
That's it.  I didn't know how to apply this to individual users, computers or OUs (and still don't).  
After exiting gpedit.msc, the Shut Down command was unavailble for all users, including Administrator.

"put the administrator in a different OU and prevent GPO inheritence from the default domain."

I know this seems elementary, but I did a lot of stuff like this with Netware 5 and it just isn't as straightforward with Microsoft.  I'm not sure how to go about moving administrator out of an OU and what OU I should put it in if I do that.

Attached is the screen of Active Directory users and computers.

Thanks

Ken Poole
0
 
tl121000Commented:
In your Active Directory Users and Computrers , simply move the Administrator out of the effected OU.  However if you did make the shutdown and display settings on the default domain policy (see below) you will have to do follow the options below.
To check and see if the default domain policy was configured as such - go to gpedit.msc and click below the domain name - you will see the default domain policy, which then collapses into a computers and users tree.
  • If you applied these changes to the default domain policy under user, then you have two options to alleviate the administrator not having display and shutdown rights.
or
  • Clear the changes you made on the default domain policy concerning shotdown and display settings
    • Create another OU in Active Directories and Computers for the users who need to be limited with Diplay settings (i.e. ThinCLientUsers)
      • Move these users into the OU using Active Directory Users and Computers.
0
 
a1electricAuthor Commented:
I'm going to take this one small step at a time until I get a clear picture:

"go to gpedit.msc and click below the domain name "

I do not see a domain name in gpedit.msc - see attached screen shot.
0
 
tl121000Commented:
No attached screen shot - try again?
0
 
a1electricAuthor Commented:
ok, for some reason the file won't attach.

But this is what I've done so far:

Made a new OU called Administrators and put the administrator and my user into that container.

Blocked inheritance to that container.

Enabled "Remove and prevent access to the Shut Down Command"  under Default Domain Policy, User Configuration, Administrative Templates, Start Menu and Taskbar.

But, the Shut Down command is gone for the two users I put in the new OU, and I want those two users to see the Shut Down command.
0
 
a1electricAuthor Commented:
well, at least i'm on to something - it's just the opposite of what I want - all users except the two in the new ou have the shutdown command (??)
0
 
a1electricAuthor Commented:
ok, now no one has access to the shut down command - which is a little better - i just have to figure out why the two users in the new ou are inheriting this policy when i blocked inheritance in this container
0
 
a1electricAuthor Commented:
got it!
needed to create a new group policy object under the administrators ou

thanks for the help and beginners tutoring
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 8
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now