• Status: Solved

Windows Server 2003 Permission Settings

Hey Everyone,
     I am setting up Windows Server 2003 for my Dad, and I'm almost done. The only problem that I cannot figure out is with permission settings. Here are the things I want to do. Please remember that I need detailed instructions :)

1) I have about 10 users. I need some of them to be restricted from changing the wallpaper and the time and date. How would I go about this?

2) Each computer's time is wrong, and even though I go to the computers to correct it, the time keeps messing up again. How do I make the Windows Server the "time server" as well, and have all the computers use the "time server" to sync their times?

Thank you so much!
-Adam :)
SpinnerAdam
 
smacky81 Commented:
In relation to setting the time.
You use the following command to set the time to that of the server:

net time \\SERVERNAME /set /yes

You can put this into a batch file on each computer and then place a shortcut to the batch file on each computer's Start menu, or alternately set a scheduled task that runs it every 30 mins or so, so that if a user changes the time, it will be reverted back by the task.

In relation to preventing changing wallpaper, if you are using Group Policies, you can create a group policy and have it applied to the OU for those computers. Alternately you can set a security policy on each local machine preventing access to change it.
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
First, did you buy Small Business Server 2003 or are you using standard server? (Small Business Server is cheaper and more appropriate than standard Server 2003 - its setup is also vastly different.)

Next, to be blunt and NOT intending in any way to insult you - hire a consultant.  I assume you want the server to run effectively and without weird problems and issues?  I'm sure you have expertise in one or more areas, but this may not be it.  IF you WANT to learn about things, that's fine - learn - there are many methods you can use to learn, but learning on a production network is never advisable - especially when what you're doing could SERIOUSLY affect the ENTIRE network.  I'm sorry for being blunt - I'm sure you have expertise in some area(s), but it costs MORE to NOT know what you're doing and try to do it than to hire someone who knows what they are doing and have them do it.  (Managing a server is different from installing a network - just like filling your gas tank is different from rebuilding an engine).

Now, assuming you're going to ignore that advice, HOW did you set up the server?  Workgroup?  Domain?  In a domain, this becomes easier, but is still not "simple" for someone who has never done it.  Restricting the changing of the wallpaper would be done either through mandatory profiles and/or through group policy.  Preventing users from changing the time requires you to make sure the users are NOT administrators on the local machine - but that can be complicated depending on the software used as some software will require your users have administrative rights.  (Hence hiring a pro to do this).

With regards to the time being wrong, in a domain, the time automatically syncs with the domain controller designated with the FSMO role of PDC Emulator.  If you have only one DC, then that's the server that has the role.
 
SpinnerAdam (Author) Commented:
Leew, I am not using this machine for production, I want to learn Windows Server 2003 because I want to be more valuable to future employers. I am a college student majoring in Computer Science. I will in the future, set up my Dad's server (it's just for my house...not running a business).

The server was set up as a Domain. Can you walk me through using the group editor? If I edit the policies on the server computer, will it push through all the users on the workstations? (The users were set up through the server). The users are NOT administrators on the local machines. There is only one Administrator account. I understand a lot about computers, but I have much more to learn. If you break it down, I will understand it.

Also, the workstations will automatically know that the time server is the Windows server. I read somewhere that I have to specifically tell the computer where the time server is. Is this incorrect?

Also, all the computers' DNS information points to the server. I'm not sure if you needed to know that.

Thank you!
-Adam
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
In Active Directory, DNS is VITAL.  The ONLY DNS servers that your workstations and servers should be aware of (in the TCP/IP setting) are the DNS servers running on your Domain Controllers (YES, you CAN Use other DNS servers if they meet certain requirements, but 95% of the networks I've heard of and seen don't so unless you have a COMPELLING reason, don't even think about it).

Active Directory uses DNS to locate resources - including domain controllers - and other network services.  If DNS is incorrectly configured, you WILL have problems with the network, including things like delayed logins and the inability to join the domain.

In a domain environment that has been configured properly, the workstations and other DCs synchronize their time with the PDC emulator - there should be NO NEED to configure anything else.  AD uses Kerberos for authentication and Kerberos requires the time on network systems to be "close".  As such, AD automatically has workstations and servers get the time from the PDC emulator.

Is your server running in a virtual machine? (Virtual PC/VMWare)

I would suggest you look over articles and how-to references at the following sites:
www.visualwin.com
www.petri.co.il
www.windowsnetworking.com

When it comes to Group Policy, it IS possible that you could set ALL policies in one single policy template - HOWEVER, this is generally not recommended.  In general, I recommend you create a NEW policy for each group type of settings.  For example, if you want to define a specific wallpaper, then make a new GPO (Group Policy Object) that only defines the wallpaper - OR defines ONLY Display properties - but do not roll other functions into the same policy.
 
SpinnerAdam (Author) Commented:
Can you direct me to the place that can show me how to specifically add a new GPO for wallpaper and time and date, and apply it to my users?

Thank you for your help :)
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
Not specifically to wall paper - this should be a good clue though - http://support.microsoft.com/kb/327998
I don't generally lock wallpaper down, so it's not a setting I focus on.  With regards to the time, I've explained that - it's not a group policy setting.  If the time is not properly synchronizing, you need to check your server and workstation event logs for clues.
 
SpinnerAdam (Author) Commented:
The link you gave me is only for the local computer, and I do not see the GPO in the list as Microsoft provides. I tried looking all over the internet for this answer. How would I set it so that all the users (non Administrators) in the domain cannot change their wallpaper or display settings?
 
SpinnerAdam (Author) Commented:
Also, when I open gpedit.msc, I only see policies for the local computer and not the domain (my domain is called MAIN). How can I open gpedit.msc for my domain?

Maybe this will help me edit the setting?
 
Narayan_singh Commented:
On the domain controller:
Go to Active Directory Users and Computers.
Right-click DomainName and create an Organizational Unit (OU).
Place all the users in this OU.
Right-click on the OU and go to the Group Policy tab.
Click New; once you create the GPO, click Edit.
The GPO editor will open.
Go to
Computer Configuration -> Windows Settings -> Security Settings -> Local Settings -> User Rights Assignment
Click on Change System Time on the right -> Add or remove the users or groups that you want to be able to change the time.

For restricting users from changing wallpaper,
go to
User Configuration\Administrative Templates\Control Panel\Display
On the right pane, double-click Prevent Changing Wallpaper and enable it.

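A way to confirm from a workstation that the two settings in the steps above took effect and that the clock tracks the domain controllers, written as a Windows batch file. This is an added example, not part of the original thread; it assumes gpupdate, gpresult, reg, whoami and w32tm are available on the workstation (whoami.exe is built into Server 2003 but comes from the Support Tools on Windows XP).

```batch
@echo off
rem Added example, not from the thread. Run on a domain workstation while
rem logged on as one of the restricted (non-administrator) users.
setlocal
set FAIL=0

rem 1. Refresh policy so the checks below see the current GPO settings.
gpupdate /force >nul

rem 2. List the GPOs that applied to this user. The wallpaper GPO only shows
rem    up here if the user account sits in the OU the GPO is linked to.
gpresult /scope user

rem 3. "Prevent changing wallpaper" is delivered as this per-user policy value.
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper 2>nul | find "0x1" >nul
if errorlevel 1 (
    echo FAIL: wallpaper restriction is not set for %USERNAME%
    set FAIL=1
) else (
    echo OK:   wallpaper restriction is set for %USERNAME%
)

rem 4. "Change system time" is the SeSystemtimePrivilege user right. It is a
rem    Computer Configuration setting, so it is enforced by the workstation
rem    the user logs on to. A restricted user should not hold it.
whoami >nul 2>&1
if errorlevel 1 (
    echo SKIP: whoami.exe not found, cannot check the Change system time right
    goto timecheck
)
whoami /priv | find /i "SeSystemtimePrivilege" >nul
if errorlevel 1 (
    echo OK:   %USERNAME% does not hold the Change system time right
) else (
    echo FAIL: %USERNAME% still holds the Change system time right
    set FAIL=1
)

:timecheck
rem 5. Show the time offset of each domain controller, including the PDC
rem    emulator that domain members synchronize with.
w32tm /monitor

exit /b %FAIL%
```

A non-zero exit code means at least one restriction did not apply; the gpresult listing then shows whether the GPO reached the user at all.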
 
SpinnerAdam (Author) Commented:
Thank you. I think I am almost there. I see the setting that says "Change system time". Even though no users are defined for that GPO, they can still change the time. How can I make a GPO that functions to "Not allow changes to system time"? Can I link the GPO to the users like this? Also, can you help me to make a GPO that accomplishes this function?

I see the wallpaper option, but nothing that allows me to select the users that it applies to or the "OU". How do I do this?
 
Narayan_singh Commented:
Drag and drop all the users to the OU that you created, and when you apply these GPOs to the OU they will be applied to all the users in the OU.
Just configure the GPO for "Change system time" and only users specified there will be able to change the time.
 
SpinnerAdam (Author) Commented:
Wow, everything works! The only weird thing is that if a user does something that is restricted, a dialog box comes up saying something like "These settings are restricted by the Administrator" and then the user clicks OK, and the same box comes up again. Once the user hits OK (for the second time) the box goes away and doesn't come back. Do you know how to fix this?
 
SpinnerAdam (Author) Commented:
One more thing: How do I exclude only 1 user from the GPO? I added them to the OU, but I want to exclude them from one GPO.

Thank you!
 
Narayan_singh Commented:
Which one do you want to exclude them from?
If it is change time, you can just add that user in the add users tab in that GPO,
or else create a new OU and place that user in that new OU and create one GPO; thus that user is applied with one group policy only.
 
SpinnerAdam (Author) Commented:
Ahh, I see. Thank you!!!