Group Policy 101 - using a GPO to lockdown the guest account in an SBS 2003 domain

IamStumped used Ask the Experts™
I keep trying to do this and don't get anywhere.  

I want the domain guest account to be able to log into a computer on the sbs domain and only be able to surf and as little else as possible - no control panel, no my docs, no etc...

I did the following on the server, but when I log into a desktop as guest, I still get control panel, my docs, run, etc.

on the sbs server, i went into server management, advanced,  group policy management, under group policy objects, made a new GPO called guest lockdown.  double click and on scope page, took out authenticated users and added 'guests' (which guest is a member).

right click on the GPO, choose edit.

Just go through all the choices and enable all the lockdown items I want under user config, admin templates, enable things like

Once I have the GPO set, close it , drag it to the domain.local folder where all the other links are (default this, default that, etc.) and create a link there.  open a run window, go gpupdate /force then when that's done, log in as guest on a desktop and still get the run command and all the things I was trying to block.

where am I messing up?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013
Did you link it to an OU?
If you edited User configurations was it linked to an OU that contained the users?
If you edited Computer Configurations was it an OU that contained the appropriate computers?
Did you apply gpupdate /force on the server  or workstation? Server automatically updates every 5 minutes and the workstations every 90 minutes. Gpupdate /force refreshes immediately, but only on the device on which you run it.

Run GPResult on the workstation to see if the policy was applied.
In addition to what RobWill mentioned about linking the GPO to the users OU. Run rsop.msc on the workstation to see if the policies are being pulled down from the domain. If you are getting red X's or yellow exclamation marks on the User policies section, then you may need to further diagnose the issue.

Sometimes it is also useful to check your DNS settings, and make sure that all DNS / WINS server entries, as well as appended DNS suffixes on the workstation are present.


did I llink to an OU?  I linked it to the domain?  in the same place as all the default gpo links are - at the top of the domain.
For what I want (restrict guest account) I only did things in the cuser config part of the GPO
i did force on the server earlier.  after reading this, I did gpupdate force on the desktop as admin, then logged back in as guest.  

It went through a window of personalizing settings like when a new user comes onto the machine.  but I still had all the settings, run command, etc.

When I run command box with run as and use admin credentials, it reports back for admin GP (and shows that 'guest lockdown' gpo did not run because of filtering: denied (security).  I can't seem to get it to show results for guest.  That's a good sign that at least the GPO is linked somewhat in the right place?!

when I just run command box, I keep getting login failure - unknown user or bad password.

I tried gpresult /s computer 6 /u domain\guest /p password and it gives the same unknwon user or bad password.

wtithout those switches, it says login failure also.  

11/26 Forrester Webinar: Savings for Enterprise

How can your organization benefit from savings just by replacing your legacy backup solutions with Acronis' #CyberProtection? Join Forrester's Joe Branca and Ryan Davis from Acronis live as they explain how you can too.


hondan - thanks.  when logged into WS as guest, I ran cmd.  then in that typed rsop.msc.  says I don't have permission to perform this operation.

then I run as administrator for a  command window, rsop.msc opens and shows details for admin.

arghhh!  How do you change it to do rsop for guest!?


weird.  I found a page that says start mmc, then add the add-in rsop.  then start it and it walks through what machine / user you want.  logged in as guest and run as admin, the mmc takes admin as the current user... guest is not in the list of 'other users'.

and when I log off / log on as guest again, i get the personalizing settings window like  the 1st time.  but still get run command, etc.
Top Expert 2013
If you right click on the policy it does show linked, correct?
Some policies do not take effect until a 3rd logon, thou I have never seen more than 2 logons.
There may be some permissions issues with the guest account. I have never seen it enabled on a domain. That account does have additional restrictions.
Top Expert 2013
Further on the permissions issue. It seems the Guest account is not a member of the domain users group. Therefore they may not have read and execute permissions for the necessary changes. You could try adding that account to the domain users group as a test, but there could be security issues with doing so.


rob: yes, the policy shows linked.

taking your last comment - that guest is not a domain user, I created 'visitor', it's in domain user group and I added it to domain guests (tehre's also a guests group - what the difference is, I don't know... something for later).  and the GPO applies to domain guests.

ran a force on the desktop, logged in as visitor and I got the locked down machine I was looking for.

A couple more things though:

most everything is gone, except printers is still in the start menu (and nothing else, other than IE).  Where is that to remove that?
And if I save something from inside IE, I can browse the network.  Where can I remove network access?

All the settings I made in GPO are in the user config.  Nothing in computer config.  I am not clear on what the differences are.

Visitor logs in any machine and this GPO applies.  So things in computer would apply to that computer while that user is logged in (and not retained when another user logs in?) and so would the user config?

somewhere I saw that a gpo that the security filtering applies to a user (at any machine they log into), you only use user config.  For a GPO that has security filtering for a computer, then computer settings would apply?  not the case?

Would I want to deny the domain guests from all the shared folders?  Or is there a way to just block them from browsing network in the save box?  'cause the account does need to get into the server for some things.  Just not let the user interactively see those files / run those apps?
Top Expert 2013
User configurations apply to users, computer configurations apply to computers. Many options are available in both. You only want to affect users so I would stick to user configs. It is possible to apply computer configs to specific users using "loopback" processing but that gets elaborate.

I am not familiar with the domain guest and guest groups. I assume these do not belong to the domain user group so they will not have access to any domain shares unless specifically granted that privilege.  Domain Guest group would apply to all domain machines ( I would use this) Guest group would likely apply to local machine only.

Removing users from the domain Users group should still allow them to browse the network, but not access any shared resources.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial