Link to home
Start Free TrialLog in
Avatar of dano992
dano992

asked on

windows 2003 GPO

i have windows 2003  active directory
i trying to create a new policy for as group of users
created a OU
created a windows group, with the users
created ne gpo for the OU

the new policy is not taking affect
if i go to group policy manager and look at the OU, i see the new policy and the default domain polcy
which one takes precedence.

hou do i get the new one to take affect
Avatar of Swapnil Prajapati
Swapnil Prajapati
Flag of India image

You probably need to issue command gpupdate /force and then if asked need to log off the users or need to restart the system.
The policy will eventually update on its own but follow what swap 101982 said and reboot the pc.
I guess you configured the User configuration and not only the Computer configuration in the GPO?

From the GPMC, run a Group Policy Result and see if you spot something.
ASKER CERTIFIED SOLUTION
Avatar of Mike Kline
Mike Kline
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
By default policies are applied SITE->DOMAIN->OU and the one that gets applied last wins - so the OU policy will take presidence.

BTW - if its a password policy then you can only have ONE PER DOMAIN in Windows 2003 - the one at the DOMAIN, if you apply a password policy at the OU it will have NO EFFECT.
Avatar of dano992
dano992

ASKER

its a policy to disable local login to  a couple of users accounts
you can also run an RSoP report in GPMC to help you troubleshoot.
Avatar of dano992

ASKER

how do i run rsop report?
Avatar of dano992

ASKER

i ran GPRESULT.EXE
and i can see that my new policy is under:

the following GPOs were not applied because they were filtered out
filtering: not applied (empty)

what now?
Avatar of dano992

ASKER

maybe i didi this wrong
can someone give the process to create a (GPO) policy for a group of users to not be able to remote desktop remote into a group of computers.

i have a OU with the users
also have a OU with the computers

if anyone has the steps , it would be awsome
In the policy object you've configured, you need to change the following under the computer config.

Drill down to this path:
Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Connections

Change this setting:
Set "Allow users to connect remotely using Remote Desktop Services" to DISABLED

Make sure your policy object containing this setting is applied to the OU your computers are in. Then perform a gpupdate on one of the computers. Next, To verify it worked, goto right click "My Computer" choose properties, then click on the "Remote" tab. "Don't allow connections to this computer" should be selected and the interface should be greyed out, so the users cannot change the setting. I highly recommend creating a test OU and policy object first, then putting a single computer in the OU before changing settings for the entire domain.