  • Group Policy

    I have never had any real hands-on experience with GP. I read a tutorial and tried to follow the instructions, yet the "rule" was applied ONLY to the server computer that I was sitting at - not to all of the users' workstations at the office.

    My Objective:
    To block users from accessing MySpace.com, porn sites, gambling sites, etc

    Steps Taken:
    1. Went to the main server computer and logged in as the admin
    2. Ran gpedit.msc
    3. User Config -> Windows Settings -> IE Maintenance -> Security Zones and Content Ratings
    4. I clicked "Import the current security zones and privacy settings", then "Modify Settings"
    5. I then added myspace.com & www.myspace.com to the list to test the system


    I first tested the "block" using the server machine I had done all of these steps on. I was blocked from going to MySpace - it had worked.

    When I sat down at one of the users' workstations, I could still access MySpace. I ran gpupdate force on this machine & it did not fix the issue.

    Does anybody know what I have done wrong or what I need to do in order to get the website blocks to work?

    Any help appreciated. Thanks

  • #2
    Re: Group Policy

    Is the network domain based?

    If it is, open Active Directory Users and Computers. Create an OU and place in it all the objects you want this policy to apply to.

    Right-click on the OU, click Properties, then select the Group Policy tab.

    Create a group policy and edit it with the settings you described.



    • #3
      Re: Group Policy

      When you used gpedit.msc, did it ask you whether you wanted to edit group policy for the domain or use the local computer's database? What was your answer?

      What I suspect you have done is create a LOCAL policy in the local database of an individual machine. You need to create a Group Policy Object in the Active Directory, and "link" it to an Organisational Unit.


      Tom
      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

      Anything you say will be misquoted and used against you



      • #4
        Re: Group Policy

        Tom is right. By running gpedit.msc, you altered the local policy of the station you were logged in to.
        If your network is domain-based, you should follow Pulsen's advice. I suggest you install and use the Group Policy Management Console, available from Microsoft. I think you should read the Group Policy Frequently Asked Questions; it can give some guidance on how and what to do.

        Good luck. Keep the forum posted.

        Sorin Solomon


        In order to succeed, your desire for success should be greater than your fear of failure.


        • #5
          Re: Group Policy

          The network is domain based - and it makes sense that I only changed the policy on the one computer as opposed to the whole network.

          Sorinso -
          a) How would I know if the Group Policy Mgmt Console is already installed?
          b) If I did not want to download this to the computer, could I do without it?

          Paulsen -
          a) I am not too familiar with OU. Is there a tutorial on the internet with screenshots? I looked around and could not find one for this specifically.
          b) Could I use the active directory to modify other settings such as disallowing users from installing any programs to their HD?



          • #6
            Re: Group Policy

            a) How would I know if the Group Policy Mgmt Console is already installed?
            As with any other software: Start -> Settings -> Control Panel -> Add/Remove Programs. Or just go to Start -> Run and type gpmc.msc. If you get an error message, then it's not installed.
            If I did not want to download this to the computer, could I do without it?
            Well, you should install this tool on any computer that is part of the domain and run it under the credentials of a user that has permissions to create/edit Group Policy.
            If I did not want to download this to the computer, could I do without it?
            You can see in this Excel file all the settings (and their exact location) that can be altered or influenced by GPO.
            And last, but the most important:
            I am not too familiar with OU. Is there a tutorial on the internet with screenshots? I looked around and could not find one for this specifically
            The short answer is: Yes. See this article: http://www.petri.com/working_with_group_policy.htm.
            The long answer is: Stop right there! Hold your horses! If you are not accustomed to working with Active Directory and Group Policy, you should stop right there. You can do more damage than can be repaired by doing things in these components while you do not fully understand what you're doing!
            Get some assistance, start reading and learning these two issues and then do things by yourself.
            Last edited by sorinso; 5th July 2007, 20:16. Reason: Link added...

            Sorin Solomon




            • #7
              Re: Group Policy

              Thanks for the info...
              Here is what I am planning to do:
              1. Identify the OU that my basic users belong to - Let's call it "BASIC" for now
              2. I will then go into the AD, right click 'BASIC' and edit 'BASIC GPO'
              3. Under User Config -> IE Maintenance, I will set certain websites as restricted



              My questions are:
              a) Will this accomplish my goal of restricting certain websites for users?
              b) Could I sit down at a user workstation and do a force gpupdate & test it that way?
              c) Is it poss that my basic users do not belong to an OU?
              d) Does moving new users into the 'BASIC' OU take them out of any other OU's that they may be a part of?



              • #8
                Re: Group Policy

                Originally posted by rkahn
                a) Will this accomplish my goal of restricting certain websites for users?
                Yes, as you saw when you edited the local policy.
                Originally posted by rkahn
                b) Could I sit down at a user workstation and do a force gpupdate & test it that way?
                Yes, this is the way to do it. Be sure the user belongs to the OU you linked the GPO to. You can also run gpresult afterward, and see if the new GPO is listed in the Applied GPOs section.
                Originally posted by rkahn
                c) Is it poss that my basic users do not belong to an OU?
                No. By default, any new user is created in the Users container, under the domain it belongs to.
                Originally posted by rkahn
                d) Does moving new users into the 'BASIC' OU take them out of any other OU's that they may be a part of?
                Absolutely. An AD object cannot be in more than one OU at the same time. And I am not talking about hierarchy here...

                Sorin Solomon




                • #9
                  Re: Group Policy

                  Sorin -
                  Thanks so much for that info.

                  I will try that tomorrow when I return to work.

                  Just a couple more questions:
                  a) Does a change to the User Config require a computer to reboot?
                  b) When you said:
                  No. By default, any new user is created in the Users container, under the domain it belongs to.
                  Let's assume that all of my Basic Users are in the Users container - what are the branches when you open 'Users' under the domain? What would I right click to edit the GPO?
                  c) May seem silly to ask, but the administrators would be in a different OU than the basic users, correct?
                  d) Some of the users have IE 6, others have IE 7 - will the restriction apply to all of them?
                  Last edited by rkahn; 5th July 2007, 23:11. Reason: addt'l ques



                  • #10
                    Re: Group Policy

                    Originally posted by rkahn
                    a) Does a change to the User Config require a computer to reboot?
                    No, in the worst case, a logoff. After you have changed a setting in the GPO that applies to a specific computer/user, you can run gpupdate (with or without the /force parameter) to update the settings. Depending on the settings that have changed, the computer will ask you to log off. Additional info regarding gpupdate here.
                    Originally posted by rkahn
                    b) Let's assume that all of my Basic Users are in the Users container - what are the branches when you open 'Users' under the domain? What would I right click to edit the GPO?
                    What do you mean by "branches"? To give you an exact answer, I need to know if you are using GPMC or not.
                    Originally posted by rkahn
                    c) May seem silly to ask, but the administrators would be in a different OU than the basic users, correct?
                    "Would be"? Depends. As I said in my previous answer, all users are created by default in the same container. You can move them later as you like.
                    Note: when you create a GPO, you need to link it to at least one container/OU. By default, the GPO will apply to all Authenticated Users in the specific container. If you want to apply the policy only to specific users/computers in the container, you need to use something called Security Filtering. This way, you can have all the users in the same container and apply GPOs selectively.
                    Originally posted by rkahn
                    d) Some of the users have IE 6, others have IE 7 - will the restriction apply to all of them?
                    The setting you are talking about should be relevant to both versions of Internet Explorer. Only options added to IE7 won't be relevant to the older version of the browser. In this case, the setting will be ignored.


                    Additional article you should read: Overview of Group Policy Infrastructure and Mechanics

                    Sorin Solomon




                    • #11
                      Re: Group Policy

                      I should point out that the "Users" container is a Container - NOT AN OU - and Group Policy CANNOT be linked to containers. Users will have to be moved into an OU to apply group policy to them.


                      Tom


                      • #12
                        Re: Group Policy

                        Thank you, Tom, for the clarification.
                        Indeed, from my explanations one might understand that a GPO can be linked to a container. And that is, of course, not true.
                        rkahn, take a look at the two attached screenshots.
                        In aduc.jpg you can see the Active Directory Users and Computers. You can see the difference between icons of containers (like Users, Computers and so on) and icons of Organizational Units (like the JustAnOU I created). To OUs you can link GPO, to containers you can't.
                        Take a look at the second screenshot. It shows the GPMC window. Under the name of the domain (solomons.home - dummy domain, a playground) you can see only the OUs you can link GPOs to. Observe that none of the containers is listed.

                        I hope that this clarifies the issue.
                        Last edited by sorinso; 9th November 2007, 21:29.

                        Sorin Solomon




                        • #13
                          Re: Group Policy

                          There is no Group Policy listed when I right-click the OU that contains my users. There is a GP listed though when I right-click the OU called "workstations". I modified the Group Policy for the workstations which lists all of the computers' names here. I then sat down at one of the computers (rebooted it) and the website block changes did not apply.

                          I ran gpresult at this computer & it said that Computer - Workstation GP applied, User - Default Domain Policy applied

                          What should I do from here?
                          Last edited by rkahn; 6th July 2007, 14:49.



                          • #14
                            Re: Group Policy

                            Problem solved. There was another GP that took "priority" over the GP that I changed.

                            I will advise if I have any addt'l ques - thanks so much!!!
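
The checks discussed across this thread (is the account in a container or an OU, which GPOs reach it, in what precedence, and who they are security-filtered to) can be read out in one pass. This is an added example, not code posted by anyone in the thread; the function name `Get-UserGpoScope` and the account `jdoe` are hypothetical, and it assumes a domain-joined machine with the RSAT ActiveDirectory and GroupPolicy PowerShell modules installed.

```powershell
# Added example: read-only; needs the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Get-UserGpoScope {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $stripRdn = '^(?:[^,\\]|\\.)+,'    # first RDN, allowing escaped commas
    $scopeDn = $user.DistinguishedName -replace $stripRdn, ''

    # Containers such as CN=Users cannot carry a GPO link: walk up to the
    # nearest OU or domain, which is where policy for this user comes from.
    while ((Get-ADObject -Identity $scopeDn).ObjectClass -eq 'container') {
        Write-Warning "'$scopeDn' is a container, not an OU; no GPO can be linked to it."
        $scopeDn = $scopeDn -replace $stripRdn, ''
    }

    # InheritedGpoLinks is the list processed for this location, in precedence
    # order (rank 1 wins when two GPOs set the same value).
    $rank = 0
    foreach ($link in (Get-GPInheritance -Target $scopeDn).InheritedGpoLinks) {
        $rank++
        # Security filtering: trustees holding "Apply group policy" on this GPO.
        # The user's own group membership is not resolved here.
        $applyTo = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }
        [pscustomobject]@{
            Precedence = $rank
            Gpo        = $link.DisplayName
            LinkedAt   = $link.Target
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced
            AppliesTo  = $applyTo -join ', '
        }
    }
}

# 'jdoe' is a constructed account name.
Get-UserGpoScope -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Because the IE Maintenance setting lives under User Configuration, the location that matters is the user account's OU, not the OU holding the workstation's computer account.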



                            • #15
                              Re: Group Policy

                              Originally posted by rkahn
                              There is no Group Policy listed when I right-click the OU that contains my users.
                              Which is what? Is it a container? Or an OU?

                              Originally posted by rkahn
                              What should I do from here?
                              Can you please post a screenshot of the GPO? It will be easier to understand the set-up you did so far. Don't forget to erase any info you don't want on the Internet (for instance, the name of your domain...)

                              Sorin Solomon

