Why the default domain policy does not apply to Administrators

  • Why the default domain policy does not apply to Administrators

    Hi,

    I've just taken over from another IT company, a new client who has a Server 2003 DC, and a monolithic GPO where every policy setting is in the default domain policy up at the top of the tree. For example, all control panel applets are hidden except the mouse and sounds.

    The policy works as expected for all members of the Students security group, but somehow does not apply when I log on as a Domain Admin and I cannot work out how it gets filtered out. When I log in to a PC as a Domain Admin, I run gpresult and it clearly states that the policy was applied, not filtered out, and no errors. Surprisingly, I can see all control panel applets so somehow it's not being applied.

    This is as we want it to be, i.e. students are banned from most applets but Domain Admins are able to run them all. But I need to find out why/how Domain Admins can run all applets, while students are correctly restricted. I have looked in filtering, and it says there the policy is applied only to the following groups:
    Domain Admins
    Students
    Teachers
    Domain Users

    So I can't figure out how the policy is not being applied to Domain Admins.

    There is no "blocking" of the policy further down the GPMC tree that I can see. There are only the two policies that you see by default, the default domain policy and the default domain controllers policy and he has put everything, it seems, into the default domain policy.

    Is there anywhere else that I have to look to try and discover whereabouts the previous IT guy set up some clever way to prevent the policy applying to Domain Admins?

    Thank you.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

  • #2
    Re: Why the default domain policy does not apply to Administrators

    In the GPMC, try running the Group Policy Results wizard against the computer / user account in question. This will show the effective settings and list the "Winning GPO" which will show where a specific setting is coming from. Hopefully this will shed some light on things.
    blog.techscrawl.com


    • #3
      Re: Why the default domain policy does not apply to Administrators

      Thanks for that tip - I forgot about that tool! I'll give it a go tomorrow when I'm onsite visiting them and see what I can find out. Many thanks.
      Best wishes,
      PaulH.
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008


      • #4
        Re: Why the default domain policy does not apply to Administrators

        Here's what it was: I right clicked the Default Domain Policy in GPMC and selected Edit.

        Then at the very top of the tree, in the Group Policy Object Editor, right click > Properties > Security and I saw that the security setting for the "Administrator" account was "Deny".
        Best wishes,
        PaulH.
        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008


        • #5
          Re: Why the default domain policy does not apply to Administrators

          Check the permissions on the GPO and also on the files. I think you can do something like deny people in administrators the right to read the file from sysvol and it will prevent the GPO from being applied.

          Dirty hack for local policies that someone might've tried at a domain level.
          VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah


          • #6
            Re: Why the default domain policy does not apply to Administrators

            Yup, you're right - it was permissions on the GPO as per my post #4

            I have also discovered that all users are members of the Domain Admins security group. Oh dear, I do have a lot of tidying up to do on this one!
            Best wishes,
            PaulH.
            MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
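
An added example, not part of any post in this thread: a PowerShell audit that finds the kind of Deny entry described in post #4 on any GPO in the domain, using only built-in ADSI types. It assumes a domain-joined host and an account that can read the GPO objects' ACLs.

```powershell
# Added example (not from the thread). Lists Deny ACEs on every GPO in the
# current domain that can silently filter a trustee out of that GPO.
# Assumes a domain-joined host and an account that can read GPO ACLs.

# Rights GUID of the "Apply Group Policy" extended right.
$applyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$adRights = [System.DirectoryServices.ActiveDirectoryRights]
$ntType   = [System.Security.Principal.NTAccount]

$domainDN = "$(([adsi]'LDAP://RootDSE').defaultNamingContext)"
$searcher = [adsisearcher]'(objectClass=groupPolicyContainer)'
$searcher.SearchRoot = [adsi]"LDAP://CN=Policies,CN=System,$domainDN"
$searcher.PageSize   = 500

$findings = foreach ($hit in $searcher.FindAll()) {
    $name = "$($hit.Properties['displayname'])"
    $acl  = $hit.GetDirectoryEntry().psbase.ObjectSecurity
    foreach ($ace in $acl.GetAccessRules($true, $true, $ntType)) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $r = $ace.ActiveDirectoryRights
        $wholeObject = $ace.ObjectType -eq [guid]::Empty
        # A trustee needs both Read and Apply Group Policy for a GPO to apply.
        $denyApply = ($r -band $adRights::ExtendedRight) -and
                     ($wholeObject -or $ace.ObjectType -eq $applyGpo)
        $denyRead  = ($r -band $adRights::ReadProperty) -and $wholeObject
        if ($denyApply -or $denyRead) {
            [pscustomobject]@{
                GPO       = $name
                Trustee   = $ace.IdentityReference.Value
                DenyApply = [bool]$denyApply
                DenyRead  = [bool]$denyRead
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

This reads only the ACL on each GPO's directory object; the SYSVOL file permissions mentioned in post #5 are a separate check.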
