Group Policy Question W2K Advanced Server


  • Group Policy Question W2K Advanced Server

    A group policy is already in place for users. In Administrative Templates / Users, the Windows search utility, and the shortcut to it in the start menu, is disallowed. I have one user that needs to be able to use Windows search but there may be others who need it later so a group that is allowed the Windows search that I could add other users to later is probably going to be needed. I have created a new GP for this user with the other restrictions in place but allows the search. How can I apply or link this new policy to this one user? All domain user accounts are in the USERS container in AD. The USERS container Object Class is a container not an OU so I don't have a GP tab in the options for the USERS container. GP was already in place when I inherited this network, I didn't set it up. I'm also kind of a noob with GP. This is Windows 2000 Advanced Server. I tried to install the GPMC with service pack 1 but it won't install on this machine so I'll have to use the AD and MMC tools. This user is currently a member of the "Domain Users" group.
    Last edited by starrouter; 2nd December 2010, 00:47. Reason: changed USER to USERS

  • #2
    Re: Group Policy Question W2K Advanced Server

    GPO question moved to the ... GPO area.
    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Group Policy Question W2K Advanced Server

      If I create a new OU called SPUsers, and create a new GP for this OU, can I move the user "frank" from where he is now in the container USERS to the new OU SPUsers and have him retain his same Group memberships that he now has? I don't want his computer to create a new profile for him when he logs on. I'm including a couple of screenshots from AD Users and Computers so you can see how it looks. Right now the "Standard User Policy" looks like it's applied at the top level and the "No Override" option is used. If I create a new OU to put frank in, and apply a new slightly less restrictive policy to it, will the current policy override the new one?

      One more question - since the current policy is applied at the top level instead of on the USERS container, how was it applied to just certain groups like "Domain Users" and not other groups like "Domain Administrators"? Like I said, I'm not real experienced with GP yet and I don't want to cause frank or myself any unnecessary problem if just asking will prevent it. Anything else I might not have thought of or is there another way to go about this? Thanks in advance.
      Last edited by starrouter; 2nd December 2010, 19:02.



      • #4
        Re: Group Policy Question W2K Advanced Server

        Hi,

        First of all, GPOs are not applied on containers, i.e. Users, Builtin. Only on Local, Site, Domain, OU.

        Now if you move the user from one OU to another OU, group membership doesn't get changed.

        However, if the GPO is OU bound, that GPO will no longer be in effect.

        You can right click the OU and go to properties and check under the Group Policy tab to find out if a GPO is being applied.

        If the GPO is on the top level, let's say domain, or based on group membership, then moving the user between OUs will not cause any issues.
        Thanks & Regards
        v-2nas

        MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
        Sr. Wintel Eng. (Investment Bank)
        Independent IT Consultant and Architect
        Blog: http://www.exchadtech.blogspot.com

        Show your appreciation for my help by giving reputation points



        • #5
          Re: Group Policy Question W2K Advanced Server

          Thanks V-2nas.

          Right, the Users is just a container, built in. The existing GPO is applied or linked at the Domain. Now I have created a new OU called SPUsers and linked a new GP at this new OU level and have moved a user from the original USERS container to the new OU like I was talking about in the images earlier.

          Unfortunately, now when a policy in the new OU GP conflicts with a more restrictive setting in the original domain GP, the original more restrictive policy prevails. That means that I can only make things MORE restrictive with the new GP and not less restrictive which is what I need to do.



          • #6
            Re: Group Policy Question W2K Advanced Server

            Hi,

            You can use a loopback processing GPO to make it less restrictive.

            Also,

            have you tried blocking inheritance... Block Inheritance will not work if the No Override option is marked on the top-level GPO.
            Last edited by v-2nas; 2nd December 2010, 22:48. Reason: inheritance
            Thanks & Regards
            v-2nas



            • #7
              Re: Group Policy Question W2K Advanced Server

              Thanks again,

              I tried 'block inheritance' at the new OU level, and at the top domain level, and the top domain policy still overrides the new OU policy. If you look at the images I posted earlier, the one on the left shows the top level domain policy and it's using 'no override' at the top domain level.

              I wonder if I need to make the top (domain) policy less restrictive and leave no-override in place there, then make the lower OU policy where the more restrictive policies reside? The only thing about that would be that I would have to move all of the other user accounts into the new OU. I'm a little green with GP so just being cautious by asking first.

              OR - If I turn off "No Override" at the top domain level, would THAT let my lower OU policy work? Also, are there any problems that could be created by doing that?

              Which way would be the best to go?

              Last edited by starrouter; 3rd December 2010, 22:03.



              • #8
                Re: Group Policy Question W2K Advanced Server

                Hi,

                No Override policy is basically to force down the policy, so no matter what, those settings must apply. Now you need to check what settings your top level policy is forcing on all. If those are basic policies then you can uncheck the No Override option and you should be good with the setup.

                Secondly, as I mentioned earlier, you can use loopback processing which will take care of your setting. This one is a bit complex as it will force the policy settings from GP even if override is checked on top.
                Thanks & Regards
                v-2nas



                • #9
                  Re: Group Policy Question W2K Advanced Server

                  OK, got it working. I unchecked the no-override on the top level policy and now I can do what I want with the lower OU policy and it works great. Thank you very much for your assistance, I appreciate it.

                  Out of curiosity, how does loopback processing work?
                  Last edited by starrouter; 3rd December 2010, 23:41.
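
The precedence behaviour worked out across posts #5 to #9, as an added example that is not code from any poster in this thread: a small Python model of how a domain-linked GPO and an OU-linked GPO resolve under No Override and Block Inheritance. "Standard User Policy" and SPUsers come from the thread; the setting names `RemoveSearch` and `HideRun` and the GPO name "SPUsers Policy" are constructed, and the model ignores local and site GPOs, security filtering and loopback.

```python
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    settings: dict            # constructed setting name -> value
    no_override: bool = False  # "No Override" flag on the GPO link

@dataclass
class Container:
    name: str
    links: list
    block_inheritance: bool = False

def resultant(chain):
    """chain: containers ordered domain first, user's OU last.
    Returns {setting: (value, winning GPO)}."""
    # Block Inheritance discards links from containers above the blocking one,
    # except links flagged No Override.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for link in c.links:
            if link.no_override:
                enforced.append(link)
            elif i >= start:
                normal.append(link)
    result = {}
    # Normal links apply top-down (last writer wins); No Override links are
    # applied afterwards in reverse, so the highest container wins.
    for link in normal + enforced[::-1]:
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result

def scenario(no_override, block_at_ou):
    """The thread's layout: restrictive policy at the domain, relaxed one on SPUsers."""
    domain = Container("domain", [Link("Standard User Policy",
                       {"RemoveSearch": True, "HideRun": True}, no_override)])
    ou = Container("SPUsers", [Link("SPUsers Policy", {"RemoveSearch": False})],
                   block_at_ou)
    return resultant([domain, ou])

if __name__ == "__main__":
    for no, blk in [(True, False), (True, True), (False, False), (False, True)]:
        print(f"No Override={no!s:5} Block Inheritance={blk!s:5} ->", scenario(no, blk))
```

In the last case the model also drops `HideRun`: Block Inheritance on the OU removes every non-enforced setting from above, not only the one being relaxed, which is why clearing No Override and overriding a single setting in the OU policy keeps the rest of the domain restrictions in force.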



                  • #10
                    Re: Group Policy Question W2K Advanced Server

                    Hi,

                    You can give this a read. Easy and Simple to understand.
                    http://kudratsapaev.blogspot.com/200...up-policy.html
                    Thanks & Regards
                    v-2nas
