need a way to import 2000 gp into 2003 server

[ajay]

i want to know is there a way to import a default gp for 2000sever into my
new 2003 domain ...reason is that with the default domain gp all my wks are
lock down (limited access and right ) and i can not seem to raised the
level example no permisson to manage netowrk settings, make vpn
connections, install applications .......this is what i want in the future
but for now im locking laptops down with the 2003 gp and all my users a
crying .....please help

 

[Steven L Umbach]

By default there are no user configuration settings defined on Group Policy when you
set up a domain. Computer/security policy settings are defined mostly in Local
Security Policy and Domain Controller Security Policy [mainly user rights
assignments] for domain controllers , while domain policy defining account/password
policies. What you are talking about seems to be mostly an issue with user group
membership in that users need to be administrators on their local computers to do all
that you mention [in W2K]. If it suits your needs you can add the users domain
account to their local administrators or power users group on their computer. You can
use "restricted groups" in security policy at the OU level to modify the membership
of the local administrators/power users groups of computers in the OU. First I would
try adding users to the Network Configuration Operators group on their local
computers to allow them to manage networking properties and consider using Group
Policy to publish or assign .msi applications to them before letting them all be
local administrators. Users usually do cry when they can't clutter up their computers
with unathorized applications, file swapping programs, chat programs, spyware,
etc. --- Steve

 

[ajay]

thank you so much for the reply

i have the default dc policy and the default domain policy added to my AD
should i delete or remove the default domain policy and just leave the one
for DC

By default there are no user configuration settings defined on Group Policy when you
set up a domain. Computer/security policy settings are defined mostly in Local
Security Policy and Domain Controller Security Policy [mainly user rights
assignments] for domain controllers , while domain policy defining account/password
policies. What you are talking about seems to be mostly an issue with user group
membership in that users need to be administrators on their local computers to do all
that you mention [in W2K]. If it suits your needs you can add the users domain
account to their local administrators or power users group on their computer. You can
use "restricted groups" in security policy at the OU level to modify the membership
of the local administrators/power users groups of computers in the OU. First I would
try adding users to the Network Configuration Operators group on their local
computers to allow them to manage networking properties and consider using Group
Policy to publish or assign .msi applications to them before letting them all be
local administrators. Users usually do cry when they can't clutter up their computers
with unathorized applications, file swapping programs, chat programs, spyware,
etc. --- Steve

i want to know is there a way to import a default gp for 2000sever into my
new 2003 domain ...reason is that with the default domain gp all my wks are
lock down (limited access and right ) and i can not seem to raised the
level example no permisson to manage netowrk settings, make vpn
connections, install applications .......this is what i want in the future
but for now im locking laptops down with the 2003 gp and all my users a
crying .....please help

 

[Steven L Umbach]

No. Never remove your default policies. The domain policy applies to the domain while
the domain controller policy applies only to the domain controller container where
all the domain controllers are by default. However any policy setting "defined" at
the domain level will also apply to the domain controller container if the same
setting is not defined in the domain controller policy. Note that mostly that will
only be computer configuration as users by default do not exists in the domain
controller container, nor should they be moved into it. --- Steve

thank you so much for the reply

i have the default dc policy and the default domain policy added to my AD
should i delete or remove the default domain policy and just leave the one
for DC

By default there are no user configuration settings defined on Group Policy when you
set up a domain. Computer/security policy settings are defined mostly in Local
Security Policy and Domain Controller Security Policy [mainly user rights
assignments] for domain controllers , while domain policy defining account/password
policies. What you are talking about seems to be mostly an issue with user group
membership in that users need to be administrators on their local computers to do all
that you mention [in W2K]. If it suits your needs you can add the users domain
account to their local administrators or power users group on their computer. You can
use "restricted groups" in security policy at the OU level to modify the membership
of the local administrators/power users groups of computers in the OU. First I would
try adding users to the Network Configuration Operators group on their local
computers to allow them to manage networking properties and consider using Group
Policy to publish or assign .msi applications to them before letting them all be
local administrators. Users usually do cry when they can't clutter up their computers
with unathorized applications, file swapping programs, chat programs, spyware,
etc. --- Steve

i want to know is there a way to import a default gp for 2000sever into my
new 2003 domain ...reason is that with the default domain gp all my wks are
lock down (limited access and right ) and i can not seem to raised the
level example no permisson to manage netowrk settings, make vpn
connections, install applications .......this is what i want in the future
but for now im locking laptops down with the 2003 gp and all my users a
crying .....please help

 

[ajay]

ok thanks well tell me this..... im in AD and we have at the domain level
....default domain gp and default dc gp linked... Is this default DC gp
supose to be linked there or only under the OU for DC's could this be my
problem

No. Never remove your default policies. The domain policy applies to the domain while
the domain controller policy applies only to the domain controller container where
all the domain controllers are by default. However any policy setting "defined" at
the domain level will also apply to the domain controller container if the same
setting is not defined in the domain controller policy. Note that mostly that will
only be computer configuration as users by default do not exists in the domain
controller container, nor should they be moved into it. --- Steve

thank you so much for the reply

i have the default dc policy and the default domain policy added to my AD
should i delete or remove the default domain policy and just leave the one
for DC

By default there are no user configuration settings defined on Group Policy when you
set up a domain. Computer/security policy settings are defined mostly

in
Local

Security Policy and Domain Controller Security Policy [mainly user rights
assignments] for domain controllers , while domain policy defining account/password
policies. What you are talking about seems to be mostly an issue with

user
group

membership in that users need to be administrators on their local computers to do all
that you mention [in W2K]. If it suits your needs you can add the

users
domain

account to their local administrators or power users group on their computer. You can
use "restricted groups" in security policy at the OU level to modify

the
membership

of the local administrators/power users groups of computers in the OU. First I would
try adding users to the Network Configuration Operators group on their local
computers to allow them to manage networking properties and consider

using
Group

Policy to publish or assign .msi applications to them before letting

them
all be

local administrators. Users usually do cry when they can't clutter up their computers
with unathorized applications, file swapping programs, chat programs, spyware,
etc. --- Steve


i want to know is there a way to import a default gp for 2000sever

into
my

new 2003 domain ...reason is that with the default domain gp all my

wks
are

lock down (limited access and right ) and i can not seem to raised the
level example no permisson to manage netowrk settings, make vpn
connections, install applications .......this is what i want in the future
but for now im locking laptops down with the 2003 gp and all my users a
crying .....please help

 

[Steven L Umbach]

In a default installation the domain policy is linked only to the domain container
and the domain controller policy to only the domain controller. --- Steve

ok thanks well tell me this..... im in AD and we have at the domain level
...default domain gp and default dc gp linked... Is this default DC gp
supose to be linked there or only under the OU for DC's could this be my
problem

No. Never remove your default policies. The domain policy applies to the domain while
the domain controller policy applies only to the domain controller container where
all the domain controllers are by default. However any policy setting "defined" at
the domain level will also apply to the domain controller container if the same
setting is not defined in the domain controller policy. Note that mostly that will
only be computer configuration as users by default do not exists in the domain
controller container, nor should they be moved into it. --- Steve

thank you so much for the reply

i have the default dc policy and the default domain policy added to my AD
should i delete or remove the default domain policy and just leave the one
for DC
By default there are no user configuration settings defined on Group
Policy when you
set up a domain. Computer/security policy settings are defined mostly in
Local
Security Policy and Domain Controller Security Policy [mainly user rights
assignments] for domain controllers , while domain policy defining
account/password
policies. What you are talking about seems to be mostly an issue with user
group
membership in that users need to be administrators on their local
computers to do all
that you mention [in W2K]. If it suits your needs you can add the users
domain
account to their local administrators or power users group on their
computer. You can
use "restricted groups" in security policy at the OU level to modify the
membership
of the local administrators/power users groups of computers in the OU.
First I would
try adding users to the Network Configuration Operators group on their
local
computers to allow them to manage networking properties and consider using
Group
Policy to publish or assign .msi applications to them before letting them
all be
local administrators. Users usually do cry when they can't clutter up
their computers
with unathorized applications, file swapping programs, chat programs,
spyware,
etc. --- Steve


i want to know is there a way to import a default gp for 2000sever into
my
new 2003 domain ...reason is that with the default domain gp all my wks
are
lock down (limited access and right ) and i can not seem to raised the
level example no permisson to manage netowrk settings, make vpn
connections, install applications .......this is what i want in the
future
but for now im locking laptops down with the 2003 gp and all my users a
crying .....please help