Undefined settings

[Mike]

Hi, What happens on the client end when I set a previously defined domain
GPO setting to not defined?



Eg, Computer/Windows Settings/ Local Policies/User Rights Assignment/ Log
on as a service is currently defined as Administrators. If I change this
setting to not defined in the domain GPO what will the result be at the
client end? Will it keep the previous domain GPO setting (of Administrators)
or will it revert back to empty as it is in the setup security template?



PS: I'm in a pure Windows 2000 AD with mixed (2000/XP) clients. Will the
result be any different for XP and 2000?



PSS: Will the result be the same if I move the client to a different OU
which has a different policy applied with the same not defined scenario?

 

[Mark Heitbrink [MVP]]

Hi,

Eg, Computer/Windows Settings/ Local Policies/User Rights Assignment/ Log
on as a service is currently defined as Administrators. If I change this
setting to not defined in the domain GPO what will the result be at the
client end?

The setting from the clients LGPO will be take efect.
If you didn´t change the local secpol.msc on the client,
then the MS Default behavior form installation will pe present.

PS: I'm in a pure Windows 2000 AD with mixed (2000/XP) clients. Will the
result be any different for XP and 2000?

Same on 2000, XP and 2003

PSS: Will the result be the same if I move the client to a different OU
which has a different policy applied with the same not defined scenario?

Yes. It´s the same procedure. If you set it back to "not defined" within
the policy or in a different one in another scope, where you move the
computer to, aslong the computeraccount is not longer inside the scope
of the origin GPO.

Mark

 

[Mike]

Excellent. I was really hoping that to be the answer

Just wanting to clarify your first answer re secpol.msc - changing it would
involves physically logging on to the client pc, running secpol.msc and
manually changing the setting? I've never done this. All our settings have
been defined through group policy. I do have some client applications that
on installation have added so extra user rights assignments, based on your
answer these should stay? (once I set the gpo to not defined)

Thanks Mark.

Regards,
Mike.

 

[Mark Heitbrink [MVP]]

Hi,

Just wanting to clarify your first answer re secpol.msc - changing it would
involves physically logging on to the client pc, running secpol.msc and
manually changing the setting? I've never done this.

Good boy ...

All our settings have been defined through group policy. I do have some client
applications that on installation have added so extra user rights
assignments, based on your answer these should stay?
(once I set the gpo to not defined)

Yes, e.g. if you have a Server with an IIS, the IUSR and IWAM account
add themself inside the LGPO during setup. They will still be there,
or appear again, after resetting the GPO.

Mark

 

[Mike]

Terrific. Thanks for your advice Mark.

Hi,


Good boy ...


Yes, e.g. if you have a Server with an IIS, the IUSR and IWAM account
add themself inside the LGPO during setup. They will still be there,
or appear again, after resetting the GPO.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.