W2K Server / XP Pro Clients / Group Policy -- LOCK TASKBAR

[Richard Morey]

Hi,

I need some help with the group policy editor.. I have Windows XP Pro
machines connecting to a Windows 2000 Domain Controller. The user accounts
are on the domain controller and I am logging onto the domain from the
client machine without any problem. I have the user profiles mapping the U:
drive to a network share (\\server\userdata\%username%) and that is all
working fine.

My problem is this -- the users are currently unable to move the taskbar
("lock the taskbar" is checked and when I click on it, it does not turn off)
and when the user changes the settings of the start menu to "Classic Start
Menu" the settings takes effect but is lost the next time the user logs in.

I have changed the setting "Disable Changed to the Start Menu and Task Bar"
in the Group Policy editor (through the MMC) to "Disable" for the group
policy for both the DEFAULT DOMAIN POLICY and the DEFAULT DOMAIN CONTROLLER
POLICY, but the user is still unable to make the changes mentioned above.

My question is -- which of the two group policies should I be editting? (or
is there a different one all together?) and have I changed the "Disable
Changed to the Start Menu and Task Bar" setting correctly for what I want to
do? and finally, are there other changes I have to make to give the users
the ability to change the taskbar?

I would also like to redirect the location of the MY DOCUMENTS folder to the
"U:" drive, but when I try changing this on the users desktop, the O/S won't
let me make the change, and when I've tried to change this setting in the
group policy this has not taken effect either.

Finally, I have put myself in the ADMINISTRATORs group on the Win2K server
and even I can't change my taskbar or startmenu..

Thanks

Rich

 

[Steven L Umbach]

First off, make your dns configuration is correct in that domain controllers point
only to themselves or other domain controllers as their preferred dns server in
tcp/ip properties by assigned static IP address as shown by Ipconfig /all. Then
W2K/XP/2003 domain member computers must point only to domain controllers running dns
with the AD domain zone and never an ISP dns server. Run first netdiag and then
dcdiag on your domain controller to see if it configured correctly as a domain
controller. Failed tests/errors/warnings may indicate a problem particularly relating
to dns. Then run netdiag on a domain computer you are having a problem with looking
for the same relating to dns, dc discovery, kerberos, or trust relationship/secure
channel. These are free support tools on the install disk in the support/tools folder
for the appropriate operating system.

The policy you are trying to implement is a "user" configuration policy and therefore
the policy needs to be configured based on the location of the user accounts you want
it to apply to. If they are in the default users container, configure domain GPO. If
they are in an Organizational Unit, then the policy should be configured for that OU.
Group Policy can also apply to an administrator unless that user is in a different
container not subject to the GPO or the GPO is "filtered" to not apply [deny apply]
to the administrators group in the security properties of the GPO. Domain user
configuration of Group Policy will not apply to "local" users logging onto a domain
computer. If you do find the policy also applying to local users check to see it has
been applied in Local Security Policy via gpedit.msc. Use Gpresult to see what GPO's
are being applied to a computer and user while logged onto that domain computer. When
used with the /v switch it will give much more detailed info about policies and
settings being applied to try and track down what is going on. If you do that you may
want to pipe it to a text file as in [ gpresult /v > file.txt ]. --- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/gpresult.mspx
-- gpresult

 

[Richard Morey]

Thank you for this info! I will take a look at all this on Monday.

Rich

First off, make your dns configuration is correct in that domain controllers point
only to themselves or other domain controllers as their preferred dns server in
tcp/ip properties by assigned static IP address as shown by Ipconfig /all. Then
W2K/XP/2003 domain member computers must point only to domain controllers running dns
with the AD domain zone and never an ISP dns server. Run first netdiag and then
dcdiag on your domain controller to see if it configured correctly as a domain
controller. Failed tests/errors/warnings may indicate a problem particularly relating
to dns. Then run netdiag on a domain computer you are having a problem with looking
for the same relating to dns, dc discovery, kerberos, or trust relationship/secure
channel. These are free support tools on the install disk in the support/tools folder
for the appropriate operating system.

The policy you are trying to implement is a "user" configuration policy and therefore
the policy needs to be configured based on the location of the user accounts you want
it to apply to. If they are in the default users container, configure domain GPO. If
they are in an Organizational Unit, then the policy should be configured for that OU.
Group Policy can also apply to an administrator unless that user is in a different
container not subject to the GPO or the GPO is "filtered" to not apply [deny apply]
to the administrators group in the security properties of the GPO. Domain user
configuration of Group Policy will not apply to "local" users logging onto a domain
computer. If you do find the policy also applying to local users check to see it has
been applied in Local Security Policy via gpedit.msc. Use Gpresult to see what GPO's
are being applied to a computer and user while logged onto that domain computer. When
used with the /v switch it will give much more detailed info about policies and
settings being applied to try and track down what is going on. If you do that you may
want to pipe it to a text file as in [ gpresult /v > file.txt ]. --- Stevehttp://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/gpresult.mspx
-- gpresult

Hi,

I need some help with the group policy editor.. I have Windows XP Pro
machines connecting to a Windows 2000 Domain Controller. The user accounts
are on the domain controller and I am logging onto the domain from the
client machine without any problem. I have the user profiles mapping the U:
drive to a network share (\\server\userdata\%username%) and that is all
working fine.

My problem is this -- the users are currently unable to move the taskbar
("lock the taskbar" is checked and when I click on it, it does not turn off)
and when the user changes the settings of the start menu to "Classic Start
Menu" the settings takes effect but is lost the next time the user logs in.

I have changed the setting "Disable Changed to the Start Menu and Task Bar"
in the Group Policy editor (through the MMC) to "Disable" for the group
policy for both the DEFAULT DOMAIN POLICY and the DEFAULT DOMAIN CONTROLLER
POLICY, but the user is still unable to make the changes mentioned above.

My question is -- which of the two group policies should I be editting? (or
is there a different one all together?) and have I changed the "Disable
Changed to the Start Menu and Task Bar" setting correctly for what I want to
do? and finally, are there other changes I have to make to give the users
the ability to change the taskbar?

I would also like to redirect the location of the MY DOCUMENTS folder to the
"U:" drive, but when I try changing this on the users desktop, the O/S won't
let me make the change, and when I've tried to change this setting in the
group policy this has not taken effect either.

Finally, I have put myself in the ADMINISTRATORs group on the Win2K server
and even I can't change my taskbar or startmenu..

Thanks

Rich

 

[Richard Morey]

Hi --

So I ran the utilities as you suggested and initially got a lot of "FAILED"
messsages. I fixed the DNS configuration, etc. and now everything PASSED
with both NETDIAG and DCDIAG. Once I had the server working I logged into
the machine I am trying to setup with the group policy and ran GPRESULT and
got this message:

"INFO: The policy object does not exist."

So.. Any ideas?

Thanks,

Rich

 

[Steven L Umbach]

Did gpresult run and display that for a particular Group Policy or is that all that
it said when you tried to run it? Make sure you are using the right version of
gpresult for the operating system if it would not run. --- Steve

 

[Richard Morey]

Hi Again..

Disregard my e-mail below.. I forget to change the DNS settings on the
machine to point to the DC.. DOH!

So this is part of what I got when I ran GPRESULT /V ...

USER SETTINGS
--------------
CN=Richard Morey,CN=Users,DC=dunemanagement,DC=internal
Last time Group Policy was applied: N/A
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
DMCIPowerUser

Resultant Set Of Policies for User:
------------------------------------

Software Installations
----------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------Setting:
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled
Setting:
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled



Is the "Local Group Policy" referenced above set on the XP machine or on the
Windows 2000 Server?

Thanks

Rich

 

[Steven L Umbach]

Yes. Local Group Policy means the policy on the computer itself that is invoked via
gpedit.msc which shows that there are two settings applied for user configuration
apparently under administrative templates/Windows components/Windows Explorer. It
shows no user policy being applied from the default domain policy. --- Steve

 

[Richard Morey]

Okay, thanks.. I will look into that on the local machine.

Any idea why? I have policies set up on the win2k server.. Is there
something I possibly have set up incorrectly?

Thanks

Rich

 

[Steven L Umbach]

There is something up if it is not showing using gpresult. Since you made
some configuration changes I suggest that you try to configure a couple more
user configuration settings on your domain policy and then run secedit
/refreshpolicy user_policy /enforce on the domain controller and then logoff
and logon the domain computer as a domain user. Also try running netdiag on
that domain computer to make sure everything looks good for that computer as
far as dns, kerberos, dc discovery, and secuer channel. Gpotool is another
support tool that can be used on domain controllers to check for GPO/sysvol
health. --- Steve

 

[Richard Morey]

Hi --

I ran "secedit /refreshpolicy user_policy /enforce" on the domain controller
and then I logged on to another computer as me. I ran NetDiag and got no
errors so I ran GPRESULT and got this:

USER SETTINGS
--------------
CN=Richard Morey,CN=Users,DC=dunemanagement,DC=internal
Last time Group Policy was applied: 8/31/2004 at 3:05:09 PM
Group Policy was applied from: dunetoo.dunemanagement.internal
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

What is wierd is that I made sure that I am part of the administrators group
but it is not showing as such in the above list. It also doesn't show any of
the Group Policys I have set on the server, although it does map the network
drives, etc. that I have setup in the profile and obviously using my
username/password from the server.

Rich

 

[Richard Morey]

Ok.. now it seems to be working.. I guess the policy refresh thing took
longer than I thought to take effect.

Thanks for all your help!

Rich

 

[Steven L Umbach]

Great! Glad you got it working. I forgot to mention that some settings in Windows XP
may take two logoffs and logons to refresh. Also FYI in the future you can also use
the Group Policy Management tool to manage Group Policy in a Windows 2000 domain from
an XP Pro domain computer. It is a big leap forward in managing Group Policy and the
price is right. See the link below if interested. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mngwinxp.mspx -- also
FYI if you were not aware.