Windows 2003 Server - Group Policy

ToaDz

I have set up a domain controller called TOADSRV in my domain called
TOADZ.COM.

I have successfully set up AD, DNS and DHCP.

In Active Directory, I have set up several OUs:

1. Finance
2. Corporate
3. Services

I want all users (apart from Administrators and Domain Admins) not to have
access to the My Network Places icon on the desktop, as well as the Run
command.

How do I configure a group policy?

In AD, do I edit the "Default Domain Policy" for TOADZ.COM or do I configure
a new GPO for each OU?

Please note that I had a problem creating users with simple passwords and
was able to edit the "Default Domain Policy" for TOADZ.COM and disabled the
password complexity requirements. This worked fine.

Hope someone can help.

Cheers,

T
 
Chriss3

Here you have to work out a GPO design for your Active Directory
infrastructure. You may be planning to make many settings at the domain level
and may want to create a new GPO for different settings, such as Security,
Desktop Lock Down and so on.

However, I don't recommend modifying the Default Domain Policy too much,
because it may result in problems for all your computers and users within the
domain. If you have GPOs based on settings, you can easily disable them if you
get something unwanted and unexpected at the clients.

A good way to work is to have a Test OU with one user and computer where you
basically create your GPOs and test them until you feel ready to ship them
to your production users and computers, then link the OU where it should be.
By the way, you will become familiar with GPOs and may not need such a
solution, but it's a good way to start.
 
ToaDz

Thanks for the reply.

I have created an OU called "TEST" and have placed a user called
"testaccount" into the OU.

In this OU, I have created a new GPO and have set the My Network Places and
My Documents folder to NOT appear by doing the following:

1. Right-click TEST OU and Properties
2. Group Policy tab
3. New and called the GPO "TEST GPO"
4. Edit
5. User Configuration | Administrative Templates | Desktop
6. Enabled "Remove My Documents icon on the desktop" and "Hide My Network
Places icon on desktop"
7. Closed GPO Editor
8. Closed TEST GPO Properties window
9. Close AD Users and Computers

From another machine, I logged in as "testaccount" and the My Documents and
My Network Places icons were still there??

My DC is a Windows 2003 Server and the client PC is running Windows 2000
Professional.

Please note, I'm a newbie :) Any ideas?

I've tried running "gpupdate /force" at the command prompt and the problem
is still occurring.

Help!
 
ToaDz

Sorry, I rebooted my DC and then it worked.

My question is this...

As mentioned, I have the following OUs:

Finance
Corporate
Services

There is one user in Corporate, who I want to have full administrator access
(no restrictions).

I want all other users in all the OUs to not have access to the "My Network
Places" and "My Documents" icons on the Desktop.

What is the easiest way to accomplish this? If I edit the "Default Domain
Policy" to disable the My Network Places and My Documents folder, this will
work for all users, but what will happen to the user in the Corporate OU,
which I want to have full access?

I'm getting confused now :)
 
Chriss3

The Group Policy refresh interval is 90 minutes by default. You can force
a refresh by using the command-line tool gpupdate on Windows XP and
Windows Server 2003 computers. For Windows 2000 computers, see the following KB:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;227302

Let's talk about your Corporate OU; there are a few options you can use. Block
Policy Inheritance can be set on this OU, which means no policies from
higher-level OUs will be inherited by the Corporate OU, not even the Default
Domain Policy or other policies from site objects for example; this may come
infective. However, it's a good way to keep an OU clean from policies and
unwanted and unexpected changes.

Provides step-by-step instructions on how to block policy inheritance:
http://www.microsoft.com/resources/...Serv/2003/enterprise/proddocs/en-us/Block.asp

You can also set No Override on a particular GPO. Let's say you create a
clean GPO for the Corporate OU and then set the No Override option; it means
this policy will be in effect over all others.

Prevent a Group Policy object from being overridden:
http://www.microsoft.com/windows2000/en/server/help/NoOverride.htm

How does the Group Policy 'No Override' and 'Block Inheritance' work?
http://www.winnetmag.com/Article/ArticleID/15420/15420.html

I hope this can help you, by the way. Feel free to post back. Have a nice
day!
 
Mark Ramey

You can apply the policy at the OU level. If you create a policy, for example
with the name "Desktops", and apply it at an OU level, you can take the same
policy and link it to other OUs as well. To do this, from the Group Policy
tab click on Add. Go to the All tab and select your policy and OK. This will
link one group policy to multiple OUs. Just be aware that any settings that
are changed will apply globally to all the users, not just the one OU.

If you have one person that you do not want the policy to apply to and want
them to have no restrictions from the policy settings, click on the
Properties of the policy and go to the Security tab. Add the user and
specify the Deny on the Apply Group Policy right.

Mark
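
The three scoping options raised in this thread (Block Policy Inheritance, No Override, and Deny on Apply Group Policy), modeled as an added example that is not part of any poster's reply: a simplified Python sketch of how the resultant user settings are chosen. The GPO name "Desktop Lockdown" and the accounts corpadmin and corpuser are hypothetical; link order within a container, site GPOs and loopback processing are left out.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    deny_apply: set = field(default_factory=set)  # Deny on "Apply Group Policy"

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)     # (GPO, no_override) pairs
    block_inheritance: bool = False

def resultant_settings(principals, path):
    """path lists containers from the domain down to the user's OU."""
    # Block Policy Inheritance hides ordinary links from containers above the OU.
    first = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(path):
        for gpo, no_override in container.links:
            if gpo.deny_apply & set(principals):
                continue                          # filtered out: Deny beats Allow
            if no_override:
                enforced.append(gpo)              # ignores Block Inheritance
            elif depth >= first:
                normal.append(gpo)
    result = {}
    for gpo in normal:                            # closest container is applied last
        result.update(gpo.settings)
    for gpo in reversed(enforced):                # highest No Override link wins
        result.update(gpo.settings)
    return result

def scenario(block=False, no_override=False, deny=()):
    # Constructed sample data: GPO name and account names are hypothetical.
    lockdown = GPO("Desktop Lockdown", {
        "Hide My Network Places icon on desktop": "Enabled",
        "Remove My Documents icon on the desktop": "Enabled"}, set(deny))
    domain = Container("TOADZ.COM", [(lockdown, no_override)])
    corporate = Container("Corporate", block_inheritance=block)
    users = {"corpadmin": ["corpadmin", "Domain Users"],
             "corpuser": ["corpuser", "Domain Users"]}
    return {u: bool(resultant_settings(p, [domain, corporate]))
            for u, p in users.items()}            # True = user is restricted
```

In this model, `scenario(block=True)` lifts the lockdown for every account in Corporate, while `scenario(deny=["corpadmin"])` exempts only the one administrator and leaves the rest of the OU restricted.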
 
