Discussion:
Group Policy Not Working
Dave Marden
2004-02-03 17:37:09 UTC
I have been asking this question in Windows SBS 2003 newsgroups so far
to no avail, thought maybe someone here could help me.

I have been trying to figure this out. I have Windows Server 2003, and
I cannot get my personalized GPOs to work.

My client PCs are XP Pro. I have added 1 restriction for 1 user, just
to try to make it work. What I did is enforced Prohibit access to control
panel (I figured it would be easy to check). I created a GPO named John
Doe, then I put it last in the list under domainname.local, which happens to
be 7. Upon logging on as John Doe the control panel is still present. I
checked it on a client computer. The users are in the SBSUsers OU, and I
put the GPO link in (MyBusiness/Users).

What I want to do is be able to set restrictions on the users in my
domain.

I went into Group Policy Results, and upon generating results on this
Policy, under Applied GPOs it doesn't even show up, and under Denied
GPOs it also doesn't show up.

What am I doing wrong? I have enabled it and made sure it was set up the
same as the other default policies, but it still doesn't work.

I can't seem to figure this out and would really appreciate any help you
could give me.

Any help appreciated,
Dave Marden (***@nospam.mardenfamily.com)
Chriss3
2004-02-03 18:41:23 UTC
Try to make the change in an existing policy and see if that applies.
However, Group Policies can only apply to OUs, Domains and Sites, and also
some of the settings to the local computer. They can't be set on a per-user
basis. The particular user must be in the OU with the Policy.
--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
Dave Marden
2004-02-04 00:26:37 UTC
It does apply in the other GPOs.

This is what it looks like in my Server Console -> Group Policy Management.

Forest: Mardens.local
Domains
Mardens.local
Default Domain Policy
Small Business Server Client Computer
Small Business Server Domain Password Policy
Small Business Server Folder Redirection
Small Business Server Lockout Policy
Small Business Server Remote Assistance Policy
Domain Controllers
Default Domain Controllers Policy
Small Business Server Auditing Policy
MyBusiness
Users
SBS High Rights
High Rights
SBS Low Rights
Low Rights
Group Policy Objects
Default Domain Controllers Policy
Default Domain Policy
High Rights
Low Rights
Small Business Server Auditing Policy
Small Business Server Client Computer
Small Business Server Domain Password Policy
Small Business Server Folder Redirection
Small Business Server Lockout Policy
Small Business Server Remote Assistance Policy


Under Group Policy Objects -> High Rights
Scope ->
Location - SBS High Rights
Enforced - No
Link Enabled - Yes
Path Mardens.local/MyBusiness/Users/SBS High Rights
Security Filter - Authenticated Users

Details
GPO Status
Enabled

Settings ->
Computer Configuration (Enabled)
No Settings Defined
User Configuration (Enabled)
Admin Temp
Control Panel
Policy
Prohibit access to the Control Panel
Enabled

Delegation ->
Authenticated Users -> Read(From Security Filtering) -> Inherited -> No
Domain Admins -> Edit Settings, delete, modify security -> Inherited -> No
Enterprise Admins -> Edit Settings, delete, modify security ->
Inherited -> No
Enterprise Domain Controllers -> Read -> Inherited -> No
System -> Edit settings, delete, modify security

Temporarily I have it set up in High Rights, but this is actually one of
the things I ultimately plan to put in Low Rights. I would really
appreciate any help with this. Hopefully there is something here obvious to
someone. Please help, any ideas appreciated.

Dave Marden
***@nospam.mardenfamily.com

P.S. The attachment is a notepad file just in case this doesn't show
correct formatting on your newsreader.
Roger Abell [MVP]
2004-02-04 04:20:40 UTC
X-posted to SBS, as you indicate that you have tried there hitherto

Dave,

Let's go back to your situation where you defined a new GPO
(which IMHO is what you do want to do, so that the SBS supplied
GPOs are left intact and as they were).

You may link a GPO any number of places, to the Domain or to
OU(s) within the domain.
If you link to the domain, then all computers and users are within
the scope of that GPO. If you link to an OU then only the computers
and users that are within that OU or its descendant OU(s) are within
the scope of that GPO.

So, if you set this control panel policy in a new GPO, setting it in
the Users section of the GPO, then that GPO will need to be linked
to the OU that contains the accounts that should be affected (or to
the domain to affect all accounts). The similar situation applies for
computer policies, linking them to an OU that contains the computer
objects that should be affected (or the domain for all).

Notice that the category of policy needs to match the kind of object,
User or Computer, that is within the scope of the GPO.

Now, it is not that simple.

First, there is security filtering, which you find in the Delegation
tab of GPMC. By default Authenticated Users has Read (and Apply)
which means that all Users and Computers will be affected by the
GPO. If this security group filtering is changed, then the GPO will
only be applied onto those objects that are both within the scope
of the GPO and also listed in the security setting as having Read
and Apply (note that the last half of this is masked in the GPMC display
for Delegation unless you look with the Advanced button's view).
Remember, Authenticated Users includes all accounts, whether
User or Computer objects.

And still, it is even a bit less simple than this.

When there are multiple GPOs applied to an object then the
application is done in order. You stated that your custom was
the last (of 7) listed. If you mean it was at the bottom of the list
this means it was the first applied - and any of the 6 that came
after it could have overwritten the policy you were using as a
test case. Highest in the list, last to apply, wins . . .

at least in absence (even more less simple) of a GPO being
enforced.
When a GPO is enforced its settings cannot be overwritten by
conflicting policy settings in GPOs that are applied later. This
was earlier referred to as the GPO being set for No Override.

Clear as mud ??
OK, so then we will not go into WMI filtering, which can make
it even less direct.

You are right in trying to use the group policy results feature
in the GPMC tool. This cuts through all of the details for you
about security group filtering, scope of application, overwriting
settings from higher priority GPOs, etc.
I suspect that what you reported seeing was because of where
your initial test GPO was linked, and what was as a consequence
within its scope.
--
Roger
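Roger's rules above (scope by link location, link order within a container, Enforced, and security filtering) replayed as an added Python model. This is not part of the thread and not Microsoft's code; it is an offline simulation with constructed data. It leaves out the Local and Site layers, Block Inheritance and WMI filtering, models only the User Configuration half of each GPO, and the "Allow Control Panel" GPO and the "Sales" group are made up purely to show a conflict against Dave's High Rights GPO.

```python
"""Toy model of GPO precedence: scope, link order, Enforced and security filtering.

Constructed for illustration; it does not query a domain controller and it
omits the Local and Site layers, Block Inheritance and WMI filtering.  Only
the User Configuration half of a GPO is modelled.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

AUTHENTICATED_USERS = "Authenticated Users"


@dataclass
class GPO:
    name: str
    user_settings: Dict[str, str]                       # setting -> value
    # GPMC default: Authenticated Users has Read + Apply, so every account is affected
    security_filter: FrozenSet[str] = frozenset({AUTHENTICATED_USERS})


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False     # "Enforced" in GPMC, "No Override" in older tools
    enabled: bool = True       # "Link Enabled" in GPMC


def containers_for(ou_path: str) -> List[str]:
    """Domain first, then each OU down to the one holding the account.
    'a.local/MyBusiness/Users' -> ['a.local', 'a.local/MyBusiness', 'a.local/MyBusiness/Users']"""
    parts = ou_path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def application_order(containers: Dict[str, List[Link]], ou_path: str,
                      groups: FrozenSet[str]) -> List[GPO]:
    """GPOs in the order a client applies them: first applied loses, last applied wins.

    `containers` maps a container path to its links in GPMC link order,
    index 0 being link order 1 (top of the list, highest precedence)."""
    normal: List[GPO] = []
    enforced: List[GPO] = []
    for container in containers_for(ou_path):
        # Within one container the bottom of the list is applied first,
        # so link order 1 is applied last and wins.
        for link in reversed(containers.get(container, [])):
            if not link.enabled:
                continue
            if not (link.gpo.security_filter & groups):
                continue  # filtered out: no Read + Apply for this account
            (enforced if link.enforced else normal).append(link.gpo)
    # Enforced links are applied after every normal link; among enforced
    # links the one nearest the domain wins, so reverse the top-down order.
    return normal + list(reversed(enforced))


def resultant_user_settings(containers: Dict[str, List[Link]], ou_path: str,
                            groups: FrozenSet[str]) -> Dict[str, Tuple[str, str]]:
    """Resultant Set of Policy for the User half: setting -> (value, winning GPO)."""
    effective: Dict[str, Tuple[str, str]] = {}
    for gpo in application_order(containers, ou_path, groups):
        for setting, value in gpo.user_settings.items():
            effective[setting] = (value, gpo.name)
    return effective


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Replays the thread's situation and the cases Roger describes (constructed data)."""
    cp = "Prohibit access to the Control Panel"
    auth = frozenset({AUTHENTICATED_USERS})
    high_rights = GPO("High Rights", {cp: "Enabled"})
    # Constructed conflicting GPO, purely to show link-order precedence.
    allow_cp = GPO("Allow Control Panel (constructed)", {cp: "Disabled"})
    users = "Mardens.local/MyBusiness/Users"
    high_ou = users + "/SBS High Rights"
    low_ou = users + "/SBS Low Rights"
    out: Dict[str, Optional[Tuple[str, str]]] = {}

    # Linked to the OU that holds the account: in scope, applied.
    c = {high_ou: [Link(high_rights)]}
    out["in_scope"] = resultant_user_settings(c, high_ou, auth).get(cp)
    # Account in a sibling OU: out of scope, so RSoP lists it neither as applied nor denied.
    out["sibling_ou"] = resultant_user_settings(c, low_ou, auth).get(cp)
    # Linked one level up, at Users: reaches both child OUs.
    c = {users: [Link(high_rights)]}
    out["parent_link"] = resultant_user_settings(c, low_ou, auth).get(cp)
    # A conflicting GPO above it in the link order is applied later and wins...
    c = {high_ou: [Link(allow_cp), Link(high_rights)]}
    out["outranked"] = resultant_user_settings(c, high_ou, auth).get(cp)
    # ...unless the lower link is Enforced.
    c = {high_ou: [Link(allow_cp), Link(high_rights, enforced=True)]}
    out["enforced"] = resultant_user_settings(c, high_ou, auth).get(cp)
    # Security filtering changed to a group the account is not in (constructed group).
    filtered = GPO("High Rights", {cp: "Enabled"}, frozenset({"Sales (constructed)"}))
    c = {high_ou: [Link(filtered)]}
    out["filtered_out"] = resultant_user_settings(c, high_ou, auth).get(cp)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>13}: {result}")
```

The `sibling_ou` and `filtered_out` cases both come back with nothing, which is the same picture Dave saw in Group Policy Results: a GPO that is out of scope or filtered away is neither in the Applied list nor in the Denied list, because the client never considered it for that account.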
CZ
2004-02-04 07:03:23 UTC
Roger:

Excellent post.
Roger Abell
2004-02-05 01:45:13 UTC
Post by CZ
Excellent post.
Thanks CZ.
It is a simple topic, but one with many little "features".
--
Roger
Dave Marden
2004-02-04 11:26:58 UTC
I ran into this in the Small Business Server Client
Computer GPO, and was wondering if it may be part or all
of my problem. When looking at the GPO, under Computer
Configuration -> Admin Templates -> Extra Registry
Settings ->:

Display names for some settings cannot be found. You
might be able to resolve this issue by updating the .ADM
files used by Group Policy Management.
-> Setting:
->
software\microsoft\windowsnt\currentversion\winlogon\SyncForegroundPolicy
-> State:
-> 1

I went looking through Microsoft's knowledge base and found
an article. What I am wondering is whether this could be
causing me the problems that I am having? Also how do I
fix it, or should I just do one of the things it mentions?

Here is the article from the knowledge base:

SUMMARY
In Enterprise environments, there may be hundreds of Group
Policy objects that you want to deploy in a domain. Each
Group Policy object is stored in the Sysvol share of each
domain controller. By default, a copy of the
Administrative Templates (.adm) files are copied to each
policy object in the file path:
%systemroot%\sysvol\domainname\Policies\POLICYGUID\Adm

In Windows Server 2003, the size of the Administrative
Templates has grown. As a result, the set of
Administrative Templates has grown to almost 1.75 MB. When
you multiply this size by each Policy that Sysvol
contains, you can see that much space is devoted to these
templates.

Based on these facts, Administrators may want to use two
Group Policy settings that reduce some of the strain that
this Sysvol size growth causes. You must make sure that
you set the settings correctly. If you do not, you may not
be able to manage the Administrative Templates settings on
some Group Policy objects. The two settings are Always use
local ADM files for Group Policy Editor and Turn off
automatic update of ADM files.

To locate these settings, in Group Policy expand Computer
Configuration, expand Administrative Templates, expand
System, and then expand Group Policy. Complete
descriptions of these settings are included in the "More
Information" section of this article.

The following list of scenarios describes how Group Policy
behaves after you modify the settings:

Scenario 1:
Turn off Automatic Update of ADM files: enabled
Always use local ADM files for Group Policy Editor: enabled
Result: Local Administrative Template files (.ADM files) are not
copied to SYSVOL. Displays the settings in Group Policy by using the
local .adm files in %systemroot%\inf.

Scenario 2:
Turn off Automatic Update of ADM files: enabled
Always use local ADM files for Group Policy Editor: disabled
Result: Local copies of .adm files are not copied to SYSVOL. Displays
the settings based on the .adm files located in SYSVOL. In this
setting, if the SYSVOL copies of the .adm files are deleted, then you
cannot view or edit the Administrative Templates section of Group
Policy. If the copies of the .adm files in SYSVOL are Windows 2000
versions, new settings are not available in the policy.

Scenario 3:
Turn off Automatic Update of ADM files: disabled
Always use local ADM files for Group Policy Editor: enabled
Result: Local copies of the .adm files are copied to SYSVOL. Displays
the settings based on the .adm files located in the %Systemroot%\inf
folder.

Scenario 4:
Turn off Automatic Update of ADM files: disabled
Always use local ADM files for Group Policy Editor: disabled
Result: Local copies of the .adm files present in the %Systemroot%\inf
folder are not copied to SYSVOL. Copies of the .adm files in SYSVOL
determine policy. In this scenario, the automatic method of upgrading
policy templates is disabled, but the client continues to reference
SYSVOL for the .adm files. If you must upgrade a template, you must
do so manually.

I am going nuts here, please help.

Thanks In Advance,
Dave Marden
Roger Abell [MVP]
2004-02-04 14:00:38 UTC
Hi Dave,

I do not believe either of the two items you mention in this
post are related to your original issue where you attempted
to get a custom GPO to behave as expected.

The major issue in this new post, the settings to control the
efficiencies due to Adm template file size, is IMO something
that you should not be concerned about.
In the typical SBS environment, which is by definition a single
site, the network connectivity is not at issue as in a multi-site
scenario, and also it is typically always possible (in fact it will
be so if you have not modified the default mmc snapin behaviors
or when there is only one DC) that the Adm files are local to the
machine upon which the mmc snap-in tool is focused.
IOW, I would suggest that you just leave adm template behavior
in its default settings. Also, it is not part of your initial issue.

The other thing you raise in this new post is the fact that it is
possible to make registry settings in a GPO in a manner such
that "friendly display" is not possible because there is a mismatch
either with the adm file or the sceregvl.inf file on the system where
the GPO is being displayed. What happens is that there is a setting,
which is fully applicable, but for which the display routine cannot
locate "human friendly" naming information to display.
The specific key you mentioned is not likely to have conflicted
with the settings that you mentioned attempting with your custom
GPO. However, if you see this when viewing the GPO(s) in the same
way when you are logged into the DC, this may indicate that some
adm file is out-of-date, or rather one of the customizations of SBS
has taken a hit from later W2k3 updates.

Roger
Dave Marden
2004-02-04 13:19:25 UTC
I am unfamiliar with IMHO, what does this stand for? The rest of the ideas
that you mention I think I am familiar with. I wish I could get someone to
do a Remote Assistance with me. My email address is
***@nospam.mardenfamily.com. Email, and I'd call you.

Dave Marden
Roger Abell [MVP]
2004-02-04 14:07:54 UTC
Permalink
Hi Dave,

IMHO = in my humble (yea, right!) opinion

I am now prep'ing to be off into the work-day.
So much for the remoting in , ey ?

Try this.
Define a new GPO, in it make some test settings.
Link this GPO to the top of the list of GPOs on some location
other than the domain. Usually we will define a new OU for
this so that the scope of our testing/play/learning is tightly
constrained. So, you define a new GPO, and an new OU, and
link the new GPO to the new OU

Now, if you test user settings in the GPO, move a user account
(or make a new one) into the OU. If you test computer settings
in the GPO, move a client computer object into the OU.
Then, with the settings made in the GPO, go test the result by
logging in (user settings) or by booting the computer (computer
settings). Note that some settings are not immediately felt at
the target, but fresh login or reboot cuts through most of these
delays.

Roger
Post by Dave Marden
I am unfamiliar with IMHO, what does this stand for? The rest of the ideas
that you mention I think I am familiar with. I wish I could get someone to
do a Remote Assistant with me. My email address is
Dave Marden
Dave Marden
Post by Roger Abell [MVP]
X-posted to SBS, as you indicate that you have tried there hitherto
Dave,
Let's go back to your situation where you defined a new GPO
(which IMHO is what you do want to do, so that the SBS supplied
GPOs are left intact and as they were).
You may link a GPO any number of places, to the Domain or to
OU(s) within the domain.
If you link to the domain, then all computers and users are within
the scope of that GPO. If you link to an OU then only the computers
and users that are within that OU or its descendant OU(s) are within
the scope of that GPO.
So, if you set this control panel policy in a new GPO, setting it in
the Users section of the GPO, then that GPO will need to be linked
to the OU that contains the accounts that should be affected (or to
the domain to affect all accounts). The similar situation applies for
computer policies, linking them to an OU that contains the computer
objects that should be affected (or the domain for all).
Notice that the category of policy needs to match the kind of object,
User or Computer, that is within the scope of the GPO.
Now, it is not that simple.
First, there is security filtering, which you find in the Delegation
tab of GPMC. By default Authenticated Users has Read (and Apply)
which means that all Users and Computers will be affected by the
GPO. If this security group filtering is changed, then the GPO will
only be applied onto those objects that are both within the scope
of the GPO and also listed in the security setting as having Read
and Apply (note that the last half of this is masked in the GPMC display
for Delegation unless you look with the Advanced button's view).
Remember, Authenticated Users includes all accounts, whether
User or Computer objects.
And still, it is even a bit less simple than this.
When there are multiple GPOs applied to an object then the
application is done in order. You stated that your custom was
the last (of 7) listed. If you mean it was at the bottom of the list
this means it was the first applied - and any of the 6 that came
after it could have overwritten the policy you were using as a
test case. Highest in the list, last to apply, wins . . .
at least in absence (even more less simple) of a GPO being
enforced.
When a GPO is enforced its settings cannot be overwritten by
conflicting policy settings in GPOs that are applied later. This
was earlier referred to as the GPO being set for No Override.
Clear as mud ??
OK, so then we will not go into WMI filtering, which can make
it even less direct.
You are right in trying to use the group policy results feature
in the GPMC tool. This cuts through all of the details for you
about security group filtering, scope of application, overwriting
settings from higher priority GPOs, etc.
I suspect that what you reported seeing was because of where
your initial test GPO was linked, and what was as a consequence
within its scope.
--
Roger
Post by Dave Marden
It does apply in the other GPO's.
This is what it looks like in my Server Console -> Group Policy
Management.
Forest: Mardens.local
Domains
Mardens.local
Default Domain Policy
Small Business Server Client Computer
Small Business Server Domain Password Policy
Small Business Server Folder Redirection
Small Business Server Lockout Policy
Small Business Server Remote Assistance Policy
Domain Controllers
Default Domain Controllers Policy
Small Business Server Auditing Policy
MyBusiness
Users
SBS High Rights
High Rights
SBS Low Rights
Low Rights
Group Policy Objects
Default Domain Controllers Policy
Default Domain Policy
High Rights
Low Rights
Small Business Server Auditing Policy
Small Business Server Client Computer
Small Business Server Domain Password Policy
Small Business Server Folder Redirection
Small Business Server Lockout Policy
Small Business Server Remote Assistance Policy
Under Group Policy Objects -> High Rights
Scope ->
Location - SBS High Rights
Enforced - No
Link Enabled - Yes
Path Mardens.local/MyBusiness/Users/SBS High Rights
Security Filter - Authenticated Users
Details
GPO Status
Enabled
Settings ->
Computer Configuration (Enabled)
No Settings Defined
User Configuration (Enabled)
Admin Temp
Control Panel
Policy
Prohibit access to the Control Panel
Enabled
Delegation ->
Authenticated Users -> Read(From Security Filtering) -> Inherited -> No
Domain Admins -> Edit Settings, delete, modify security -> Inherited -> No
Enterprise Admins -> Edit Settings, delete, modify security ->
Inherited -> No
Enterprise Domain Controllers -> Read -> Inherited -> No
System -> Edit settings, delete, modify security
Temporarily I have it set up in High Rights, but this is actually one of
the things I ultimately plan to put in Low Rights. I would really
appreciate any help with this. Hopefully there is something here obvious
to someone. Please help, any ideas appreciated.
Dave Marden
P.S. The attachment is a notepad file just in case this doesn't show
correct formatting on your newsreader.
Post by Chriss3
Try to make the change in an existing policy and see if that applies.
However Group Policies can only apply to OUs, Domains and Sites,
and also some of the settings to the local computer. They can't be set
on a per-user basis.
The particular user must be in the OU with the Policy.
--
Regards,
Christoffer Andersson
No email replies please - reply in the newsgroup
http://www.itsystem.se/employers.asp?ID=1
Post by Dave Marden
I have been asking this question in Windows SBS 2003 newsgroups so far
to no avail, thought maybe someone here could help me.
I have been trying to figure this out. I have Windows Server 2003, and
I cannot get my personalized GPO's to work.
My client PC's are XP Pro, I have added 1 restriction for 1 user, just
to try to make it work. What I did is enforced Prohibit access to control
panel (I figured it would be easy to check). I created a GPO named John
Doe, then I put it last in the list under domainname.local, which happens to
be 7. Upon logging on as John Doe the control panel is still present. I
checked it on a client computer. The users are in the SBSUsers OU, and I
put the GPO link in (MyBusiness/Users).
What I want to do is be able to set restrictions on the users in my
domain.
I went into Group Policy Results, and upon generating results on this
Policy, and under Applied GPO's it doesn't even show up, and under Denied
GPO's, it also doesn't show up.
What am I doing wrong? I have enabled it and made sure it was set up the
same as the other default policies, but it still doesn't work.
I can't seem to figure this out and would really appreciate any help you
could give me.
Any help appreciated,
Dave Marden
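As an added illustration of the scoping and precedence rules Roger lays out in the quoted message (parent container before child OU, bottom of the link list first, an Enforced link applied last, security filtering by Read + Apply), here is a small Python model that is not part of the thread. The container paths, GPO names and settings are constructed to mirror the Mardens.local listing above; it also shows why a GPO linked outside an account's OU chain turns up under neither Applied nor Denied GPOs in Group Policy Results.

```python
"""Toy model of Group Policy scope and precedence (added example, not from the thread).

Rules modelled: containers apply parent first (domain, OU, child OU); within one
container the GPO at the bottom of the GPMC link list applies first and the one
at the top (link order 1) applies last and wins; an Enforced link is applied after
every non-enforced one, parent-most last, so nothing overwrites it; a GPO only
reaches accounts whose groups hold Read + Apply in its security filter.
"""
from dataclasses import dataclass, field

AUTHENTICATED_USERS = "Authenticated Users"
CONTROL_PANEL = "Prohibit access to the Control Panel"


@dataclass
class Gpo:
    name: str
    settings: dict                       # policy name -> value
    enabled: bool = True                 # "GPO Status" on the Details tab
    security_filter: frozenset = frozenset({AUTHENTICATED_USERS})  # Read + Apply


@dataclass
class Link:
    gpo: Gpo
    order: int                           # 1 = top of the link list in GPMC
    enforced: bool = False
    enabled: bool = True                 # "Link Enabled"


@dataclass
class Container:
    path: str                            # e.g. "Mardens.local/MyBusiness/Users"
    links: list = field(default_factory=list)


def scope_chain(containers, target_path):
    """Containers whose path is the target's path or an ancestor of it, parent first."""
    chain = [c for c in containers
             if target_path == c.path or target_path.startswith(c.path + "/")]
    return sorted(chain, key=lambda c: c.path.count("/"))


def resultant_policy(containers, target_path, groups):
    """Mimic GPMC's Group Policy Results for an account located in `target_path`.

    Returns (applied GPO names in application order, merged settings, denied GPOs
    with the reason).  `groups` holds the account's security groups.
    """
    chain = scope_chain(containers, target_path)
    normal, enforced, denied = [], [], {}

    def consider(link, bucket):
        gpo = link.gpo
        if not link.enabled:
            denied[gpo.name] = "link disabled"
        elif not gpo.enabled:
            denied[gpo.name] = "GPO status disabled"
        elif not (gpo.security_filter & groups):
            denied[gpo.name] = "security filtering (no Read + Apply)"
        else:
            bucket.append(gpo)

    # Non-enforced links: parent container first; inside a container the largest
    # link-order number (bottom of the list) first, so that order 1 applies last.
    for c in chain:
        for link in sorted(c.links, key=lambda l: -l.order):
            if not link.enforced:
                consider(link, normal)
    # Enforced links follow every non-enforced one, child container first, so an
    # Enforced GPO linked at the domain is applied very last and wins outright.
    for c in reversed(chain):
        for link in sorted(c.links, key=lambda l: -l.order):
            if link.enforced:
                consider(link, enforced)

    applied = normal + enforced
    merged = {}
    for gpo in applied:                  # later application overwrites earlier
        merged.update(gpo.settings)
    return [g.name for g in applied], merged, denied


def out_of_scope(containers, target_path):
    """GPOs linked only outside the chain: GPMC shows them as neither Applied nor Denied."""
    in_scope = {l.gpo.name for c in scope_chain(containers, target_path) for l in c.links}
    everywhere = {l.gpo.name for c in containers for l in c.links}
    return sorted(everywhere - in_scope)


def demo_layout():
    """Constructed layout mirroring the GPMC listing in the thread (not the real forest)."""
    return [
        Container("Mardens.local", [Link(Gpo("Default Domain Policy", {"MinimumPasswordLength": 7}), 1)]),
        Container("Mardens.local/MyBusiness/Users/SBS High Rights",
                  [Link(Gpo("High Rights", {CONTROL_PANEL: "Enabled"}), 1)]),
        Container("Mardens.local/MyBusiness/Users/SBS Low Rights",
                  [Link(Gpo("Low Rights", {CONTROL_PANEL: "Disabled"}), 1)]),
    ]


if __name__ == "__main__":
    layout = demo_layout()
    for ou in ("Mardens.local/MyBusiness/Users/SBS High Rights", "Mardens.local/Users"):
        print(ou, "->", resultant_policy(layout, ou, {AUTHENTICATED_USERS}),
              "out of scope:", out_of_scope(layout, ou))
```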
Dave Marden
2004-02-04 15:32:19 UTC
Permalink
I just noticed that the only policies that seem to be inherited by my
users are the local policies. None of the Default Policies are working on
the user side. Is there a setting to enable this?

Dave Marden
Dave Marden
2004-02-04 15:35:41 UTC
Permalink
I just noticed that the only policies that seem to be inherited by my
users are the local policies. None of the Default Policies are working on
the user side. Is there a setting to enable this?

Dave Marden
Roger Abell
2004-02-05 01:43:47 UTC
Permalink
It is joining the domain that enables/requires this.
If they are not being applied it is likely a networking
configuration issue. Are your clients using only the
DNS server that is running on your SBS DC ?
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Post by Dave Marden
I just noticed that the only policies that seem to be inherited by my
users are the local policies. None of the Default Policies are working on
the user side. Is there a setting to enable this?
Dave Marden
Dave Marden
2004-02-05 02:26:35 UTC
Permalink
I believe so, I have cable for the internet, and I then have a router. All 3
pc's are connected to the same router. My 2 client pc's are able to log
into the server, or at least I think they are. All the user accounts are
set up on the Server, except for local Administrator accounts on each of the
2 pc's. As for whether I am using only the DNS server that is running on my
SBS DC, how would I know this? It is my only server, I only have the 3
pc's.

I will add this however, there have been a few times where I have felt
like I had a networking problem. When I log onto the clients as
Myself via the Server, if I try to add permissions to a directory, it only
lists the local ones, and if I search for other locations usually the only
location I see is the local computer name. mydomain.local does not always
show up, but sometimes it does.

I think you are right, and that we are on to something here. To be
honest with you I think that I have a pretty good grasp on the GPO's and how
they work. I just thought maybe I was missing something somewhere since I
am just learning.

Do you have any idea of what my problem might be?

Dave Marden
Post by Roger Abell
It is joining the domain that enables/requires this.
If they are not being applied it is likely a networking
configuration issue. Are your clients using only the
DNS server that is running on your SBS DC ?
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Post by Dave Marden
I just noticed that the only policies that seem to be inherited by my
users are the local policies. None of the Default Policies are working on
the user side. Is there a setting to enable this?
Dave Marden
Roger Abell [MVP]
2004-02-05 03:19:35 UTC
Permalink
Just run
ipconfig /all
when logged into the client machines.
That you can log in with a domain account does
not mean that Active Directory enabled features,
such as group policy application, are going to work.
You need to have healthy DNS support, and be using
it alone.
--
Roger
Post by Dave Marden
I believe so, I have cable for the internet, and I then have a router. All 3
pc's are connected to the same router. My 2 client pc's are able to log
into the server, or at least I think they are. All the user accounts are
set up on the Server, except for local Administrator accounts on each of the
2 pc's. As for whether I am using only the DNS server that is running on my
SBS DC, how would I know this? It is my only server, I only have the 3
pc's.
I will add this however, there have been a few times where I have felt
like I had a networking problem. When I log onto the clients as
Myself via the Server, if I try to add permissions to a directory, it only
lists the local ones, and if I search for other locations usually the only
location I see is the local computer name. mydomain.local does not always
show up, but sometimes it does.
I think you are right, and that we are on to something here. To be
honest with you I think that I have a pretty good grasp on the GPO's and how
they work. I just thought maybe I was missing something somewhere since I
am just learning.
Do you have any idea of what my problem might be?
Dave Marden
Post by Roger Abell
It is joining the domain that enables/requires this.
If they are not being applied it is likely a networking
configuration issue. Are your clients using only the
DNS server that is running on your SBS DC ?
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Post by Dave Marden
I just noticed that the only policies that seem to be inherited by my
users are the local policies. None of the Default Policies are working on
the user side. Is there a setting to enable this?
Dave Marden
Dave Marden
2004-02-05 15:03:22 UTC
Permalink
Post by Roger Abell [MVP]
Just run
ipconfig /all
when logged into the client machines.
That you can log in with a domain account does
not mean that Active Directory enabled features,
such as group policy application, are going to work.
You need to have healthy DNS support, and be using
it alone.
--
Roger
Well here goes, sorry 'bout the length, but I want to get it all
out there. Please take a look at this for me, as I seem to be a little
(whole lot) lost.



This information was obtained from my Desktop, then Laptop, and
finally the server.



Like I was saying before, I have a router hooked up to the internet via
cable, and I have each of the 3 pc's connected to the router. The desktop is
set to get IP and DNS information automatically; on the server
I put in the settings manually, and on the laptop, it is set to
automatically obtain the information.



Here is the information I got from ipconfig /all. I notice that
there are 3 DNS Server addresses for the laptop. To be honest, with my
limited knowledge they looked pretty messed up.



Desktop Results from ipconfig /all:

Windows IP Configuration

Host Name : desktop
Primary DNS Suffix : Mardens.local
Node Type : Unknown
IP Routing Enabled : No
WINS Proxy Enabled : No
DNS Suffix Search List : Mardens.local

Ethernet adapter Local Area Connection:

Connection-Specific DNS Suffix : bay.chartermi.net
Description : NVidia nForce MCP Networking Adapter
Physical Address : ##-L#-##-LL-##-LL
DHCP Enabled : Yes
Autoconfiguration Enabled : Yes
IP Address : 192.168.0.3
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.0.1
DHCP Server : 192.168.0.1
DNS Servers : 24.247.24.53
: 24.247.15.53
: 24.213.28.38
Lease Obtained : Feb 5, 2004
Lease Expires : Feb 8, 2004

Ethernet adapter Local Area Connection 2:

Media State : Media Disconnected

Laptop Differences with ipconfig /all:

Ethernet adapter Local Area Connection:

Connection-Specific DNS Suffix : This is Blank
Description : MAC Bridge Miniport
Physical Address : ##-##-#L-##-##-LL
DHCP Enabled : No
Autoconfiguration Enabled : Does not show one
IP Address : 192.168.0.2
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.0.1
DHCP Server : Not Listed
DNS Servers : 24.247.24.53
: 24.247.15.53
: Does not show one
Lease Obtained : Does not show one
Lease Expires : Does not show one

P.S. I wasn't sure if it was a good idea to put the physical address on the
internet so I put # for numbers, and L for letters.

I don't know if it will be useful, but I will show my server's info as well
while I'm at it.

Windows IP Configuration:

Host Name : daveserver
Primary DNS Suffix : Mardens.local
Node Type : Unknown
IP Routing Enabled : Yes
WINS Proxy Enabled : Yes
DNS Suffix Search List : Mardens.local

Ethernet adapter Local Area Connection: (This is the one I use)

Connection-Specific DNS Suffix : Blank
Description : Netgear FA311/FA312 PCI Adapter
Physical Address : ##-##-L#-#L-##-#L
DHCP Enabled : No
Autoconfiguration Enabled : Does not show
IP Address : 192.168.0.5
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.0.1
DHCP Server : Does not show
DNS Servers : 24.247.24.53
: Does not Show
: Does not Show

Ethernet adapter Local Area Connection: (Not currently used)

Connection-Specific DNS Suffix : Blank
Description : Nvidia nForce MCP Networking Adapter
Physical Address : ##-#L-#L-##-##-L#
DHCP Enabled : Yes
Autoconfiguration Enabled : Yes
IP Address : 169.254.40.252
Subnet Mask : 255.255.0.0
Default Gateway : Does not show
DHCP Server : Does not show
Primary WINS Server : 192.168.0.5
DNS Servers : Does not Show
: Does not Show
: Does not Show
NetBIOS over Tcpip : Disabled

Any help greatly appreciated,

Dave Marden ***@nospam.mardenfamily.com
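The check Roger asked for (ipconfig /all on each client, with the DC as the only DNS server) written as a small Python script; it is added here and is not part of the thread. It parses XP/2003-style ipconfig /all output and reports adapters whose DNS servers cannot resolve the Active Directory zone. The SAMPLE text is constructed to resemble the desktop output above, and the DC address 192.168.0.5 and the 192.168.0.0/24 LAN are taken from the values posted in the thread.

```python
"""Parse `ipconfig /all` output and flag DNS settings that keep Group Policy from
applying (added example, not from the thread).  In a single-DC SBS domain every
member, the server included, must use only the DC's own IP for DNS: the ISP's
resolvers know nothing about the .local zone or its _ldap._tcp SRV records.
SAMPLE is constructed to resemble the desktop output posted in the thread; the DC
address 192.168.0.5 and the 192.168.0.0/24 LAN come from the same post.
"""
import ipaddress
import re

KEY_VALUE = re.compile(r"^\s+(\S[^:]*?)[ .]*:\s*(.*)$")   # "   DNS Servers . . : 1.2.3.4"
APIPA = ipaddress.ip_network("169.254.0.0/16")            # automatic private address range


def parse_ipconfig(text):
    """Return {section: {field: [values]}} from XP/2003-style `ipconfig /all` text.

    Section headers are the unindented lines; an indented line without a colon
    continues the previous field (extra DNS servers are listed that way).
    """
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = sections.setdefault(line.strip().rstrip(":"), {})
            last_key = None
            continue
        m = KEY_VALUE.match(line)
        if m and current is not None:
            last_key = m.group(1).strip()
            current.setdefault(last_key, []).append(m.group(2).strip())
        elif last_key:
            current[last_key].append(line.strip())
    return sections


def _addresses(values):
    """IP addresses among raw field values, ignoring placeholders like 'Does not show'."""
    out = []
    for v in values:
        try:
            out.append(ipaddress.ip_address(v))
        except ValueError:
            pass
    return out


def dns_findings(sections, dc_ip, lan_cidr):
    """List (adapter, problem) pairs for adapters whose settings cannot find the DC."""
    dc, lan = ipaddress.ip_address(dc_ip), ipaddress.ip_network(lan_cidr)
    findings = []
    for name, fields in sections.items():
        addrs = _addresses(fields.get("IP Address", []))
        if not addrs:
            continue                                   # disconnected adapter or header block
        if addrs[0] in APIPA:
            findings.append((name, "APIPA address %s: no DHCP lease was obtained" % addrs[0]))
        servers = _addresses(fields.get("DNS Servers", []))
        if not servers:
            findings.append((name, "no DNS servers configured"))
        elif servers[0] != dc:
            findings.append((name, "first DNS server is %s, not the DC %s" % (servers[0], dc)))
        for s in servers:
            if s not in lan:
                findings.append((name, "external resolver %s cannot answer for the AD zone" % s))
    return findings


# Constructed sample modelled on the desktop output posted in the thread.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : desktop
        Primary Dns Suffix  . . . . . . . : Mardens.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : bay.chartermi.net
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 24.247.24.53
                                            24.247.15.53

Ethernet adapter Local Area Connection 2:

        Media State . . . . . . . . . . . : Media disconnected
"""

if __name__ == "__main__":
    for adapter, problem in dns_findings(parse_ipconfig(SAMPLE), "192.168.0.5", "192.168.0.0/24"):
        print(adapter, "-", problem)
```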
CZ
2004-02-05 06:47:14 UTC
Permalink
Dave:

Verify that when you are logging on to the ws, you are selecting the domain for
authentication:
At the ws log on dialog:
Click the Options button.
Use the "Logon to:" drop-down menu to select "smallbusiness".
Enter user name and password.
Click OK button.
Dave Marden
2004-02-05 10:25:48 UTC
Permalink
I am logging onto the server, I do however log onto the
clients on a local basis, such as my laptop, when I take
it to work.

I really suspect that Roger is probably correct, I will
have to look at it in the morning when I get home from
work.

Dave Marden
Dave Marden
2004-02-06 16:11:55 UTC
Permalink
Roger, and CZ,
I got the fix out of the microsoft white papers. Roger you were
correct, I had a DNS problem. I had the client pc's pointing at my isp,
instead of the server. I appreciate it very much.

Dave Marden
Roger Abell
2004-02-07 07:15:26 UTC
Permalink
Yes, just noticed from the ipconfig's you posted.

Actually, with the clients connected directly to the router
you did pretty well getting SBS installed and going, as it
really favors a different network design (SBS between the
router and the network with the clients).

So you are now seeing policy apply as expected ??
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Post by Dave Marden
Roger, and CZ,
I got the fix out of the microsoft white papers. Roger you were
correct, I had a DNS problem. I had the client pc's pointing at my isp,
instead of the server. I appreciate it very much.
Dave Marden
Dave Marden
2004-02-07 14:13:12 UTC
Permalink
Yep, working well,

Do you think I should hook the other pc's up the other way? I can see where
it would give me a lot more options on how to configure the system.

Dave Marden
Roger Abell
2004-02-07 16:16:39 UTC
Permalink
Hi Dave,

IMO (no H this time) using the network with the client
machines all "behind" the SBS server gives to you a
number of advantages, and it does not increase the exposure
of anything (they all already have a direct public interface,
so you are only reducing to where only the server has this
exposure). With the network rearranged, you could easily
use a number of the pre-designed features of SBS, whereas
with it otherwise some would be inapplicable or in cases
still usable but convoluted.
You would especially want to reshuffle the network topology
if you bought the Premium version of SBS in order to use
ISA correctly.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Post by Dave Marden
Yep, working well,
Do you think I should hook the other pc's up the other way? I can see where
it would give me a lot more options on how to configure the system.
Dave Marden
Dave Marden
2004-02-08 14:44:34 UTC
Permalink
Last night my network stopped working. I had no internet or intranet.
For some reason root hints was not working, so I had to use the forwarders.
Just thought I'd let you know.

Thanks Again For All The Help,
Dave Marden
Roger Abell
2004-02-08 19:29:02 UTC
Permalink
Pretty hard to say what was up, but if you are going to use Forwarders you
should be aware of the EDNS0 issue in case it exists with your Forwarders

828731 - An External DNS Query May Cause an Error Message in Windows Server
2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731&Product=winsvr2003

You may also find the following of use
323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323380
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Post by Dave Marden
Last night my network stopped working. I had no internet or intranet.
For some reason root hints was not working, so I had to use the forwarders.
Just thought I'd let you know.
Thanks Again For All The Help,
Dave Marden
a***@discussions.microsoft.com
2004-02-05 19:18:08 UTC
Permalink
Have you placed your GPO where the default domain policy
is? Your reference to "local" puzzles me. Note also that
your user must have the right to read and apply group
policy. And you may be having a replication latency
problem if you have more than one DC. Finally, make sure
your policy is being applied by running gpupdate /Force on
the target machine and checking the Event Log for error
messages.
Dave Marden
2004-02-05 23:20:53 UTC
Permalink
I have placed it in the same location as the defaults, to be honest with
you sometimes it would show up in the Group Policy Results in GPMC under
Applied GPO's, but when you would go to Settings in the Group Policy Results
it does not show up as actually being applied. The same holds true for all
of my default GPO's.

By local only, I mean that under Group Policy Results the only settings
that show up are local policies, not defined by any of the default or
personalized GPO's.

Dave Marden
Post by a***@discussions.microsoft.com
Have you placed your GPO where the default domain policy
is? Your reference to "local" puzzles me. Note also that
your user must have the right to read and apply group
policy. And you may be having a replication latency
problem if you have more than one DC. Finally, make sure
your policy is being applied by running gpupdate /Force on
the target machine and checking the Event Log for error
messages.
Dave Marden
2004-02-05 23:43:41 UTC
Permalink
Running gpupdate /force does not make any difference.

Dave Marden
Post by a***@discussions.microsoft.com
Have you placed your GPO where the default domain policy
is? Your reference to "local" puzzles me. Note also that
your user must have the right to read and apply group
policy. And you may be having a replication latency
problem if you have more than one DC. Finally, make sure
your policy is being applied by running gpupdate /Force on
the target machine and checking the Event Log for error
messages.
Ricky Stead
2004-02-05 21:50:16 UTC
Permalink
I hope you find the answer. I have a brand new server
(2003 std edition) and new workstations and I am having
the same problem out of the box.
-----Original Message-----
I have been asking this question in Windows SBS 2003 newsgroups so far
to no avail, thought maybe someone here could help me.
I have been trying to figure this out. I have Windows Server 2003, and
I cannot get my personalized GPO's to work.
My client PC's are XP Pro, I have added 1 restriction for 1 user, just
to try to make it work. What I did is enforced Prohibit access to control
panel (I figured it would be easy to check). I created a GPO named John
Doe, then I put it last in the list under domainname.local, which happens to
be 7. Upon logging on as John Doe the control panel is still present. I
checked it on a client computer. The users are in the SBSUsers OU, and I
put the GPO link in (MyBusiness/Users).
What I want to do is be able to set restrictions on the users in my
domain.
I went into Group Policy Results, and upon generating results on this
Policy, and under Applied GPO's it doesn't even show up, and under Denied
GPO's, it also doesn't show up.
What am I doing wrong? I have enabled it and made sure it was set up the
same as the other default policies, but it still doesn't work.
I can't seem to figure this out and would really appreciate any help you
could give me.
Any help appreciated,
Dave Marden
Dave Marden
2004-02-05 23:23:55 UTC
Permalink
You could look in the Microsoft Knowledge Base under "Troubleshooting
Group Policy in Microsoft Windows Server 2003". They have some good white
papers on troubleshooting this problem. I just downloaded it and printed it
out and plan to start diving into that tonight.

Good Luck,
Dave Marden
Post by Ricky Stead
I hope you find the answer. I have a brand new server
(2003 std edition) and new workstations and I am having
the same problem out of the box.
-----Original Message-----
I have been asking this question in Windows SBS 2003 newsgroups so far
to no avail, thought maybe someone here could help me.
I have been trying to figure this out. I have Windows Server 2003, and
I cannot get my personalized GPO's to work.
My client PC's are XP Pro, I have added 1 restriction for 1 user, just
to try to make it work. What I did is enforced Prohibit access to control
panel (I figured it would be easy to check). I created a GPO named John
Doe, then I put it last in the list under domainname.local, which happens to
be 7. Upon logging on as John Doe the control panel is still present. I
checked it on a client computer. The users are in the SBSUsers OU, and I
put the GPO link in (MyBusiness/Users).
What I want to do is be able to set restrictions on the users in my
domain.
I went into Group Policy Results, and upon generating results on this
Policy, and under Applied GPO's it doesn't even show up, and under Denied
GPO's, it also doesn't show up.
What am I doing wrong? I have enabled it and made sure it was set up the
same as the other default policies, but it still doesn't work.
I can't seem to figure this out and would really appreciate any help you
could give me.
Any help appreciated,
Dave Marden
Roger Abell
2004-02-07 07:18:40 UTC
Permalink
If you mean a new out-of-the-box SBS and clients,
then if you have the clients all behind the SBS, with
the SBS between the client network and the outside,
then just allowing the clients to be DHCP served by
the SBS server should set your networking up in a
fully functioning manner.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Post by Ricky Stead
I hope you find the answer. I have a brand new server
(2003 std edition) and new workstations and I am having
the same problem out of the box.
-----Original Message-----
I have been asking this question in Windows SBS 2003 newsgroups so far
to no avail, thought maybe someone here could help me.
I have been trying to figure this out. I have Windows Server 2003, and
I cannot get my personalized GPO's to work.
My client PC's are XP Pro, I have added 1 restriction for 1 user, just
to try to make it work. What I did is enforced Prohibit access to control
panel (I figured it would be easy to check). I created a GPO named John
Doe, then I put it last in the list under domainname.local, which happens to
be 7. Upon logging on as John Doe the control panel is still present. I
checked it on a client computer. The users are in the SBSUsers OU, and I
put the GPO link in (MyBusiness/Users).
What I want to do is be able to set restrictions on the users in my
domain.
I went into Group Policy Results, and upon generating results on this
Policy, and under Applied GPO's it doesn't even show up, and under Denied
GPO's, it also doesn't show up.
What am I doing wrong? I have enabled it and made sure it was set up the
same as the other default policies, but it still doesn't work.
I can't seem to figure this out and would really appreciate any help you
could give me.
Any help appreciated,
Dave Marden
Ricky Stead
2004-02-06 14:25:24 UTC
Permalink
Make sure the first DNS Server IP address in your network
settings is the Domain Server. I changed this and it
fixed my problem.
-----Original Message-----
I have been asking this question in Windows SBS 2003 newsgroups so far
to no avail, thought maybe someone here could help me.
I have been trying to figure this out. I have Windows Server 2003, and
I cannot get my personalized GPO's to work.
My client PC's are XP Pro, I have added 1 restriction for 1 user, just
to try to make it work. What I did is enforced Prohibit access to control
panel (I figured it would be easy to check). I created a GPO named John
Doe, then I put it last in the list under domainname.local, which happens to
be 7. Upon logging on as John Doe the control panel is still present. I
checked it on a client computer. The users are in the SBSUsers OU, and I
put the GPO link in (MyBusiness/Users).
What I want to do is be able to set restrictions on the users in my
domain.
I went into Group Policy Results, and upon generating results on this
Policy, and under Applied GPO's it doesn't even show up, and under Denied
GPO's, it also doesn't show up.
What am I doing wrong? I have enabled it and made sure it was set up the
same as the other default policies, but it still doesn't work.
I can't seem to figure this out and would really appreciate any help you
could give me.
Any help appreciated,
Dave Marden
Dave Marden
2004-02-06 15:23:45 UTC
Permalink
Currently I have the desktop and the server set up to use the DNS
addresses from my ISP. Am I correct in taking this as meaning that each
client pc should use my server's IP address as the DNS address? If so
what DNS address should my server use, the ones from my ISP? Currently I
have the desktop set up to auto detect the IP address, as well as DNS
address, and I know that is wrong, so I will be correcting this.

I went through the troubleshooting white papers by Microsoft, and I did take it
that it was saying to use the server's IP address in the clients, but for
some reason that didn't really sound correct to me.

Could someone tell me based on the information provided above, what settings
would be correct, and where?


Any help appreciated,
Dave Marden
Post by Ricky Stead
Make sure the first DNS Server IP address in your network
settings is the Domain Server. I changed this and it
fixed my problem.
Roger Abell
2004-02-07 07:25:33 UTC
Permalink
In an SBS environment with one DC the SBS server should
use only its own internal IP for DNS in its TCP/IP config.
The DNS service can be set to use the ISP's DNS servers
as Forwarders (highlight the server node in the DNS mgmt
UI, r-click into its properties, and set this on the Forwarders
tab). Using the ISP's DNS server is not mandatory, as Root
Hints will be sufficient; if you do use them as Forwarders
one should make sure that this is OK with the ISP, as not all
DNS servers are configured so that they will work when
used as Forwarders.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Dave Marden
2004-02-06 16:05:38 UTC
Permalink
Yep, that did it Ricky. Finally. I have been reading every book I have
pertaining to Group Policies to no avail. I greatly appreciate it.

Huge thanks to you as well, Roger.

If anyone would not mind taking a look at those settings I listed above,
to let me know what else I should change to get my system set up correctly, I
would appreciate it.

Thanks, Thanks, Thanks,
Dave Marden
Roger Abell
2004-02-07 07:22:00 UTC
Permalink
Not just the "first" but the only !!
Any machine within an Active Directory should only
be allowed to use DNS servers that can resolve names
used by that Active Directory. If you put in ISP's or other
public DNS server IPs then at some point that machine will
show failure behaviors, since as soon as it has moved to the
next DNS server (where it will stick until the DNS client is
restarted or that DNS server is unresponsive) it will no longer
be able to resolve names from the private DNS namespace -
and at that point things break.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
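An added audit script, not code from this thread, that checks the two DNS rules Roger Abell gives above: every DNS server a client lists must be able to resolve the Active Directory's names, and a single-DC server should point only at itself with the ISP's resolvers kept in the DNS service's Forwarders. It assumes Windows 8 / Server 2012 or newer (DnsClient, NetTCPIP and, on a DC, DnsServer modules), so it would not run on the XP / SBS 2003 hosts in the thread; the domain name is taken from the environment.

```powershell
# Added example: audit DNS client settings on a domain member or DC.
$Domain  = $env:USERDNSDOMAIN                          # assumes a domain-joined machine
$Locator = "_ldap._tcp.dc._msdcs.$Domain"              # SRV record only AD-aware DNS can answer
$IsDc    = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4   # 4/5 = backup/primary DC

# Ask each configured DNS server, directly, for the DC locator record.
$findings = foreach ($cfg in (Get-DnsClientServerAddress -AddressFamily IPv4 |
                              Where-Object { $_.ServerAddresses.Count -gt 0 })) {
    foreach ($server in $cfg.ServerAddresses) {
        $ok = $true
        try   { $null = Resolve-DnsName -Name $Locator -Type SRV -Server $server -DnsOnly -ErrorAction Stop }
        catch { $ok = $false }
        [pscustomobject]@{ Interface = $cfg.InterfaceAlias; DnsServer = $server; ResolvesAD = $ok }
    }
}
$findings | Format-Table -AutoSize

# A resolver that cannot answer the locator query (an ISP resolver, for instance)
# breaks logon, GPO retrieval and DC lookup once the client fails over to it,
# which is the symptom reported at the top of this thread.
$bad = @($findings | Where-Object { -not $_.ResolvesAD })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) DNS server(s) cannot resolve $Locator; list only the domain's DNS servers on this adapter."
}

if ($IsDc) {
    # The DC should use only its own internal address for DNS; external
    # resolvers belong in the DNS Server service's Forwarders list, not on the NIC.
    $own     = (Get-NetIPAddress -AddressFamily IPv4).IPAddress      # includes 127.0.0.1
    $foreign = @($findings | Where-Object { $_.DnsServer -notin $own })
    if ($foreign.Count -gt 0) {
        Write-Warning "DC lists DNS servers other than itself: $($foreign.DnsServer -join ', ')"
    }
    "Forwarders configured on this DC: $((Get-DnsServerForwarder).IPAddress -join ', ')"
}
```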
Joe Raymond
2004-02-09 20:11:05 UTC
Permalink
Try this. This worked for me after I spent a few nights troubleshooting from the server side only to find nothing wrong.

Microsoft Knowledge Base Article - 314494

SYMPTOMS
On your Windows XP-based computer, group policies may not be applied as you expect. When you look at the Application Log of the Event Viewer, you see error data similar to the following:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 2/8/200
Time: 7:25:40 AM
User: NT AUTHORITY\SYSTEM
Computer: MYCOMPUTER
Description: Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=lcds,DC=lab
The file must be present at the location \\lcds.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Access is denied). Group Policy processing aborted.

Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1030
Date: 2/8/200
Time: 7:30:46 AM
User: N/A
Computer: MYCOMPUTER
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

CAUSE
This behavior may occur if both of the following conditions are true:
Your Windows XP-based computer is a member of a domain.

-and-
The Microsoft Distributed File System (DFS) client is turned off (disabled).
NOTE: The \\Active Directory Domain Name\Sysvol share is a special share that requires the DFS client to make a connection.

RESOLUTION
To resolve this issue, turn on (enable) the DFS client. To do this, follow these steps.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Click Start, and then click Run.
In the Open box, type regedt32, and then click OK.
In the Registry Editor window, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup

In the right details pane, double-click DisableDFS.

The DFS client is turned off if the value in the Value data box is 1.
The DFS client is turned on if the value in the Value data box is 0.
In the Edit DWORD Value dialog box that appears, type 0 in the Value data box, and then click OK.
On the File menu, click Exit to quit Registry Editor.
Additionally, turn on File and Printer Sharing for Microsoft Networks on the interface. To do this, follow these steps:
Click Start, point to Connect To, and then click Show all connections.
Right-click the appropriate connection, and then click Properties.
Click the General tab.
Under This connection uses the following items, verify that the check box next to File and Printer Sharing for Microsoft Networks is selected, and then click OK.
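An added script, not from the post or the KB article, that audits the conditions KB 314494 describes on a domain-joined client (DisableDFS under the Mup service, the File and Printer Sharing binding, whether the Default Domain Policy's gpt.ini in SYSVOL is readable, and whether the 1058/1030 events are present) and applies the documented fix only when run with -Fix. It assumes Windows 8 / Server 2012 or newer for the NetAdapter cmdlets; the SYSVOL path is the standard one and the domain name is taken from the environment.

```powershell
# Added example: audit (and with -Fix, remediate) the KB 314494 conditions.
param([switch]$Fix)   # without -Fix the script only reports

$mup = 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup'
$disableDfs = (Get-ItemProperty -Path $mup -Name DisableDFS -ErrorAction SilentlyContinue).DisableDFS
if ($disableDfs -eq 1) {
    Write-Warning "DFS client is disabled (DisableDFS=1); the SYSVOL share needs the DFS client."
    if ($Fix) { Set-ItemProperty -Path $mup -Name DisableDFS -Value 0 -Type DWord }
} else {
    "DisableDFS is " + $(if ($null -eq $disableDfs) { 'absent (default: DFS client enabled)' } else { $disableDfs })
}

# 'File and Printer Sharing for Microsoft Networks' is binding component ms_server.
$unbound = Get-NetAdapterBinding -ComponentID ms_server | Where-Object { -not $_.Enabled }
foreach ($b in $unbound) {
    Write-Warning "File and Printer Sharing is not bound on adapter '$($b.Name)'"
    if ($Fix) { Enable-NetAdapterBinding -Name $b.Name -ComponentID ms_server }
}

# Can this client read the Default Domain Policy's gpt.ini from SYSVOL?
# {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known Default Domain Policy GUID.
$domain = $env:USERDNSDOMAIN   # assumes a domain-joined machine
$gpt = "\\$domain\SYSVOL\$domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini"
if (Test-Path -LiteralPath $gpt) { "OK: $gpt is readable" } else { Write-Warning "Cannot read $gpt" }

# The tell-tale events: Userenv 1058 / SceCli 1030 in the Application log on XP;
# later Windows versions log Group Policy 1058 in the System log instead.
Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; Id = 1058, 1030 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Msg'; e = { $_.Message.Split("`n")[0] } }
```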