pemorej (TechnicalUser)
16 Nov 04 20:58
i am using win2k server with AD. i have set up a roaming profile for a certain user. when he logs in to other pc, his wallpaper is the same.
now my question is, how can i lock his wallpaper on a certain pc? for instance, user logs in at pc1 changes his wallpaper. then he logs in to pc2, his wallpaper is the same as what i have set in his roaming profile. can i possibly restrict his local profile on changing his wallpaper?
markdmac (MIS)
17 Nov 04 0:43
You can set the wallpaper via group policy and prevent the user from changing it via group policy.

I hope you find this post helpful.  Please let me know if it was.

Regards,

Mark

pemorej (TechnicalUser)
17 Nov 04 3:14
i have looked into the "domain security policy" and i can't find anything about "wallpapers". am i looking in the right one? "domain security policy" or "domain controller security policy"?
thanks.
markdmac (MIS)
17 Nov 04 8:50
No, you don't want to mess with those.  The domain security policy really should only be used to set a handful of security settings such as minimum password length, password age etc.

Create a new GPO.  You will need to drill down to
User Configuration
  Administrative Templates
    Desktop
       Active Desktop
          Wallpaper

Note that you will need to enable active desktop.
Also go to:
 
User Configuration
  Administrative Templates
     Control Panel
        Display
           Prevent Changing Wallpaper

I hope you find this post helpful.  Please let me know if it was.

Regards,

Mark

pemorej (TechnicalUser)
17 Nov 04 23:13
now i'm totally lost. GPO means group policy organization? and where do i start creating it?
active desktop option is disabled on my folder options and i can't enable it.
pemorej (TechnicalUser)
17 Nov 04 23:40
ok now. i explored the AD and i got the GPO. there is already a GPO in the AD, "Default Domain Policy". do i have to add another GPO or i'll just edit this one?
and also, the active desktop button on the workstations are disabled.
markdmac (MIS)
18 Nov 04 1:39
GPO = Group Policy Object

You will want to create a new one.  GPO settings will override the workstation settings.

I hope you find this post helpful.  Please let me know if it was.

Regards,

Mark

pemorej (TechnicalUser)
18 Nov 04 21:57
this is what i have done here, please correct me if this procedure is wrong:

1. i created a new organizational unit (named "netaccess1") under the root domain (named "laboratory1.local").
   it would be like this:
                      AD Users and Computers
                          --> laboratory1.local                                   
                                --> netaccess1

2. i created a user under the OU netaccess1, named it "kasparov"

i want to add/edit the GPO on all the users under OU netaccess1, so i

3. right click on the netaccess1, slide down to properties, and click on the "Group Policy" tab. there is no GPO present so i click "new" and it automatically adds a "New GPO".


IS THIS THE RIGHT PROCEDURE???
markdmac (MIS)
18 Nov 04 22:19
Yes that is correct.

I hope you find this post helpful.  Please let me know if it was.

Regards,

Mark

pemorej (TechnicalUser)
18 Nov 04 23:35
ok thanks for that, sir mark.
now what i want to do is to have the user "kasparov" a single wallpaper that he can't change even if he logs in to any machine under the domain.
this is what i did:

1. i clicked the edit button on the GPO that the user "kasparov" is under, the Group Policy Editor opens up
2. i went to:
   User Configuration
       --> Administrative Templates
              --> Desktop
                     --> Active Desktop
3. under the "Active Desktop" i changed these options:
         Active Desktop Wallpaper - enabled and set the unc          
                            path of the wallpaper, bmp.
         Allow Only Bitmapped Wallpaper - enabled
         Enable Active Desktop - enable
         Disable All Items - enable
         Prohibit Changes - enable
4. then i went to the:
   User Configuration
       --> Administrative Templates
               --> Control Panel
                      --> Display
                         Disable Changing Wallpaper - enable

i think i'm missing something because the user can still change his wallpaper.
markdmac (MIS)
19 Nov 04 0:01
Did you update the group policies on the test computer?

On Win2K run the following from a command prompt:
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

On XP it is just one command:
GPUPDATE /FORCE

Also, how many DCs do you have?  Did you allow time for replication?

I hope you find this post helpful.  Please let me know if it was.

Regards,

Mark

pemorej (TechnicalUser)
19 Nov 04 2:23
i only have 1 DC.

i run the 2 commands on the command prompt on 2 test workstations. i let it set for a little while, logged out, then logged in again, nothing. then i restarted the pc, let it set for a while, then logged in, i still can change the wallpaper.
markdmac (MIS)
19 Nov 04 10:06
Try setting the No Override on the GPO.  Also, run GPRESULT while logged on as the client and verify that the GPO is even being applied.

I hope you find this post helpful.  Please let me know if it was.

Regards,

Mark
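
Added example, not part of any post in this thread: a batch file that combines the refresh commands and the GPRESULT check suggested above, then reads the two per-user policy values that the Active Desktop Wallpaper and Prevent Changing Wallpaper settings write. The registry paths are those of the stock system.adm template, and reg.exe is assumed to be installed (Support Tools on Windows 2000).

```bat
@echo off
rem Added example, not from the thread. Run at a command prompt on the test
rem workstation while logged on as the affected user, not as an administrator.
setlocal

rem Windows 2000 reports "Version 5.00" and has no gpupdate, so use secedit.
ver | find "Version 5.00" >nul
if not errorlevel 1 (
    secedit /refreshpolicy machine_policy /enforce
    secedit /refreshpolicy user_policy /enforce
) else (
    gpupdate /force
)
rem secedit only triggers the refresh and returns at once. If the values
rem below look stale on Windows 2000, log off and on, then run this again.

rem Assumption: the GPO uses the standard system.adm template, which stores
rem both settings under the per-user Policies key.
set POL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

echo.
echo == Active Desktop Wallpaper ==
reg query "%POL%\System" /v Wallpaper
if errorlevel 1 echo NOT SET: the wallpaper policy did not reach this user.

echo.
echo == Prevent Changing Wallpaper ==
reg query "%POL%\ActiveDesktop" /v NoChangingWallPaper
if errorlevel 1 echo NOT SET: the lock policy did not reach this user.

echo.
echo == GPOs applied to this logon ==
gpresult
endlocal
```

If both values are reported NOT SET and GPRESULT lists only the local policy, the GPO is not reaching the user at all, which points at where the GPO is linked and who has permission to apply it rather than at the wallpaper settings themselves.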

pemorej (TechnicalUser)
22 Nov 04 23:59
i checked the "No Override" on the GPO. logged on to the test machine, the wallpaper is blank. then i run GPRESULT in the command:

        Last time Group Policy was applied: TODAY
       
        The computer received "registry" setings from these                
        GPOs:
               Local Group Policy

         The computer received "EFS Recovery" settings from      
         these GPOs:
                Local Groups Policy


         
markdmac (MIS)
23 Nov 04 1:52
OK, so that is showing you that your policy is NOT being applied (and not just not giving you the expected results).

You need to look at the security of the GPO and where the user account and GPO are applied.

At what OU is the test user account and at what OU level are you applying the GPO?  Have you set any explicit permissions for Apply or Deny of the GPO?

I hope you find this post helpful.  Please let me know if it was.

Regards,

Mark

pemorej (TechnicalUser)
23 Nov 04 4:54
ok this is what the domain tree looks like:

AD Users and Computers[labserver.laboratory1.local]
  -->laboratory1.local
      -->Builtin
      -->Computers
      -->Domain Controllers
      -->ForeignSecurityPrincipals
      -->classaccess1
      -->netaccess1
      -->users

i created the "classaccess1" and "netaccess1" OUs then i created a user "kasparov" inside the "netaccess1" OU:

AD Users and Computers[labserver.laboratory1.local]
  -->laboratory1.local
      -->Builtin
      -->Computers
      -->Domain Controllers
      -->ForeignSecurityPrincipals
      -->classaccess1
      -->netaccess1
         --<>kasparov
      -->users

i just right click on the "netaccess1" OU >> properties >> "Group Policy" tab >> since there is no GPO, i click "New" and a default GPO appears. that's when i click the "Edit" and went to the instructions that you gave me. This is what i did inside this GPO:
                User Configuration
                  -->Administrative Templates
                     -->Desktop
                        -->Active Desktop
                           --<>Enable Active Desktop-enable
                           --<>Disable All Items-enable
                           --<>Prohibit Changes-enable
                           --<>Active Desktop                  
                               Wallpaper-enabled and set the             
                               unc path of the wallpaper,
                               bmp.
                           --<>Allow Only Bitmapped
                               Wallpaper - enabled

                User Configuration
                  -->Administrative Templates
                     -->Control Panel
                        -->Display
                           --<>Disable Changing        
                               Wallpaper-enable

i also checked the "No Override" on the GPO.

i also had the "kasparov" user a roaming profile. i right click on the user "kasparov" >> properties >> "Profile" tab >> and set the "Profile Path" to "\\laboratory1\kasparov\"

QUESTION: in the domain laboratory1.local, is there a default GPO there or is it blank? mine is blank here.

markdmac (MIS)
23 Nov 04 9:35
Hmmm that does look OK to me.  Try explicitly setting to apply the GPO.  From the GPO list (where you would go to edit it) click the Properties button.  Now click the Security tab.  Add kasparov and at the bottom of the settings add Apply.

Your default GPO should be at the top level and it should have the same setting choices you see in the GPO you created.  Only a handful of the Security settings should be set here if you have set them.

I hope you find this post helpful.  Please let me know if it was.

Regards,

Mark

pemorej (TechnicalUser)
23 Nov 04 20:09
i added user "kasparov" on the Security Tab and its permission is set at "Read" by default. i logged in again to the test machines but again i could still change the wallpaper. i tried to check the "Add Group Policy" on the permission, set it "Allow" but still the same.

in the root domain tree:

AD Users and Computers[labserver.laboratory1.local]
  -->laboratory1.local

when i right click on the laboratory1.local and go to its GPO, is it blank(no GPO) by default?
markdmac (MIS)
23 Nov 04 22:35
Sounds like you missed the right setting for applying the GPO.  In the security tab, the last setting is APPLY.

I hope you find this post helpful.  Please let me know if it was.

Regards,

Mark

Canadaka (IS/IT--Management)
3 Dec 04 19:36
Greetings, i am trying to achieve the same thing "pemorej" is but without success.

I am running a new SBS2003 network, and followed much of the advice above to the "Small Business Server Client Computer" GPO. Other settings i set in the GPO have been working, but the force wallpaper not at all. Preventing a user from switching a wallpaper seems to be working though.

Did you ever get this working pemorej?
Canadaka (IS/IT--Management)
3 Dec 04 20:18
I ran rsop.msc on the workstation computers and they are getting the correct GPO settings "Small business Server client computer". I can see the active directory settings set fine, but they don't seem to work, the wallpaper is not being set.
pemorej (TechnicalUser)
6 Dec 04 19:00
i'm sorry i didn't reply here for quite some time, i'm working on something here that needs much attention.
anyway, about the gpo policy, still it doesn't work. i have done ALL the instructions above, explored a little bit and still to no avail.
i also ran poledit to see if the workstation is getting the unc path of the wallpaper to the server, it sees the unc path.
but still roaming user can change the wallpaper.
Canadaka (IS/IT--Management)
6 Dec 04 19:02
i posted this issue on another forum as well and got a solution and its working, might want to check it out:

http://www.security-forums.com/forum/viewtopic.php?t=24271&postdays=0&postorder=asc&start=0
pemorej (TechnicalUser)
9 Dec 04 22:08
ok thanks Canadaka for the tip. i'll check it out. got deadlines to catch up in here first. thanks again.
pemorej (TechnicalUser)
13 Dec 04 0:37
Canadaka, please check your thread on the other forum. thanks.
