Group Policy

[msilka]

I have 2 Windows 2000 Servers.
One is the domain controller with Active Directory.
The other does not have Active Directory and will be used for Terminal Services.

On the Server with Active Directory I set up an Organizational Unit then added a Group to that Unit called "Remote Users" and added the users who would be connecting.
I then added a policy to that Organization Group called "Remote Security" and enabled the various settings for the desktop.

On the Server without Active Directory I went into the MMC and added the Group Policy Snap-In. I selected the Group Policy I had created on the other server.

When I login under one of the remote users accounts the policy changes did not take affect.

What am I missing here?

Thank you

 

[Paul318]

msilka
I don't think a Group Policy can be applied to a group in that way. The users who you need to apply that Group Policy need to be in the OU the policy is set at.
You can then put the users you want to apply the policy to (in this case your remote users)in a group and set the "Apply Group Policy" permission to that group.
Paul

 

[msilka]

Ok,

So how do I restrict access on that server.
If I use the local policy it does it for all users including the administrator and I do not want that.

 

[hewissa]

"On the Server without Active Directory I went into the MMC and added the Group Policy Snap-In. I selected the Group Policy I had created on the other server."

In doing this you actually modified the local group policy which, yes, does apply to everyone. I would disable that local policy and allow the OU policy to impact the member server.

Reboot the member server after you have removed the gpo and logon again to see if the policy (ou) is applied.

Paulhonosutomo is correct, although applied to an OU, if its membership is simply a group, that won't work. On the security permissions of the OU/GPO you can apply the "Read" and "Apply Group Policy" to said group.

Hewissa

MCSE, CCNA, CIW

 

[msilka]

Ok,
That is a straight-forward answer.
My next question.
If those users in question log onto another computer
will that policy take effect there also?
I just want it to affect that 1 server not every computer they login to on the Domain.

 

[hewissa]

Yes, the gpo is applied to the users, therefore applied to any computer they log onto.

Place the server in it's own OU, and apply the GPO to that OU. Remove the OU for the users.

Hewissa

MCSE, CCNA, CIW

 

[msilka]

I placed the server in its own OU.
I applied the GPO to it.
I restarted the server and when it was restarting
it displayed the message about applying security policies.
I logged in under one of the users and the policy still did not take affect.

Is there something I am missing?

 

[hewissa]

Check the event viewer for errors in the security and application log.

Also, run the gptool or gpresult to see what gpo's are being applied and from where.

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp

Hewissa

MCSE, CCNA, CIW

 

[msilka]

I ran those programs.
I found that the Policy I had created was not getting to the server.
How do I make that policy get to the server?

 

[hewissa]

Is the server a member of the domain?

Check connectivity. Check DNS, make sure the server is registered and make sure it has proper DNS settings. Is the sever listed in AD?

Is the Domain policy being applied? Are any policies being applied?

Did event viewer report errors?

Hewissa

MCSE, CCNA, CIW

 

[msilka]

The server has the correct DNS Settings.
It does show in the AD of the other server.
There are not events in event viewer for policies.
When I ran the gpresult.exe it did show that the Default Domain Policy was applied.