[SOLVED] Server 2003 GPO help..

husla_16 · 09-20-2007, 07:07 PM

Greetings all...

I am a newbie at networking just so you know...

...I am running windows server 2003, I have 2 folders, a students folder (where students are located) and a users folder (where administrator account, and staff are located). If I was to create a new folder under the students folder ie: \\server\students\teachers..would I be able to set different policies for these two OU's? How do I distinguish between which GPO goes where?...I want it so the students are not allowed to touch anything inside the control panel (block access) or change the desktop background/color, and they can't install anything. For the Teachers I dont want them to have access to add/remove programs, or install anything, and to have their work follow them wherever they login on the domain. I've been at this for days, and am unable to distinguish which GPO resides on which OU...I've set the access restictors on the students folder, but both the students and the users folder had the same credentials...

...I hope someone out there can help me with this, as I have just deleted the GPO out of frustration, and am currently residing on the default domain GPO for my forest..any help would be greatly appreciated..

**Cellus** · 09-21-2007, 12:43 AM

To make it easier working with GPOs, you should use the Group Policy Management Console (GPMC). This will help visually to better label and organize GPOs, so you can understand what is affecting what. You can download the GPMC from the Microsoft website here.

Addendum:

To further assist on top of GPMC, you can run what is known as a Resultant Set of Policy (RSoP), which can "simulate" and lay out in a generated report what your GPOs are actually doing on a target computer. This will help you see "this is affecting this".

husla_16 · 09-21-2007, 06:11 PM

Thanks for the reply. Unfortunately, that program you've mentioned (GPMC) is what I have been using. Under Group Policy Objects, I have a Student GPO. The Location is set to "Students" Folder which is not enforced, but it is linked, and the Security Filtering is set to "Authenticated Users". Now, If I was to remove the Authenticated Users from the Security Filter, and just include all 250 students in that location instead, would I be able to accomplish the one thing I am trying to accomplish??...I've read about that RSOP, I'm currently looking at it, and am hoping to be able to create 2 separate policies the way I've been trying to do. By the way, since I removed that GPO last night, no users are able to logon except for administrator. "The local policy of this system does not allow you to logon interactively" is the error I receive. I wasnt in @ work today, so no one had access to the network allday.

I am going to use a backup of a GPO that I created sometime ago, and hopefully that will allow the kids to login again. I've just loaded the backup GPO's and the kids still cannot login with a general user I've created in the students folder to test.

I just wish, I could set my GPO's so that the kids have a locked down computer configuration, and the staff have a different configuration. I've been looking at the microsoft website for tips about GPO settings, perhaps when I try to run these apps, I will finally figure this GPO thing out.

**Cellus** · 09-21-2007, 07:59 PM

One of the nice things about RSoP is that, if you were to run through it and inspect the report, you could determine that the users would end up losing login capabilities, all without actually implementing it in the production environment.

Because, even with GPMC, GPOs and how they affect the environment can become too complex, RSoP allows you to simulate the effects on a target computer (which, by the way, does not actually affect the target computer - the target computer is a simulated version). In some environments, if you were to logically draw out and map the GPOs, their functions, and the computers and devices they affected, it could very well look like an incomprehensible mess. RSoP helps alleviate some of that confusion.

husla_16 · 09-24-2007, 01:16 PM

Thanks for the insight Cellus. I've located a kb article on the Microsoft Knowledge Base regarding my problem. "The local policy of this system does not permit you to logon interactively." you can look at it yourself here: http://support.microsoft.com/kb/253268/. I have not been able to logon to the Directory Services restore mode, as it says to, because I dont have that option after reboot. So instead, I've just located the folder it specifies and made the required changes in there. I just copy and pasted everything in the "Permissions compatible only with Windows 2000 users" into my GptTmpl.inf folder. I've read and followed all the steps it tells me to, and now I can't login on my network computer because the client computer cannot find the password I've specified..

I get an error.."the system could not log you on. Make sure the user and domain are correct, then retype your password". My user is correct, and the password has been reset twice. I've created a test account in the students folder, and I cannot login with that account on all computers, I can login to some but not all systems. I've created a test account in the teachers (users) folder called test2 and I cannot login with that account at all. I may have to DCPromo it down and start from scratch...but I dont know how to do it so that it was the way it was before I took over...how do you create a backup??

husla_16 · 09-25-2007, 12:08 PM

Quick UPdate: I've gone into Directory Services Restore Mode and I reset user rights in teh Defaul Domain Controllers Group Policy as it says to in the kb article 267553 which you can find HERE http://support.microsoft.com/kb/267553. I've checked out the sysvol folder after reboot and all the settings that i've made have changed. I still receive that same error after rebooting the computer. "The local policy of this system does not permit you to logon interactively". There's no backups (I guess the previous tech did not perform any) so I may have to reinstall everything. I'm not 100% positive I know how to do that, is it the same as a standalone installation?. Do I have to assign the DHCP and DNS or will the Server CD do it for me?.

. I've requested network tech's assistance, and hopefully they will get here before the end of the week.

09-20-2007, 07:07 PM	#1 (permalink)
husla_16 Registered User Join Date: Sep 2007 Location: manitoba canada Posts: 34 OS: windows server 2003	[SOLVED] Server 2003 GPO help.. Greetings all... I am a newbie at networking just so you know......I am running windows server 2003, I have 2 folders, a students folder (where students are located) and a users folder (where administrator account, and staff are located). If I was to create a new folder under the students folder ie: \\server\students\teachers..would I be able to set different policies for these two OU's? How do I distinguish between which GPO goes where?...I want it so the students are not allowed to touch anything inside the control panel (block access) or change the desktop background/color, and they can't install anything. For the Teachers I dont want them to have access to add/remove programs, or install anything, and to have their work follow them wherever they login on the domain. I've been at this for days, and am unable to distinguish which GPO resides on which OU...I've set the access restictors on the students folder, but both the students and the users folder had the same credentials......I hope someone out there can help me with this, as I have just deleted the GPO out of frustration, and am currently residing on the default domain GPO for my forest..any help would be greatly appreciated..

09-21-2007, 12:43 AM	#2 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,664 OS: Windows Vista Business SP1, Windows XP Professional SP3 My System	Re: Server 2003 GPO help.. To make it easier working with GPOs, you should use the Group Policy Management Console (GPMC). This will help visually to better label and organize GPOs, so you can understand what is affecting what. You can download the GPMC from the Microsoft website here. Addendum: To further assist on top of GPMC, you can run what is known as a Resultant Set of Policy (RSoP), which can "simulate" and lay out in a generated report what your GPOs are actually doing on a target computer. This will help you see "this is affecting this". __________________ TSF Networking Team Virus/Trojan/Spyware Removal Help Donate! Last edited by Cellus; 09-21-2007 at 12:46 AM.

09-21-2007, 06:11 PM	#3 (permalink)
husla_16 Registered User Join Date: Sep 2007 Location: manitoba canada Posts: 34 OS: windows server 2003	Re: Server 2003 GPO help.. Thanks for the reply. Unfortunately, that program you've mentioned (GPMC) is what I have been using. Under Group Policy Objects, I have a Student GPO. The Location is set to "Students" Folder which is not enforced, but it is linked, and the Security Filtering is set to "Authenticated Users". Now, If I was to remove the Authenticated Users from the Security Filter, and just include all 250 students in that location instead, would I be able to accomplish the one thing I am trying to accomplish??...I've read about that RSOP, I'm currently looking at it, and am hoping to be able to create 2 separate policies the way I've been trying to do. By the way, since I removed that GPO last night, no users are able to logon except for administrator. "The local policy of this system does not allow you to logon interactively" is the error I receive. I wasnt in @ work today, so no one had access to the network allday. I am going to use a backup of a GPO that I created sometime ago, and hopefully that will allow the kids to login again. I've just loaded the backup GPO's and the kids still cannot login with a general user I've created in the students folder to test. I just wish, I could set my GPO's so that the kids have a locked down computer configuration, and the staff have a different configuration. I've been looking at the microsoft website for tips about GPO settings, perhaps when I try to run these apps, I will finally figure this GPO thing out. Last edited by husla_16; 09-21-2007 at 06:29 PM. Reason: mistake

09-21-2007, 07:59 PM	#4 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,664 OS: Windows Vista Business SP1, Windows XP Professional SP3 My System	Re: Server 2003 GPO help.. One of the nice things about RSoP is that, if you were to run through it and inspect the report, you could determine that the users would end up losing login capabilities, all without actually implementing it in the production environment. Because, even with GPMC, GPOs and how they affect the environment can become too complex, RSoP allows you to simulate the effects on a target computer (which, by the way, does not actually affect the target computer - the target computer is a simulated version). In some environments, if you were to logically draw out and map the GPOs, their functions, and the computers and devices they affected, it could very well look like an incomprehensible mess. RSoP helps alleviate some of that confusion. __________________ TSF Networking Team Virus/Trojan/Spyware Removal Help Donate!

09-24-2007, 01:16 PM	#5 (permalink)
husla_16 Registered User Join Date: Sep 2007 Location: manitoba canada Posts: 34 OS: windows server 2003	Re: Server 2003 GPO help.. Thanks for the insight Cellus. I've located a kb article on the Microsoft Knowledge Base regarding my problem. "The local policy of this system does not permit you to logon interactively." you can look at it yourself here: http://support.microsoft.com/kb/253268/. I have not been able to logon to the Directory Services restore mode, as it says to, because I dont have that option after reboot. So instead, I've just located the folder it specifies and made the required changes in there. I just copy and pasted everything in the "Permissions compatible only with Windows 2000 users" into my GptTmpl.inf folder. I've read and followed all the steps it tells me to, and now I can't login on my network computer because the client computer cannot find the password I've specified.. I get an error.."the system could not log you on. Make sure the user and domain are correct, then retype your password". My user is correct, and the password has been reset twice. I've created a test account in the students folder, and I cannot login with that account on all computers, I can login to some but not all systems. I've created a test account in the teachers (users) folder called test2 and I cannot login with that account at all. I may have to DCPromo it down and start from scratch...but I dont know how to do it so that it was the way it was before I took over...how do you create a backup?? Last edited by husla_16; 09-24-2007 at 01:35 PM. Reason: mistake about test account

09-25-2007, 12:08 PM	#6 (permalink)
husla_16 Registered User Join Date: Sep 2007 Location: manitoba canada Posts: 34 OS: windows server 2003	Re: Server 2003 GPO help.. Quick UPdate: I've gone into Directory Services Restore Mode and I reset user rights in teh Defaul Domain Controllers Group Policy as it says to in the kb article 267553 which you can find HERE http://support.microsoft.com/kb/267553. I've checked out the sysvol folder after reboot and all the settings that i've made have changed. I still receive that same error after rebooting the computer. "The local policy of this system does not permit you to logon interactively". There's no backups (I guess the previous tech did not perform any) so I may have to reinstall everything. I'm not 100% positive I know how to do that, is it the same as a standalone installation?. Do I have to assign the DHCP and DNS or will the Server CD do it for me?. . I've requested network tech's assistance, and hopefully they will get here before the end of the week. Last edited by husla_16; 09-25-2007 at 12:09 PM.