More putzing with the new server
I want to try out the CrossLoop client stuff tonight and the ISA web filter, too.
But first, let’s get caught up on the crummy stuff I had to do to get here.
Well, that required-password setting was getting pretty wearisome, so I disabled it, only to find that it was still in effect, despite running gpupdate. Man, that’s irritating.
I set up a new GPO called “IE7 Settings” but couldn’t find a darn thing I wanted to set. I was going to force on the phishing filter, but that’s not an option (though turning it OFF is.)
I also put in place a “Lockdown Desktop Features” GPO and tried setting only this:
But then it wouldn’t let me log in! I turned off ALL of the Default Domain Account stuff and tried to change otto’s password and I still get:
So I’ll try to turn it off directly from Default Domain Security Settings. The only thing left to turn off is the Account Lockout. Let’s try the Default Domain Controller Security Settings. Nope, none there. Let’s try giving otto a goofy password. One that MEETS the requirements works! I’ll log in again and see if that makes a difference. Nope. Even resetting the server did NO GOOD. What finally worked was going in to the Password Complexity and changing it from “Not defined” to “Disabled.” I could then immediately change the otto password.
As to the GPO, once I logged in, an icon I purposely put on the desktop was still there. But then, the fast startup features sometimes require two logins to activate a GPO. Sure enough, when I logged otto out and in, the icon disappeared. Let’s try clicking “Enforced” on the OU’s GPO so it’s UNchecked. I run gpupdate and log back in. Nope, no icon. I log off/on again. Still nothing. I run gpupdate on the client and log off/on. Still nothing. I notice that I can’t even right-click on the desktop. These GPOs STICK! I’m going to try a reboot. Still STUCK. I’ll try unchecking the Link Enabled. That WORKED! Now I’ll try re-linking it. Yep, that activated it. So I STILL wonder what that “Enforced” means??? (Looks like that is a facility to prevent overriding at some level. Printing out more info on that now.) But I have proven that it is the “Link Enabled” that is the key here. Unlinking seems to basically be a way to disable it and is one step short of deleting it from the OU (NOT the stockpile of available GPOs.)
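Since the difference between “Link Enabled” and “Enforced” is the crux of the paragraph above, here is a small toy model of the documented link-precedence rules, written as an added example (it is not code from this post or from Microsoft). It models the domain and OU containers only (site and local policy are left out), assumes the links in each container are listed in application order (the last one applied wins, which is GPMC’s “Link Order 1”), and encodes three rules: a link with Link Enabled unchecked contributes nothing, Block Inheritance on a container drops non-enforced links from above, and an Enforced link cannot be blocked and wins conflicts against links further down (a higher-level enforced link beats a lower-level one). The container names, GPO names and setting names are made up for the demonstration.

```python
"""Toy model of Group Policy link precedence (added example, not from the post).

Assumptions (labelled): containers are processed root-to-leaf, later settings
override earlier ones; a disabled link is ignored entirely; Block Inheritance
drops inherited non-enforced links; Enforced links cannot be blocked and are
applied last, higher-level enforced links winning over lower-level ones.
Site and local policy are deliberately left out of the model.
"""
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    name: str
    settings: dict            # setting name -> value
    enabled: bool = True      # the "Link Enabled" checkbox
    enforced: bool = False    # the "Enforced" checkbox


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # in application order
    block_inheritance: bool = False


def resolve(chain):
    """chain: containers from the domain root down to the target OU.
    Returns the effective settings dict under the model's rules."""
    normal = []     # enabled, non-enforced links in application order
    enforced = []   # enabled, enforced links, root first
    for container in chain:
        if container.block_inheritance:
            normal = []             # inherited non-enforced links are dropped
        for link in container.links:
            if not link.enabled:
                continue            # unlinked / Link Enabled unchecked: as if absent
            (enforced if link.enforced else normal).append(link)
    effective = {}
    for link in normal:             # leaf-most non-enforced link applies last
        effective.update(link.settings)
    for link in reversed(enforced): # enforced links apply after everything else;
        effective.update(link.settings)  # root-level enforced link ends up winning
    return effective


def scenario_post(link_enabled, enforced):
    """Mirrors the experiment in the post: one lockdown GPO linked to an OU
    under the domain, toggling Link Enabled and Enforced on that link."""
    domain = Container("lab.local", [
        GpoLink("Default Domain Policy", {"PasswordComplexity": "Disabled"})])
    ou = Container("Workstations", [
        GpoLink("Lockdown Desktop Features", {"HideDesktopIcons": True},
                enabled=link_enabled, enforced=enforced)])
    return resolve([domain, ou])


def scenario_override(parent_enforced, child_blocks):
    """Shows what Enforced is actually for: a child OU links a GPO that sets
    the same value, and may also have Block Inheritance turned on."""
    domain = Container("lab.local", [
        GpoLink("Corp Wallpaper", {"Wallpaper": "corp.bmp"}, enforced=parent_enforced)])
    child = Container("Sales", [
        GpoLink("Sales Wallpaper", {"Wallpaper": "sales.bmp"})],
        block_inheritance=child_blocks)
    return resolve([domain, child])


if __name__ == "__main__":
    for enabled, enf in [(True, False), (True, True), (False, True)]:
        print(f"link enabled={enabled} enforced={enf}:", scenario_post(enabled, enf))
    for enf, block in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"parent enforced={enf} child blocks={block}:", scenario_override(enf, block))
```

In the first scenario the Enforced checkbox changes nothing, because no lower-level link ever conflicts with the lockdown GPO; only unchecking Link Enabled makes the setting disappear. In the second scenario Enforced is what decides whether the domain’s value survives a conflicting child link or a Block Inheritance on the child OU.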
I wanted to remove the default setting of audit logging all SUCCESSFUL account logons. This seems a little odd since entries are being added continually, especially for the system logging in/out all the time. I saw about 10 entries a minute last night and I wasn’t doing much. A user logging in seems to create about a dozen. So I turned it to audit Failure account logons. I noticed that there are many other success audit entries and I may have to zap these, too. By the way, these are at the Domain Controller level.
Yikes, yes there are still WAY too many entries for my taste. Here is what the default settings WERE:
Now, the settings I think I’ll go with ARE:
To try it out, I went to the client and Ctrl-Alt-Deleted to try to change the password and got an Account Management failure, Event 627, which gives me the user and the computer. Sweet!
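As an added example (not from the post) of the two things the paragraphs above are doing by eye, the script below takes a Security log saved in CSV form and measures how much of it is success-audit noise per minute, then pulls out the Account Management failures (Event 627, the change-password attempt) with the user and computer they name. The log lines are constructed for the demonstration, laid out in the column order Date, Time, Type, Category, Event ID, User, Computer; the user, computer and domain names are made up, and the column layout of a real export should be checked before relying on the field positions.

```python
"""Summarise a Security log export and pull out Event 627 failures.
Added example, not from the post.  The sample below is constructed, not a real
log; it imitates a Security log saved as CSV with the columns
Date, Time, Type, Category, Event ID, User, Computer."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample: a quiet minute of default success auditing on a DC,
# followed by two failed password-change attempts from a workstation.
SAMPLE = r"""03/05/2007,21:00:03,Success Audit,Logon/Logoff,540,NT AUTHORITY\SYSTEM,SERVER1
03/05/2007,21:00:05,Success Audit,Account Logon,672,SERVER1$,SERVER1
03/05/2007,21:00:21,Success Audit,Logon/Logoff,538,NT AUTHORITY\SYSTEM,SERVER1
03/05/2007,21:00:40,Success Audit,Account Logon,673,CLIENT1$,SERVER1
03/05/2007,21:00:58,Success Audit,Logon/Logoff,540,NT AUTHORITY\SYSTEM,SERVER1
03/05/2007,21:01:10,Failure Audit,Account Management,627,LAB\otto,CLIENT1
03/05/2007,21:01:12,Failure Audit,Account Management,627,LAB\otto,CLIENT1
03/05/2007,21:01:30,Success Audit,Account Logon,672,LAB\otto,SERVER1
"""

FIELDS = ("date", "time", "type", "category", "event_id", "user", "computer")


def parse_security_export(text):
    """Turn the CSV text into a list of dicts, one per event."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue                      # skip blank or malformed lines
        rec = dict(zip(FIELDS, (c.strip() for c in row)))
        rec["event_id"] = int(rec["event_id"])
        records.append(rec)
    return records


def success_per_minute(records):
    """Count Success Audit entries per HH:MM bucket: the noise the post is
    complaining about, measured instead of eyeballed."""
    return Counter(r["time"][:5] for r in records if r["type"] == "Success Audit")


def category_counts(records, audit_type):
    """Which audit categories produce the entries of a given type."""
    return Counter(r["category"] for r in records if r["type"] == audit_type)


def password_change_failures(records):
    """Event 627 failures, with the account and the computer each one names."""
    return [
        {"time": r["time"], "user": r["user"], "computer": r["computer"]}
        for r in records
        if r["event_id"] == 627 and r["type"] == "Failure Audit"
    ]


if __name__ == "__main__":
    recs = parse_security_export(SAMPLE)
    print("success audits per minute:", dict(success_per_minute(recs)))
    print("success audit categories:", dict(category_counts(recs, "Success Audit")))
    for f in password_change_failures(recs):
        print(f"{f['time']} change-password attempt failed for {f['user']} from {f['computer']}")
```

Running it over a real export makes the trade-off in the post concrete: the category counts show which success-audit categories are filling the log, and the 627 list is the kind of record worth keeping even after the noisy categories are turned down.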
I also tracked down a kb article titled “How to configure an authoritative time server in Windows Server 2003” at: http://support.microsoft.com/kb/816042
How confusing! In XP you click on a tab and a button and you’re done. Here they want you to edit a bunch of registry entries.
Now I notice I’m out of time and I didn’t get to the two things I wanted to. Oh, well!