Archive for the ‘Group Policy’ Category
While installing Level Platforms (LPI) Onsite Manager onto a Windows Server 2003 (a member server running as an ESXi guest and added to a SBS 2003 domain) all went well, but one service would not start. Final solution was that the MWService account did not have sufficient permissions. LPI tech support said to add that account to Administrators, Domain Administrators and Enterprise Administrators. This solved the problem.
I want to try out the CrossLoop client stuff tonight and the ISA web filter, too.
But first, let’s get caught up on the crummy stuff I had to do to get here.
Well, that required password setting was getting pretty wearisome, so I disabled it, only to find that it was still in effect, despite running gpupdate. Man, that’s irritating.
I set up a new GPO called “IE7 Settings” but couldn’t find a darn thing I wanted to set. I was going to force on the phishing filter, but that’s not an option (though turning it OFF is.)
I also put in place a “Lockdown Desktop Features” GPO and tried setting only this:
But then it wouldn’t let me log in! I turned off ALL of the Default Domain Account stuff and tried to change otto’s password and I still get:
So I’ll try to turn it off directly from Default Domain Security Settings. The only thing left to turn off is the Account Lockout. Let’s try the Default Domain Controller Security Settings. Nope, none there. Let’s try giving otto a goofy password. One that MEETS the requirements works! I’ll re-login and see if that makes a difference. Nope. Even resetting the server did NO GOOD. What finally worked was going in to the Password Complexity and changing it from “Not defined” to “Disabled.” I could then immediately change the otto password.
As to the GPO, once I logged in, an icon I purposely put on the desktop is still there. But then, the fast startup features sometimes require two logins to activate a GPO. Sure enough, when I logged otto out and in, the icon disappeared. Let’s try clicking “Enforced” on the OU’s GPO so it’s UNchecked. I run gpupdate and log back in. Nope, no icon. I logoff/on again. Still nothing. I run gpupdate on the client and logoff/on. Still nothing. I notice that I can’t even right click on the desktop. These GPOs STICK! I’m going to try a reboot. Still STUCK. I’ll try unchecking the Link Enabled. That WORKED! Now I’ll try re-linking it. Yep, that activated it. So I STILL wonder what that “Enforced” means??? (Looks like that is a facility to prevent overriding at some level. Printing out more info on that now.) But I have proven that it is the “Enable Link” that is the key here. Unlinking seems to basically be a way to disable it and is one step short of deleting it from the OU (NOT the stockpile of available GPOs.)
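The Enforced-versus-Link-Enabled distinction puzzled over above can be read straight off the OU with the GroupPolicy PowerShell module. The script below is an added example, not code from the original post; it assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT on a client), and the OU and GPO names in the usage comments are taken from this page but are placeholders for your own. "Link Enabled" decides whether a linked GPO applies at all; "Enforced" only decides whether that link wins over a child OU's Block Inheritance and over conflicting GPOs linked lower down, which is why unchecking it changed nothing here.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module.
Import-Module GroupPolicy

function Get-OuGpoLinkState {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    # Get-GPInheritance returns every GPO link on the OU plus the OU's own
    # Block Inheritance flag, so both halves of the precedence picture are here.
    $inh = Get-GPInheritance -Target $OuDistinguishedName
    foreach ($link in $inh.GpoLinks) {
        [pscustomobject]@{
            GpoName          = $link.DisplayName
            LinkEnabled      = $link.Enabled    # does this GPO apply to the OU at all?
            Enforced         = $link.Enforced   # does it override Block Inheritance below it?
            Order            = $link.Order      # lower number = higher precedence among links
            BlockInheritance = $inh.GpoInheritanceBlocked
        }
    }
}

function Set-OuGpoLinkEnabled {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Disabling the link (not the GPO) is the non-destructive "off switch":
    # the GPO stays in the domain's GPO store and can be re-linked later.
    $flag = if ($Enabled) { 'Yes' } else { 'No' }
    Set-GPLink -Name $GpoName -Target $OuDistinguishedName -LinkEnabled $flag | Out-Null
}

# Usage (names from the post, substitute your own):
#   $ou = 'OU=RIT Users,DC=risky,DC=local'
#   Get-OuGpoLinkState -OuDistinguishedName $ou | Format-Table -AutoSize
#   Set-OuGpoLinkEnabled -GpoName 'Lockdown Desktop Features' -OuDistinguishedName $ou -Enabled $false
#   gpupdate /force   # then log the user off and on: user-side settings apply at logon,
#                     # and with fast logon enabled the first logon may use cached policy
```

After changing a link, `gpresult /r` on the client lists the GPOs that actually applied for the user and the computer, which is quicker than watching for a desktop icon to disappear.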
I wanted to remove the default setting of audit logging all SUCCESSFUL account logons. This seems a little odd since entries are being added continually, especially for the system logging in/out all the time. I saw about 10 entries a minute last night and I wasn’t doing much. A user logging in seems to create about a dozen. So I turned it to audit Failure account logons. I noticed that there are many other success audit entries and I may have to zap these, too. By the way these are at the Domain Controller level.
Yikes, yes there are still WAY too many entries for my taste. Here is what the default settings WERE:
Now, the settings I think I’ll go with ARE:
To try it out, I went to the client and Ctrl-Alt-Deleted to try to change the password and got an Account Management failure Event 627, which gives me the user and the computer. Sweet!
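Deciding which success audits to keep is easier with numbers than with a scrolling Event Viewer. The script below is an added example, not code from the original post; it assumes Windows PowerShell with the classic Get-EventLog cmdlet on the domain controller, and the pre-Vista event IDs the post uses (627 is "Change Password Attempt" on Windows Server 2003; on Vista and later the same audit is 4723). It counts Security log entries per event ID and audit type over a window so the noisiest success audits stand out, then pulls the most recent 627 entries to confirm the test the post describes.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell and the
# classic Security log (Get-EventLog); event IDs are the Windows Server 2003 ones.
function Get-SecurityAuditSummary {
    param(
        [int]$Hours = 1,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-EventLog -LogName Security -ComputerName $ComputerName -After $since
    # Group by audit type (SuccessAudit/FailureAudit) and event ID, busiest first.
    $events | Group-Object EntryType, EventID | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                EntryType = $_.Group[0].EntryType
                EventID   = $_.Group[0].EventID
                Count     = $_.Count
                PerMinute = [math]::Round($_.Count / ($Hours * 60), 2)
            }
        }
}

function Get-RecentPasswordChangeAttempts {
    param(
        [int]$Newest = 5,
        [int]$EventID = 627,          # 627 = Change Password Attempt on Server 2003 (4723 on Vista+)
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # The message body carries the target user and the workstation, which is
    # what the post's Event 627 showed for the failed Ctrl-Alt-Del change.
    Get-EventLog -LogName Security -ComputerName $ComputerName -Newest 2000 |
        Where-Object { $_.EventID -eq $EventID } |
        Select-Object -First $Newest TimeGenerated, EntryType, UserName, Message
}

# Usage:
#   Get-SecurityAuditSummary -Hours 8 | Format-Table -AutoSize
#   Get-RecentPasswordChangeAttempts | Format-List
```

Run the summary before and after changing the Domain Controller audit policy: the per-minute column for the success-audit logon IDs is the figure to watch, and the failure-audit rows are the ones worth keeping since they are the signal a defender actually reads.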
I also tracked down a kb article titled “How to configure an authoritative time server in Windows Server 2003” at: http://support.microsoft.com/kb/816042
How confusing! In XP you click on a tab and a button and you’re done. Here they want you to edit a bunch of registry entries.
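The registry edits in KB 816042 can be made with w32tm instead of by hand. The script below is an added example, not code from the original post or from the KB; it assumes it is run as an administrator on the domain controller that holds the PDC emulator role, and the upstream NTP peers are placeholders to replace with your own. The first function applies the authoritative-server settings through w32tm, which writes the same W32Time values the KB lists; the second reads those values back so the result can be checked against the article.

```powershell
# Added example (not from the original post or KB 816042). Run elevated on the PDC emulator.
function Set-AuthoritativeTimeServer {
    param(
        # Placeholder upstream sources; w32tm takes a space-separated list.
        [string]$Peers = 'time.nist.gov 0.pool.ntp.org'
    )
    # /manualpeerlist -> Parameters\NtpServer, /syncfromflags:manual -> Parameters\Type = NTP,
    # /reliable:yes -> Config\AnnounceFlags = 5 (advertise as a reliable time source).
    w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
    Restart-Service -Name W32Time
    w32tm /resync
}

function Get-TimeServiceConfig {
    # Reads the W32Time keys KB 816042 tells you to edit by hand.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $parameters = Get-ItemProperty -Path "$base\Parameters"
    $config     = Get-ItemProperty -Path "$base\Config"
    $ntpServer  = Get-ItemProperty -Path "$base\TimeProviders\NtpServer"
    $ntpClient  = Get-ItemProperty -Path "$base\TimeProviders\NtpClient"
    [pscustomobject]@{
        Type                = $parameters.Type          # NTP on the authoritative DC, NT5DS on domain members
        NtpServer           = $parameters.NtpServer     # upstream peers for the authoritative DC
        AnnounceFlags       = $config.AnnounceFlags     # 5 = reliable time source for the domain
        NtpServerEnabled    = $ntpServer.Enabled        # 1 = answer NTP requests from clients
        SpecialPollInterval = $ntpClient.SpecialPollInterval
    }
}

# Usage:
#   Set-AuthoritativeTimeServer -Peers 'ntp.example.internal'   # placeholder peer
#   Get-TimeServiceConfig | Format-List
#
# Domain members should keep Type = NT5DS and follow the domain hierarchy; a member that was
# pointed at a manual peer can be put back with:  w32tm /config /syncfromflags:domhier /update
```

Only the PDC emulator should sync from an outside source; every other DC and member follows the domain hierarchy, which keeps Kerberos clock skew inside its five-minute tolerance without per-machine registry work.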
Notice I’m out of time and I didn’t get to the two things I wanted to. Oh, well!
The defaults that were set up are shown (though I had changed the days from 1 to 0 for Minimum Password Age):
I printed all of this AND the Default Domain Controller to a paper log. I created two GPOs, one for the RIT Cptrs OU called “Require automatic updates daily” and one for the RIT Users OU called “Desktop efficiency.”
Yikes, so now I’ve added the computer account redboot67 and go to the PC to give it that name and it tells me it’s already set up so it will use the old name. Sheesh!
It went ahead and added this to the domain using this screwy name. Then I deleted the redboot67 computer from the RIT Cptrs OU and tried to change the computer name. I got no “Welcome to the risky.local domain” but then I got no message. But when I tried to re-add it I got a message saying the pre-2000 (NetBIOS I suppose) name still exists. There is no WINS server, so I wonder where this is stored?
Tried using nbtstat with various options and it didn’t show it anywhere. BUT, then I went back to the AD Users and Computers and pressed F5 and the garbage name changed to redboot67. So, I moved it to the OU. BUT, WHY wouldn’t it let me add the computer that had already been added through AD Users and Computers???
Also, how can I give a domain admin full admin rights to any client XP workstation??
Elevated the B lab server to the highest functional level, Windows Server 2003. It said it would replicate this out to the entire domain, but I didn’t see the other server’s light do much and it cranks a lot when ANYthing happens. Hmmm. But I looked at it and sure enough it IS elevated, too.
Found how to require Automatic Updates even if a local Administrator tries to override. Set up a GPO I called Require Automatic Updates and set as shown:
Man, these PCs start slow now that roaming profiles and folder redirection is in place. They sit at the “Establishing network connections” prompt for over a minute. Tried removing the “Turn off fast logon” GPO, but it’s still pokey.
A standard PC workstation setup is a somewhat personal matter. What should and should not be on a desktop or on the Start menu or allowed alterations to the user profile will vary from administrator to administrator and even from time to time. Still, it makes sense to have a list of standard “golden PC” options. And it needs to be a working list, subject to improvement based upon learning and changes to technology.
So here’s the first rough start, assuming we’re starting with an XP Pro SP2 workstation:
Turn off Windows Messenger autostartup