
2000 Server users and security groups and group policies!

 
 
Users n Security groups n Group Policies
Guest
Posts: n/a

 
      03-09-2005
I have a Windows 2000 SBS set up as a domain controller. I have created new
security groups inside the domain, along with users. The users were added to
their specified security groups. (This was done in the year 2003.) Just
recently I have created Group Policies, and have added the users to their
correct group policy, along with a general group policy that is at the bottom
of the list and is the first applied.

It seems that SOME (including ALL newly created users) of the users are not
fully making the correct relationship connection to their security group...
They have all the rights/privileges of their specified security group, but
they do not take on the policies that are set up for that security group, OR
the general group policy for "Authenticated Users". When I log into a
computer with a user that does not seem to fully make the correct
relationship connection, and run gpresult.exe the "Assigned Security Groups"
area is BLANK. Yet when looking in Active Directory under both the user's
"Member Of" tab and the corresponding "Security Group"'s "Members" tab, it
correctly appears in here.

Any ideas or suggestions or questions for further clarification are GREATLY
appreciated!

Thanks,


 
Numpty
Guest
Posts: n/a

 
      03-10-2005
Group Policy in Windows 2000 and 2003 does not apply to security groups
without a lot of fiddling around with Group Policy Permissions.

Active Directory takes advantage of "Organisational Units" which act in a
similar fashion to folders / containers. Put the users in the OUs and apply
the group policy to the OU.

The use of OUs allows you to "nest" a group of users under a specific area,
that will inherit from its parent.

e.g.
John is a user in Sales located in Perth Australia.

The OU structure that John may be a part of could be set up as follows:

Contoso.msft
  Australia
    Perth
      Users
        Sales

John can also be a member of security groups, now only really used for
assigning permissions and delegating rights. Security groups can also be used
as email distribution groups.

A good explanation of OUs:
http://www.samspublishing.com/articl...p?p=98126&rl=1

Active Directory and Group Policy:
http://www.microsoft.com/resources/d...c_pol_DYZR.asp

You can apply group policy to security groups, but it is not really a best
practice, and can be quite messy to set up unless you really know what you
are doing.

Small Business Server is actually very good at creating an efficient setup
by default. Have a look at some of the wizards that are available to you from
the Configure Your Service wizard.

Hope this helps

Bamskel
Guest
Posts: n/a

 
      03-10-2005
Numpty,

Thanks for the info, organizing them the way you had in the Australia
example is a GREAT way of doing it! One question... If the users are
already created in..

DOMAIN.name
  USERS
    John

And not in separate OUs, is it possible to MOVE a user from one place to
another OU? Without deleting and re-making that user...? I have Exchange on
this server also, and my users are very picky with keeping every email that
they have, and Exchange is a headache in and of itself as I am not expertly
familiar with it... I don't want to have to delete the user and exchange box
and re-create it...

If it is not possible to just MOVE a user, but is necessary to DELETE the
user and re-create them in a new OU, IS it possible to point that user to
their original Exchange profile??

Thanks for the help!
(btw - I made the original post I just put the wrong Display Name)

Numpty
Guest
Posts: n/a

 
      03-10-2005
No problem mate.

Yes you can move users between Organisational Units.

Right click on the user account and select Move.

Choose the destination OU and this will move the user.

All Exchange settings will stay where they are, as they are actually held in
what is known as the Schema (a simple way to look at it would be to think of
it as the Registry for Active Directory).

If you use XP Professional as your administrative workstation, and install
the 2003 Server Administration tools, you can actually select multiple users,
then click and drag the users into the OU of your choice.

Good luck

Bamskel
Guest
Posts: n/a

 
      03-11-2005
Numpty,

Thanks, you have been much help, I have now gotten everything organized MUCH
better!

I now have it set up as follows:

DomainName.domain
  Phoenix (an OU)
    Users (an OU)
      User_Groups (multiple different OUs.. ie. Counseling, FosterCare, Support Staff)
        UserName

and

DomainName.domain
  Phoenix (an OU)
    Groups (an OU)
      Group_Name_OU (an OU)
        Group

I have set one GroupPolicy at the "Phoenix" OU level, and applied it to "All
Authenticated Users" (both read and apply group policy setting).
This policy has basic desktop mods, disables active directory and adds the
"Log Off" option to the start menu (I have Windows 2000 Pro clients).

I went through and added the specified group policies to the "User Groups"
OU... But I am still getting the same problem where the group policies only
apply to some of the users... It seems like my domain server (I could easily
be completely wrong in this assumption).. but it seems like my domain server
is not refreshing the user information for any new users, and for some of the
old users (if that makes sense..?) it doesn't apply the policy that it is
supposed to. I have ONE user that somehow only has HALF of the policy being
applied! Her user when logged on, does not have the ability to have an
Active Desktop, but she DOES have the ability to access the Control Panel,
and the Display Feature... which was disabled in the Phoenix OU group policy.

Any more ideas?? I have created a "Test OU" OU within the "Users" OU, and
have applied a Group Policy to just that OU, and have set it for
"Authenticated Users" read/apply policy settings... still doesn't work... I
added just the test user itself to the group policy, with read/apply policy
settings... and it still didn't work...?!?

Thanks again for the help, and for any future help on this!
 
Numpty
Guest
Posts: n/a

 
      03-14-2005
You need to also create an Organisational unit structure for your computers.
Create a policy that applies to this OU, called Workstation Settings or
something else aptly named.

Make any settings in the policy that fall under "Computer Configuration" and
apply it here.

Any settings that fall under User Configuration should be applied at the
User OU level.

These group policies won't apply to the following operating systems:
NT3.1, NT 3.5, NT 4.0 or below

Windows 95, 98, Me or below

For Windows 9x machines you need to create a policy on the actual
workstation, very painful.

For Windows NT Machines, you can create an NTConfig.pol using the NT Poledit
tool and put it in the NETLOGON folder. Read up on TechNet about this first
as there are some issues with "Tattooing" of machines etc.

On the XP Clients, run GPUPDATE /FORCE to force a refresh of the group
policy on the workstations.

There is an excellent document available on TechNet called Troubleshooting
Group Policy in Windows 2000. Do a search on google to find it and have a
read of it with a nice cold beer.

Hope this helps

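An added illustration, not part of any post in this thread: a simplified Python model of the scoping rules discussed above, showing that a GPO reaches an account through the OU the account sits in, that group membership only filters GPOs already in scope (Read plus Apply Group Policy), and that Computer Configuration follows the computer's location. The domain example.local and all object, group and GPO names are constructed; local and site policy, Block Inheritance, No Override and loopback are left out.

```python
# Added illustration: a simplified model of Group Policy scope. The domain
# example.local and every object, group and GPO name below are constructed.
# It ignores local/site policy, Block Inheritance, No Override and loopback.

GPOS = {
    # name: (sections with settings, groups granted Read + Apply Group Policy)
    "Phoenix Baseline":  ({"user", "computer"}, {"Authenticated Users"}),
    "Counseling Policy": ({"user"}, {"Counseling Staff"}),
    "Group OU Policy":   ({"user"}, {"Authenticated Users"}),
}

LINKS = {  # container DN -> GPOs linked there
    "OU=Phoenix,DC=example,DC=local": ["Phoenix Baseline"],
    "OU=Counseling,OU=Users,OU=Phoenix,DC=example,DC=local": ["Counseling Policy"],
    # Linked to an OU that holds only group objects, so it reaches no one.
    "OU=Counseling_Group,OU=Groups,OU=Phoenix,DC=example,DC=local": ["Group OU Policy"],
}


def containers(dn):
    """Containers above an object, from the domain down to its own OU."""
    parts = [p.strip() for p in dn.split(",")][1:]  # drop the object's own RDN
    domain = [p for p in parts if p.upper().startswith("DC=")]
    above = [p for p in parts if not p.upper().startswith("DC=")]
    chain = [",".join(domain)]
    for i in range(len(above) - 1, -1, -1):
        chain.append(",".join(above[i:] + domain))
    return chain


def applied_gpos(dn, groups, section):
    """GPOs whose `section` ('user' or 'computer') is processed for the object.

    Scope comes from where the account sits in the tree; group membership
    only filters GPOs that are already in scope.
    """
    result = []
    for container in containers(dn):
        for name in LINKS.get(container, []):
            sections, apply_to = GPOS[name]
            if section in sections and apply_to & groups:
                result.append(name)
    return result


USER = "CN=jdoe,OU=Counseling,OU=Users,OU=Phoenix,DC=example,DC=local"
PC_DEFAULT = "CN=PC01,CN=Computers,DC=example,DC=local"
PC_MOVED = "CN=PC01,OU=Workstations,OU=Phoenix,DC=example,DC=local"
MEMBER = {"Authenticated Users", "Counseling Staff"}
NON_MEMBER = {"Authenticated Users"}
COMPUTER = {"Authenticated Users", "Domain Computers"}

if __name__ == "__main__":
    print("user, in group:    ", applied_gpos(USER, MEMBER, "user"))
    print("user, not in group:", applied_gpos(USER, NON_MEMBER, "user"))
    print("PC in CN=Computers:", applied_gpos(PC_DEFAULT, COMPUTER, "computer"))
    print("PC under Phoenix:  ", applied_gpos(PC_MOVED, COMPUTER, "computer"))
```

In this model the workstation left in the default Computers container receives no Computer Configuration from the Phoenix policy until its account is moved under the Phoenix OU, and the GPO linked to the OU that holds only groups never applies to anyone.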
 
 
 