An academic question...

Discussion in 'Server Networking' started by Bruno Campanini, Oct 4, 2006.

  1. I'd want to forbid my Client_1 to access/see tab Connections in
    his IE Properties.

    I've created a group in AD (Global, Security) named NoConn and
    put User Client_1 in it as a Member.

    Then I've put this NoConn group as a New group in Group Policy
    Object Links of Group Policy tab (Domain, Properties).

    I've edited this Group Policy Object (User Configuration, Administrative
    Templates, Windows Componets, Internet Explorer, Internet Control
    Pannel, Disable Connection page = ENABLED).

    I've have added NoConn to Properties, Security, Group checking
    - only for it - Apply Group Policy.

    After Logging OFF/ON, when I log to the Domain from a computer
    as Client_1, I continue seeing tab Connections on IE Properties.

    I tried the very same procedure from inside a new OU but
    nothing is changing.

    Why this Gruop Policy doesn't propagate to all Users?
    It only works against Administrator from the server when I put
    him in NoConn group.
    What am I missing?

    Bruno
     
    Bruno Campanini, Oct 4, 2006
    #1
    1. Advertisements

  2. Hi,

    Did you put user account into OU where the policy is applied?
     
    Miha Pihler [MVP], Oct 4, 2006
    #2
    1. Advertisements

  3. [...]

    Addendum:

    I'm running Winserver 2003 SE SP1 with these roles:
    AD, File Server, DHCP Server

    Bruno
     
    Bruno Campanini, Oct 4, 2006
    #3
  4. Another note...

    When you use security settings "Apply Group Policy" it is usually used only
    in "Deny Apply Group Policy". E.g. when you have 100 user accounts in same
    OU and you would like to prevent a certain policy from applying to e.g. 5
    users in that OU -- you can use Deny Apply Group Policy.
     
    Miha Pihler [MVP], Oct 4, 2006
    #4
  5. Bruno Campanini

    Damir Guest

    This particular sentence is very unclear to me:

    "Then I've put this NoConn group as a New group in Group Policy Object Links
    of Group Policy tab (Domain, Properties)."

    Where would you add group in group policy object links? And why? You can
    only link group policy there. "group" and "group policy" are something
    entirely different.
     
    Damir, Oct 4, 2006
    #5
  6. - AD
    - Right Click on Domain, Properties, Policy Group, New...
    Here I added the group named NoConn.
    It appeared to me the right procedure.
    But I'm not expert on this OS and for sure I missed
    something.
    Any suggestions?

    Bruno
     
    Bruno Campanini, Oct 4, 2006
    #6
  7. Yes I did but nothing's changing.

    A - created the user account in new OU and defined properties
    in OU

    B - created a new group in OU, then the user account as member
    of this new group and defined properties in that new group

    But no result!

    Bruno
     
    Bruno Campanini, Oct 4, 2006
    #7
  8. Bruno Campanini

    steve_t Guest

    Comments inline.

    Placing Client_1 into a group has absolutely no impact on how Group Policy
    is applied. The user settings on a GPO are determined by where the user's
    account is located, not any group memberships.
    I'm not sure what you did here. What you need to do is create a new Group
    Policy object in the OU where the Client_1 account is located. Properties of
    the OU, Group Policy tab, click new, name it DenyIEConnectionsTab (or
    something similar).
    This looks correct.
    You don't really need to do this. By default, I believe Authenticated Users
    have the Read and Apply Group Policy settings allowed. (If you didn't give
    the Read permission, that may have been part of the problem).
    Try the options I mentioned above and see if it works. Let us know.

    Steve
     
    steve_t, Oct 4, 2006
    #8
  9. [...]
    1 - Created a new OU named NoConn
    2 - Selected NoConn in AD, left pane, and created a new User named
    Jolly-10, which by default is member of Domain Users
    3 - In NoConn Properties, Group Policy, created a new
    DenyIEConnectionsTab. Edited this one to have
    diabled the IE Connections page.
    4 - In DenyIEConnectionsTab, Properties, Security there is,
    among others, Authenticaded Users with Read and
    Apply Group Policy checked.

    But it doesn't work.
    Jolly-10 continue seeing Connections page in his IE.

    Any other suggestions?

    Bruno
     
    Bruno Campanini, Oct 4, 2006
    #9
  10. Bruno Campanini

    steve_t Guest

    Have you used GP Result
    (http://www.microsoft.com/resources/.../xp/all/proddocs/en-us/gpresult.mspx?mfr=true)
    or the Group Policy Management Console
    (http://www.microsoft.com/windowsserver2003/gpmc/default.mspx) to see if the
    policy is actually getting applied? (I should have mentioned these tools
    earlier). If not, give them a try and let us know the results. I'll try to
    replicate the issue you're having on my lab at home tonight.

    Steve

     
    steve_t, Oct 4, 2006
    #10
  11. I didn't, I'll try ald let you know.
    I'm very confident on it.

    Thanks
    Bruno
     
    Bruno Campanini, Oct 4, 2006
    #11
  12. Hi Steve,
    that's the procedure I've done:

    1 - In AD:
    a - created a new OU named NoConn
    b - under NoConn created the User Jolly-11, which by default is member
    of
    Domain Users
    3 - In GP Mamagment:
    a - created a new Group Policy Object named NOIE; edited in order
    to have Connections Tab in IE unavailable
    b - NOIE then dragged and dropped on to NoConn, which appears
    in GPM.
    Executed gpupdate, logged off/on.

    I think the procedure is correct, but still Jolly-11 has Connections
    Tab available on his IE.

    gpresult /user Jolly-11 /v
    reports:
    INFO: The user "Jolly-11" does not have RSOP data.

    I'm becoming crazy...

    Bruno
     
    Bruno Campanini, Oct 5, 2006
    #12
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.