RE: [ActiveDir] Add trusted sites to IE via Policy

2003-09-20 Thread Charles Campbell
Hello Steve.
This can be found under the Default Domain Policy, User
Configuration/Windows Settings/Internet Explorer Maintenance/Security...
then on the right side, Security Zones and Content Ratings. From there you
can set the sites in any manner that you need.

HTH.

Charles 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Friday, September 19, 2003 17:42
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Add trusted sites to IE via Policy

I need to add a trusted site to all corporate users.  I thought that you
can do this through Group Policy, but for the life of me I can not
remember.  Could someone point me in the right direction?  If there is
an ADM that needs to be added to accomplish this? Etc..

Thanks,
Steve

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-20 Thread Charles Campbell
In case anyone is interested, I finally figured out the problem.

http://support.microsoft.com/default.aspx?scid=kb;en-us;311511

Thanks for everyone's help.

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 13, 2003 16:35
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

Try turning that off (make it synchronous).

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Charles Campbell
Okay

This is what I have found in the userenv.log so far:

ProcessGPOs: Processing extension Internet Explorer Branding
ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7 (Which should be fine since I don't use the GP to brand IE)
ProcessGPOs: Processing extension Internet Explorer Branding
CompareGPOLists: Different version numbers found
ProcessGPOList: Entering for extension Internet Explorer Branding
UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy...
GetHkeyCU: RegOpenKey failed with error 2
LibMain: Process Name: C:\WINNT\system32\rundll32.exe
UserPolicyCallback: Setting status UI to Applying your personal settings...
ProcessGPOList: Extension Internet Explorer Branding returned 0x0.
ProcessGPOs: ---
734 ProcessGPOs: ---

Those are the only lines that mention Internet Explorer

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 13, 2003 12:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

What you're looking for is any log items from the IE Maintenance extension as it
tries to process the policy during user logon. Look for messages as to whether
it skipped processing for some reason or couldn't process the policy.

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Charles Campbell
Interestingly enough, I have that policy enabled (IE Maintenance policy
processing).
However, I do notice that when I go to the registry key mentioned in that
article, the value is still set to 1, instead of 0.
I changed it manually, and will reboot to see what happens.

Does anyone know what would keep that registry key from changing when the IE
Maintenance policy is set to apply?

 

Okay... rebooted, and the zones are being reset again, and everything that I
changed is gone (under the zones).

Thanks,

Charles

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] On Behalf
Of Darren Mar-Elia
Sent: Monday, August 11, 2003 23:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

 

Charles-

Have you checked out this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;306915? It's not
exactly the same but could be your problem.

Darren

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Charles Campbell
Update:

I have now noticed (beating my head on desk for not seeing it sooner)
that the server also sees the reset of the site changes

Meaning:

1) I log onto the server, change the site listings as needed under IE Maintenance/Security
2) Run Secedit, check to make sure changes are applied on workstation (they are).
3) Now I check the server, changes took place there as well.
4) Reboot *any* workstation, and the changes are gone.
5) Check server, changes are gone from there as well and from the policy.

Any ideas? I have been unable to find anything even remotely close via
google or technet.

Thanks.

Charles

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Charles Campbell
You lost me on one part

What are you referring to when you say Preference mode settings?

As for local GPO IE settings, there are none set.

I will enable the verbose logging and see what happens

Thanks

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 12, 2003 13:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

Charles-

Just out of curiosity, are you using preference mode settings here? Things to check:

-- Make sure you don't have any local GPO IE settings defined. Highly unlikely but worth
checking.

-- Enable verbose userenv.log logging to see if you can get a clue as to why this is happening.
See http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 to
enable this logging.

Darren

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Charles Campbell
Well, I did a reset with no problems

I tried setting to preference mode, but seem unable to input any
changes.

I tried adding the *.adm files for IE (inetcorp.adm and inetset.adm),
however, when I go to access the settings, I see the following:

The inetset.adm file is not for Windows 2000. These settings will not
be displayed. I see the same error message for inetcorp.adm.

When trying to access the Advanced settings under User
Config/IE Maintenance/Advanced, I can see Corporate settings and Internet
Settings listed.

When I try to access either one of those policies, I get the following
2 errors:

Source: DrWatson
Event ID: 4097
The application, mmc.exe, generated an application error The error occurred on 08/13/2003
@ 08:41:52.547 The exception generated was c005 at address 02324FD8
(nosymbols)

And

Source: SQLServerAgent
Category: Alert Engine
Event ID: 318
Unable to read local eventlog (reason: The data area passed to a system call is too small).

I am assuming that I am seeing these errors due to the problem stated
above (that the *.adm file isn't for Windows 2000).

Other than that I am at a loss as to what is happening.

Any ideas?

Thanks,

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 12, 2003 16:08
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

IE Maintenance has two modes--preference and mandatory. Preference says, hand down IE policy but
then let the user change it whereas mandatory says, reinforce it
all the time. You can see this by right clicking the IE Maintenance node
and choosing either Preference mode or Reset Browser Settings. You
might try a reset--I have seen weirdness around preference mode in the past.

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Charles Campbell
I enabled the logging, and am currently looking at the file. I don't
see anything glaring out as an error, or showing that something was skipped

Any suggestions as to where I should look in this log for the problem??

Thanks.

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 12, 2003 13:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

Charles-

Just out of curiosity, are you using preference mode settings here? Things to check:

-- Make sure you don't have any local GPO IE settings defined. Highly unlikely but worth
checking.

-- Enable verbose userenv.log logging to see if you can get a clue as to why this is happening.
See http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 to
enable this logging.

Darren

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Charles Campbell
These are all 2000 machines

Under the GPO, I have Apply Group Policy Asynchronously for Users
enabled.

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 13, 2003 13:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

Well it doesn't give a lot of info but the RegOpenKey failing on GetHKeyCU (Get a handle to the user's
profile in HKEY_CURRENT_USER) looks like a problem. The policy extension can't
access the user's profile. The strange thing is that it returns a 0x0, which
usually means everything worked just fine. Here's a thought. Are these XP
machines? If so, can you try something? On one of these machines that's having a
problem, try enabling the following administrative template policy:

Computer Configuration|Administrative Templates|System|Logon|Always wait for the network
at computer startup and logon

This ensures that policy processes synchronously rather than asynchronously. It would be interesting to
see if this makes a difference.

-Original Message-
From: Charles Campbell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 10:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

Okay

This is what I have found in the userenv.log so far:

ProcessGPOs: Processing extension Internet Explorer Branding
ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7 (Which should be fine since I don't use the GP to brand IE)
ProcessGPOs: Processing extension Internet Explorer Branding
CompareGPOLists: Different version numbers found
ProcessGPOList: Entering for extension Internet Explorer Branding
UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy...
GetHkeyCU: RegOpenKey failed with error 2
LibMain: Process Name: C:\WINNT\system32\rundll32.exe
UserPolicyCallback: Setting status UI to Applying your personal settings...
ProcessGPOList: Extension Internet Explorer Branding returned 0x0.
ProcessGPOs: ---
734 ProcessGPOs: ---

Those are the only lines that mention Internet Explorer

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 13, 2003 12:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

What you're looking for is any log items from the IE Maintenance extension as it
tries to process the policy during user logon. Look for messages as to whether
it skipped processing for some reason or couldn't process the policy.
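
The log reading discussed in this message, as an added example that is not part of the original thread: a Python pass over the quoted userenv.log lines that groups them per extension run and flags the case Darren points out, a failed call inside a run that still returned 0x0. The sample text is constructed from the lines quoted above; the class and function names are illustrative, and the Win32 error names come from the standard error table, not from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the userenv.log lines quoted in the message above, with
# wrapped lines joined and the poster's own parenthetical remark left out.
SAMPLE_LOG = """\
ProcessGPOs: Processing extension Internet Explorer Branding
ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7
ProcessGPOs: Processing extension Internet Explorer Branding
CompareGPOLists: Different version numbers found
ProcessGPOList: Entering for extension Internet Explorer Branding
UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy...
GetHkeyCU: RegOpenKey failed with error 2
LibMain: Process Name: C:\\WINNT\\system32\\rundll32.exe
UserPolicyCallback: Setting status UI to Applying your personal settings...
ProcessGPOList: Extension Internet Explorer Branding returned 0x0.
"""

# search() is used everywhere, so any prefix in front of the message is ignored.
START = re.compile(r"ProcessGPOs: Processing extension (?P<ext>.+?)\s*$")
SKIP = re.compile(r"ProcessGPOs: Extension (?P<ext>.+?) skipped with flags (?P<flags>0x[0-9A-Fa-f]+)")
RETURN = re.compile(r"ProcessGPOList: Extension (?P<ext>.+?) returned (?P<code>0x[0-9A-Fa-f]+)")
FAILED = re.compile(r"(?P<func>\w+): (?P<call>\w+) failed with error (?P<err>\d+)")

# Two common Win32 error codes (standard values, not taken from the thread).
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}


@dataclass
class ExtensionPass:
    """One 'Processing extension ...' run and what the log says happened in it."""
    extension: str
    skipped_flags: Optional[str] = None
    return_code: Optional[int] = None
    failures: List[Tuple[str, str, int]] = field(default_factory=list)


def parse_passes(text: str) -> List[ExtensionPass]:
    """Split the log into extension runs; each START line opens a new run."""
    passes: List[ExtensionPass] = []
    current: Optional[ExtensionPass] = None
    for line in text.splitlines():
        m = START.search(line)
        if m:
            current = ExtensionPass(m.group("ext"))
            passes.append(current)
            continue
        if current is None:
            continue  # lines before the first extension run
        m = SKIP.search(line)
        if m and m.group("ext") == current.extension:
            current.skipped_flags = m.group("flags")
            continue
        m = RETURN.search(line)
        if m and m.group("ext") == current.extension:
            current.return_code = int(m.group("code"), 16)
            continue
        m = FAILED.search(line)
        if m:
            current.failures.append((m.group("func"), m.group("call"), int(m.group("err"))))
    return passes


def triage(passes: List[ExtensionPass]) -> List[Tuple[int, str, str]]:
    """Return (run number, kind, detail) for every run that needs a second look."""
    notes = []
    for number, p in enumerate(passes, start=1):
        if p.skipped_flags is not None:
            notes.append((number, "skipped", f"{p.extension}: skipped with flags {p.skipped_flags}"))
        returned = "nothing" if p.return_code is None else hex(p.return_code)
        for func, call, err in p.failures:
            # A failure inside a run that still reports 0x0 is hidden from anyone
            # who only checks the extension's return code.
            kind = "failure-masked" if p.return_code == 0 else "failure"
            name = WIN32_ERRORS.get(err, "unknown")
            notes.append((number, kind,
                          f"{p.extension}: {func} {call} error {err} ({name}), extension returned {returned}"))
        if p.skipped_flags is None and p.return_code is None:
            notes.append((number, "no-result", f"{p.extension}: run has no skip or return line"))
    return notes


if __name__ == "__main__":
    for number, kind, detail in triage(parse_passes(SAMPLE_LOG)):
        print(f"run {number}: [{kind}] {detail}")
```
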


























RE: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)

2003-08-14 Thread Charles Campbell
I've been getting hammered on this one myself... My firewall logs are packed
with hits to ports 135 and 445.

Charles

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, August 11, 2003 19:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)

In case you been sleeping on the RPC DCOM hole (MS03-26), the time to
patch was a couple of weeks ago, but if you still didn't... Duck... No
actually patch! Now is not the time for your company to discover that a
firewall doesn't protect all entrances to your network. 



http://isc.sans.org/diary.html?date=2003-08-11







[ActiveDir] Group Policy and IE Zone Security

2003-08-11 Thread Charles Campbell
Still searching for an answer on this one. Anybody have an idea?

On the server, I set up the GPO to reflect certain sites under the
Intranet and Trusted sites. I also set the GPO to disable the users' ability to
add/remove sites, and change their home page.

As of right now, users can not add/remove sites from the Security
Zones, nor can they change their default home page. (Which is what I wanted).
However, each time any workstation reboots, the sites that I set under
Intranet/Trusted are removed and what was originally there comes back. (i.e.
free.aol.com, etc). Each time, on the server, I remove the specific zones, add
the ones I want, then run secedit from the command prompt. Users receive the
policy change no problem, until they reboot.

Where should I look for the problem here? I'm at a loss.

Server: Windows 2000 AS SP4
Workstations: Windows 2000 SP4

Thanks.

Charles


RE: [ActiveDir] GP overridden

2003-07-31 Thread Charles Campbell
Are you referring to opening the GPO on each workstation to disable the
user/computer settings?

Thanks.

Charles

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, July 30, 2003 18:57
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP overridden

After sending this, I realized that there is a much easier, non-hacked
version to disable the local GPO. You can simply open gpedit.msc, select
the local GPO's properties and disable user and computer settings. This
is equivalent to adding a line to the end of the gpt.ini that says:

Options=3



-Original Message-
From: Darren Mar-Elia 
Sent: Wednesday, July 30, 2003 2:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP overridden


It is possible to effectively disable the local GPO on a given machine.
Much of the local GPO is stored in %systemroot%\system32\grouppolicy.
Within that folder is a file called gpt.ini and in that file is a line
that says Version=. If you set that version parameter to 0, the local
GPO will be skipped. Note that this is a huge hack, but it will do what
you're after.



-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 30, 2003 12:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP overridden


IIRC, the local policy runs no matter what as it is the first policy to
be run.  If you want to override local policies, you need to set the
policies in either the domain, site, or OU.  Note that domain based
security policies, such as password aging, cannot be overridden by site
or OU policies.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Charles Campbell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 3:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP overridden


Is there a way, from the DC, to keep the local policy from being applied
at each workstation? Or is there a way to disable the local policy
(while at each workstation)?

Thanks.

Charles

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, July 30, 2003 11:27
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GP overridden

Group Policies get applied

Local, Site, Domain, OU

Each and every computer has a local policy.

 -Original Message-
From:   Charles Campbell [mailto:[EMAIL PROTECTED] 
Sent:   Wednesday, July 30, 2003 10:00 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] GP overridden

The event log shows:
Security policy in the Group policy objects are applied successfully.

According to GPResult: 
Group Policy applied Wed, July 30, 2003 at 9:23:37 AM
Group Policy was applied from ..com (names changed to protect the
innocent)

Computer Received Registry Settings from these GPOs:
Local Group Policy
LAN Policy
LAN Policy

Computer Received Security settings from these GPOs:
Local Group Policy
LAN Policy
Default Domain Controllers Policy
LAN Policy

Computer received EFS recovery settings from these GPOs:
Local Group Policy
LAN Policy
LAN Policy


I guess what's confusing me here is why Local Group Policy is being
applied, and where, exactly is it?

Under AD, in the .com properties box/Group Policy, I only have LAN
Policy listed.


Charles



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, July 30, 2003 09:14
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GP overridden

Charles

A couple of points here.

1.  Group Policy is refreshed on Domain Controllers every five minutes
by default. The default refresh cycle is every 90 minutes on client
computers. If the event log entries you mention occur on a DC this may
be perfectly normal.  What are the details of the event?

2.  It is not a good idea to mess with the Default Domain Policy, or for
that matter the Default Domain Controllers Policy.  I would recommend
that you change the name back to what it was.

3.  The use of No Override can cause confusion and should be used
sparingly.   Policies are applied in the order

Site - Domain - OU

...but in the event of conflict the policy that was last applied takes
priority.  For example if you have conflicting settings in domain and OU
policies the OU policy setting will win.

The GPRESULT tool is quite useful for detecting which policies have been
applied. 

Tony
-- Original Message --
From: Charles Campbell [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 30 Jul 2003 08:47:53 -0400

For some reason, there is a GP being applied on the server every 5
minutes (according to the Event Viewer).

 

In AD, I changed the name of the Default Group Policy to be LAN
policy and check-marked No Over-Ride.

 

Where would I look to see what is being applied? It's changing all the
settings that I have set under LAN policy (i.e. IE branding, custom
url links, etc).

Thanks.


Charles
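
Darren Mar-Elia's two ways of switching off the local GPO, quoted earlier in this message, both leave a trace in gpt.ini. As an added example (not part of the original thread), this Python check reads the file's text and reports the resulting state. The sample file contents are constructed, the function names are illustrative, and the split of Version into a user and a computer counter and of Options into two flag bits is standard gpt.ini behaviour rather than something stated in the thread.

```python
import configparser

# Option flag bits for a GPO (standard values, not stated in the thread).
GPO_OPTION_DISABLE_USER = 0x1      # user settings are not processed
GPO_OPTION_DISABLE_MACHINE = 0x2   # computer settings are not processed

# Constructed gpt.ini contents (not copied from a real machine).
SAMPLES = {
    "untouched": "[General]\nVersion=65539\n",
    "disabled in gpedit.msc": "[General]\nVersion=65539\nOptions=3\n",
    "version zeroed by hand": "[General]\nVersion=0\n",
    "user half disabled": "[General]\nVersion=65539\nOptions=1\n",
}


def read_general(ini_text):
    """Return the [General] section of a gpt.ini, matching its name case-insensitively."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    for name in parser.sections():
        if name.lower() == "general":
            return parser[name]
    raise ValueError("gpt.ini has no [General] section")


def local_gpo_state(ini_text):
    """Decode Version and Options the way the thread describes their effect."""
    general = read_general(ini_text)
    # configparser lower-cases option names, so 'Version=' is read as 'version'.
    version = int(general.get("version", fallback="0"))
    options = int(general.get("options", fallback="0"))
    user_off = bool(options & GPO_OPTION_DISABLE_USER)
    machine_off = bool(options & GPO_OPTION_DISABLE_MACHINE)
    return {
        "version": version,
        "user_version": version >> 16,         # high 16 bits
        "computer_version": version & 0xFFFF,  # low 16 bits
        "user_disabled": user_off,
        "computer_disabled": machine_off,
        # Version=0 (the "hack") or Options=3 (both halves disabled) means the
        # local GPO contributes nothing on this machine.
        "local_gpo_skipped": version == 0 or (user_off and machine_off),
    }


def hosts_with_disabled_local_gpo(samples):
    """Names of the gpt.ini samples where any part of the local GPO is switched off."""
    flagged = []
    for name, text in samples.items():
        state = local_gpo_state(text)
        if state["local_gpo_skipped"] or state["user_disabled"] or state["computer_disabled"]:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, local_gpo_state(text))
```
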




RE: [ActiveDir] GP overridden

2003-07-31 Thread Charles Campbell
Well, I must have a serious problem...
I changed the name back to Default Domain Policy. Rebooted the server.
Waited approximately 30 minutes, then ran GPResult from the Server. Below is
the result: (More info after results)

User Group Policy results for:

  CN=Administrator,CN=Users,DC= X,DC=com

  Domain Name:  X
  Domain Type:  Windows 2000
  Site Name:Default-First-Site-Name

  Roaming profile:  (None)
  Local profile:C:\Documents and Settings\Administrator

  The user is a member of the following security groups:

X\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
X \Group Policy Creator Owners
X \Domain Admins
X \Schema Admins
X \Enterprise Admins
X \OWS_4001231503_admin
X \OLAP Administrators


###

Last time Group Policy was applied: Thursday, July 31, 2003 at 2:09:33 PM
Group Policy was applied from: mainserver.mainserver.com


===


The user received Registry settings from these GPOs:

LAN Policy
LAN Policy


===
The user received Internet Explorer Branding settings from these GPOs:

Default Domain Policy
Default Domain Policy



###

  Computer Group Policy results for:

  CN=MAINSERVER,OU=Domain Controllers,DC=X,DC=com

  Domain Name:  X
  Domain Type:  Windows 2000
  Site Name:Default-First-Site-Name


  The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
X\MAINSERVER$
X \Domain Controllers
X \Domain Admins
X \Schema Admins
X \Enterprise Admins
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
X \DnsAdmins

###

Last time Group Policy was applied: Thursday, July 31, 2003 at 2:05:14 PM
Group Policy was applied from: X.X.com


===


The computer received Registry settings from these GPOs:

Local Group Policy
LAN Policy
LAN Policy


===
The computer received Security settings from these GPOs:

Local Group Policy
Default Domain Policy
Default Domain Policy


===
The computer received EFS recovery settings from these GPOs:

Local Group Policy
Default Domain Policy
Default Domain Policy

Now, I have checked under AD/ServerName/Properties/Group Policy... There is
only Default Domain Policy listed. I don't know why it's showing up twice,
nor do I know where else to look for this problem.

Thanks.

Charles




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, July 31, 2003 10:29
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP overridden

I believe Justin asked the question because the gpresult output shows the
LAN Policy twice in various places.  This is unusual, e.g


Computer Received Registry Settings from these GPOs:
Local Group Policy
LAN Policy
LAN Policy






RE: [ActiveDir] GP overridden

2003-07-30 Thread Charles Campbell
The event log shows:
Security policy in the Group policy objects are applied successfully.

According to GPResult: 
Group Policy applied Wed, July 30, 2003 at 9:23:37 AM
Group Policy was applied from ..com (names changed to protect the
innocent)

Computer Received Registry Settings from these GPOs:
Local Group Policy
LAN Policy
LAN Policy

Computer Received Security settings from these GPOs:
Local Group Policy
LAN Policy
Default Domain Controllers Policy
LAN Policy

Computer received EFS recovery settings from these GPOs:
Local Group Policy
LAN Policy
LAN Policy


I guess what's confusing me here is why Local Group Policy is being
applied, and where, exactly is it?

Under AD, in the .com properties box/Group Policy, I only have LAN
Policy listed.


Charles



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, July 30, 2003 09:14
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GP overridden

Charles

A couple of points here.

1.  Group Policy is refreshed on Domain Controllers every five minutes by
default. The default refresh cycle is every 90 minutes on client computers.
If the event log entries you mention occur on a DC this may be perfectly
normal.  What are the details of the event?

2.  It is not a good idea to mess with the Default Domain Policy, or for
that matter the Default Domain Controllers Policy.  I would recommend that
you change the name back to what it was.

3.  The use of No Override can cause confusion and should be used
sparingly.   Policies are applied in the order

Site - Domain - OU

...but in the event of conflict the policy that was last applied takes
priority.  For example if you have conflicting settings in domain and OU
policies the OU policy setting will win.

The GPRESULT tool is quite useful for detecting which policies have been
applied. 

Tony
-- Original Message --
From: Charles Campbell [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 30 Jul 2003 08:47:53 -0400

For some reason, there is a GP being applied on the server every 5 minutes
(according to the Event Viewer).

 

In AD, I changed the name of the Default Group Policy to be LAN policy
and check-marked No Over-Ride.

 

Where would I look to see what is being applied? It's changing all the
settings that I have set under LAN policy (i.e. IE branding, custom url
links, etc).

Thanks.


Charles







RE: [ActiveDir] GP overridden

2003-07-30 Thread Charles Campbell
Here's the entire GPResult (editing some names out) from the server:

Created on Wednesday, July 30, 2003 at 11:08:04 AM


Operating System Information:

Operating System Type:  Domain Controller
Operating System Version:   5.0.2195.Service Pack 4
Terminal Server Mode:   None

###

  User Group Policy results for:

  CN=Administrator,CN=Users,DC=XX,DC=com

  Domain Name:  X
  Domain Type:  Windows 2000
  Site Name:Default-First-Site-Name

  Roaming profile:  (None)
  Local profile:C:\Documents and Settings\Administrator

  The user is a member of the following security groups:

XX\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
XXX\Group Policy Creator Owners
XXX\Domain Admins
XXX\Schema Admins
XXX\Enterprise Admins
XXX\OLAP Administrators


###

Last time Group Policy was applied: Tuesday, July 29, 2003 at 10:05:28 PM
Group Policy was applied from: XX.XX.com


===


The user received Registry settings from these GPOs:

LAN Policy
LAN Policy


===
The user received Internet Explorer Branding settings from these GPOs:

LAN Policy
LAN Policy



###

  Computer Group Policy results for:

  CN=MAINSERVER,OU=Domain Controllers,DC=XX,DC=com

  Domain Name:  XX
  Domain Type:  Windows 2000
  Site Name:Default-First-Site-Name


  The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
XX\MAINSERVER$
XX\Domain Controllers
XX\Domain Admins
XX\Schema Admins
XX\Enterprise Admins
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
XX\DnsAdmins

###

Last time Group Policy was applied: Wednesday, July 30, 2003 at 11:05:40 AM
Group Policy was applied from: XX.XX.com


===


The computer received Registry settings from these GPOs:

Local Group Policy
LAN Policy
LAN Policy


===
The computer received Security settings from these GPOs:

Local Group Policy
LAN Policy
Default Domain Controllers Policy
LAN Policy


===
The computer received EFS recovery settings from these GPOs:

Local Group Policy
LAN Policy
LAN Policy





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, July 30, 2003 10:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP overridden

Did your email contain all of the GPRESULT output?

Tony





RE: [ActiveDir] GP overridden

2003-07-30 Thread Charles Campbell
No. Only one policy, and when I check under properties
(AD/Servername/Properties/Group Policy) only LAN policy is listed.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, July 30, 2003 11:27
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GP overridden

Do you have two different LAN Policies?

 -Original Message-
From:   Charles Campbell [mailto:[EMAIL PROTECTED] 
Sent:   Wednesday, July 30, 2003 9:33 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] GP overridden

The event log shows:
Security policy in the Group policy objects are applied successfully.

According to GPResult: 
Group Policy applied Wed, July 30, 2003 at 9:23:37 AM
Group Policy was applied from ..com (names changed to protect the
innocent)

Computer Received Registry Settings from these GPOs:
Local Group Policy
LAN Policy
LAN Policy

Computer Received Security settings from these GPOs:
Local Group Policy
LAN Policy
Default Domain Controllers Policy
LAN Policy

Computer received EFS recovery settings from these GPOs:
Local Group Policy
LAN Policy
LAN Policy


I guess what's confusing me here is why Local Group Policy is being
applied, and where, exactly is it?

Under AD, in the .com properties box/Group Policy, I only have LAN
Policy listed.


Charles



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, July 30, 2003 09:14
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GP overridden

Charles

A couple of points here.

1.  Group Policy is refreshed on Domain Controllers every five minutes by
default. The default refresh cycle is every 90 minutes on client computers.
If the event log entries you mention occur on a DC this may be perfectly
normal.  What are the details of the event?

2.  It is not a good idea to mess with the Default Domain Policy, or for
that matter the Default Domain Controllers Policy.  I would recommend that
you change the name back to what it was.

3.  The use of No Override can cause confusion and should be used
sparingly.   Policies are applied in the order

Site - Domain - OU

...but in the event of conflict the policy that was last applied takes
priority.  For example if you have conflicting settings in domain and OU
policies the OU policy setting will win.

The GPRESULT tool is quite useful for detecting which policies have been
applied. 

Tony
-- Original Message --
From: Charles Campbell [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 30 Jul 2003 08:47:53 -0400

For some reason, there is a GP being applied on the server every 5 minutes
(according to the Event Viewer).

 

In AD, I changed the name of the Default Group Policy to be LAN policy
and check-marked No Over-Ride.

 

Where would I look to see what is being applied? It's changing all the
settings that I have set under LAN policy (i.e. IE branding, custom url
links, etc).

Thanks.


Charles


