- domain policies not overriding local policies
- Posted by kevin on February 3rd, 2004
I am in the beginnings of group policies at our office and am applying them
successfully for the most part, but I have noticed that the policy under
Computer Configuration > Windows Settings > Security > Local Policies >
User Rights, for who gets the permission to change the system clock, is not
working. From the group policy editor for the OU, I have it set to Domain
Admins, and the workstations (2000) are at their default of Administrators
and Power Users. I have a CAD user that I am testing the new policies on
and he can still change the system time, being a Power User. I know I can
change the local security policy on each machine, but I also know that
domain policies are supposed to override the local ones. Anyone know what
is going on? I only have 2 policies: first is the default domain policy,
which is untouched, and then an OU policy for CAD users. Thanks. kevin.
- Posted by Jeromy Statia [MSFT] on February 4th, 2004
First I'd ask: have you checked the event log for any USERENV errors that
might indicate that group policy is not being applied successfully on the
machine in question?
tx
--
Jeromy Statia [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
- Posted by kevin on February 4th, 2004
I was going to VPN and check, but I can't get into the network right now.
I will have to check tomorrow and post a response when I get back from work.
Thanks. kevin.
- Posted by kevin on February 4th, 2004
I do have an error for userenv (1000): "windows cannot unload your
registry file. if you have a roaming profile, your settings are not
replicated. contact your administrator. detail - access is denied. ,
build number ((2195))." It occurred before the GPO was applied, but also
occurred yesterday after the GPO was applied. It hasn't happened yet today.
I searched eventid.net for the error, and downloaded oh.exe from
Microsoft. At first, it gave me an error about not being able to edit
some value in the registry, so I changed the policy for not being able
to edit the registry from enabled to not configured and ran oh.exe again
from telnet, and it gave me the message "enabled maintaining a list of
objects for each type. will take effect next time you boot. until then,
oh is unable to query useful information." Now I have rebooted and run
the command again; what a large text file I now have (with no idea what
I'm looking for). So now I have given the local privileges back to the
CAD user to change the time, logged back into his account, double
clicked the time, and he is still able to change it. Thanks. kevin.
- Posted by Jeromy Statia [MSFT] on February 5th, 2004
Well, this is interesting. So the Domain policy affecting your rights to
modify the registry applied successfully, but the domain policy that would
not allow the user to change the time does not. Could you try running the
command listed in the following KB:
http://support.microsoft.com/default...b;en-us;227448
Using Secedit.exe to Force Group Policy to Be Applied Again
and see if any errors are reported?
Also, you could download the Group Policy Management Console:
http://www.microsoft.com/downloads/d...displaylang=en
Group Policy Management Console with Service Pack 1
but this needs to be run on an XP client (it is still very helpful and
handy when trying to triage Group Policy problems).
Let me know if any of this information helps.
tx
--
Jeromy Statia [MSFT]
- Posted by kevin on February 5th, 2004
Yeah, it's not the only one either. I have several other policies (in the CAD
policy) that work as well. I have been using secedit to refresh the
policies on a test machine and on the CAD user's machine. There are no
reported errors after applying the policy. I noticed the userenv error 1000
again today and decided to request the UPHClean service. No response
yet, but it is supposed to fix the userenv error that I am having. I will
try the GPMC from my laptop (it is XP Pro). AFAIK the time policy is still
not working. VPN is not working from my house for some reason, so I cannot
test these things unless I am at work, and I cannot read the newsgroups
while at work because it is filtered by IP address. Fun. Heh. Thanks again.
kevin.
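One way to confirm what a workstation actually ended up with after the secedit refresh discussed in this thread, as an added example that is not part of any post: the Python sketch below parses the `[Privilege Rights]` section of a security template export and reports who holds the change-system-time right (`SeSystemtimePrivilege`). The sample INF text, the domain SID and the function names are constructed for illustration, and the input is assumed to come from `secedit /export /cfg <file> /areas USER_RIGHTS`.

```python
import re

# Constructed sample in the INF layout of a security template export
# (assumed source: secedit /export /cfg <file> /areas USER_RIGHTS).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-547
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed domain SID; RID 512 is the Domain Admins group.
DOMAIN_ADMINS = "S-1-5-21-1111111111-2222222222-3333333333-512"
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    DOMAIN_ADMINS: "Domain Admins (constructed SID)",
}

def parse_privilege_rights(inf_text):
    """Return {privilege: [holder, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Holders are comma-separated; SIDs carry a leading '*'.
            rights[name.strip()] = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
    return rights

def audit_right(rights, privilege, allowed):
    """Compare effective holders of one right with the set the GPO should enforce."""
    holders = set(rights.get(privilege, []))
    return {"unexpected": sorted(holders - set(allowed)), "missing": sorted(set(allowed) - holders)}

if __name__ == "__main__":
    result = audit_right(parse_privilege_rights(SAMPLE_INF), "SeSystemtimePrivilege", {DOMAIN_ADMINS})
    for kind, sids in result.items():
        for sid in sids:
            print(f"{kind}: {sid} ({WELL_KNOWN.get(sid, 'unknown')})")
```

With the constructed sample, Administrators and Power Users show up as unexpected holders and Domain Admins as missing, which is the pattern of a machine still running its local defaults for this right.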