- Group Policy Question
- Posted by Dave on December 1st, 2004
I have a Windows Server 2003 domain controller which I would like to set to
not allow Users to Log On Locally. However, when I go into the Group Policy
editor (Local Security Policy), I do not have the option to remove the group.
Obviously there is some inheritance going on, but I don't want to change for
all computers in the domain, just this specific domain controller. How can I
override this? Thanks.
- Posted by Mark-Allen Perry on December 1st, 2004
I believe that any changes ON a domain controller are handled by the Domain Controller GPO. Check under Admin tools, Domain Controller Security Policy or Domain Security Policy.
Keep us informed.
--
Always try the MS KB first before posting.
MS KB: http://support.microsoft.com/default...;EN-US;KBHOWTO
And the answer could have already been posted, so try searching this and other newsgroups first.
----
Mark-Allen Perry
ALPHA Systems
Marly, Switzerland
mark-allen_AT_mvps_DOT_org
"Dave" <Dave@discussions.microsoft.com> wrote in message news:549A2AA8-D6A0-4B7B-A4A5-B2735512E5C1@microsoft.com...
I have a Windows Server 2003 domain controller which I would like to set to
not allow Users to Log On Locally. However, when I go into the Group Policy
editor (Local Security Policy), I do not have the option to remove the group.
Obviously there is some inheritance going on, but I don't want to change for
all computers in the domain, just this specific domain controller. How can I
override this? Thanks.
- Posted by Dave on December 1st, 2004
Yeah, that's what I thought too, but I only see Local Security Policy. Any
other suggestions?
"Mark-Allen Perry" wrote:
- Posted by Mark-Allen Perry on December 1st, 2004
Well, if you don't see them under the normal menu, do they exist as ..MSCs in \System32?
Or just build one yourself. Run MMC and add them in.
How does that work?
--
Always try the MS KB first before posting.
MS KB: http://support.microsoft.com/default...;EN-US;KBHOWTO
And the answer could have already been posted, so try searching this and other newsgroups first.
----
Mark-Allen Perry
ALPHA Systems
Marly, Switzerland
mark-allen_AT_mvps_DOT_org
"Dave" <Dave@discussions.microsoft.com> wrote in message news
E3766CA-FF5A-4A86-9729-C6722C45F373@microsoft.com...
Yeah, that's what I thought too, but I only see Local Security Policy. Any
other suggestions?
"Mark-Allen Perry" wrote:
- Posted by Dave on December 1st, 2004
Tried that too - still no luck. Not sure if this gives any additional info,
but this system was an in-place upgrade from Windows 2000 Server, and I do
remember seeing it then. Ever since the upgrade, I haven't seen any Domain
Controller Security Policy options. There has to be a way to get around it
:-\
"Mark-Allen Perry" wrote:
- Posted by Mark-Allen Perry on December 1st, 2004
It looks like a long search through the KB and/or Google:
In KB, do a search using "missing DC gpo". There were a couple of docs.
One thing you might try is installing the Admin tools from the CD and see if they'll install. They have at least some that will help sometime. And the names for the Domain Controller and Domain MSC are: DCPOL.msc, and DOMPOL.msc. They are in the \386 folder on the CD. Copy them over to the server and run EXPAND on them. Maybe this will work.
I'll keep thinking about it though. And maybe someone else can add something.
--
Always try the MS KB first before posting.
MS KB: http://support.microsoft.com/default...;EN-US;KBHOWTO
And the answer could have already been posted, so try searching this and other newsgroups first.
----
Mark-Allen Perry
ALPHA Systems
Marly, Switzerland
mark-allen_AT_mvps_DOT_org
"Dave" <Dave@discussions.microsoft.com> wrote in message news:07901129-E707-4BEE-8109-6BDE63A62392@microsoft.com...
Tried that too - still no luck. Not sure if this gives any additional info,
but this system was an in-place upgrade from Windows 2000 Server, and I do
remember seeing it then. Ever since the upgrade, I haven't seen any Domain
Controller Security Policy options. There has to be a way to get around it
:-\
"Mark-Allen Perry" wrote:
- Posted by Dave on December 1st, 2004
Thanks for your help, I'll be giving that a try tomorrow and will post any
additional info!
"Mark-Allen Perry" wrote:
- Posted by Duke Eidson on December 6th, 2004
Is it possible that you are logging on to the DC using the local
administrator account..the only account that exists on the local SAM database
of the DC. If that is the case you may not be logging in to the domain
itself, simply the local computer...which would explain why only the Local
Security Policy is appearing in the Admin Tools menu. Have you tried
accessing the Domain Controller GPO using a different user account? Hope
this helps. Duke
"Dave" wrote:
