- Aug 24, 2001
Post - GPOs Newbie
So I just started with Group Policy. I've enabled a company-wide policy, which I applied to the Default Domain Policy GPO.
It's pretty basic stuff, a company wallpaper, company screensaver, some IE and Start Menu configurations, Windows Update interval and options, etc.
The screensaver and wallpaper settings were a bit tricky. I used a batch file at logon to copy the .scr from the server into the System32 directory, otherwise it wouldn't work with the UNC path. For the wallpaper, I didn't want to use Active Desktop, so instead I used a batch file to import a reg key into the Registry key HKEY_CURRENT_USER\Control Panel\Desktop and set the wallpaper bitmap.
Users cannot change the wallpaper or the screensaver.
However, I've noticed that even if I log in as an administrator, I can't either. I'm also locked from making changes. So my question is, how can I exclude domain admins from the Default Domain Policy? Or am I doing something wrong to begin with?
Another inquiry is this. I have a few problem users who spent too much time on Windows Live Messenger and some other crap I don't like. Some of them need to be local admin because of some idiotic business applications we have to run, which won't run otherwise. So I was planning on creating a user group in AD called Problem Users. I would add those users (just 8 or 10) to that group. Then, I'd create a GPO for that user group alone, and apply all the restrictions there. I believe that will keep the domain admins out, right? Even if the user is a local admin, the GPO should override their privileges, am I correct?
I've been reading a lot about Group Policy lately, but I appreciate all the help I can get.
Thanks!