[Part 3] Creating a domain: Windows Server 2003 Group Policy
[Part 3] Creating a domain: Windows Server 2003 Group Policy - Mark - 29-12-2010

This is step three in Setting up and configuring Windows Server 2003. For this series of tutorials we are using Windows Server 2003 R2, Enterprise edition x86.

Part one: http://mcompute.co.uk/showthread.php?tid=689
Part two: http://mcompute.co.uk/showthread.php?tid=700

In step three we are

Background knowledge and understanding

Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment. In other words, Group Policy in part controls what users can and can't do on a computer system.

Although Group Policy is more often seen in use for enterprise environments, it is also common in schools, smaller businesses and other kinds of smaller organizations. Group Policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager, restrict access to certain folders, disable the downloading of executable files and so on.

Further reading: http://en.wikipedia.org/wiki/Group_Policy

Steps

We're going to be creating a new group policy for a given group which we're then going to lock down.

1) Start > All Programs > Administrative tools > Active Directory Users and Computers

2) Right click the Organizational unit that you created then click Properties. Under the Group Policy tab, click New.

3) To edit, enable or disable group policy objects, click the Edit button and it'll bring up a new window. This is where the magic happens; become familiar with your new home.

4) For now, I'm going to make a list and explain the initial changes that I have made regarding my group policy. I'm not going to print screen every single one because once you've done one, you can do as many as you want - it's the same process.

Note: You can click on the "Explain" tab for detailed information on what you're doing.

Enable the following settings

1) User Configuration > Administrative Templates > Windows Components > Windows Explorer
   a) Remove Map Network Drive and Disconnect Network Drive
      Prevents users from using Windows Explorer or My Network Places to map or disconnect network drives.
   b) Hide these specified drives in My Computer (I enabled for C only)
      Removes the icons representing selected hard drives from My Computer and Windows Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box.
   c) Prevent access to drives from My Computer
      If you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.

2) User Configuration > Administrative Templates > Windows Components > Internet Explorer
   a) Disable changing home page settings
      Prevents users from changing the home page of the browser. The home page is the first page that appears when users start the browser.

3) User Configuration > Administrative Templates > Start Menu and Taskbar
   a) Remove Search menu from Start Menu
      Removes the Search item from the Start menu, and disables some Windows Explorer search elements.
   b) Remove Help menu from Start Menu
      Removes the Help command from the Start menu.
   c) Remove Run menu from Start Menu
      Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager.
   d) Lock the Taskbar
      If you enable this setting, it prevents the user from moving or resizing the taskbar.

4) User Configuration > Administrative Templates > Control Panel
   a) Prohibit access to the Control Panel
      This setting prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items.

5) User Configuration > Administrative Templates > Control Panel > Display
   a) Prevent changing wallpaper
      Prevents users from adding or changing the background design of the desktop.

6) User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options
   a) Remove Task Manager
      Prevents users from starting Task Manager (Taskmgr.exe)

7) User Configuration > Administrative Templates > Control Panel > Desktop
   a) Prohibit user from changing My Documents path
      Prevents users from changing the path to the My Documents folder.

8) User Configuration > Administrative Templates > Control Panel > System
   a) Prevent access to the command prompt
      Disable the command prompt script processing also? No
      Prevents users from running the interactive command prompt, Cmd.exe. This setting also determines whether batch files (.cmd and .bat) can run on the computer.
   b) Prevent access to the registry editing tools
      Disable regedit from running silently? Yes
      Disables the Windows registry editor Regedit.exe.

Restart your client computer, and log back in. Good luck doing anything!

Part 1 of the tutorial: http://mcompute.co.uk/showthread.php?tid=689
Part 2 of the tutorial: http://mcompute.co.uk/showthread.php?tid=700

RE: [Part 3] Creating a domain: Windows Server 2003 Group Policy - tx78109 - 29-04-2011

Here is what I am confronted with:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "DAVILA-NELSON.LOCAL":

The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.DAVILA-NELSON.LOCAL

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals.
This computer is configured to use DNS servers with the following IP addresses:

10.40.1.1
192.168.1.1
209.18.47.62
209.18.47.61

- One or more of the following zones do not include delegation to its child zone:

DAVILA-NELSON.LOCAL
LOCAL
. (the root zone)

Can you help me with this? Thanks

RE: [Part 3] Creating a domain: Windows Server 2003 Group Policy - Drumm - 29-04-2011

Have you got the DNS on your client PC pointing to the Server? I had that problem.. kinda.

RE: [Part 3] Creating a domain: Windows Server 2003 Group Policy - tx78109 - 30-04-2011

Can you walk me through it? Thanks

RE: [Part 3] Creating a domain: Windows Server 2003 Group Policy - Drumm - 30-04-2011

http://www.mediacollege.com/computer/network/dns.html

RE: [Part 3] Creating a domain: Windows Server 2003 Group Policy - Mark - 01-05-2011

I saw your post yesterday, but a bit of research was in hand before replying.

Quote: A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number.

Then your issue.

Quote: The DNS SRV records required to locate a AD DC for the domain are not registered in DNS.

What's your setup, have you got more than one DC on the network?

Quote: These records are registered with a DNS server automatically when a AD DC is added to a domain.

Also, why have you set it to use so many different DNS servers?

Quote: This computer is configured to use DNS servers with the following IP addresses:

When is the error message being displayed? What do you do in order to make it appear? I'd say it's a problem with your server, not client(s).
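
Added example, not part of the original thread and not any poster's code: a PowerShell check for the settings list in the first post, run in the test user's session on the client after logon, that reads the HKCU policy values behind each setting and reports which ones applied. The registry value names are those written by the stock Administrative Templates and are an assumption to confirm on your build; PowerShell 2.0 is also an assumption, since it is a separate install on Windows XP and Server 2003.

```powershell
# Added example. Value names are those written by the stock Administrative
# Templates (an assumption to confirm on your build), not taken from the thread.
$cv   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$soft = 'HKCU:\Software\Policies\Microsoft'
$checks = @(
    @{ Setting = 'Remove Map/Disconnect Network Drive';  Key = "$cv\Explorer";      Name = 'NoNetConnectDisconnect' },
    @{ Setting = 'Hide specified drives (C only = 4)';   Key = "$cv\Explorer";      Name = 'NoDrives' },
    @{ Setting = 'Prevent access to drives';             Key = "$cv\Explorer";      Name = 'NoViewOnDrive' },
    @{ Setting = 'Disable changing home page';           Key = "$soft\Internet Explorer\Control Panel"; Name = 'HomePage' },
    @{ Setting = 'Remove Search menu';                   Key = "$cv\Explorer";      Name = 'NoFind' },
    @{ Setting = 'Remove Help menu';                     Key = "$cv\Explorer";      Name = 'NoSMHelp' },
    @{ Setting = 'Remove Run menu';                      Key = "$cv\Explorer";      Name = 'NoRun' },
    @{ Setting = 'Lock the Taskbar';                     Key = "$cv\Explorer";      Name = 'LockTaskbar' },
    @{ Setting = 'Prohibit access to the Control Panel'; Key = "$cv\Explorer";      Name = 'NoControlPanel' },
    @{ Setting = 'Prevent changing wallpaper';           Key = "$cv\ActiveDesktop"; Name = 'NoChangingWallPaper' },
    @{ Setting = 'Remove Task Manager';                  Key = "$cv\System";        Name = 'DisableTaskMgr' },
    @{ Setting = 'Prohibit changing My Documents path';  Key = "$cv\Explorer";      Name = 'DisablePersonalDirChange' },
    @{ Setting = 'Prevent access to the command prompt'; Key = "$soft\Windows\System"; Name = 'DisableCMD' },
    @{ Setting = 'Prevent access to registry tools';     Key = "$cv\System";        Name = 'DisableRegistryTools' }
)

$report = foreach ($c in $checks) {
    # A missing key or value means the policy never reached this user.
    $value = $null
    $item  = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item) { $value = $item.($c.Name) }
    New-Object PSObject -Property @{
        Setting = $c.Setting
        Value   = $value
        Applied = ($null -ne $value -and $value -ne 0)
    }
}

$report | Select-Object Setting, Value, Applied | Format-Table -AutoSize

# Summarise anything that did not land so it can be chased up on the server side.
$missing = @($report | Where-Object { -not $_.Applied })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} setting(s) not applied; run 'gpresult' to see which GPOs reached this user." -f $missing.Count)
}
```

A row with Applied = False usually means the user account is not in the organizational unit the policy is linked to, or the client has not refreshed policy since the change.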