• 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Part 3] Creating a domain: Windows Server 2003 Group Policy
#1
[Part 3] Creating a domain: Windows Server 2003 Group Policy

This is step three in Setting up and configuring Windows Server 2003. For these series of tutorials we are using Windows Server 2003 R2, Enterprise edition x86.

Part one: http://mcompute.co.uk/showthread.php?tid=689
Part two: http://mcompute.co.uk/showthread.php?tid=700

In step three we are
  • Creating a new Group Policy for our Managers group
  • Enabling several group policy objects


Background knowledge and understanding

Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment. In other words, Group Policy in part controls what users can and can't do on a computer system. Although Group Policy is more often seen in use for enterprise environments, it is also common in schools, smaller businesses and other kinds of smaller organizations. Group Policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager, restrict access to certain folders, disable the downloading of executable files and so on.

Further reading: http://en.wikipedia.org/wiki/Group_Policy



Steps

We're going to be creating a new group policy for a given group which we're then going to lock down.

1) Start > All Programs > Administrative tools > Active Directory Users and Computers

[Image: 1.png]


2) Right click the Organizational unit that you created then click Properties.

[Image: 2.png]


Under the Group Policy tab, click New.

[Image: 3.png]


3) To edit, enabled or disabled group poilcy objects click the edit button and it'll bring up a new window.

This is where the magic happens, become familiar with your new home.

[Image: 4.png]


4) For now, i'm going to make a list and explain the initial changes that i have made regarding my group policy.

I'm not going to print screen every single one because once you've done one, you can do as many as you want - it's the same process.

Note: You can click on the "Explain" tab for detailed information on what you're doing.


Enable the following settings

1) User Configuration > Administrative Templates > Windows Components > Windows Explorer

a) Remove Map Network Drive and Disconnect Network Drive
Prevents users from using Windows Explorer or My Network Places to map or disconnect network drives.

b) Hide these specified drives in My Computer (I enabled for C only)
Removes the icons representing selected hard drives from My Computer and Windows Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box.


c) Prevent access to drives from My Computer
If you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.


2) User Configuration > Administrative Templates > Windows Components > Internet Explorer

a) Disable changing home page settings
Prevents users from changing the home page of the browser. The home page is the first page that appears when users start the browser.


3) User Configuration > Administrative Templates > Start Menu and Taskbar

a) Remove Search menu from Start Menu
Removes the Search item from the Start menu, and disables some Windows Explorer search elements.

b) Remove Help menu from Start Menu
Removes the Help command from the Start menu.

c) Remove Run menu from Start Menu
Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager.

d) Lock the Taskbar
If you enable this setting, it prevents the user from moving or resizing the taskbar.


4) User Configuration > Administrative Templates > Control Panel

a) Prohibit access to the Control Panel
This setting prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items.


5) User Configuration > Administrative Templates > Control Panel > Display

a) Prevent changing wallpaper
Prevents users from adding or changing the background design of the desktop.


6) User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options

a) Remove Task Manager
Prevents users from starting Task Manager (Taskmgr.exe)


7) User Configuration > Administrative Templates > Control Panel > Desktop

a) Prohibit user from changing My Documents path
Prevents users from changing the path to the My Documents folder.


8) User Configuration > Administrative Templates > Control Panel > System

a) Prevent access to the command prompt
Disable the command prompt script processing also? No
Prevents users from running the interactive command prompt, Cmd.exe. This setting also determines whether batch files (.cmd and .bat) can run on the computer.

b) Prevent access to the registry editing tools
Disable regedit from running silently? Yes
Disables the Windows registry editor Regedit.exe.


Restart your client computer, and log back in. Good luck doing anything!

[Image: 5.png]


Part 1 of the tutorial: http://mcompute.co.uk/showthread.php?tid=689
Part 2 of the tutorial: http://mcompute.co.uk/showthread.php?tid=700
  Reply
#2
Here is what I am confronted with: The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "DAVILA-NELSON.LOCAL":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.DAVILA-NELSON.LOCAL

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

10.40.1.1
192.168.1.1
209.18.47.62
209.18.47.61

- One or more of the following zones do not include delegation to its child zone:

DAVILA-NELSON.LOCAL
LOCAL
. (the root zone)
Can you help me with this. Thanks
  Reply
#3
Have you got the DNS on your client PC pointing to the Server? I had that problem.. kinda.
[Image: nomnomnom.jpg]
;7$=v?%v%#5>v7v8994
The decrypt code is V, I could not make it any simpler!
  Reply
#4
Can you walk me through it.

Thanks
  Reply
#5
http://www.mediacollege.com/computer/network/dns.html
[Image: nomnomnom.jpg]
;7$=v?%v%#5>v7v8994
The decrypt code is V, I could not make it any simpler!
  Reply
#6

I saw your post yesterday, but a bit of research was in hand before replying.

Quote:A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number.
In Microsoft Windows 2000 clients use SRV records to find the domain controller for a given service.

Then your issue.
Quote:The DNS SRV records required to locate a AD DC for the domain are not registered in DNS.

What's your setup, have you got more than one DC on the network?
Quote:These records are registered with a DNS server automatically when a AD DC is added to a domain.


Also, why have you set it to use so many different DNS servers?
Quote:This computer is configured to use DNS servers with the following IP addresses:

10.40.1.1
192.168.1.1
209.18.47.62
209.18.47.61

When is the error messaging being displayed? What do you do in order to make it appear? I'd say it's a problem with your server, not client(s).
  Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [Part 1] Creating a domain: Installing and setting up Windows Server 2003 Mark 4 19,381 20-04-2011, 10:57 PM
Last Post: Mark
  [Part 2] [Windows Server 2003] Creating a domain: Users and groups Mark 0 24,111 29-12-2010, 01:16 PM
Last Post: Mark

Forum Jump: