[gptalk] Re: Disabling Computer Accounts

  • From: "Mathieu CHATEAU" <gollum123@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Sat, 27 Jan 2007 10:01:43 +0100

Hello,

This occurs because your computer is then not able to communicate with your DC 
to get the new GPO.

You have different ways to manage this:
- create an ipsec encryption to not encrypt to the ip of your dc
- when you want to stop ipsec after changing to the new OU, stop the ipsec 
service, issue a gpupdate, then it will refresh gpo and stop ipsec forever.

It depends if being able to communicate with your dc is an issue (if it's also 
a filer...)

If using DHCP, make an exception too or this station won't be able to get a 
dhcp address (I think)


Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
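
Added example (not part of Mathieu's message or of any other post in this thread): a Python check that reads gpresult text captured after an OU move and a gpupdate, and reports whether a GPO that should no longer apply is still listed for the computer. The report text and the GPO name "Quarantine IPsec" are constructed for illustration.

```python
import re

DASHES = re.compile(r"^-{3,}$")

# Constructed sample, modelled on the XP gpresult layout quoted in this thread.
SAMPLE = """
COMPUTER SETTINGS
------------------
    CN=PC01,OU=Workstations,DC=example,DC=com
    Last time Group Policy was applied: 27-01-2007 at 10:15:00

    Applied Group Policy Objects
    -----------------------------
        Quarantine IPsec
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Admin Group Policy
"""

def applied_gpos(report):
    """Return {'COMPUTER': [...], 'USER': [...]} with the applied GPO names."""
    # Blank lines are dropped first, so mail-mangled double spacing is harmless.
    lines = [ln.strip() for ln in report.splitlines() if ln.strip()]
    result = {"COMPUTER": [], "USER": []}
    scope, in_applied = None, False
    for i, line in enumerate(lines):
        if DASHES.match(line):
            continue
        # A heading is any line that is underlined by a row of dashes.
        if i + 1 < len(lines) and DASHES.match(lines[i + 1]):
            if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
                scope = line.split()[0]
            in_applied = line == "Applied Group Policy Objects"
        elif in_applied and scope and line != "N/A":  # "N/A" is treated as an empty list
            result[scope].append(line)
    return result

def lingering(report, should_be_gone):
    """Computer-scope GPOs still applied although they were expected to be removed."""
    gone = {name.casefold() for name in should_be_gone}
    return [g for g in applied_gpos(report)["COMPUTER"] if g.casefold() in gone]
```
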


  ----- Original Message ----- 
  From: Ray Lewis 
  To: gptalk@xxxxxxxxxxxxx 
  Sent: Saturday, January 27, 2007 9:53 AM
  Subject: [gptalk] Re: Disabling Computer Accounts


  It actually applied after some time and did the Job :)

   

  However, when I moved the machine back into an OU which didn't have the 
policy assigned, the client simply didn't revoke back. In the end, I had to 
remove the PC from the domain back to a workgroup and then back to the domain. 
I may be outta my depth using this method.

   

  Thanks for all your help guys

   

  Ray

   


------------------------------------------------------------------------------

  From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Alan & Margaret
  Sent: 26 January 2007 22:32
  To: gptalk@xxxxxxxxxxxxx
  Subject: [gptalk] Re: Disabling Computer Accounts

   

  Ray,

   

  The GPResult report shows that there are no policies being applied to the 
Machine. 

   

  What is the Policy name and is it applied to the test\Computers OU?

   

  Alan Cuthbertson

   

   

   Policy Management Software:-

  http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

   

  ADM Template Editor:-

  http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

   

  Policy Log Reporter(Free)

  http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

   

   

   

  -----Original Message-----
  From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ray Lewis
  Sent: Saturday, 27 January 2007 9:00 AM
  To: gptalk@xxxxxxxxxxxxx
  Subject: [gptalk] Re: Disabling Computer Accounts

   

  Mathieu, please see below..

   

  Thanks again for your help on this...

   

   

  Microsoft Windows XP [Version 5.1.2600]
  (C) Copyright 1985-2001 Microsoft Corp.

  U:\>gpupdate
  Refreshing Policy...

  User Policy Refresh has completed.
  Computer Policy Refresh has completed.


  U:\>gpresult

  Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
  Copyright (C) Microsoft Corp. 1981-2001

  Created On 26-01-2007 at 21:57:09


  RSOP results for HOMEDOMAIN\razor on MASTER : Logging Mode
  -----------------------------------------------------------

  OS Type:                     Microsoft Windows XP Professional
  OS Configuration:            Member Workstation
  OS Version:                  5.1.2600
  Domain Name:                 HOMEDOMAIN
  Domain Type:                 Windows 2000
  Site Name:                   Default-First-Site-Name
  Roaming Profile:
  Local Profile:               C:\Documents and Settings\razor
  Connected over a slow link?: No


  COMPUTER SETTINGS
  ------------------
      CN=MASTER,OU=Computers,OU=Test,DC=HomeDomain,DC=com
      Last time Group Policy was applied: 26-01-2007 at 21:56:45
      Group Policy was applied from:      DC-FileServer.HomeDomain.com
      Group Policy slow link threshold:   500 kbps

      Applied Group Policy Objects
      -----------------------------
          Computer Policy

      The following GPOs were not applied because they were filtered out
      -------------------------------------------------------------------
          Local Group Policy
              Filtering:  Not Applied (Empty)

      The computer is a part of the following security groups:
      --------------------------------------------------------
          BUILTIN\Administrators
          Everyone
          BUILTIN\Users
          NT AUTHORITY\NETWORK
          NT AUTHORITY\Authenticated Users
          MASTER$
          Domain Computers


  USER SETTINGS
  --------------
      CN=Razor,OU=Admin Users,DC=HomeDomain,DC=com
      Last time Group Policy was applied: 26-01-2007 at 21:56:45
      Group Policy was applied from:      DC-FileServer.HomeDomain.com
      Group Policy slow link threshold:   500 kbps

      Applied Group Policy Objects
      -----------------------------
          Admin Group Policy
          Local Group Policy

      The user is a part of the following security groups:
      ----------------------------------------------------
          Domain Users
          Everyone
          BUILTIN\Users
          BUILTIN\Administrators
          NT AUTHORITY\INTERACTIVE
          NT AUTHORITY\Authenticated Users
          LOCAL
          Group Policy Creator Owners
          Domain Admins
          Schema Admins
          Enterprise Admins

  U:\>

   

  -----Original Message-----

  From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On

  Behalf Of Mathieu CHATEAU

  Sent: 26 January 2007 21:47

  To: gptalk@xxxxxxxxxxxxx

  Subject: [gptalk] Re: Disabling Computer Accounts

   

  so this station can still communicate with others that are not using ipsec ?

   

  can you send me the gpresult from gpmc ?

   

  ipsec can clearly prevent this unencrypted communication from my 

  understanding

   

  Regards,

  Mathieu CHATEAU

  http://lordoftheping.blogspot.com

   

   

  ----- Original Message ----- 

  From: "Ray Lewis" <razor@xxxxxxxxxxxxxxxxxxxxxxxx>

  To: <gptalk@xxxxxxxxxxxxx>

  Sent: Friday, January 26, 2007 10:44 PM

  Subject: [gptalk] Re: Disabling Computer Accounts

   

   

  > Hello

  > 

  > Yes to both

  > 

  > Cheers

  > 

  > Ray

  > 

  > -----Original Message-----

  > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On

  > Behalf Of Mathieu CHATEAU

  > Sent: 26 January 2007 21:35

  > To: gptalk@xxxxxxxxxxxxx

  > Subject: [gptalk] Re: Disabling Computer Accounts

  > 

  > did you replicate between AD and issue a gpupdate on the station ?

  > is the windows ipsec service started ?

  > 

  > 

  > Regards,

  > Mathieu CHATEAU

  > http://lordoftheping.blogspot.com

  > 

  > 

  > ----- Original Message ----- 

  > From: "Ray Lewis" <razor@xxxxxxxxxxxxxxxxxxxxxxxx>

  > To: <gptalk@xxxxxxxxxxxxx>

  > Sent: Friday, January 26, 2007 10:35 PM

  > Subject: [gptalk] Re: Disabling Computer Accounts

  > 

  > 

  >> Thanks Guys..

  >> 

  >> Mathieu, I tried this but unfortunately, it had no effect.

  >> 

  >> I can't think where I'm going wrong

  >> 

  >> -----Original Message-----

  >> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On

  >> Behalf Of Mathieu CHATEAU

  >> Sent: 26 January 2007 18:36

  >> To: gptalk@xxxxxxxxxxxxx

  >> Subject: [gptalk] Re: Disabling Computer Accounts

  >> 

  >> just to be clear,

  >> you will find an example of the GPO to make as screenshot.

  >> 

  >> The goal is to allow only encrypted traffic and nothing else.

  >> 

  >> 

  >> Regards,

  >> Mathieu CHATEAU

  >> http://lordoftheping.blogspot.com

  >> 

  >> 

  >> ----- Original Message ----- 

  >> From: <neil@xxxxxxxxxxxxxxxx>

  >> To: <gptalk@xxxxxxxxxxxxx>

  >> Sent: Thursday, January 25, 2007 5:03 PM

  >> Subject: [gptalk] Disabling Computer Accounts

  >> 

  >> 

  >>> Hi all,

  >>> 

  >>> Does anyone have any ideas on how best to achieve the following.

  >>> 

  >>> I need to make a computer that is initially built into the domain -

  >>> virtually unusable until it is placed in the correct OU.

  >>> 

  >>> I had thought of applying a very restrictive GPO to the default 

  >>> computers

  >>> OU which made it unusable but not quite sure which settings to apply and

  >>> if there are any issues with doing this.

  >>> 

  >>> It is basically to stop people bypassing build procedures and policies

  >>> and

  >>> not putting the computer into the correct OU.

  >>> 

  >>> Thanks for any thoughts :)

  >>> 

  >>> Neil

  >>> ***********************

  >>> You can unsubscribe from gptalk by sending email to

  >>> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR

  >>> by

  >> 

  >>> logging into the freelists.org Web interface. Archives for the list are

  >>> available at http://www.freelists.org/archives/gptalk/

  >>> ************************

  >>> 

  >> 
