[gptalk] Re: Disabling Computer Accounts
- From: "Mathieu CHATEAU" <gollum123@xxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Sat, 27 Jan 2007 10:01:43 +0100
hello,
this occurs because your computer is then not able to communicate with your DC
to get the new GPO.
You have different ways to manage this:
-create an ipsec encryption to not encrypt to the ip of your dc
-when you want to stop ipsec after changing to the new OU, stop the ipsec
service, issue a gpupdate, then it will refresh gpo and stop ipsec for ever.
It depends if being able to communicate with your dc is an issue (if it's also
a filer...)
If using DHCP, make an exception too or this station won't be able to get a
dhcp address (I think)
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
----- Original Message -----
From: Ray Lewis
To: gptalk@xxxxxxxxxxxxx
Sent: Saturday, January 27, 2007 9:53 AM
Subject: [gptalk] Re: Disabling Computer Accounts
It actually applied after some time and did the job :)
However, when I moved the machine back into an OU which didn't have the
policy assigned, the client simply didn't revoke back. In the end, I had to
remove the PC from the domain back to a workgroup and then back to the domain.
I may be outta my depth using this method.
Thanks for all your help guys
Ray
------------------------------------------------------------------------------
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: 26 January 2007 22:32
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disabling Computer Accounts
Ray,
The GPResult report shows that there are no policies being applied to the
Machine.
What is the Policy name and is it applied to the test\Computers OU?
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ray Lewis
Sent: Saturday, 27 January 2007 9:00 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disabling Computer Accounts
Mathieu, please see below..
Thanks again for your help on this...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
U:\>gpupdate
Refreshing Policy...
User Policy Refresh has completed.
Computer Policy Refresh has completed.
U:\>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 26-01-2007 at 21:57:09
RSOP results for HOMEDOMAIN\razor on MASTER : Logging Mode
-----------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HOMEDOMAIN
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\razor
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=MASTER,OU=Computers,OU=Test,DC=HomeDomain,DC=com
Last time Group Policy was applied: 26-01-2007 at 21:56:45
Group Policy was applied from: DC-FileServer.HomeDomain.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Computer Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
MASTER$
Domain Computers
USER SETTINGS
--------------
CN=Razor,OU=Admin Users,DC=HomeDomain,DC=com
Last time Group Policy was applied: 26-01-2007 at 21:56:45
Group Policy was applied from: DC-FileServer.HomeDomain.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Admin Group Policy
Local Group Policy
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Group Policy Creator Owners
Domain Admins
Schema Admins
Enterprise Admins
U:\>
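Reading a gpresult report for the check discussed in this thread (whether a given GPO appears in the computer's applied list), as an added example that is not part of the original messages. The sample report is constructed in the layout of the output above, and "Quarantine IPsec" is a hypothetical GPO name.

```python
import re
# Constructed sample in the layout of the XP gpresult output quoted above;
# "Quarantine IPsec" is a hypothetical GPO name, not one from the thread.
SAMPLE = """\
COMPUTER SETTINGS
------------------
CN=MASTER,OU=Computers,OU=Test,DC=HomeDomain,DC=com
Applied Group Policy Objects
-----------------------------
Quarantine IPsec
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
USER SETTINGS
--------------
Applied Group Policy Objects
-----------------------------
Admin Group Policy
Local Group Policy
"""

SCOPES = {"COMPUTER SETTINGS": "computer", "USER SETTINGS": "user"}
RULE = re.compile(r"-{3,}")

def parse_gpresult(text):
    """Return {scope: {heading: [lines]}}; a heading is a line underlined with dashes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    report, scope, heading = {}, None, None
    for i, line in enumerate(lines):
        if RULE.fullmatch(line):
            continue  # underline row, already used by the lookahead below
        underlined = i + 1 < len(lines) and RULE.fullmatch(lines[i + 1])
        if underlined and line in SCOPES:
            scope, heading = SCOPES[line], None
            report[scope] = {}
        elif underlined and scope:
            heading = line
            report[scope][heading] = []
        elif scope and heading:
            report[scope][heading].append(line)
    return report

def applied_gpos(text, scope):
    """GPO names under 'Applied Group Policy Objects' for 'computer' or 'user'."""
    found = parse_gpresult(text).get(scope, {}).get("Applied Group Policy Objects", [])
    return [g for g in found if g != "N/A"]  # gpresult prints N/A for an empty list
```

Running `applied_gpos` on the report before and after moving the machine to another OU shows whether the computer-side list actually changed, independent of what the user-side list contains.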
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mathieu CHATEAU
Sent: 26 January 2007 21:47
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disabling Computer Accounts
so this station can still communicate with others that are not using ipsec ?
can you send me the gpresult from gpmc ?
ipsec can clearly prevent this unencrypted communication from my
understanding
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
----- Original Message -----
From: "Ray Lewis" <razor@xxxxxxxxxxxxxxxxxxxxxxxx>
To: <gptalk@xxxxxxxxxxxxx>
Sent: Friday, January 26, 2007 10:44 PM
Subject: [gptalk] Re: Disabling Computer Accounts
> Hello
>
> Yes to both
>
> Cheers
>
> Ray
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Mathieu CHATEAU
> Sent: 26 January 2007 21:35
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Disabling Computer Accounts
>
> did you replicate between AD and issue a gpupdate on the station ?
> is the windows ipsec service started ?
>
>
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> ----- Original Message -----
> From: "Ray Lewis" <razor@xxxxxxxxxxxxxxxxxxxxxxxx>
> To: <gptalk@xxxxxxxxxxxxx>
> Sent: Friday, January 26, 2007 10:35 PM
> Subject: [gptalk] Re: Disabling Computer Accounts
>
>
>> Thanks Guys..
>>
>> Mathieu, I tried this but unfortunately, it had no effect.
>>
>> I can't think where I'm going wrong
>>
>> -----Original Message-----
>> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Mathieu CHATEAU
>> Sent: 26 January 2007 18:36
>> To: gptalk@xxxxxxxxxxxxx
>> Subject: [gptalk] Re: Disabling Computer Accounts
>>
>> just to be clear,
>> you will find an example of the GPO to make as screenshot.
>>
>> The goal is to allow only encrypted traffic and nothing else.
>>
>>
>> Regards,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>>
>> ----- Original Message -----
>> From: <neil@xxxxxxxxxxxxxxxx>
>> To: <gptalk@xxxxxxxxxxxxx>
>> Sent: Thursday, January 25, 2007 5:03 PM
>> Subject: [gptalk] Disabling Computer Accounts
>>
>>
>>> Hi all,
>>>
>>> Does anyone have any ideas on how best to achieve the following.
>>>
>>> I need to make a computer that is initially built into the domain -
>>> virtually unusable until it is placed in the correct OU.
>>>
>>> I had thought of applying a very restrictive GPO to the default computers
>>> OU which made it unusable but not quite sure which settings to apply and
>>> if there are any issues with doing this.
>>>
>>> It is basically to stop people bypassing build procedures and policies and
>>> not putting the computer into the correct OU.
>>>
>>> Thanks for any thoughts :)
>>>
>>> Neil
>>> ***********************
>>> You can unsubscribe from gptalk by sending email to
>>> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
>>> logging into the freelists.org Web interface. Archives for the list are
>>> available at http://www.freelists.org/archives/gptalk/
>>> ************************
>>>