[gptalk] Re: Windows Server 2003 R2 SP2 GPO Access denied (security filtering)

  • From: "prankmonkey" <prankmonkey@xxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 12 Mar 2008 20:23:13 +1100

Is tan1 a user or a computer? Sounds like it's a user object in which case
your policy will not apply as although you initially linked it to the Domain
Controllers container, you changed the security to the group with the user
in it. Either put in a DC name in the security group (if you only want
policy to apply to that particular DC) or put back authenticated users.


-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of tan hs
Sent: Wednesday, 12 March 2008 7:25 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Windows Server 2003 R2 SP2 GPO Access denied (security
filtering)

Hi,

I am new to GP on the above mentioned.  I setup a new server which is
the only server as domain controller.
Then, I have created a global security group "grp_limited" and assiged
a member 'tan1' to the group.
The "grp_limited" is a member of "Remote Desktop Users".  Everything
went fine, and I am able to connect into the
server using its own RDC.  My first task is to try to disable all
drive redirection from this server.

I am running the GPMC and created a new policy under "Group Policy
Objects" name "MRS L".
I created a link in under the "Domain Controllers" and enabled the
"MRS L".  In the "MRS L" scope, under the
"Security Filtering" panel a "Authenticated Users" group was
automatically assigned to it.

In the "MRS L" policy, I only have a setting.  Computer
Configuration->Admin Templates->Windows Components->
Terminal Services->Client/Server data redirection->Do no allow drive
redirection "Enabled".

Then, I run the wizard on tan1 in GP Result, all the policy were
applied correctly.

Later, I removed the "Authenticated Users" from the "MRS L" policy and
replaced with "grp_limited" and do
multiple times of "gpupdate /force" and reboot the server.  I rerun
the wizard earlier and recreate new wizard,
this "MRS L" policy just stuck in the Denied GPOs in the result with
reasons "Access Denied (security filtering)".

I tried with some tool like GPExpert but I still can't figure out what
goes wrong.  I even tried to set the Delegation to the
'tan1' and 'grp_limtied' with Full Control permission also doesn't help.

Can some experts help me on this?  bare in mind, I do all these in the
same machine.


Thank you.
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: