[gptalk] Re: Group Policy sticks after domain migration
- From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 19 Nov 2008 10:34:28 +1100
Hi,
If I understand you correctly, what is happening is that the Local Admins
are being locked out, even though neither policy is being applied...
I am not sure what Darren means by "because the new domain knows nothing
about them (and thus doesn't know to remove them)". I thought the only
information about old policies was held in the NTUSER.POL file, so provided
that moved across, old policies (or at least the non tattooed parts of it)
would be removed.
The problem could be that the Default User directory was built by copying
over the NTUser.dat from a user that had the policy applied, but the
NTUSER.pol was not copied. This means that the registry has the non tattooed
entries, but Group Policy doesn't know how to remove them.
Also, wouldn't it be easier to just have one policy, and put ADMINS in the
DENY list?
Alan Cuthbertson
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Wednesday, 19 November 2008 9:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy sticks after domain migration
In addition, in general when you move machines between domains, policies get
stuck from the old domain because the new domain knows nothing about them
(and thus doesn't know to remove them). So, I do recommend that before you
move machines between domains, you move them to a "staging" OU that has no
GPOs applied to it. Let the machines process the lack of policy and then
move into a new domain. Also, you can use my freeware Clean Registry Policy
(www.sdmsoftware.com/freeware) which is designed to clean up registry policy
from computers moved from domains.
Darren
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jake (sanfranjake)
Sent: Tuesday, November 18, 2008 2:23 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy sticks after domain migration
Your big mistake is using Authenticated Users.
At thee verty least with this strategy I'd use a separate security group
so you have at least a way to filter admins out. As admins are
authenticated users, you will keep running into this type of issues,
therefore I'd recommend a separate TSAPP-security group which filters
this policy.
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Kaiser, Charlie
Sent: Tuesday, November 18, 2008 10:41 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy sticks after domain migration
Hi all...
Scenario:
W2K3 native mode AD domain (domain1)
W2K Terminal server locked down with GPO (computer configuration,
administrative templates, Start Menu and taskbar (among many others))
that applies to auth users.
Second GPO that disables all those lockdowns that applies only to domain
admins and enterprise admins.
Works fine. Users get nothing except the app, domain admins get
everything.
Problem:
Domain migration project. Move all member servers to W2K3 native mode AD
domain (domain2).
Now GPOs from domain 1 are still applied. Server admins cannot get into
the box. Login and get locked down desktop. Domain admins in domain2 can
get in fine, but now local admins group needs access.
Gpresult doesn't show the settings being applied. No apparent way to
remove.
Any ideas?
I'm thinking move the box back to domain1, remove GPO and force, verify
access, and then move back to domain2... Any other ideas?
Thanks!
**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security
Systems Engineer
925 274 3183 desk
925 890 3517 cell
**********************
**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security
Systems Engineer
925 274 3183 desk
925 890 3517 cell
**********************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at //www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
Other related posts:
