Group Policy Problem...

TechJunky Member Posts: 881
Ok, so I am pulling a long shift and I am very tired... But I am still pretty sure my GPO is set up correctly.

I created a Group called Regular Users, and I then added a policy to make sure these users cannot edit the advanced properties of their LAN connection or change it.

I am logging in with a user that I know is part of the Regular users policy and I am still able to view the advanced properties config on the LAN.

Any ideas?

Here is a screenshot of my gpresult, and I am using gpmc.msc to create the GPO. It is linked to my domain and it is enabled.


Oh, the Group Policy is called TCP/IP btw.

Thanks!

Comments

  • szkizzer Member Posts: 44
    Try pasting the screenshot again. Can't really see what's going on here.
    "Never stand begging for something u have the power to earn."
  • sprkymrk Member Posts: 4,884
    Since we can't see the screenshot/link, I'll just make a guess.

    You're not applying the GPO to an OU that contains only the Group, are you? GPOs only apply to User Objects or Computer Objects. So just making a user a member of the group (assuming you meant a security group) and then putting that group into an OU won't work.
    All things are possible, only believe.
  • theseman Member Posts: 230
    Like sprkymrk said above, Group Policies do not apply to security (or any) groups. I see this time and time again, as the name Group Policies is somewhat misleading.
  • TechJunky Member Posts: 881
    Here is the screenshot of the group policy editor.

    I just woke up. Sorry, it was a long night.

    ou.jpg
  • sprkymrk Member Posts: 4,884
    Okay, so you linked the GPO to the domain, and then used the DACL to only have it apply to the Regular Users security group. So far so good. Can you tell us/verify the permissions to make sure "Apply Group Policy" is allowed? Then run gpresult.exe on one of the computers while logged in as a Regular User member.
  • TechJunky Member Posts: 881
    Ok, here is the gpresult. Sorry for not posting it initially... TIRED.

    gpresult.jpg


    Oh, btw. The TCP/IP policy seems to work, however if you are a local admin of the machine then this rule doesn't apply. Any way to apply this even if the user has local admin rights?

    The user is part of the Regular Users Group as well.

    Thanks again.
  • sprkymrk Member Posts: 4,884
    It sounds like you have enabled the setting "Prohibit access to properties of a LAN connection", so you also need to configure the "Enable Network Connections settings for Administrators" by setting it to "Disabled", otherwise admins will still be able to configure network settings.
  • TechJunky Member Posts: 881
    I have one really similar to that one...

    Enable Network Connections settings for Windows 2000 Administrators. I already went ahead and disabled it.
  • blargoe Self-Described Huguenot NC, USA Member Posts: 4,174
    That second setting that sprkymrk mentioned seems like it should be set to disabled just from reading the name of the policy, but after reading the description of the original policy that techjunky asked about, the second one, "Enable Network Connections settings for Administrators", should be set to ENABLED.
    Prohibit TCP/IP advanced configuration

    Determines whether users can configure advanced TCP/IP settings.

    If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information.

    Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.

    If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box.

    Note: This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration.

    Note: Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting.

    Tip: To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button.

    Note: Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off.

    I guess by "Enable Network Connections Settings", it meant enabling the settings that you are pushing out, and not enabling access to the settings on the computer.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • blargoe Self-Described Huguenot NC, USA Member Posts: 4,174
    Which version of SBS are you running?
  • TechJunky Member Posts: 881
    blargoe: Thanks for the reply. I went back and read the explanation and it definitely needs to be set to enabled. After running gpupdate /force this fixed my problem.

    Thanks.
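
The checks suggested in this thread (GPO status, security filtering for the group, link state, and the state of the Network Connections settings), as an added PowerShell example that is not part of any post. It assumes a management host where the GroupPolicy module (installed with GPMC/RSAT) is available; the GPO and group names are the ones given in the thread.

```powershell
# Added example: run on a management host that has the GroupPolicy module.
Import-Module GroupPolicy

$GpoName   = 'TCP/IP'          # GPO name given in the thread
$GroupName = 'Regular Users'   # security group given in the thread

# 1. The user half of the GPO must not be switched off.
$gpo = Get-GPO -Name $GpoName
"GPO status : $($gpo.GpoStatus)"   # UserSettingsDisabled / AllSettingsDisabled would block it

# 2. Security filtering: the group needs GpoApply (Read + Apply Group Policy).
$acl  = Get-GPPermission -Name $GpoName -All
$mine = $acl | Where-Object { $_.Trustee.Name -eq $GroupName }
if (-not $mine) {
    Write-Warning "'$GroupName' has no permission entry on '$GpoName'"
} elseif ($mine.Permission -ne 'GpoApply') {
    Write-Warning "'$GroupName' has $($mine.Permission), not GpoApply"
}

# Every trustee that receives the GPO (shows a leftover Authenticated Users entry).
$acl | Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 3. Links and setting states, read from the GPO's XML report.
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$report.SelectNodes("//*[local-name()='LinksTo']") | ForEach-Object {
    "Linked to  : $($_.SOMPath) (Enabled=$($_.Enabled))"
}

# Policy names below are the ones quoted in the thread.
$wanted = 'Network Connections settings for',
          'Prohibit access to properties of a LAN connection',
          'Prohibit TCP/IP advanced configuration'
$report.SelectNodes("//*[local-name()='Policy']") | ForEach-Object {
    $name  = $_.SelectSingleNode("*[local-name()='Name']").InnerText
    $state = $_.SelectSingleNode("*[local-name()='State']").InnerText
    if ($wanted | Where-Object { $name -like "*$_*" }) {
        '{0,-9}: {1}' -f $state, $name
    }
}

# 4. On the client, logged on as a member of the group, refresh and confirm:
#      gpupdate /force
#      gpresult /scope user /v
```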