Friday, September 29, 2017

Can't logon because the logon method you are using is not allowed on this computer?

Can't log on because "the logon method you are using is not allowed on this computer"?
(This how-to is for people taking their first steps in Windows domain configuration.)


  1. This is a result of group policies.
     When working with a domain, you need to edit the group policy, not the local policy (running the editor [gpedit.msc] won't help, because all the helpful bits will be greyed out).
     Hence, do not start the policy editor directly; start the Group Policy Management console (gpmc.msc) instead.
  2. How to edit group policies?
     Once the Group Policy Management screen is open, go into the relevant forest, into Domain Controllers, to the "Default Domain Controllers Policy".
     There, choose the "Settings" tab.
     There, right-click Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
     and choose Edit (if your Edit is greyed out, go to item 3 in this post).
     Lo and behold, the Group Policy Management Editor (similar to the one you know from a non-domain Windows) will open, but with editing working properly.
     Now go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
     (make sure you are editing the right place).
     There you need to edit two items:
     a) Allow log on locally - make sure everything relevant is included (but don't be too generous. Remember, this is the domain controller!)
     b) Deny log on locally - make sure this one does not include the ones you wish to be able to log on locally.

     Now you need to wait. It takes about 15 minutes for changes to propagate and become active, even if we are talking about a single domain controller. If I learn how to initiate propagation, I'll update this post.
  3. Why can't my user edit group policies? (Why is my Edit greyed out?)
     If your admin user cannot edit policies, try Administrator. Assuming that account can, it is a matter of which groups are included in the delegation of the group policy management. Add the relevant group or the relevant user.
     Now you need to wait about 15 minutes for propagation.
  4. What to do if I get an Internet Explorer security message when I open Group Policy Management?
     When you first open Group Policy Management, you will get this message: "content within this application coming from the website listed below is being blocked by internet explorer enhanced security configuration".
     What to do? Add the site to the Trusted sites zone
     (logical, considering that this is our own local machine, no?).
     Two "Add" actions and one "Close" later, you will see the contents of the default domain policy.

Some shortcuts:

  • To run Group Policy Management, type gpmc.msc
  • To run Active Directory Users and Computers, type dsa.msc
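
To confirm what step 2 actually set once the policy has applied, the following added example (not from the original post) refreshes computer policy on the domain controller, exports the effective user rights with secedit, and lists who holds "Allow log on locally" (SeInteractiveLogonRight) and "Deny log on locally" (SeDenyInteractiveLogonRight). It assumes an elevated PowerShell session on the DC; the scratch file name and the Get-RightHolders helper are made up for this example.

```powershell
# Added example. Run in an elevated PowerShell session on the domain controller.
# Refresh computer policy now, then read back the user rights that are in effect.
gpupdate /target:computer /force | Out-Null

$cfg = Join-Path $env:TEMP 'user-rights.inf'     # scratch file, name is arbitrary
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE). Is the session elevated?" }

function Get-RightHolders {                      # hypothetical helper for this example
    param([string[]]$Lines, [string]$Right)
    # Exported lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-9
    $line = $Lines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }                   # right not defined: nobody is listed
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {            # entry stored as a SID
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = "$sid (unresolved)" }
            [pscustomobject]@{ Sid = $sid; Name = $name }
        } else {                                 # entry stored as an account name
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
}

$lines = Get-Content -Path $cfg
$allow = @(Get-RightHolders -Lines $lines -Right 'SeInteractiveLogonRight')      # Allow log on locally
$deny  = @(Get-RightHolders -Lines $lines -Right 'SeDenyInteractiveLogonRight')  # Deny log on locally
Remove-Item $cfg -ErrorAction SilentlyContinue

'Allow log on locally:'; $allow | ForEach-Object { "  $($_.Name)" }
'Deny log on locally:';  $deny  | ForEach-Object { "  $($_.Name)" }

# Deny takes precedence over allow, so a principal on both lists cannot log on locally.
$conflicts = @($allow | Where-Object { $deny.Name -contains $_.Name })
if ($conflicts.Count -gt 0) {
    Write-Warning "Listed in both (deny wins): $($conflicts.Name -join ', ')"
}
```

Only direct entries are compared; an account that belongs to a denied group is also denied even though it is not flagged here.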
