Group/User Policies under Win2000Pro & Server

b4u

Golden Member
Nov 8, 2002
1,380
2
81
I'm having some trouble configuring a specific policy on a domain.

I have the following config:
1 Windows 2000 Server SP4: Active Directory, DNS, DHCP configured. Named PC00
3 Windows 2000 Pro SP4; Named PC01, PC02, PC03.

Domain is called CONT (www.cont.com on domain creation). I created the users (let's say USER01, USER02, ...) on the Active Directory User Control, belonging to Domain\Users group.

So, all users connect to any computer, logging to the CONT domain with no problems (I even have logon scripts for them, no problem here).

The problem I have is related to permitions. I would like the users to have basic permitions (users group), with one exception: "Change the system time".

Before coming to this forum, I took a couple of hours with the system, so I easily found the "Local Security Policy -> Local Policies -> User Rights Assignment" on PC01, so changed the attribute (is had Administrators and Power Users), and I've added the Users group.

I even restarted, but couldn't change it (I logged on with one user belonging to the users group). When I checked the setting, I had 2 checkboxes on the users group: Local Policy Setting (enabled) and Effective Policy Setting (disabled).

In that window, I can read the following message: "If domain-level policy settings are defined, they override local policy settings". I thought "But of course! Let's check the Server!".

On the server (I cannot access it right now, so I'll try to remember the settings), I have another option (besides the Local Policy Settings), that is "Domain Policy Settings". When opened, the window showed to be quite similar, so I went through the tree, and found the "Change the system Time" option. Changing this setting, I've noticed that it has no checkbox kind of config, but I could add the groups to it, so I added Domain\Users, Domain\Administrators, Users (all this 3, just to be sure, but I thought it would work just with the first one. I would remove the others latter).

The thing is, it didn't work, and I made restarts to server and workstations just to be sure. Still the "Effective Policy Setting" on the workstations was disabled, and still cannot change date/time due to permitions, no matter what.

Changing the workstation setting again, on the "Change the system Time", and when entering the user/group to assign the setting, I noticed that I had a combo to select the domain. it was PC01 selected (local machine), so I changed to cont.com domain, and there it was ... Domain\Users ready to be added :) ... selecting the options, and clicking add, a window poped up for a user/password on the domain level. I entered the Administrator/password of the domain, and after that, it gave me an error that it could not access the domain, and the combo for domain selection changed to disabled with PC01 (local) selected ...

I'm getting a little confused here ... I have Local Policies, Domain Local Policies, and if I open the Microsoft Console (Start->Run->mmc) and add the Group Policies, I have again a new (?) set of options not available on the others ... :(


What am I making wrong? I'm no system expert, so I need some advice from anyone ... I'm googling for this problem right now, but I would apreciate any guidance, I really need to let users change the date/time from system.

Thank You.
 

mikecel79

Platinum Member
Jan 15, 2002
2,858
1
81
What you need is a to read about Group Policy's in Win2k and how to apply them to your workstations. From what you describe it looks as if you are changing the policy that applies to your domain controllers. There's not better primer on GPs than this one.