Need help restricting access to control panel for users through AD

[rlee]

I built a windows server 2003 domain called WCG w/ AD working correct (machines can join the domain with the user accounts I created). But this is driving me nuts, I'm trying to restrict control panel access and other things, so I want to get this working first. I can't for the life of me get restrictions to work. I d/led Group Policy Management. This is what I did:

Group Policy Management -> Forest: wcg -> Domains -> wcg -> Default Domain Policy. I right click that and clicked edit, GPO editor comes up and I go to User Config -> Admin Templates -> Control Panel -> Enabling "Prohibit access to the control panel".

I tried doing gpupdate /force on the server after that, but when I relog into the domain on aonther machine, the user still has access to the control panel, WHY?! I've been trying for hours, any ideas why? And the funny thing is, the Administrator account on that server, after I apply those restrictions, cannot access the control panel! Whats up with that? TIA

 

[dbwillis]

I would try to make the settings in a seperate GPO, I dont like to mess with the default domain policy in case I screw it up.
Poosibly create the GPO and apply it to your users container?
----> dont forget to run the GPUpdate on the workstation as well....depending on the time settings you have specified for GPO refreshing.

Maybe try the settings "Show only these control panel applets" will work better? (think thats the name of it)

I have several GPO's :>

"v1.0 Domain Policy"
"v1.0 Server Policy"
"v1.0 User Policy"
"v1.0 Computer Policy"
"v1.0 Drives and Folders"
"v1.0 Security Policy"

Testing them is great in the GPMC, just add the v1.1 GPO to a folder and remove the v1.0, if any problems, move the v1.0 back.

 

[LoStMaTt]

Right click on the policy group you created to do this and make sure "enabled" is checked.

 

[nessus]

Did you run "gpupdate /force" on the client machine?

It can take two reboots, or two group policy update intervals (90 minutes plus a 30 minute randomization window for each by default) for the changes to apply to it otherwise.

Running "gpupdate /force" on the server only affects the server in applying group policies that apply to it right then.

The control panel policy is one I wouldn't recommend applying at the default domain level, if you didn't exempt the domain controllers from the policy with security settings, making changes to their network settings would be a little tricky unless you are really familiar with the "netsh" command line tool...