Information Technology Reference
In-Depth Information
8. If your Allow log on locally policy doesn't have the domain GPO icon, the policy hasn't
been updated yet on your Vista computer. If so, do the following: Close the Local Security
Policy MMC, open a command prompt window, type
gpupdate
, and press
Enter
.
Gpupdate.exe immediately updates group policies on the local computer. When it's finished,
open the Local Security Policy MMC and navigate back to User Rights Assignment.
In this chapter's activities, if Gpupdate.exe doesn't seem to update policies
on the local computer, try using gpupdate /force, which reapplies all policy
settings, even those that haven't changed.
9. In the right pane, double-click
Allow log on locally
. In the list box of users and groups, click
Administrators
. Neither the Add User or Group nor the Remove button is active because no
users, not even administrators, can override domain polices on the local computer. Click
Cancel
.
10. Log off the Vista computer, and then try to log back on as
testuser1
. Because you have
restricted local logon to Administrators only, you should get the following message: “You
cannot log on because the logon method you are using is not allowed on this computer.
Please see your network administrator for more information.” The logon method referred to
in the message is interactive logon or local logon. Click
OK
.
11. On your server, change the
Allow log on locally
policy on the TestGP1GPO to
Not defined
.
Close GPME.
12. On your Vista computer, try again to log on as
testuser1
. You'll probably get the same mes-
sage about not being able to log on because the policy hasn't been updated yet. Click
OK
.
Restart the computer by clicking the red button at the lower right of the logon window and
clicking
Restart
. Recall that computer policies are updated every 90 minutes or when the
computer restarts.
13. Log on to Vista as
testuser1
. Only an administrator can run the Local Security Policy MMC, but
there is a workaround with the Runas command. Click
Start
, type
runas /user:administrator
mmc
in the Start Search text box, and press
Enter
. When prompted for the password, type
Password01
.
14. Click
File
,
Add/Remove Snap-in
from the MMC menu. In the Available snap-ins list box, click
Group Policy Object Editor
, and then click the
Add
button. Click
Finish
, and then click
OK
.
15. In the Group Policy Object Editor, navigate to the
User Rights Assignment
node. In the right
pane, double-click
Allow log on locally
to view the list of users and groups assigned this per-
mission. Notice that this right is now assigned from a local GPO rather than a domain GPO,
so you can make changes if needed. Click
OK
.
16. Close all open windows and log off the Vista computer. When prompted to save your console set-
tings, click
No
. Close all open windows on your server, but stay logged on for the next activity.
7
Using Starter GPOs
A
Starter GPO
is a GPO template, for lack of a better word, not to
be confused with the GPTs discussed earlier. An administrator creates a Starter GPO to be used
as a baseline for new GPOs, much like the user account templates discussed in Chapter 5.
When you create a GPO, the New GPO Wizard includes an option to use a Starter GPO.
Starter GPOs are stored in the Starter GPOs folder in GPMC. Recall the best practice discussed
earlier of creating new GPOs that focus on a narrow category of settings. Starter GPOs can be
used to specify a baseline of settings for certain settings categories and then modified when the
Starter GPO is used to create the new GPO.
To use a Starter GPO to create a new GPO, select one in the Source Starter GPO list box in
the New GPO Wizard (see Figure 7-10), or right-click a Starter GPO in the Starter GPOs folder
and click New GPO From Starter GPO. To create a Starter GPO, right-click the Starter GPOs
folder and click New. After creating a Starter GPO, you can edit it just like any GPO. However,
Starter GPOs don't contain all the nodes of a regular GPO; only the Administrative Templates
folder in both Computer Configuration and User Configuration is included.
Search WWH ::
Custom Search