We run Windows Server 2008 R2 on our servers and Windows 7 Pro on our laptops/computers.
I've recently joined the school IT department and everything is in a bit of a shambles, and I'd like to ask for some help on an issue as I'm not having much luck with it.
In Active Directory for Users and Computers, I have Teachers in one organisational unit within the managed users section, and have Teaching Assistants in another.
Teachers are able to lock their computers, and use the "right-click" functionality to copy, paste, view properties etc however the Teaching Assistants cannot do any of this. I've tested all the accounts in this organisational unit and none of them can, so I assume its permissions assigned to that organisational unit that is stopping them.
Does anyone know how I change these settings and could anyone give me some step-by-step instructions on how to go about this?
Teachers have other privileges that I don't want Ta's to have, so I don't just want to move them all into their OU as they'll end up having more than I want them too.
Look forward to hearing from you all!
It's probably permissions assigned to the OU through Group Policy. Have a look in Group Policy Management on DC and compare what group policy objects are assigned to both OU's.
If you click on the GPO and settings tab, it generates a report showing what is set.
I'd use a combo of group policy modelling and resultant set of policies to see what should be applying and what actually is
GP result is better than RSOP nowadays, as its quicker to navigate and easier to see where GPO's clash or override each other.
James, see screenshot.
Originally Posted by jamesbrown
I get this error when going to the TA OU to where you said, under security settings for user:
An error has occurred while collecting data for Software Restriction Policies.
This error impacts the following settings:
Software Restriction Policies
Software Restriction Policies/Security Levels
Software Restriction Policies/Additional Rules
The following errors apply to all of the above settings:
An unknown error occurred while data was gathered for this extension. Details: Unable to cast object of type 'System.String' to type 'Microsoft.GroupPolicy.Reporting.Extensions.Regist ry.UnknownType'.
Sorry, always mix those up. Tis what I meant
Originally Posted by Mr.Ben
This issue is still outstanding. I've spent ages looking in Group Policy Management but to no avail.
Can anyone provide me with simple step by step instructions on how to allow one particular organisational unit the ability to allow them to lock their machines?
Are there any wmi filters in the group policy?
What are the registry edits in the group policy preferences section? It may have been done using registry edits with targetting.
Are you now the main server person? I would consider creating some new OU's to make life simpler.
Then if you want to change a setting on one OU you can create a new policy and just apply it to that OU. WMI filters and group policy preference targetting are ok but make it hard to tract things down.
Originally Posted by dany2010
The only registry edits for that OU in the preferences section of GP is a default wallpaper we have for all users in that OU. There is nothing else there.
In regards to WMI Filters, no there isn't any showing.
I have now solved this issue. Thanks for all your help :)