AD FAQs – Group Policy
- How can I deny a user from logging into my workstations and deny them from accessing any of my file shares?
- Why do my policies not apply on Windows XP during startup?
- How can I map a network drive and/or printer share using group policy?
- How can I add XP policy settings to my Group Policy?
- Why isn’t my group policy being applied?
How can I deny a user from logging into my workstations and deny them from accessing any of my file shares?
Users in the AD domain are dynamically created and deleted based on official data received from Personnel and the Registrar. This data is fed into AD from PH. There may be situations that require you to “lock out” a user from your environment even though the user still has an active account. To do this you can use the “Deny log on locally” and “Deny access to this computer from the network” policies.
- Create a new security group in your OU called TLA-Denied Users.
- Create a group policy on an OU where you want to enforce the logon restrictions.
- Navigate to “Computer Configuration-> Windows Settings->Security Settings->Local Policies->User Rights Assignment”. Double click “Deny Log on locally”.
- In the Deny Log on locally Properties window, check the box “Define these policy settings”
- Click the “Add User or Group…” button.
- Add the name of the security group you created in step 1. Either use the browse button to select the user/group from the object picker or manually type in the name of the group using AD\groupname for a domain group and groupname for a local group. It is also a good idea to add Guest and ASPNET as these accounts are part of XP and should be blocked.
- When you have finished specifying the list of groups and users, click the “OK” button to save your changes.
- Repeat steps 2-6 for the “Deny access to this computer from the network” right.
- The restrictions take effect on the next reboot or at the next group policy refresh. To apply the change immediately, run gpupdate.exe on XP or 2K3.
- Whenever you want to lock out a user in your environment, just add the user to the denied security group. This denies the user access to any of your resources. It is recommended that this policy be put in place on your top-level OU, so that every machine in your OU tree is covered.
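As an added check (not part of the original FAQ), the following PowerShell exports the effective User Rights Assignment on a workstation and resolves the SIDs in the two deny rights to account names, so you can confirm that TLA-Denied Users, Guest and ASPNET actually landed on the machine after the refresh. It assumes an elevated session on the workstation; the scratch file name is arbitrary.

```powershell
# Added example, not from the original FAQ. Run in an elevated PowerShell
# session on a workstation after gpupdate to see who the deny rights resolve to.
function Get-DenyLogonRights {
    $inf = Join-Path $env:TEMP 'rights-check.inf'   # scratch file, any name works
    # secedit exports the effective local security policy, including
    # User Rights Assignment, as a classic .inf security template
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $inf) {
        # example line: SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-...-1105
        if ($line -match '^(SeDeny\w+LogonRight)\s*=\s*(.*)$') {
            $right  = $matches[1]
            $tokens = $matches[2] -split ','
            $names  = foreach ($token in $tokens) {
                $token = $token.Trim()
                if ($token.StartsWith('*')) {
                    # entries prefixed with * are SIDs; translate them to account names
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier ($token.Substring(1))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $token }   # orphaned SID (e.g. a deleted group) is shown raw
                } else { $token }
            }
            $rights[$right] = @($names)
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

$rights = Get-DenyLogonRights
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyNetworkLogonRight') {
    if ($rights.ContainsKey($right)) { $who = $rights[$right] -join ', ' }
    else { $who = '(not defined on this machine)' }
    '{0}: {1}' -f $right, $who
}
```

An orphaned SID in the output usually means the denied group was deleted and re-created, so the GPO is pointing at a group that no longer exists.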
Why do my policies not apply on Windows XP during startup?
Windows XP has the ability to fast boot: it can present the Ctrl-Alt-Del logon window before the machine actually has a network connection. It lets you log on using cached credentials and then connects you to your network shares in the background once the network connection is up.
However, the fast boot process does not apply group policy consistently on startup. For group policy to apply correctly, a network connection must be present when the machine is booting. You can use a group policy setting to force XP to wait for a network connection on startup. This ensures the group policy is applied correctly every time the machine boots. If a network connection is unavailable the machine will still boot; it just may take a little longer than before as it waits for the network timeout to occur.
Note: This policy should be applied in lab environments where group policy enforcement is considered crucial.
- In a policy on the OU, navigate to “Computer Configuration->Administrative Templates->System->Logon” and change the “Always wait for the network at computer startup and logon” setting to “Enabled”.
- On the next reboot and all subsequent boots XP will now wait for a network connection.
How can I map a network drive and/or printer share using group policy?
Instead of relying on the logon script specified on the user object, an OU Administrator can use group policy to specify logon scripts to be run. One important use of this capability is to run a custom logon script based on the machine the user is logging onto. The following example shows how to create a logon script that maps a drive and a printer based on group membership.
- Create a new policy on the OU where you want the script to run. This can be applied directly on the OU that contains the workstations, or on an OU that contains workstations in sub-OUs.
- Edit the policy and navigate to “User Configuration->Windows Settings->Scripts (Logon/Logoff)”.
- Double click “Logon” and select the “Show Files” button.
- In the Explorer window, right click and select New -> Text Document. Name the file mapdrive.vbs.
- Right click the new file, mapdrive.vbs, and select Edit. Paste the script below (between the Cut Text markers) into the file.
- Replace the server, share, printer and group names in the script with the values for your environment.
- Save the file and close the Explorer window.
- Click the “Add” button in the Logon Properties window. Click the “Browse” button and select mapdrive.vbs.
- Close the Group Policy to save your changes.
- Reboot the workstation to receive the new group policy. The next time a user logs on the script will run, mapping the network drives and printers.
'--Cut Text Here--
Option Explicit
Dim WshNetwork, WshShell, WshSysEnv, con, Com, oRootDSE, oDrives
Dim strNamingContext, strUserName, rs, gname, PrinterPath, blnMember

'Set up WScript environment objects
Set WshNetwork = CreateObject("WScript.Network")
Set WshShell = CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("Process")

'Set up ADO connection and command objects
Set con = CreateObject("ADODB.Connection")
Set Com = CreateObject("ADODB.Command")
Set oRootDSE = GetObject("LDAP://RootDSE")

'Get a list of the network drives currently mapped (drive letter, share pairs)
Set oDrives = WshNetwork.EnumNetworkDrives

'Get the default domain naming context, e.g. dc=ad,dc=bu,dc=edu
strNamingContext = oRootDSE.Get("defaultNamingContext")

'Open a connection for an LDAP query
con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"

'Create a command object on this connection
Set Com.ActiveConnection = con

'Get the current user name, then look up the user object via LDAP
strUserName = WshSysEnv("USERNAME")

'Query the directory for the list of groups the user is a member of.
'USERNAME is the sAMAccountName; cn is not guaranteed to match it.
Com.CommandText = "select adspath,memberof from 'LDAP://" & strNamingContext & _
    "' WHERE sAMAccountName = '" & strUserName & "'"
Set rs = Com.Execute

blnMember = False
If Not rs.EOF Then
    'memberof is Null when the user belongs to no group other than the primary group
    If Not IsNull(rs.Fields("memberof").Value) Then
        'Loop through the group membership of the current user
        For Each gname In rs.Fields("memberof").Value
            'If the user is a member of GroupA or GroupB then map the drives, otherwise do nothing
            If InStr(LCase(gname), "bu_deptid_xx") > 0 Or InStr(LCase(gname), "tla-administrators") > 0 Then
                blnMember = True
                Exit For
            End If
        Next
    End If
End If

If blnMember Then
    'Map the drives
    DriveMapper "p:", "\\server\HOME$\" & strUserName
    DriveMapper "s:", "\\server\groupshare"

    'Set up printer connections
    'On Windows 2000/XP only the printer path is required; no driver name is needed
    PrinterPath = "\\server\printershare"
    WshNetwork.AddWindowsPrinterConnection PrinterPath
    PrinterPath = "\\server\printer2"
    WshNetwork.AddWindowsPrinterConnection PrinterPath
End If

rs.Close
con.Close
'End of main program

'Map Drive to Share, replacing an existing mapping of Drive that points elsewhere
Sub DriveMapper(Drive, Share)
    Dim i
    For i = 0 To oDrives.Count - 1 Step 2
        If LCase(Drive) = LCase(oDrives.Item(i)) Then
            If LCase(Share) = LCase(oDrives.Item(i + 1)) Then
                'Already mapped to the right share; nothing to do
                Exit Sub
            End If
            'Mapped to a different share: remove it (force, and update the profile)
            WshNetwork.RemoveNetworkDrive Drive, True, True
            Exit For
        End If
    Next
    WshNetwork.MapNetworkDrive Drive, Share
End Sub
'--End Cut Text--
How can I add XP policy settings to my Group Policy?
Windows XP has many more features you can control via Group Policy. When a Group Policy is created, the default is to use the templates from Windows 2000 Server. The following steps will allow you to access the XP policy settings. This will not break any existing policies already set on the GPO. You can still apply the policy on Win2K machines; any settings that are exclusive to XP will simply be ignored on a Win2K workstation.
- To see the XP settings, you must run the Group Policy editor on a WinXP workstation. From a Windows XP workstation, launch the AD Users and Computers tool. If you don’t have the admin tools installed on XP, you can download, extract, and install them.
- Create a new Policy on the OU by selecting the properties of the OU and clicking on the Group Policy tab. Once on the tab, click the “New” button. Be sure always to begin each Group Policy name you create with “TLA-”, where “TLA” is the name assigned to your department.
- Select the new policy and click the “Edit” button.
- Right click “Administrative Templates” under Computer Configuration and select “Add/Remove Templates…”
- Highlight all of the templates and click “Remove”.
- Click “Add”.
- Navigate to “\\adc1\ouadmin\Group Policy\XP Group Policy Templates\”. Highlight all policies and click “Open”.
- Click Close.
- You should now have the XP templates loaded into your GPO. These templates are now associated with this GPO. If you create a new GPO in the future, you will have to follow the same steps to add the XP settings to the new GPO.
Why isn’t my group policy being applied?
The application of group policy is based on machine accounts, not user accounts. To ensure that a GPO (Group Policy Object) you have created is applied to anyone who logs on to a machine in the OU where the GPO is linked, you must turn on loopback policy processing. To enable loopback policy mode, load the GPO and navigate to “Computer Configuration->Administrative Templates->System->Group Policy”. Enable “User Group Policy loopback processing mode”.
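A combined check for this answer and for the “Always wait for network” setting above, added here and not part of the original FAQ: it reads the registry values that the two policy settings write on a workstation after a refresh (SyncForegroundPolicy under the Winlogon policy key and UserPolicyMode under the System policy key) and reports whether waiting for the network is on and which loopback mode, Merge or Replace, is in effect.

```powershell
# Added example, not from the original FAQ. Run on the workstation after gpupdate.
function Get-StartupPolicyState {
    $winlogon = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $system   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

    # "Always wait for the network at computer startup and logon" writes
    # SyncForegroundPolicy = 1 under the Winlogon policy key
    $sync = (Get-ItemProperty -Path $winlogon -Name SyncForegroundPolicy `
                -ErrorAction SilentlyContinue).SyncForegroundPolicy

    # "User Group Policy loopback processing mode" writes UserPolicyMode:
    # 1 = Merge (user's own GPOs plus the machine OU's user settings),
    # 2 = Replace (only the machine OU's user settings); absent = not configured
    $loop = (Get-ItemProperty -Path $system -Name UserPolicyMode `
                -ErrorAction SilentlyContinue).UserPolicyMode

    $mode = switch ($loop) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
    [pscustomobject]@{
        WaitForNetwork = ($sync -eq 1)
        LoopbackMode   = $mode
    }
}

Get-StartupPolicyState
```

If WaitForNetwork reports False on an XP machine that was rebooted without a network link, the policy itself may not have reached the machine yet, which is exactly the symptom the fast boot answer describes.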