Domain Users problem

We run Windows Server 2008 R2 in an office. Active Directory is being utilized in the office.

Everything is good, but we have a problem with some of the users in our domain!

Some of the users have been joined to the domain and their clocks have been synced by the clock server. They took their policies from the server, and, for example, when I run the command below, their policies in Internet Explorer reset and are taken from the server again:

run > gpupdate -force

The problem is that these users have admin access on their systems: they can install/uninstall software, change the system clock and so on, whereas other users in the domain with the same permissions can't!

What's the reason for this issue?

July 4th, 2015 4:49am

Hi,

You can compare the applied GPOs for working and non-working users. If required, collect the GPRESULT and see if anything is configured in local policy using SECPOL.msc.

July 4th, 2015 6:27am

Thanks

I ran SECPOL.msc for 2 users in the same group. I couldn't run SECPOL.msc as the limited user (truly configured user), but as the user who has the permission problem, it ran.

For the user who has the permission problem, many restrictions haven't been applied, just like administrator users!!!

For example, the Software restriction policy tab shows: No software restriction policy defined!!

New finding!

I wanted these users to change their PCs and log on with their users! The result is strange.

Limited user logged on to the problem PC: SECPOL.msc ran!

Problem user logged on to the non-problem PC: SECPOL.msc ran!

July 4th, 2015 11:20pm


Have you compared the GPOs for working users vs. non-working users, using the GPMC console?
July 5th, 2015 11:00am

The problem is that these users have admin access on their systems: they can install/uninstall software, change the system clock and so on, whereas other users in the domain with the same permissions can't!

Could you please let us know what kind of settings you have configured in Group Policy, and also the detailed steps on how you applied them?
 
I would suggest you run gpresult /h result.html to collect the resultant set of policy information for both working and non-working users and see if there is any difference. You can find the result.html file under your user profile folder (C:\users\<username>).
 
More reference about Gpresult: https://technet.microsoft.com/en-us/library/cc733160.aspx?f=255&MSPPError=-2147217396
 

Regards,

Eth

July 6th, 2015 9:04am
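
The comparison suggested in the reply above can be scripted. This is an added example, not part of the original thread: it diffs the applied GPO names in two reports saved with gpresult /x (the XML counterpart of /h). The file names and the helper function name are placeholders, and the <GPO><Name> layout of the report is an assumption to verify against your own output.

```powershell
# Added example: compare two gpresult XML reports (file names are placeholders).
# Create each report while logged on as the user in question:
#   gpresult /x limited-user.xml
#   gpresult /x problem-user.xml
param(
    [string]$WorkingReport = '.\limited-user.xml',   # user whose restrictions apply
    [string]$ProblemReport = '.\problem-user.xml'    # user who ends up with admin rights
)

# Hypothetical helper: returns the GPO names listed under one scope of a report.
function Get-AppliedGpoName {
    param([string]$Path, [string]$Scope)   # Scope: UserResults or ComputerResults
    [xml]$doc = Get-Content -Path $Path
    # Assumption: applied GPOs appear as <GPO><Name>...</Name></GPO> under the
    # scope element. local-name() is used so the XML namespace does not matter.
    $xpath = "//*[local-name()='$Scope']/*[local-name()='GPO']/*[local-name()='Name']"
    $doc.SelectNodes($xpath) | ForEach-Object { $_.InnerText } | Sort-Object -Unique
}

foreach ($scope in 'UserResults', 'ComputerResults') {
    $working = @(Get-AppliedGpoName -Path $WorkingReport -Scope $scope)
    $problem = @(Get-AppliedGpoName -Path $ProblemReport -Scope $scope)

    "== $scope =="
    if ($working.Count -eq 0 -and $problem.Count -eq 0) {
        # A report taken without elevation may not contain computer results.
        'No GPO entries found for this scope in either report'
        continue
    }

    # Set difference in both directions; safe when one list is empty.
    $onlyWorking = @($working | Where-Object { $problem -notcontains $_ })
    $onlyProblem = @($problem | Where-Object { $working -notcontains $_ })

    if ($onlyWorking.Count -eq 0 -and $onlyProblem.Count -eq 0) {
        'Same GPO list in both reports'
    }
    foreach ($name in $onlyWorking) { "Only in working report: $name" }
    foreach ($name in $onlyProblem) { "Only in problem report: $name" }
}
```

A GPO that shows up only in the working report is the first place to look for the restriction the problem user is missing.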

Hello,

Hope your query is resolved now. If yes, can you mark the proposed reply as Answer so that others can refer to it?

July 18th, 2015 9:15am

This topic is archived. No further replies will be accepted.
