C: Drive restriction and restrict changes to desktop GPO not working

    Question

  • I found the permissions I needed to use to restrict access to the local C: drive in the Default Domain Policy GPO.

    I have read that it is not a good practice to edit it directly, so I copied it and created a GPO called "copy of default domain policy gpo".

    I enabled the following under User Configuration\Policies\Administrative Templates\Windows Explorer:

    Hide the specified drives in Windows Explorer

    Enabled: C:

    Also Prevent access to drives on My Computer: C:

    I right-clicked the GPO with the user, linked it and enforced it, and it still won't work.

    I did both edits in copy of default domain policy, and that is the GPO I linked.

    Why isn't it working? It's been over a week.

    I also enabled Prevent adding, dragging, dropping, closing desktop toolbar and Don't save changes on exit under Desktop.

    It also isn't working.

    I don't see any Block Inheritance set on the OU.

    Maybe the Default Domain Policy being inherited overrides the directly linked one?

    I just enabled Block Inheritance directly on the GPO with the user accounts I want it to apply to.

    Will that work?


    Droid Hacker



    Friday, December 5, 2014 9:24 PM

All replies

  • Hi Droid,

    Based on your description, you can run the command gpresult /h gpreport.html to collect a Group Policy result report and check how the policy settings were applied.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, December 8, 2014 9:13 AM
    Moderator
  • OK, should I run this from the workstations that aren't locking down, or from the server?

    I ran it from the server so far.

    What do I need to look for?

    I just want the users in the specified group to have no C: drive access.


    Results of gpupdate /force on a workstation:

    Droid Hacker

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>gpupdate /force
    Updating Policy...

    User policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    Computer policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

    C:\Windows\system32>

    This doesn't look good.

    • Edited by Droidhacker Monday, December 8, 2014 3:32 PM
    Monday, December 8, 2014 3:13 PM
  • So in the gpresult you're looking to see if your policy was applied successfully? Also, depending on where you are placing that user policy, you might need to enable loopback processing.

    Also, the other thing on your scoping of the GPO: you will have to allow the computers the policy will be run on privileges to read the GPO object. In the order of things, the Group Policy client service reads the GPO; without that system access it will just ignore the user policy if it isn't scoped for it.

    Monday, December 8, 2014 3:32 PM
  • Do you have a step-by-step for that?

    How can I satisfy the lack of network connectivity error above?

    It doesn't look good.


    Droid Hacker

    Monday, December 8, 2014 3:46 PM
  • Ah, this time it shows. Last time I didn't see the result. Yeah, that isn't good... From the Start menu, type rsop.msc and press Enter. This will show a breakdown of policies like they are in the GPO object configuration. You should be able to see your policy as well as what GPO name the policy comes from.

    If you're trying to target a group of users with a certain policy, you have three options. The first option is to apply it directly to the user OU, or if you are just wanting it to apply to certain machines, you'd use loopback processing. The third option is to create an AD group and target it to that group. So, for example, you could apply it to the users OU and build an AD group of only certain users you want to have it. I have highlighted a GPO object where you set that up.

    Re-reading your original post, it sounds like you just want it for the users across all machines and you have already applied the policy to the user OU. I would recommend running RSOP.MSC and seeing if you see your policy applied.

    Monday, December 8, 2014 4:13 PM
  • Run rsop.msc from the server?

    Droid Hacker

    Monday, December 8, 2014 4:17 PM
  • I can't find the same hive I go into to enable hard drive restrictions in RSoP that I see in GPMC.

    Can anyone detail the hives to collapse?


    Droid Hacker

    Monday, December 8, 2014 4:26 PM
  • Run rsop.msc where you want the policy targeted to. So if targeting is happening to a user's laptop, then it would be run on their laptop under their account. If you are targeting an RDS/Citrix server, you would run it from the server. RSOP stands for Resultant Set of Policy, so it is what the Group Policy client sees.

    It seems like you cannot see a domain controller from where you're running these Group Policy tools. Open a command prompt and run "set logonserver": does it come back with a logon server that you recognize?

    Monday, December 8, 2014 5:18 PM
  • set logonserver

    It looks like that is working fine.

    It is returning the name of my logon server.

    One letter of the server name is missing; I'm assuming it's truncated.

    What next?


    Droid Hacker

    Monday, December 8, 2014 6:12 PM
  • If you go to Start and type "event", it should bring back Event Viewer as a result. Go into Event Viewer > Microsoft > Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational and view the logs. This will show you if you have any Group Policies that failed processing. You should see the one you created running. If nothing good is showing as far as information, then go to Custom Views in Event Viewer and Administrative Events. Look for anything that appears to be domain communication issues or policies failing to run.

    Monday, December 8, 2014 9:20 PM
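The checks the thread walks through (logon server, the GroupPolicy Operational log, and whether the two Explorer drive settings from the original question actually reached the user) can be run together from one PowerShell script on the affected workstation, as the affected user. This is an added example, not code from the thread; it assumes the standard locations those settings are written to: "Hide the specified drives" stores the NoDrives bitmask and "Prevent access to drives" stores the NoViewOnDrive bitmask under the user's Policies\Explorer key, with bit 0 = A:, bit 1 = B:, bit 2 = C:.

```powershell
# Added example (not from the thread). Run as the user who should be locked down,
# on the workstation that is not locking down.

function Get-DriveLettersFromMask {
    # NoDrives / NoViewOnDrive are DWORD bitmasks: bit 0 = A:, bit 1 = B:, bit 2 = C:, ...
    param([int]$Mask)
    0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { [string][char](65 + $_) + ':' }
}

# 1. Could the client reach a domain controller at logon? Empty means it could not.
Write-Host "Logon server : $($env:LOGONSERVER)"

# 2. Recent Group Policy processing errors (the log the last reply points to).
$gpErrors = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2                      # 2 = Error
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

if ($gpErrors) {
    Write-Host "Group Policy errors in the last 24 h:"
    $gpErrors | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host "No Group Policy processing errors logged in the last 24 h."
}

# 3. Did the user-side Explorer policies land in the user's hive?
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$values = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue

foreach ($name in 'NoViewOnDrive', 'NoDrives') {
    $mask = $values.$name
    if ($null -eq $mask) {
        Write-Host "$name : not set (policy has not reached this user)"
    } else {
        $letters = (Get-DriveLettersFromMask $mask) -join ' '
        Write-Host ("{0} : 0x{1:X} -> {2}" -f $name, $mask, $letters)
    }
}
```

If step 1 is empty or step 2 shows errors, the registry values in step 3 will be missing for the same reason: the client never processed the GPO, so the settings themselves are not the problem.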