An academic question...

I'd want to forbid my Client_1 to access/see tab Connections in
his IE Properties.

I've created a group in AD (Global, Security) named NoConn and
put User Client_1 in it as a Member.

Then I've put this NoConn group as a New group in Group Policy
Object Links of Group Policy tab (Domain, Properties).

I've edited this Group Policy Object (User Configuration, Administrative
Templates, Windows Componets, Internet Explorer, Internet Control
Pannel, Disable Connection page = ENABLED).

I've have added NoConn to Properties, Security, Group checking
- only for it - Apply Group Policy.

After Logging OFF/ON, when I log to the Domain from a computer
as Client_1, I continue seeing tab Connections on IE Properties.

I tried the very same procedure from inside a new OU but
nothing is changing.

Why this Gruop Policy doesn't propagate to all Users?
It only works against Administrator from the server when I put
him in NoConn group.
What am I missing?

Bruno

Hi,

Did you put user account into OU where the policy is applied?

--
Mike
Microsoft MVP - Windows Security

"Bruno Campanini" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'd want to forbid my Client_1 to access/see tab Connections in
> his IE Properties.
>
> I've created a group in AD (Global, Security) named NoConn and
> put User Client_1 in it as a Member.
>
> Then I've put this NoConn group as a New group in Group Policy
> Object Links of Group Policy tab (Domain, Properties).
>
> I've edited this Group Policy Object (User Configuration, Administrative
> Templates, Windows Componets, Internet Explorer, Internet Control
> Pannel, Disable Connection page = ENABLED).
>
> I've have added NoConn to Properties, Security, Group checking
> - only for it - Apply Group Policy.
>
> After Logging OFF/ON, when I log to the Domain from a computer
> as Client_1, I continue seeing tab Connections on IE Properties.
>
> I tried the very same procedure from inside a new OU but
> nothing is changing.
>
> Why this Gruop Policy doesn't propagate to all Users?
> It only works against Administrator from the server when I put
> him in NoConn group.
> What am I missing?
>
> Bruno
>

"Bruno Campanini" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'd want to forbid my Client_1 to access/see tab Connections in
> his IE Properties.

[...]

Addendum:

I'm running Winserver 2003 SE SP1 with these roles:
AD, File Server, DHCP Server

Bruno

Another note...

When you use security settings "Apply Group Policy" it is usually used only
in "Deny Apply Group Policy". E.g. when you have 100 user accounts in same
OU and you would like to prevent a certain policy from applying to e.g. 5
users in that OU -- you can use Deny Apply Group Policy.

--
Mike
Microsoft MVP - Windows Security

"Miha Pihler [MVP]" <mihap-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> Did you put user account into OU where the policy is applied?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Bruno Campanini" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I'd want to forbid my Client_1 to access/see tab Connections in
>> his IE Properties.
>>
>> I've created a group in AD (Global, Security) named NoConn and
>> put User Client_1 in it as a Member.
>>
>> Then I've put this NoConn group as a New group in Group Policy
>> Object Links of Group Policy tab (Domain, Properties).
>>
>> I've edited this Group Policy Object (User Configuration, Administrative
>> Templates, Windows Componets, Internet Explorer, Internet Control
>> Pannel, Disable Connection page = ENABLED).
>>
>> I've have added NoConn to Properties, Security, Group checking
>> - only for it - Apply Group Policy.
>>
>> After Logging OFF/ON, when I log to the Domain from a computer
>> as Client_1, I continue seeing tab Connections on IE Properties.
>>
>> I tried the very same procedure from inside a new OU but
>> nothing is changing.
>>
>> Why this Gruop Policy doesn't propagate to all Users?
>> It only works against Administrator from the server when I put
>> him in NoConn group.
>> What am I missing?
>>
>> Bruno
>>
>
>

"Bruno Campanini" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...



This particular sentence is very unclear to me:

"Then I've put this NoConn group as a New group in Group Policy Object Links
of Group Policy tab (Domain, Properties)."

Where would you add group in group policy object links? And why? You can
only link group policy there. "group" and "group policy" are something
entirely different.

"Damir" <(E-Mail Removed)> wrote in message
news:eg09en$nt0$(E-Mail Removed)...

> This particular sentence is very unclear to me:
>
> "Then I've put this NoConn group as a New group in Group Policy Object
> Links of Group Policy tab (Domain, Properties)."

- AD
- Right Click on Domain, Properties, Policy Group, New...
Here I added the group named NoConn.

> Where would you add group in group policy object links? And why? You can
> only link group policy there. "group" and "group policy" are something
> entirely different.

It appeared to me the right procedure.
But I'm not expert on this OS and for sure I missed
something.
Any suggestions?

Bruno

"Miha Pihler [MVP]" <mihap-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Hi,
>
> Did you put user account into OU where the policy is applied?
>
> --
> Mike
> Microsoft MVP - Windows Security

Yes I did but nothing's changing.

A - created the user account in new OU and defined properties
in OU

B - created a new group in OU, then the user account as member
of this new group and defined properties in that new group

But no result!

Bruno

Comments inline.

"Bruno Campanini" wrote:

> I'd want to forbid my Client_1 to access/see tab Connections in
> his IE Properties.
>
> I've created a group in AD (Global, Security) named NoConn and
> put User Client_1 in it as a Member.

Placing Client_1 into a group has absolutely no impact on how Group Policy
is applied. The user settings on a GPO are determined by where the user's
account is located, not any group memberships.

> Then I've put this NoConn group as a New group in Group Policy
> Object Links of Group Policy tab (Domain, Properties).

I'm not sure what you did here. What you need to do is create a new Group
Policy object in the OU where the Client_1 account is located. Properties of
the OU, Group Policy tab, click new, name it DenyIEConnectionsTab (or
something similar).

> I've edited this Group Policy Object (User Configuration, Administrative
> Templates, Windows Componets, Internet Explorer, Internet Control
> Pannel, Disable Connection page = ENABLED).

This looks correct.

> I've have added NoConn to Properties, Security, Group checking
> - only for it - Apply Group Policy.

You don't really need to do this. By default, I believe Authenticated Users
have the Read and Apply Group Policy settings allowed. (If you didn't give
the Read permission, that may have been part of the problem).

> After Logging OFF/ON, when I log to the Domain from a computer
> as Client_1, I continue seeing tab Connections on IE Properties.
>
> I tried the very same procedure from inside a new OU but
> nothing is changing.
>
> Why this Gruop Policy doesn't propagate to all Users?
> It only works against Administrator from the server when I put
> him in NoConn group.
> What am I missing?
>
> Bruno

Try the options I mentioned above and see if it works. Let us know.

Steve

"steve_t" <(E-Mail Removed)> wrote in message
news:786ACF2A-261D-4282-B6C5-(E-Mail Removed)...

[...]
> Try the options I mentioned above and see if it works. Let us know.
>
> Steve

1 - Created a new OU named NoConn
2 - Selected NoConn in AD, left pane, and created a new User named
Jolly-10, which by default is member of Domain Users
3 - In NoConn Properties, Group Policy, created a new
DenyIEConnectionsTab. Edited this one to have
diabled the IE Connections page.
4 - In DenyIEConnectionsTab, Properties, Security there is,
among others, Authenticaded Users with Read and
Apply Group Policy checked.

But it doesn't work.
Jolly-10 continue seeing Connections page in his IE.

Any other suggestions?

Bruno

Have you used GP Result
(http://www.microsoft.com/resources/d....mspx?mfr=true)
or the Group Policy Management Console
(http://www.microsoft.com/windowsserv...c/default.mspx) to see if the
policy is actually getting applied? (I should have mentioned these tools
earlier). If not, give them a try and let us know the results. I'll try to
replicate the issue you're having on my lab at home tonight.

Steve

"Bruno Campanini" wrote:

> "steve_t" <(E-Mail Removed)> wrote in message
> news:786ACF2A-261D-4282-B6C5-(E-Mail Removed)...
>
> [...]
> > Try the options I mentioned above and see if it works. Let us know.
> >
> > Steve
>
> 1 - Created a new OU named NoConn
> 2 - Selected NoConn in AD, left pane, and created a new User named
> Jolly-10, which by default is member of Domain Users
> 3 - In NoConn Properties, Group Policy, created a new
> DenyIEConnectionsTab. Edited this one to have
> diabled the IE Connections page.
> 4 - In DenyIEConnectionsTab, Properties, Security there is,
> among others, Authenticaded Users with Read and
> Apply Group Policy checked.
>
> But it doesn't work.
> Jolly-10 continue seeing Connections page in his IE.
>
> Any other suggestions?
>
> Bruno
>
>
>