jueliang Posted September 27, 2006 I am a field engineer and it was quite humiliating when I couldn't finish the job properly at the customer's site. I was requested to configure 3 computers for their network. It doesn't sound hard and it shouldn't be either. These 3 PCs were on another company's network. They have been brought to this company now and need to be configured for the new domain. So I just did my textbook routine: change the domain, reboot, move the new computer to the corresponding OU, create the new users who are going to use these 3 machines and put them in the proper OU. Then one of the PCs had this funny behaviour. When the user logs on, it has this fully restricted interface, like people do with group policy or the registry. It has a very simple Start menu, which has only "program" and "search". You can only "logoff"; you don't have access to any post-installed application like Office. It doesn't allow right-click anywhere, and much more. I made the user a local admin and it didn't change anything. If I logged on as a domain admin to that PC, it gave me full access to applications and desktop. I thought this was because of the domain policy but I couldn't see any evidence. And it also doesn't happen on any other machine. But if it is identical to local policy, how come local admin won't work but domain admin works? I couldn't think of any way other than making the user a domain admin. Any advice is welcome. Thank you! Also, an old HP LaserJet 4 with a Netgear Ethernet interface card: how do I know what IP address this printer is getting? I checked the printer menu and it doesn't have an option to print a report which shows the IP, because it was not designed as a network printer. I also checked the Netgear interface card and it doesn't have any button on it to print a report. Help help help!
Ctrl-X Posted September 27, 2006 (edited) Check if any local policies are defined on the computer: Start / Run / "gpedit.msc" [Enter] to open the local computer's Group Policy settings. See if there are any local settings defined and remove them if necessary. [Edit] Changed instructions to open local GPO to a much easier method after reading allen2's post. Edited September 27, 2006 by Ctrl-X
allen2 Posted September 27, 2006 Perhaps this PC has a local policy. Check it with gpedit. Also, perhaps there is something wrong with the user's profile. If you're using roaming profiles in your AD, you'll need to clean it after saving it somewhere. Then go to the profiles dir on the PC hard drive, save the profile dir again and then remove it. It should then be created again. If the problem happens again then you'll have to investigate more.
jueliang Author Posted September 27, 2006 Thanks guys. I had a look at local gpedit.msc and nothing is defined. So I guess all the restricted access settings might have been done by changing the registry. And because there are so many restricted items, there is no way for me to go through each registry entry to identify what has been changed and what has not. Btw, when the local administrator logs on to the local workstation or the domain admin logs on to the domain from this PC, nothing is restricted. But if users log on to the domain or locally, it is restricted. Any other workaround?
cluberti Posted September 28, 2006 I would suggest removing the PC from the domain (so it belongs to no domain), and using secedit when logged on as the local administrator to reset default security. More info can be found here: http://www.microsoft.com/resources/documen...s.mspx?mfr=true http://support.microsoft.com/?kbid=313222
Ctrl-X Posted September 28, 2006 The suggested secedit method will only reset security settings to default: NTFS, registry and services permissions, user privileges - basically everything under the Security node in GPEdit. This won't affect any user interface restrictions, which are all registry-based settings, located under the Administrative Templates node. By the way: even if the restrictions were applied by editing the registry directly, they should still show up in GPEdit. After all it's the same registry entries, whether you change them in GPEdit or in RegEdit.
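The registry-based restrictions discussed above live under a small set of well-known policy keys, so they can be listed directly instead of browsing the whole registry. The following is an added example, not part of the original thread: a PowerShell sketch that dumps every value under those keys for the machine and for each loaded user hive (the helper name Get-PolicyValues is hypothetical; run it elevated).

```powershell
# Added example (not from the thread). Lists every value stored under the
# registry locations that Administrative Templates policies write to, for the
# machine and for every user hive currently loaded under HKEY_USERS.
# Get-PolicyValues is a hypothetical helper name. Run from an elevated prompt.

$policySubKeys = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicyValues {
    param([string]$Root, [string]$Owner)

    foreach ($sub in $policySubKeys) {
        $base = "Registry::$Root\$sub"
        if (-not (Test-Path -LiteralPath $base)) { continue }

        # The base key itself plus all of its subkeys
        $keys = @(Get-Item -LiteralPath $base) +
                @(Get-ChildItem -LiteralPath $base -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Owner = $Owner
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

$results = @(Get-PolicyValues -Root 'HKEY_LOCAL_MACHINE' -Owner 'Machine')

# User hives: one per logged-on account SID (the *_Classes hives are skipped)
Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $results += Get-PolicyValues -Root "HKEY_USERS\$($_.PSChildName)" -Owner $_.PSChildName
    }

$results | Sort-Object Owner, Key, Value | Format-Table -AutoSize -Wrap
```

A user's hive only appears under HKEY_USERS while that user is logged on or the profile's NTUSER.DAT is loaded, so run it while the restricted account has a session and compare its rows with those of an unrestricted account.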
jueliang Author Posted September 28, 2006 Thanks guys. But I didn't get a chance to try the method you suggested. What happened was that when the user logged in to the domain today, it worked fine and it didn't have any restrictions. It is odd and I still don't understand it. But the link you guys provided is very helpful. Thank you again.