Stopping a Service through Group Policy

By KingOfTheNerds
Hi All,

I want to stop the Messenger and Alerter service using group policy. I have a Group Policy at the top of the Domain structure in Active Directory Users and Groups that I will use to do this.

I thought I had the answer when I entered the policy and found under computer management>security settings>services. So I set the access to everyone Deny, and disable service.

This did not work, the computers still were able to do net send "computer" "message". So then I tried setting the policy to make these services manual. This did not work either.

Does anyone have any ideas?

Note - My network is too large to go to each computer and disable these services.

One last thing, are you able to restrict access to things locally as well as on the domain? In other words, could I set a policy to restrict local admin from accessing certain areas rather than setting up local restrictions on each machine?


by CG IT In reply to Stopping a Service throug ...

I think the "where" you are applying the group policy is the problem. Group Policy "settings" apply to local, site, domain, or OU in that order. Also note that OU policies overwrite domain policies and domain overwrite site unless you block inheritance or use no override. If you want to apply a GP to all computers within your domain, create an OU, put all computers in that OU and apply the GP to the OU. Remember that GP isn't applied immediately unless you force it. Also note Group Policy can be applied through domain security groups and can be applied to all or some of the users and computers in a site, domain or OU. So for your purposes, as I stated above, create an OU to collect all your computers in your domain into one spot, create the group policy and apply it to the OU.

by CG IT In reply to

Good question for the MCSE exam 70-217

by KingOfTheNerds In reply to

I was sure that Priority of Group Policies comes from the Top Down, not the other way around. So you are saying if I made a group policy allowing access to messenger service and applied it to the OU, then I made a group policy denying access to messenger on the domain, that the users of that OU would have access to the messenger service?

That doesn't sound right to me, please confirm your answer. Also if this is true, I did make a policy for the OU of the computers in that lab and one for the domain, both were set to disable the messenger and alerter service, neither worked.

Also you did not tell me if you can set group policies to apply to a local machine that is a member of the domain. In other words 'test' computer is a member of the domain, but the user selects not to log in to the domain and chooses to log in to the local computer. Can policy be set on the server to restrict the local admin's access?

Please help, thanks

by CG IT In reply to Stopping a Service throug ...

quote "group policy settings are applied in this order. local, site, domain, ou. unless modified through block policy inheritance or no override, ou policies overwrite domain policies and domain policies overwrite site policies." unquote. Excerpt from the ExamCram Cram Sheet in the book, ExamCram Windows 2000 Directory Services Exam 70-217 written by Will Willis, David V. Watts and J. Peter Bruzzese. Publisher Coriolis.

As for your last question: local policy always overrides global policy settings. If your question is to restrict the local admin account from accessing certain areas of the domain, the accounts are not the same. Change the password for the local admin account and then try logging on to the domain with it. Won't work. Try logging in locally with the domain admin account and password; won't work [that's assuming the local account password is different than the domain account password even though the accounts have the same name].
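
The processing order quoted in the post above (local, site, domain, OU, with block inheritance and no override), worked through for the OU-allows / domain-denies case asked about earlier in the thread. This is an added example, not part of the original thread or any Microsoft tool; it is a simplified model of one computer in a single OU, and the GPO names and settings are constructed.

```python
# Added example. GPO names and settings are constructed for illustration.
from dataclasses import dataclass

ORDER = ["local", "site", "domain", "ou"]  # processing order quoted in the thread

@dataclass
class Gpo:
    name: str
    level: str                 # one of ORDER
    settings: dict             # e.g. {"Messenger": "Disabled"}
    no_override: bool = False  # "No Override" set on this GPO's link

def resolve(gpos, block_inheritance=False):
    """Return {setting: (value, winning GPO)} for a computer in a single OU.

    block_inheritance models the flag on that OU: site and domain GPOs are
    skipped unless their link is marked No Override.
    """
    applied = [g for g in gpos
               if not (block_inheritance and g.level in ("site", "domain")
                       and not g.no_override)]
    applied.sort(key=lambda g: ORDER.index(g.level))
    result = {}
    for g in applied:  # normal pass: the last GPO applied wins a conflict
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    # No Override pass: replay enforced GPOs from the OU upward, so the
    # highest enforced container has the final word.
    for g in reversed([g for g in applied if g.no_override]):
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    return result

def thread_scenario(domain_no_override=False, block_inheritance=False):
    """The case asked about above: the OU GPO allows Messenger, the domain GPO disables it."""
    gpos = [
        Gpo("Domain-DisableMessaging", "domain",
            {"Messenger": "Disabled", "Alerter": "Disabled"}, domain_no_override),
        Gpo("Lab-OU-Policy", "ou", {"Messenger": "Automatic"}),
    ]
    return resolve(gpos, block_inheritance)

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (False, True)]:
        print(flags, thread_scenario(*flags))
```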

by CG IT In reply to

On your first problem: organizational units are containers. The container collects objects into one spot. You apply a group policy to the organizational unit which will apply to the objects in the container with the noted exceptions of no override or block inheritance. Further, some OUs depending upon where in the domain structure they are located might require the enterprise admin account for the policy to be enforced. This is usually in the case of a large enterprise.

Another good question for the MCSE exam 70-217

which it seems that TechRepublic Question and Answer section has turned into. Nothing more than a few people with not much to do making up MCSE test question scenarios rather than actual people with a problem seeking some suggestions for possible help in resolving the problem.

by KingOfTheNerds In reply to

Poster rated this answer.

by KingOfTheNerds In reply to Stopping a Service throug ...

This question was closed by the author
