Steve,
Not working yet, but I think some progress.
The client is WinXP Pro SP2 and the domain controller is Win2K SP4.
Here's the result of gpresult. I see the RG I created in the computer security section, so does this point to a GPO problem? The new GPO, ATL-Admin-GPO, I just created and did no modification to any of the settings.
C:\Program Files\Resource Kit>gpresult
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Monday, January 16, 2006 at 12:37:08 PM
Operating System Information:
Operating System Type: Professional
Operating System Version: 5.1.2600.Service Pack 2
Terminal Server Mode: Not supported
###############################################################
User Group Policy results for:
CN=Steve Adams,CN=Users,DC=shareddata,DC=com
Domain Name: SHAREDDATA
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming profile: (None)
Local profile: C:\Documents and Settings\sadams
The user is a member of the following security groups:
SHAREDDATA\Atlanta Admins
\Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
SHAREDDATA\Domain Users
SHAREDDATA\NOCC_Group
###############################################################
Last time Group Policy was applied: Monday, January 16, 2006 at 12:36:55 PM
Group Policy was applied from: sdndc1.shareddata.com
===============================================================
The user received "Registry" settings from these GPOs:
Default Domain Policy
###############################################################
Computer Group Policy results for:
CN=CHAMALEON2,OU=Atlanta,DC=shareddata,DC=com
Domain Name: SHAREDDATA
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
SHAREDDATA\CHAMALEON2$
SHAREDDATA\Domain Computers
###############################################################
Last time Group Policy was applied: Monday, January 16, 2006 at 12:36:48 PM
Group Policy was applied from: sdndc1.shareddata.com
===============================================================
The computer received "Registry" settings from these GPOs:
Default Domain Policy
===============================================================
The computer received "Security" settings from these GPOs:
Default Domain Policy
ATL-Admin-GPO
===============================================================
The computer received "EFS recovery" settings from these GPOs:
Default Domain Policy
:
Did you get it to work yet? It sounds like you did it correctly if you used RG to configure 'ATL-RG' for "this group is a member of" the administrators group. For "this group is a member of" you need to make sure that your Windows 2000 computers are using Service Pack 4. It does not matter where the global group itself is, and make sure the global group is a security group and not a distribution group. I would also run the support tool gpresult on the computer in the new OU to make sure that it shows that the new Group Policy is applying to it under computer configuration, to see if you have a problem with RG configuration or if it is a Group Policy problem. --- Steve
Steve,
Thanks again but I'm still a bit confused. Here's what I have and what I've tried.
We are small so our users were created at the domain level. All the computers exist in the 'Computers' folder under the domain. I've created an OU, 'ATL', that has just 1 test machine in it. Also the global group, 'ATL-Admins', to hold the users I want to give admin rights to, is at the domain level. Should it be there or at the OU level? I also created a new GPO for the OU. In that GPO I've not defined any policy settings and I've created a restricted group 'ATL-RG'. On the property sheet of this RG, I've made the global group 'ATL-Admins' a member of the RG, and made the RG a member of the 'Administrators' group. After rebooting the client the new global group is not in the local users and groups. What might I have done wrong?
Thanks again.
:
I would create a new Group Policy in that OU, or modify one that you already have linked to that OU if it is used ONLY for that OU and you want to apply Restricted Groups to all computers in that OU. You would want to create a new global group [wrkstadmins or whatever] that you would add users to that you want to be administrators on computers in the OU. Then you would want that global group to be "this group is a member of" the administrators group. If you can't browse to the administrators group, just type in administrators. After you are done, force a Group Policy refresh on your domain computer or reboot to see if the new global group is in the local administrators group of the domain computers in the OU. If you are still a bit unsure/uneasy, create a test OU with its own Group Policy and configure it there, and move a couple of computers into the OU when done to see if it works. --- Steve
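What the procedure in Steve's reply above produces on disk, as an added illustration that is not part of the original thread. The Restricted Groups entries of a GPO are stored in the machine-side security template GptTmpl.inf under the GPO's folder in SYSVOL. The group name wrkstadmins is the one Steve suggests; the domain name SHAREDDATA, the GUID placeholder in the path and the comments are assumptions for this example.

```ini
; GptTmpl.inf excerpt (added example, not from the thread). Path assumed:
;   \\shareddata.com\SYSVOL\shareddata.com\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; "This group is a member of": ADDS SHAREDDATA\wrkstadmins to the local
; Administrators group of every computer in the GPO's scope and leaves the
; existing members (local Administrator, Domain Admins) untouched.
; The Members line for the global group is left empty: the workstation
; cannot manage a domain group's membership, so nothing is enforced there.
; Keep domain controllers out of this GPO's scope, as Steve notes, so the
; entry is never applied against the domain itself.
SHAREDDATA\wrkstadmins__Memberof = Administrators
SHAREDDATA\wrkstadmins__Members =

; For contrast, the other direction: "Members of this group" on the local
; Administrators group (well-known SID S-1-5-32-544) REPLACES its entire
; membership with exactly the list given at every refresh, removing anything
; not listed. Only use this form when that is the intent.
; *S-1-5-32-544__Members = Administrator,SHAREDDATA\Domain Admins,SHAREDDATA\wrkstadmins
; *S-1-5-32-544__Memberof =
```

To trigger the refresh Steve mentions, run `gpupdate /force` on Windows XP or `secedit /refreshpolicy machine_policy /enforce` on Windows 2000, then confirm the result on the client with `net localgroup Administrators`; gpresult alone only tells you the GPO reached the computer, not what the local group now contains.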
Steve,
Thanks for the reply and excuse the following notes and questions as I'm a bit confused and somewhat overwhelmed.
I currently have domain 'A' and there is an OU underneath that domain called 'XYZ'. When right-clicking and choosing Properties I can get to the Group Policy tab. Do I need to create a new group policy object or should I add the default domain group policy object? Then create the restricted group under that GPO. Once that is done, would the group that you suggested below be made a member of the restricted GPO group? And would the restricted GPO be made a member of, let's say, Domain Admins?
:
Probably the best way is to implement Group Policy Restricted Groups at the OU level for the computers you want this to happen on. See the link below for more details. I would create a global group and add it to "this group is a member of" for administrators at the OU level. Doing it at the OU level will prevent the users from being added to the administrators group for the domain, assuming that domain controllers are not in the scope of management of that GPO at the OU level, which they would not be if all are in the default domain controllers container. --- Steve
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
I would like to give a certain user (or group) full administrator rights to a subset of machines in my domain, without making them members of the 'Domain Admins' or 'Administrators' group. Is this possible?