Adrian Marsh (NNTP)
Hi,
I'm trying to sort out my domain structure before deployment, but I'm
hitting some snags. Main problem is in sorting out where in the
structure User accounts should exist, and what groups they should be a
member of, and how that affects the logon scripts.
Here's the current layout:
---------------------------------
uk-lab
    Builtin
    Computers
    Domain Controllers (OU)
    ForeignSecurityPrincipals
    Servers (OU) (Server Admins)
    Users (labadmin)
    Workstations (OU) (labuser, labusergroup)
        Desktops A (OU)
        Desktops B (OU)
        Desktops C (OU)
        laptops (OU)
        test machines (OU)
Here are the users:
labuser - part of the Workstations OU. Member of the "labusergroup".
Also a member of Domain Users.
labadmin - part of the Users container. Member of the "server admins"
group. Also a member of Domain Admins.
Here are the groups:
labusergroup - part of the Workstations OU
Server admins - part of the Servers OU
I have 5 GPO policies:
uk-lab domain policy (top level)
DC policies
Servers Policy
Workstations Policy
test machines policy
(Workstation policy will be inherited into child OUs: laptops, etc.
Intended to be able to set up different Automatic Update schedules, and
test different settings on test machines.)
Separate logon scripts are defined for both the Servers OU and the
Workstations OU.
labuser is a member of Restricted Group (Administrator) under the
Workstations OU.
labadmin is a member of the Domain Admins.
-----------------------------------
Here's my issue:
I want labadmin to be able to log on anywhere (which is why I left it in
the default Users container). I only want labuser to be able to log on
to computers held in the Workstations OU and below.
At the moment, when labuser logs into Workstation PCs, all works well.
But if labadmin logs into a machine in the Servers OU, then none of the
server logon scripts run. If I move the labadmin account into the
Servers OU, then will that account be able to log into the
Workstation PCs? Will the logon scripts for labadmin work?
I want labadmin to be able to log on anywhere, but have the logon scripts
run in reflection of the OU policy (i.e. Servers run "server" type
scripts, Workstations run different sets).
What am I missing about the setup of labadmin to be able to have it
log on everywhere, and have appropriate scripts run?
I've tried:
- Moving the logon scripts for servers into the top-level OU (uk-lab), but
then those scripts also run on any computers in Workstations and below.
- Moving the labadmin account into Servers. But then I'm unsure if
labadmin is still able to log on to Workstation PCs. And how would the
logon scripts run?
I just can't work out which OU to put labadmin in. Whichever OU I move
him to, I think he'll not be able to log into the other. Obviously I've
missed something simple?
Adrian
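The behaviour described in the post follows from how Group Policy scopes user-side settings: logon scripts in a GPO's User Configuration are selected by the container chain of the user object, not the computer the user logs on to, and the default Users container cannot have a GPO linked to it at all. The model below is an added example, not code from the post or from any Microsoft tool; the OU layout is the poster's, while the script names and the `loopback_merge` switch (which models the standard "loopback processing, merge mode" computer-side setting) are constructed for illustration.

```python
# Added example: a minimal model of default Group Policy user-side scoping.
# Constructed data based on the poster's OU layout; not exported from a real domain.

DOMAIN = "uk-lab"

# Parent of every container/OU in the post (constructed to match the layout).
# "Users" is a plain container, not an OU: no GPO can be linked to it.
PARENT = {
    "Users": DOMAIN, "Servers": DOMAIN, "Workstations": DOMAIN,
    "Domain Controllers": DOMAIN, "Desktops A": "Workstations",
    "Desktops B": "Workstations", "Desktops C": "Workstations",
    "laptops": "Workstations", "test machines": "Workstations",
}

# User Configuration logon scripts linked at each level (constructed names).
USER_LOGON_SCRIPTS = {
    DOMAIN: ["domain-logon.cmd"],
    "Servers": ["server-logon.cmd"],
    "Workstations": ["workstation-logon.cmd"],
}


def chain(container):
    """Containers from the domain root down to `container`: the order in which
    linked GPOs are processed (domain first, closest OU last)."""
    path = []
    while container:
        path.append(container)
        container = PARENT.get(container)
    return list(reversed(path))


def logon_scripts(user_ou, computer_ou, loopback_merge=False):
    """Logon scripts a user receives when logging on to a given computer.

    Default processing: only the USER object's container chain is consulted;
    the computer's OU is irrelevant, which is why an account in the Users
    container never sees scripts linked to the Servers OU.
    loopback_merge=True models loopback processing in merge mode: the user
    settings of GPOs in the COMPUTER's chain are appended after the user's own.
    """
    scripts = []
    for container in chain(user_ou):
        scripts += USER_LOGON_SCRIPTS.get(container, [])
    if loopback_merge:
        for container in chain(computer_ou):
            scripts += USER_LOGON_SCRIPTS.get(container, [])
    # A GPO that appears in both lists is applied once; keep first occurrence.
    return list(dict.fromkeys(scripts))
```

Note that the user account's OU never by itself decides where it may log on; that is governed by user rights such as "Allow log on locally" and by group membership, so moving labadmin between OUs only changes which user-side GPOs it receives.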