Setting local machine permissions via GPO

[andy smart]

We need to set all our domain users up as power users on the local
workstations; we've thought through the implications of this but we have
so mucy, err, 'legacy' software out there that it is the easiest way for
it all to work. We did this on our old network.

Then over the summer we lost the network in a fairly big way, so we have
had to create a new domain etc etc etc

Now I can't get the gpo to set this permission on the local
workstations. I've created a gpo on the workstations OU, used computer
settings and restricted groups to make DOMAIN\domain users members of
the power users group. Only it doesn't seem to be working.

Any ideas of what dumb mistake I've made? (and don't say making them
power users in the first place!)

tia
andy

 

[Steven L Umbach]

Try running the support tool gpresult /v on one of the computers in the OU
to see what it reports. You may want to pipe the report to a text file as in
gpresult /v>c:\report.txt. It will show the container that the domain
computer thinks it is in, the Group Policies applied, last time applied, and
from what domain controller. I believe that with the /v switch you may see
some info on Restricted Groups. If I remember correctly the "member of"
feature of Restricted Groups only works well if SP4 is installed. Try making
some other change to the Group Policy for computer configuration [security
option or such] that has Restricted Groups configured to see if it
propagates to the domain computers or not. That will help determine if your
problem is a general problem with the GPO or with your configuration of
Restricted Groups. --- Steve

 

[andy smart]

Try running the support tool gpresult /v on one of the computers in the OU
to see what it reports. You may want to pipe the report to a text file as in
gpresult /v>c:\report.txt. It will show the container that the domain
computer thinks it is in, the Group Policies applied, last time applied, and
from what domain controller. I believe that with the /v switch you may see
some info on Restricted Groups. If I remember correctly the "member of"
feature of Restricted Groups only works well if SP4 is installed. Try making
some other change to the Group Policy for computer configuration [security
option or such] that has Restricted Groups configured to see if it
propagates to the domain computers or not. That will help determine if your
problem is a general problem with the GPO or with your configuration of
Restricted Groups. --- Steve

We need to set all our domain users up as power users on the local
workstations; we've thought through the implications of this but we have
so mucy, err, 'legacy' software out there that it is the easiest way for
it all to work. We did this on our old network.

Then over the summer we lost the network in a fairly big way, so we have
had to create a new domain etc etc etc

Now I can't get the gpo to set this permission on the local
workstations. I've created a gpo on the workstations OU, used computer
settings and restricted groups to make DOMAIN\domain users members of
the power users group. Only it doesn't seem to be working.

Any ideas of what dumb mistake I've made? (and don't say making them
power users in the first place!)

tia
andy

Ta Steve

That showed the dumb mistake up a treat!