
Group policy with local administrators and domain accounts

Mellman

Diamond Member
I need to set up a domain users group that has local admin rights on the machines. I know this is possible to do with group policy, but the "instructions" I've found so far don't specify where to add the local group.

I know how to do this manually from the server and from the workstation but I'd like to know how to do it via GPO.

Thanks,
-Matt
 
In Group Policy Console.
- Computer Settings
-- Windows Settings
--- Security Settings
---- Restricted Groups

I'm just setting this up today and from what I've researched, I believe this is the section it's done in.

- I'm using an AD group I created "PROD-LocalWrkAdmins" and specifying it here....
 
Yes, it's in there - but I don't know what groups to add to which section, anything I've read is very unclear about that...any help? 🙂

I don't know which Member Of, and Members, etc...I want my Teachers group to be members of the local admin group on each machine.

I also read somewhere that this is an absolute setting and that unless you add the domain admins group too - you won't have access.
 
I also read somewhere that this is an absolute setting and that unless you add the domain admins group too - you won't have access.
That's correct. Your restricted group policy will remove all current members of whatever local group you are configuring and replace them with the members you specify. You can log onto the machine that the policy is applying to and manually add a user or group, but when group policy gets reapplied (every couple hours or so), any users or groups you manually add will be removed.

If you want to add users to a restricted group, you want the Members section. Member Of is for groups that you want the restricted group to be a member of.

http://technet2.microsoft.com/WindowsSe...33-b3fe-1b1a15c18f6a1033.mspx?mfr=true
 
but where do I specify that I want to add members to the local admin group? From what I'm seeing, when I "add" a restricted group - nowhere can I specify that it is for local admin, I can only select groups within the AD...
 
Just type in Administrators and when the policy is applied to a member machine, it will know that it should be the local administrators group on that box.
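As an added example (not from this thread or any poster), here is a small Python parser for the [Group Membership] section of the GptTmpl.inf that Restricted Groups writes into SYSVOL. It shows how the Members and Member Of columns discussed above are stored (`__Members` is authoritative, `__Memberof` is additive, "Administrators" resolves to the well-known SID S-1-5-32-544) and flags the lock-out case where local Administrators is restricted without Domain Admins. The SIDs and group names in the sample are constructed.

```python
r"""Parse the [Group Membership] section of a Restricted Groups GptTmpl.inf
(SYSVOL: <GPO>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf).
<group>__Members is authoritative (the local group is reset to exactly this
list on every refresh); <group>__Memberof is additive (the restricted group
is added to the listed groups). Principals are *SID if resolved, else names."""
import re

LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"  # built-in local Administrators
DOMAIN_ADMINS_RID = 512                    # well-known RID of Domain Admins
# Constructed sample: SIDs and names are made up, not from a real GPO.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1107
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = Teachers,*S-1-5-21-1111111111-2222222222-3333333333-512
"""

def parse_group_membership(text):
    """{group: {"members": list|None, "memberof": list|None}}; None = key
    absent (no action), [] = explicit empty list (empties the group)."""
    policy, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"\*?(.+?)__(members|memberof)", key.strip(), re.I)
        if not m:
            continue
        entries = [e.strip().lstrip("*") for e in value.split(",") if e.strip()]
        policy.setdefault(m[1], {"members": None, "memberof": None})[m[2].lower()] = entries
    return policy

def lockout_risk(policy, domain_sid):
    """True when local Administrators gets an authoritative Members list that
    includes neither Domain Admins' SID nor its name (the thread's lock-out case)."""
    entry = policy.get(LOCAL_ADMINISTRATORS_SID)
    if entry is None or entry["members"] is None:
        return False
    domain_admins_sid = f"{domain_sid}-{DOMAIN_ADMINS_RID}"
    return not any(e == domain_admins_sid or e.lower() == "domain admins"
                   for e in entry["members"])
```

Run it against a real GptTmpl.inf pulled from SYSVOL to see exactly what membership a Restricted Groups GPO will enforce before linking it.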
 
LOL why didn't any of the responses on expertsexchange say that?

Ok another question for you - my domain policy doesn't seem to be applying properly all the time (also am making exceptions in Windows XP firewall)

Even when I do gpupdate /force it never seems to work - am I missing something else on GPO? It's been a few years since I played with GPO.

Thanks!
 
Originally posted by: Mellman
Even when I do gpupdate /force it never seems to work - am I missing something else on GPO? It's been a few years since I played with GPO.

Thanks!

Do you have more than one Active Directory server (domain controller)?
 
Originally posted by: Brazen
Originally posted by: Mellman
Even when I do gpupdate /force it never seems to work - am I missing something else on GPO? It's been a few years since I played with GPO.

Thanks!

Do you have more than one Active Directory server (domain controller)?
Could be replication, I'd also take a look at the client to make sure there aren't errors in the event log.
 
How are you determining that it isn't applying? RSOP, gpresult?

Is this the default domain policy? You typically don't want to make any changes to that GPO outside of the password and account policy settings. All other settings (firewall exceptions, whatever) should be in separate GPOs.
 
yes - this was on the default domain policy, that's how I was taught to do it long ago :-X

Any other time I've used the default domain policy it has worked fine, determined it "not working" by doing gpupdate /force

This whole network is sort of a mess, and I'm helping as a favor to the school.
 
Originally posted by: stash
How are you determining that it isn't applying? RSOP, gpresult?

Is this the default domain policy? You typically don't want to make any changes to that GPO outside of the password and account policy settings. All other settings (firewall exceptions, whatever) should be in separate GPOs.

I don't even change the password and account policy settings. I create a separate GPO with those settings and just apply it at the domain level.
 
Any other time I've used the default domain policy it has worked fine, determined it "not working" by doing gpupdate /force
Yeah it will work, I was just saying it isn't recommended 😉

Have you checked the application log of the client(s) that are having issues? That's a good place to start, and then if necessary you can enable more detailed logging with userenv debugging, etc.
 
The main reason to stay away from it, other than for account policies, is because it will apply to every user and computer in the domain. That applies for any policy at the domain level. Generally the only settings you want to be making that have that broad of an impact are the account policy settings.

Everything else should be contained in a separate GPO and focused at smaller groups of objects, like OUs of computers or users or even groups of computers or users with filtering.
 
Originally posted by: Mellman
yes - this was on the default domain policy, that's how I was taught to do it long ago :-X

Any other time I've used the default domain policy it has worked fine, determined it "not working" by doing gpupdate /force

This whole network is sort of a mess, and I'm helping as a favor to the school.

When I first got here, they had all sorts of funky AD problems like that. I found some tools from Microsoft (can't remember what they were now, it's been years) that do health checks on the domain. When I ran the checks, they found a bunch of errors. I matched the errors up with KB articles to get them fixed and when I was done, problems like that disappeared.
 
Originally posted by: Brazen
Originally posted by: Mellman
yes - this was on the default domain policy, that's how I was taught to do it long ago :-X

Any other time I've used the default domain policy it has worked fine, determined it "not working" by doing gpupdate /force

This whole network is sort of a mess, and I'm helping as a favor to the school.

When I first got here, they had all sorts of funky AD problems like that. I found some tools from Microsoft (can't remember what they were now, it's been years) that do health checks on the domain. When I ran the checks, they found a bunch of errors. I matched the errors up with KB articles to get them fixed and when I was done, problems like that disappeared.


Heh - Well - my issue is that, I'm not being paid a lot to do this, because they don't have the money to pay me, and don't want me to spend time when they can't pay me. On top of that, while I want to learn how to fix this stuff - I don't have free rein, because they start classes in a week and I would hate to mess something up :-D

Thanks guys I'll see if I can find anything else, I'm confused as to why it's not updating, can't push SAV out to the clients either (I'm assuming due to the firewall)

 
Originally posted by: Brazen
I matched the errors up with KB articles to get them fixed and when I was done, problems like that disappeared.

Sorry to hijack the thread...

There are a lot of consultants who make a good living doing just this.

Couldn't resist, it's just such a simple step to review error logs and always seems to get overlooked.

So Mellman, have you looked at the event log yet?
 
I made good money doing that two summers ago - but never ran into something this stubborn I couldn't fix - However I haven't looked into the application log because...They rebooted the server 🙂

I told them I'd work on it from home and not charge them my time for it because they didn't necessarily want it fixed. But then the server went down, if it comes back up I am going to look into it more. But for now, I'm going to begin installing MythTV on my box at home
 
Originally posted by: stash
The main reason to stay away from it, other than for account policies, is because it will apply to every user and computer in the domain. That applies for any policy at the domain level. Generally the only settings you want to be making that have that broad of an impact are the account policy settings.

Everything else should be contained in a separate GPO and focused at smaller groups of objects, like OUs of computers or users or even groups of computers or users with filtering.

I stay away from it just because it helps you keep track of what policies have been changed from default. Also, like Stash said, most policies should only be applied to the computers or users you want, and maybe now you want it to apply to everyone and everything, but sometime down the road, you may decide to split up which policies apply to whom. We, for instance, have separate policies for our servers, and separate policies for our workstations, and separate policies for our laptops.
 
lol

I still remember the time when I was in PSS, and I got a call from an engineer in our India office. He was working with a customer, but they needed to escalate the issue, so enter me. So the engineer is relaying some info about the case to me, and he gets to a point where he needs to phonetically spell something to me. It went a little like this:

Him: "uh, I as in India, N as in Nancy, G as in Juliet..."
Me: "You mean J as in Juliet?"
Him: "Uh huh, G as in Juliet"
Me: "WTF?" /bangs head on whiteboard
 
Well, getting this mess on a client-side machine 🙂

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1085
Date: 8/23/2006
Time: 4:56:27 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPLABDESK
Description:
The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

generated this error upon using the gpupdate /force command, I removed any changes to the default domain policy I made myself - but these errors have been showing up for months.

eventid.net here i come!
 
Check the \windows\security\templates policies directory (it's a hidden directory). On XP clients, this directory should be read only, but the files inside of it should not be.

The easiest way to fix that is to delete all files in that policies folder and do a gpupdate /force
 