Re: Giving admin rights to a subset of computers
- From: "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 16 Jan 2006 09:46:04 -0800
Steve,
Not working yet, but I think some progress.
The client is WinXP Pro SP2 and the domain controller is Win2K SP4.
Here's the result of gpresult. I see the RG I created in the computer
security section, so does this point to a GPO problem? The new GPO,
ATL-Admin-GPO, I just created it and did no modification to any of the
settings.
C:\Program Files\Resource Kit>gpresult
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Monday, January 16, 2006 at 12:37:08 PM
Operating System Information:
Operating System Type: Professional
Operating System Version: 5.1.2600.Service Pack 2
Terminal Server Mode: Not supported
###############################################################
User Group Policy results for:
CN=Steve Adams,CN=Users,DC=shareddata,DC=com
Domain Name: SHAREDDATA
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming profile: (None)
Local profile: C:\Documents and Settings\sadams
The user is a member of the following security groups:
SHAREDDATA\Atlanta Admins
\Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
SHAREDDATA\Domain Users
SHAREDDATA\NOCC_Group
###############################################################
Last time Group Policy was applied: Monday, January 16, 2006 at 12:36:55 PM
Group Policy was applied from: sdndc1.shareddata.com
===============================================================
The user received "Registry" settings from these GPOs:
Default Domain Policy
###############################################################
Computer Group Policy results for:
CN=CHAMALEON2,OU=Atlanta,DC=shareddata,DC=com
Domain Name: SHAREDDATA
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
SHAREDDATA\CHAMALEON2$
SHAREDDATA\Domain Computers
###############################################################
Last time Group Policy was applied: Monday, January 16, 2006 at 12:36:48 PM
Group Policy was applied from: sdndc1.shareddata.com
===============================================================
The computer received "Registry" settings from these GPOs:
Default Domain Policy
===============================================================
The computer received "Security" settings from these GPOs:
Default Domain Policy
ATL-Admin-GPO
===============================================================
The computer received "EFS recovery" settings from these GPOs:
Default Domain Policy
"Steven L Umbach" wrote:
> Did you get it to work yet? It sounds like you did it correctly if you used
> RG to configure 'ATL-RG' for "this group is a member of" the
> administrators group. For "this group is a member of" you need to make sure
> that your Windows 2000 computers are using service pack 4. It does not
> matter where the global group itself is and make sure the global group is a
> security group and not a distribution group. I would also run the support
> tool gpresult on the computer in the new OU to make sure that it shows that
> the new Group Policy is applying to it under computer configuration to see
> if you have a problem with RG configuration or if it is a Group Policy
> problem. --- Steve
>
>
> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:990239B0-5664-4C39-BE2E-1995257642B0@xxxxxxxxxxxxxxxx
> > Steve,
> > Thanks again but I'm still a bit confused. Here's what I have and what
> > I've tried.
> > We are small so our users were created at the domain level. All the
> > computers exist in the 'Computers' folder under the domain. I've created
> > an OU, 'ATL', that has just 1 test machine in it. Also the global group,
> > 'ATL-Admins', to hold the users I want to give admin rights to is at the
> > domain level. Should it be there or at the OU level? I also created a
> > new gpo for the OU. In that gpo I've not defined any policy settings and
> > I've created a restricted group 'ATL-RG'. On the property sheet of this
> > RG, I've made the global group 'ATL-Admins' a member of the RG. And made
> > the RG a member of the 'Administrators' group. After rebooting the client
> > the new global group is not in the local users and groups. What might I
> > have done wrong?
> >
> > Thanks again.
> >
> > "Steven L Umbach" wrote:
> >
> >> I would create a new Group Policy in that OU or modify one that you
> >> already have linked to that OU if it is used ONLY for that OU and you
> >> want to apply Restricted Groups to all computers in that OU. You would
> >> want to create a new global group [wrkstadmins or whatever] that you
> >> would add users to that you want to be administrators on computers in
> >> the OU. Then you would want that global group to be "this group is a
> >> member of" administrators group. If you can't browse to administrators
> >> group just type in administrators. After you are done force Group Policy
> >> refresh on your domain computer or reboot to see if the new global group
> >> is in the local administrators group of the domain computers in the OU.
> >> If you are still a bit unsure/uneasy create a test OU with its own Group
> >> Policy and configure it there and move a couple computers into the OU
> >> when done to see if it works. --- Steve
> >>
> >>
> >> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:3DC2B523-3E7A-49AA-A8E0-D5798F2F7CFA@xxxxxxxxxxxxxxxx
> >> > Steve,
> >> > Thanks for the reply and excuse the following notes and questions as
> >> > I'm a bit confused and somewhat overwhelmed.
> >> > I currently have domain 'A' and there is an OU underneath that domain
> >> > called 'XYZ'. When right clicking and choosing properties I can get to
> >> > the Group Policy tab. Do I need to create a new group policy object or
> >> > should I add the default domain group policy object? Then create the
> >> > restricted group under that gpo. Once that is done would the group that
> >> > you suggested below be made a member of the restricted gpo group? And
> >> > would the restricted gpo be made a member of let's say domain admins?
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> Probably the best way is to implement Group Policy Restricted Groups at
> >> >> the OU level for the computers you want this to happen on. See the link
> >> >> below for more details. I would create a global group and add it to
> >> >> "this group is a member of" for administrators at the OU level. Doing
> >> >> it at the OU level will prevent the users from being added to the
> >> >> administrators group for the domain assuming that domain controllers
> >> >> are not in the scope of management of that GPO at the OU level which
> >> >> they would not be if all are in the default domain controllers
> >> >> container. --- Steve
> >> >>
> >> >>
> >> >> http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
> >> >>
> >> >> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:7B660EFC-C3B8-4019-978D-447BC423C75B@xxxxxxxxxxxxxxxx
> >> >> > I would like to give a certain user (or group) full administrator
> >> >> > rights to a subset of machines in my domain, without making them
> >> >> > members of the 'Domain Admins' or 'Administrators' group. Is this
> >> >> > possible?
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
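
The check Steve asks for in the quoted reply (does gpresult show the new Group Policy applying under computer configuration?) can be run mechanically. The Python below is an added example, not part of the original thread: it parses the Windows 2000 gpresult text format shown in the post and reports whether a named GPO delivered "Security" settings, the part of a GPO where Restricted Groups is configured. The function names, the return labels and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: a trimmed excerpt of the gpresult output in the post.
SAMPLE = """\
User Group Policy results for:
CN=Steve Adams,CN=Users,DC=shareddata,DC=com
###############################################################
The user received "Registry" settings from these GPOs:
Default Domain Policy
###############################################################
Computer Group Policy results for:
CN=CHAMALEON2,OU=Atlanta,DC=shareddata,DC=com
The computer is a member of the following security groups:
BUILTIN\\Administrators
###############################################################
The computer received "Registry" settings from these GPOs:
Default Domain Policy
===============================================================
The computer received "Security" settings from these GPOs:
Default Domain Policy
ATL-Admin-GPO
===============================================================
"""

RECEIVED = re.compile(r'^The (user|computer) received "([^"]+)" settings from these GPOs:$')
RULE = re.compile(r'^[#=]{10,}$')

def parse_gpresult(text):
    """Return {(scope, extension): [GPO names]} from Windows 2000 gpresult text."""
    applied, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECEIVED.match(line)
        if m:
            current = applied.setdefault((m.group(1), m.group(2)), [])
        elif not line or RULE.match(line) or line.endswith(":"):
            current = None          # separator or another header ends the GPO list
        elif current is not None:
            current.append(line)    # group and DN lines are skipped: current is None
    return applied

def diagnose(text, gpo, scope="computer", extension="Security"):
    """Say whether the GPO delivered this extension, only others, or nothing."""
    applied = parse_gpresult(text)
    if gpo in applied.get((scope, extension), []):
        return "applied"               # policy reached the machine
    if any(gpo in names for (s, _), names in applied.items() if s == scope):
        return "other-extension-only"  # GPO applies, but not this section
    return "not-applied"               # look at the link, OU placement or filtering
```

For the output in the post, `diagnose(SAMPLE, "ATL-Admin-GPO")` returns `applied`, which separates the two cases Steve names: the GPO is reaching the computer, leaving the Restricted Groups entry itself as the thing to inspect.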