Re: Giving admin rights to a subset of computers



Well you proved that the Group Policy is working and I bet that RG is
working but not the way that you expect. Look at the administrators group on
that test computer and see if the domain admins group has been removed. If
it has then RG probably removed it and you still need to tweak your RG
settings. Make sure that you are doing this for RG. In the GP for the test
OU add ATL-Admins as the RG using "add group". Once it shows as the RG
double click it to open its properties and under "this group is a member
of" add administrators. It sounds like you may have administrators as the
RG. That should make sure that ATL-Admins is added to the administrators
group on the computers in that OU. It is a bit confusing configuring RG for
the first time. You may need/want to add your users to the "members of this
group" for ATL-Admins RG if they disappear from your ATL-Admins group which
should check for proper membership after enabling RG. -- Steve


"Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A1E15E99-28DB-48C4-A187-D400186DFE89@xxxxxxxxxxxxxxxx
> Steve,
>
> Sorry for the confusion. The OU is called 'Atlanta'. I'm using it as the
> test so that when I get everything right, all I have to do is move the
> PCs into this group. The OU has GPO 'ATL-Admin-GPO'. And this GPO has RG
> 'ATL-ADMINS-RG'. And the group of users to get admin rights is 'Atlanta
> Admins'.
>
> I did a test as you asked and set 'Deny logon locally' to the 'Atlanta
> Admins'. This successfully prevented my test user in that group from
> logging on. I'm assuming this means it's working correctly. However maybe
> my question is now no longer a RG problem, but a GPO problem. When I set
> 'Deny logon locally' back to 'Not defined', I can log on as my test user.
> But, I'm still unable to do things like change the IP address. Something I
> know the administrator or other domain admins can do. What might be my
> problem?
>
> Once again. Thanks a million for your help.
>
> Marty
>
> "Steven L Umbach" wrote:
>
>> Hi Marty.
>>
>> The gpresult indicates that the computer that you ran this on is in the
>> OU called Atlanta though you said that the OU with the GPO that has RG is
>> called ATL and it is also confusing in that it appears that the GPO
>> ATL-Admin-GPO is applying to it? Maybe the test OU name is actually
>> Atlanta? What I would do is to configure a couple non disruptive Group
>> Policy settings in your new ATL-Admin-GPO such as maybe defining guests for
>> the user right for deny logon locally to see if that setting propagates or
>> not which will help show if there is a problem with the ATL-Admin-GPO
>> working or just a configuration problem with RG. You can also run rsop.msc
>> on the XP computer to see what settings are being applied by Group Policy
>> and from what GPO. --- Steve
>>
>>
>> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:4AF7C182-59E5-47D4-AB2F-00E04ED220DD@xxxxxxxxxxxxxxxx
>> > Steve,
>> > Not working yet, but I think some progress.
>> > The client is WinXP Pro sp2 and domain controller is Win2K SP4.
>> >
>> > Here's the result of gpresult. I see the RG I created in the computer
>> > security section
>> > so does this point to a gpo problem. The new gpo ATL-Admin-GPO, I just
>> > created it and did no modification to any of the settings.
>> >
>> > C:\Program Files\Resource Kit>gpresult
>> > Microsoft (R) Windows (R) 2000 Operating System Group Policy Result
>> > tool
>> > Copyright (C) Microsoft Corp. 1981-1999
>> >
>> >
>> > Created on Monday, January 16, 2006 at 12:37:08 PM
>> >
>> >
>> > Operating System Information:
>> >
>> > Operating System Type: Professional
>> > Operating System Version: 5.1.2600.Service Pack 2
>> > Terminal Server Mode: Not supported
>> >
>> > ###############################################################
>> >
>> > User Group Policy results for:
>> >
>> > CN=Steve Adams,CN=Users,DC=shareddata,DC=com
>> >
>> > Domain Name: SHAREDDATA
>> > Domain Type: Windows 2000
>> > Site Name: Default-First-Site-Name
>> >
>> > Roaming profile: (None)
>> > Local profile: C:\Documents and Settings\sadams
>> >
>> > The user is a member of the following security groups:
>> >
>> > SHAREDDATA\Atlanta Admins
>> > \Everyone
>> > BUILTIN\Users
>> > NT AUTHORITY\INTERACTIVE
>> > NT AUTHORITY\Authenticated Users
>> > \LOCAL
>> > SHAREDDATA\Domain Users
>> > SHAREDDATA\NOCC_Group
>> >
>> >
>> > ###############################################################
>> >
>> > Last time Group Policy was applied: Monday, January 16, 2006 at
>> > 12:36:55
>> > PM
>> > Group Policy was applied from: sdndc1.shareddata.com
>> >
>> >
>> > ===============================================================
>> >
>> >
>> > The user received "Registry" settings from these GPOs:
>> >
>> > Default Domain Policy
>> >
>> >
>> >
>> > ###############################################################
>> >
>> > Computer Group Policy results for:
>> >
>> > CN=CHAMALEON2,OU=Atlanta,DC=shareddata,DC=com
>> >
>> > Domain Name: SHAREDDATA
>> > Domain Type: Windows 2000
>> > Site Name: Default-First-Site-Name
>> >
>> >
>> > The computer is a member of the following security groups:
>> >
>> > BUILTIN\Administrators
>> > \Everyone
>> > BUILTIN\Users
>> > NT AUTHORITY\NETWORK
>> > NT AUTHORITY\Authenticated Users
>> > SHAREDDATA\CHAMALEON2$
>> > SHAREDDATA\Domain Computers
>> >
>> > ###############################################################
>> >
>> > Last time Group Policy was applied: Monday, January 16, 2006 at
>> > 12:36:48
>> > PM
>> > Group Policy was applied from: sdndc1.shareddata.com
>> >
>> >
>> > ===============================================================
>> >
>> >
>> > The computer received "Registry" settings from these GPOs:
>> >
>> > Default Domain Policy
>> >
>> >
>> > ===============================================================
>> > The computer received "Security" settings from these GPOs:
>> >
>> > Default Domain Policy
>> > ATL-Admin-GPO
>> >
>> >
>> > ===============================================================
>> > The computer received "EFS recovery" settings from these GPOs:
>> >
>> > Default Domain Policy
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Did you get it to work yet? It sounds like you did it correctly if you
>> >> used RG to configure 'ATL-RG' for "this group is a member of" the
>> >> administrators group. For "this group is a member of" you need to make
>> >> sure that your Windows 2000 computers are using service pack 4. It does
>> >> not matter where the global group itself is and make sure the global
>> >> group is a security group and not a distribution group. I would also run
>> >> the support tool gpresult on the computer in the new OU to make sure
>> >> that it shows that the new Group Policy is applying to it under computer
>> >> configuration to see if you have a problem with RG configuration or if
>> >> it is a Group Policy problem. --- Steve
>> >>
>> >>
>> >> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:990239B0-5664-4C39-BE2E-1995257642B0@xxxxxxxxxxxxxxxx
>> >> > Steve,
>> >> > Thanks again but I'm still a bit confused. Here's what I have and what
>> >> > I've tried.
>> >> > We are small so our users were created at the domain level. All the
>> >> > computers exist in the 'Computers' folder under the domain. I've
>> >> > created an OU, 'ATL' that has just 1 test machine in it. Also the
>> >> > global group, 'ATL-Admins', to hold the users I want to give admin
>> >> > rights to is at the domain level. Should it be there or at the OU
>> >> > level? I also created a new gpo for the OU. In that gpo I've not
>> >> > defined any policy settings and I've created a restricted group
>> >> > 'ATL-RG'. On the property *** of this RG, I've made the global group
>> >> > 'ATL-Admins' a member of the RG. And made the RG a member of the
>> >> > 'Administrators' group. After rebooting the client the new global
>> >> > group is not in the local users and groups. What might I have done
>> >> > wrong?
>> >> >
>> >> > Thanks again.
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> I would create a new Group Policy in that OU or modify one that you
>> >> >> already have linked to that OU if it is used ONLY for that OU and you
>> >> >> want to apply Restricted Groups to all computers in that OU. You would
>> >> >> want to create a new global group [wrkstadmins or whatever] that you
>> >> >> would add users to that you want to be administrators on computers in
>> >> >> the OU. Then you would want that global group to be "this group is a
>> >> >> member of" administrators group. If you can't browse to administrators
>> >> >> group just type in administrators. After you are done force Group
>> >> >> Policy refresh on your domain computer or reboot to see if the new
>> >> >> global group is in the local administrators group of the domain
>> >> >> computers in the OU. If you are still a bit unsure/uneasy create a
>> >> >> test OU with its own Group Policy and configure it there and move a
>> >> >> couple computers into the OU when done to see if it works. --- Steve
>> >> >>
>> >> >>
>> >> >> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:3DC2B523-3E7A-49AA-A8E0-D5798F2F7CFA@xxxxxxxxxxxxxxxx
>> >> >> > Steve,
>> >> >> > Thanks for the reply and excuse the following notes and questions
>> >> >> > as I'm a bit confused and somewhat overwhelmed.
>> >> >> > I currently have domain 'A' and there is an OU underneath that
>> >> >> > domain called 'XYZ'. When right clicking and choosing properties I
>> >> >> > can get to the Group Policy tab. Do I need to create a new group
>> >> >> > policy object or should I add the default domain group policy
>> >> >> > object? Then create the restricted group under that gpo. Once that
>> >> >> > is done would the group that you suggested below be made a member
>> >> >> > of the restricted gpo group? And would the restricted gpo be made a
>> >> >> > member of let's say domain admins?
>> >> >> >
>> >> >> > "Steven L Umbach" wrote:
>> >> >> >
>> >> >> >> Probably the best way is to implement Group Policy Restricted
>> >> >> >> Groups at the OU level for the computers you want this to happen
>> >> >> >> on. See the link below for more details. I would create a global
>> >> >> >> group and add it to "this group is a member of" for administrators
>> >> >> >> at the OU level. Doing it at the OU level will prevent the users
>> >> >> >> from being added to the administrators group for the domain
>> >> >> >> assuming that domain controllers are not in the scope of management
>> >> >> >> of that GPO at the OU level which they would not be if all are in
>> >> >> >> the default domain controllers container. --- Steve
>> >> >> >>
>> >> >> >>
>> >> >> >> http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
>> >> >> >>
>> >> >> >> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> >> news:7B660EFC-C3B8-4019-978D-447BC423C75B@xxxxxxxxxxxxxxxx
>> >> >> >> > I would like to give a certain user (or group) full administrator
>> >> >> >> > rights to a subset of machines in my domain, without making them
>> >> >> >> > members of the 'Domain Admins' or 'Administrators' group. Is this
>> >> >> >> > possible?
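
Added example, not code from the thread and not Microsoft's: a small Python
model of the two Restricted Groups settings Steve keeps distinguishing. The
GPO editor stores Restricted Groups in the GPO's GptTmpl.inf (under
Machine\Microsoft\Windows NT\SecEdit in SYSVOL) as a [Group Membership]
section with a `<group>__Members` line ("Members of this group", authoritative:
the local group is rewritten to exactly that list, so an empty list empties
the group) and a `<group>__Memberof` line ("This group is a member of",
additive). The script parses constructed fragments of that section for both
configurations discussed above, Administrators as the RG versus ATL-Admins as
the RG, and applies them to a constructed starting membership of the test
computer's local Administrators group. The domain SIDs, the
SHAREDDATA\ATL-Admins name and the starting memberships are assumptions; only
S-1-5-32-544 (BUILTIN\Administrators) is a real well-known SID. The model
ignores everything else a policy refresh does, and keeps the built-in
Administrator in Administrators because SAM does not allow it to be removed.

```python
"""Model of what Restricted Groups does to a computer's local groups.

Added example, not code from the thread. GptTmpl.inf stores Restricted Groups
under [Group Membership] with two kinds of entry per restricted group:
  <group>__Members  = a,b    "Members of this group"     -> authoritative
  <group>__Memberof = g1,g2  "This group is a member of" -> additive
Names, domain SIDs and starting memberships are constructed; only
S-1-5-32-544 (BUILTIN\\Administrators) is a real well-known SID.
"""
import re
from typing import Dict, List, Optional, Set

# GptTmpl.inf writes principals it could resolve as '*SID'. Constructed table.
SID_NAMES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-21-1111-2222-3333-512": "SHAREDDATA\\Domain Admins",
    "S-1-5-21-1111-2222-3333-1105": "SHAREDDATA\\ATL-Admins",
}

# SAM never lets the built-in Administrator (RID 500) leave Administrators.
PROTECTED = {"Administrators": {"Administrator"}}

# Constructed starting state of the test computer's local groups.
LOCAL_SAM_BEFORE = {
    "Administrators": {"Administrator", "SHAREDDATA\\Domain Admins"},
    "Users": {"NT AUTHORITY\\Authenticated Users", "SHAREDDATA\\Domain Users"},
}

# Constructed: what the editor writes when Administrators itself is made the
# restricted group and ATL-Admins is listed under "Members of this group".
GPTTMPL_WRONG = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105
"""

# Constructed: ATL-Admins is the restricted group and Administrators is
# listed under "This group is a member of", as Steve recommends.
GPTTMPL_RIGHT = """\
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
"""

Policy = Dict[str, Dict[str, Optional[List[str]]]]

def _resolve(token: str) -> str:
    token = token.strip()
    if token.startswith("*"):
        return SID_NAMES.get(token[1:], token[1:])  # unknown SID stays raw
    return token

def parse_group_membership(inf_text: str) -> Policy:
    """Return {group: {"Members": list or None, "Memberof": list}}."""
    policy: Policy = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+?)__(Members|Memberof)", key.strip())
        if not m:
            continue
        group = _resolve(m.group(1))
        names = [_resolve(t) for t in value.split(",") if t.strip()]
        policy.setdefault(group, {"Members": None, "Memberof": []})[m.group(2)] = names
    return policy

def apply_restricted_groups(local_sam: Dict[str, Set[str]], policy: Policy) -> Dict[str, Set[str]]:
    """Return the local group memberships after the policy is enforced."""
    sam = {g: set(m) for g, m in local_sam.items()}
    # Members is authoritative, but a member computer can only rewrite its own
    # local groups: a Members line for SHAREDDATA\ATL-Admins does nothing here.
    # The editor always writes the key, so an empty list empties a local group.
    for group, rules in policy.items():
        if group in sam and rules["Members"] is not None:
            sam[group] = set(rules["Members"]) | PROTECTED.get(group, set())
    # Memberof only adds; whoever was already in the target group stays.
    # (This model applies the additions after the Members lists.)
    for group, rules in policy.items():
        for target in rules["Memberof"] or []:
            if target in sam:
                sam[target].add(group)
    return sam

def administrators_after(inf_text: str) -> Set[str]:
    """Local Administrators membership once the given GptTmpl.inf is enforced."""
    return apply_restricted_groups(LOCAL_SAM_BEFORE, parse_group_membership(inf_text))["Administrators"]

if __name__ == "__main__":
    for label, inf in (("Administrators as the RG", GPTTMPL_WRONG),
                       ("ATL-Admins as the RG", GPTTMPL_RIGHT)):
        print(f"{label}: {sorted(administrators_after(inf))}")
```

With the first fragment the local Administrators group ends up as just
Administrator and ATL-Admins, with Domain Admins gone; that is exactly the
symptom Steve tells Marty to look for on the test computer. With the second
fragment Domain Admins stays and ATL-Admins is added. On the XP client the
real check is `net localgroup Administrators` after a `gpupdate /force` or a
reboot, and rsop.msc will show which GPO the [Group Membership] entries came
from.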