Re: Giving admin rights to a subset of computers
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 17 Jan 2006 19:50:52 -0600
Great. Glad you got it working. Sometimes the fine print is hard to sort out. --- Steve
"Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0D2D8FE6-EC45-488A-9DFF-AA9C6FA20E73@xxxxxxxxxxxxxxxx
> SUCCESS!!!!!
>
> I see where I screwed up.
> I removed the group name 'ATL-ADMINS-RG' and added group 'Atlanta Admins'
> (the one with my test user) to the RG of the GPO 'ATL-Admin-GPO' for the
> OU 'Atlanta'. Once the client was rebooted I was able to get admin
> privileges for my client PC.
>
> Thanks a billion.
>
> "Steven L Umbach" wrote:
>
>> Well you proved that the Group Policy is working and I bet that RG is
>> working but not the way that you expect. Look at the administrators group
>> on that test computer and see if the domain admins group has been removed.
>> If it has then RG probably removed it and you still need to tweak your RG
>> settings. Make sure that you are doing this for RG. In the GP for the
>> test OU add ATL-Admins as the RG using "add group". Once it shows as the RG
>> double click it to open its properties and under "this group is a member
>> of" add administrators. It sounds like you may have administrators as the
>> RG. That should make sure that ATL-Admins is added to the administrators
>> group on the computers in that OU. It is a bit confusing configuring RG
>> for the first time. You may need/want to add your users to the "members of
>> this group" for ATL-Admins RG if they disappear from your ATL-Admins group
>> which should check for proper membership after enabling RG. -- Steve
>>
>>
>> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:A1E15E99-28DB-48C4-A187-D400186DFE89@xxxxxxxxxxxxxxxx
>> > Steve,
>> >
>> > Sorry for the confusion. The OU is called 'Atlanta'. I'm using it as
>> > the test so that when I get everything right, all I have to do is move
>> > the PC's into this group. The OU has GPO 'ATL-Admin-GPO'. And this GPO
>> > has RG 'ATL-ADMINS-RG'. And the group of users to get admin rights is
>> > 'Atlanta Admins'.
>> >
>> > I did a test as you asked and set 'Deny logon locally' to the 'Atlanta
>> > Admins'. This successfully prevented my test user in that group from
>> > logging on. I'm assuming this means it's working correctly. However maybe
>> > my question is now no longer a RG problem, but a GPO problem. When I set
>> > 'Deny logon locally' back to 'Not defined', I can logon as my test user.
>> > But, I'm still unable to do things like change the IP address. Something
>> > I know the administrator or other domain admins can do. What might be my
>> > problem?
>> >
>> > Once again. Thanks a million for your help.
>> >
>> > Marty
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Hi Marty.
>> >>
>> >> The gpresult indicates that the computer that you ran this on is in
>> >> the OU called Atlanta though you said that the OU with the GPO that has
>> >> RG is called ATL and it is also confusing in that it appears that the
>> >> GPO ATL-Admin-GPO is applying to it? Maybe the test OU name is actually
>> >> Atlanta? What I would do is to configure a couple non disruptive Group
>> >> Policy settings in your new ATL-Admin-GPO such as maybe defining guests
>> >> for the user right for deny logon locally to see if that setting
>> >> propagates or not which will help show if there is a problem with the
>> >> ATL-Admin-GPO working or just a configuration problem with RG. You can
>> >> also run rsop.msc on the XP computer to see what settings are being
>> >> applied by Group Policy and from what GPO. --- Steve
>> >>
>> >>
>> >> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:4AF7C182-59E5-47D4-AB2F-00E04ED220DD@xxxxxxxxxxxxxxxx
>> >> > Steve,
>> >> > Not working yet, but I think some progress.
>> >> > The client is WinXP Pro sp2 and domain controller is Win2K SP4.
>> >> >
>> >> > Here's the result of gpresult. I see the RG I created in the computer
>> >> > security section so does this point to a gpo problem. The new gpo
>> >> > ATL-Admin-GPO, I just created it and did no modification to any of the
>> >> > settings.
>> >> >
>> >> > C:\Program Files\Resource Kit>gpresult
>> >> > Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
>> >> > Copyright (C) Microsoft Corp. 1981-1999
>> >> >
>> >> >
>> >> > Created on Monday, January 16, 2006 at 12:37:08 PM
>> >> >
>> >> >
>> >> > Operating System Information:
>> >> >
>> >> > Operating System Type: Professional
>> >> > Operating System Version: 5.1.2600.Service Pack 2
>> >> > Terminal Server Mode: Not supported
>> >> >
>> >> > ###############################################################
>> >> >
>> >> > User Group Policy results for:
>> >> >
>> >> > CN=Steve Adams,CN=Users,DC=shareddata,DC=com
>> >> >
>> >> > Domain Name: SHAREDDATA
>> >> > Domain Type: Windows 2000
>> >> > Site Name: Default-First-Site-Name
>> >> >
>> >> > Roaming profile: (None)
>> >> > Local profile: C:\Documents and Settings\sadams
>> >> >
>> >> > The user is a member of the following security groups:
>> >> >
>> >> > SHAREDDATA\Atlanta Admins
>> >> > \Everyone
>> >> > BUILTIN\Users
>> >> > NT AUTHORITY\INTERACTIVE
>> >> > NT AUTHORITY\Authenticated Users
>> >> > \LOCAL
>> >> > SHAREDDATA\Domain Users
>> >> > SHAREDDATA\NOCC_Group
>> >> >
>> >> >
>> >> > ###############################################################
>> >> >
>> >> > Last time Group Policy was applied: Monday, January 16, 2006 at 12:36:55 PM
>> >> > Group Policy was applied from: sdndc1.shareddata.com
>> >> >
>> >> >
>> >> > ===============================================================
>> >> >
>> >> >
>> >> > The user received "Registry" settings from these GPOs:
>> >> >
>> >> > Default Domain Policy
>> >> >
>> >> >
>> >> >
>> >> > ###############################################################
>> >> >
>> >> > Computer Group Policy results for:
>> >> >
>> >> > CN=CHAMALEON2,OU=Atlanta,DC=shareddata,DC=com
>> >> >
>> >> > Domain Name: SHAREDDATA
>> >> > Domain Type: Windows 2000
>> >> > Site Name: Default-First-Site-Name
>> >> >
>> >> >
>> >> > The computer is a member of the following security groups:
>> >> >
>> >> > BUILTIN\Administrators
>> >> > \Everyone
>> >> > BUILTIN\Users
>> >> > NT AUTHORITY\NETWORK
>> >> > NT AUTHORITY\Authenticated Users
>> >> > SHAREDDATA\CHAMALEON2$
>> >> > SHAREDDATA\Domain Computers
>> >> >
>> >> > ###############################################################
>> >> >
>> >> > Last time Group Policy was applied: Monday, January 16, 2006 at 12:36:48 PM
>> >> > Group Policy was applied from: sdndc1.shareddata.com
>> >> >
>> >> >
>> >> > ===============================================================
>> >> >
>> >> >
>> >> > The computer received "Registry" settings from these GPOs:
>> >> >
>> >> > Default Domain Policy
>> >> >
>> >> >
>> >> > ===============================================================
>> >> > The computer received "Security" settings from these GPOs:
>> >> >
>> >> > Default Domain Policy
>> >> > ATL-Admin-GPO
>> >> >
>> >> >
>> >> > ===============================================================
>> >> > The computer received "EFS recovery" settings from these GPOs:
>> >> >
>> >> > Default Domain Policy
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> Did you get it to work yet? It sounds like you did it correctly if
>> >> >> you used RG to configure 'ATL-RG' for "this group is a member of" the
>> >> >> administrators group. For "this group is a member of" you need to
>> >> >> make sure that your Windows 2000 computers are using service pack 4.
>> >> >> It does not matter where the global group itself is and make sure the
>> >> >> global group is a security group and not a distribution group. I would
>> >> >> also run the support tool gpresult on the computer in the new OU to
>> >> >> make sure that it shows that the new Group Policy is applying to it
>> >> >> under computer configuration to see if you have a problem with RG
>> >> >> configuration or if it is a Group Policy problem. --- Steve
>> >> >>
>> >> >>
>> >> >> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:990239B0-5664-4C39-BE2E-1995257642B0@xxxxxxxxxxxxxxxx
>> >> >> > Steve,
>> >> >> > Thanks again but I'm still a bit confused. Here's what I have and
>> >> >> > what I've tried.
>> >> >> > We are small so our users were created at the domain level. All the
>> >> >> > computers exist in the 'Computers' folder under the domain. I've
>> >> >> > created an OU, 'ATL' that has just 1 test machine in it. Also the
>> >> >> > global group, 'ATL-Admins', to hold the users I want to give admin
>> >> >> > rights to is at the domain level. Should it be there or at the OU
>> >> >> > level? I also created a new gpo for the OU. In that gpo I've not
>> >> >> > defined any policy settings and I've created a restricted group
>> >> >> > 'ATL-RG'. On the property *** of this RG, I've made the global group
>> >> >> > 'ATL-Admins' a member of the RG. And made the RG a member of the
>> >> >> > 'Administrators' group. After rebooting the client the new global
>> >> >> > group is not in the local users and groups. What might I have done
>> >> >> > wrong?
>> >> >> >
>> >> >> > Thanks again.
>> >> >> >
>> >> >> > "Steven L Umbach" wrote:
>> >> >> >
>> >> >> >> I would create a new Group Policy in that OU or modify one that
>> >> >> >> you already have linked to that OU if it is used ONLY for that OU
>> >> >> >> and you want to apply Restricted Groups to all computers in that
>> >> >> >> OU. You would want to create a new global group [wrkstadmins or
>> >> >> >> whatever] that you would add users to that you want to be
>> >> >> >> administrators on computers in the OU. Then you would want that
>> >> >> >> global group to be "this group is a member of" administrators
>> >> >> >> group. If you can't browse to administrators group just type in
>> >> >> >> administrators. After you are done force Group Policy refresh on
>> >> >> >> your domain computer or reboot to see if the new global group is in
>> >> >> >> the local administrators group of the domain computers in the OU.
>> >> >> >> If you are still a bit unsure/uneasy create a test OU with its own
>> >> >> >> Group Policy and configure it there and move a couple computers
>> >> >> >> into the OU when done to see if it works. --- Steve
>> >> >> >>
>> >> >> >>
>> >> >> >> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> >> news:3DC2B523-3E7A-49AA-A8E0-D5798F2F7CFA@xxxxxxxxxxxxxxxx
>> >> >> >> > Steve,
>> >> >> >> > Thanks for the reply and excuse the following notes and
>> >> >> >> > questions as I'm a bit confused and somewhat overwhelmed.
>> >> >> >> > I currently have domain 'A' and there is an OU underneath that
>> >> >> >> > domain called 'XYZ'. When right clicking and choosing properties
>> >> >> >> > I can get to the Group Policy tab. Do I need to create a new
>> >> >> >> > group policy object or should I add the default domain group
>> >> >> >> > policy object? Then create the restricted group under that gpo.
>> >> >> >> > Once that is done would the group that you suggested below be
>> >> >> >> > made a member of the restricted gpo group? And would the
>> >> >> >> > restricted gpo
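As an added example that is not part of the thread above, the following PowerShell script performs the checks Steve asks Marty to do by hand on the client once the Restricted Groups policy has refreshed: it lists the local Administrators group, confirms the global group arrived via "This group is a member of", confirms Domain Admins was not displaced (the symptom of having configured Administrators itself as the restricted group with a "Members of this group" list, which replaces the existing membership), and checks that the GPO shows up in gpresult output. The names SHAREDDATA, Atlanta Admins and ATL-Admin-GPO come from the thread; the script, its function names, parameter names and the gpresult substring check are assumptions of mine, not the poster's procedure.

```powershell
<#
  Added example for this thread, not code from the original posts.
  Run on the domain-joined client after the Restricted Groups policy has
  refreshed, from a PowerShell prompt that can read local group membership.
  Group and GPO names below are taken from the thread; the script itself,
  its parameter names and its checks are an assumption about how one would
  verify the result.
#>
param(
    # Global group that RG should have placed into local Administrators
    # through "This group is a member of".
    [string]$ExpectedGroup = 'SHAREDDATA\Atlanta Admins',
    # Group that must NOT be displaced. If Administrators is configured as
    # the RG with a "Members of this group" list, RG replaces the whole
    # membership and Domain Admins disappears.
    [string]$MustRemain = 'SHAREDDATA\Domain Admins',
    # GPO expected to deliver the Security settings to this computer.
    [string]$ExpectedGpo = 'ATL-Admin-GPO'
)

function Get-LocalAdministrators {
    # The WinNT ADSI provider works from Windows 2000 through current
    # releases, unlike Get-LocalGroupMember (PowerShell 5.1+ only).
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # AdsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://DOMAIN/COMPUTER/Name for local ones; normalise to DOMAIN\Name.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[-1] }
    }
}

function Test-RestrictedGroupResult {
    param([string[]]$Members, [string]$Expected, [string]$Required)
    # -contains on strings is case-insensitive in PowerShell.
    [pscustomobject]@{
        ExpectedPresent = [bool]($Members -contains $Expected)
        RequiredPresent = [bool]($Members -contains $Required)
        Members         = $Members
    }
}

function Test-GpoApplied {
    param([string]$GpoName)
    # "/scope computer /v" is accepted by the XP and later gpresult. A plain
    # substring match is enough to confirm the GPO reached the computer; the
    # RG outcome itself is verified from local group membership, not from here.
    $out = & gpresult /scope computer /v 2>&1 | Out-String
    return ($out -match [regex]::Escape($GpoName))
}

$members = @(Get-LocalAdministrators)
$check   = Test-RestrictedGroupResult -Members $members -Expected $ExpectedGroup -Required $MustRemain

"Local Administrators on $($env:COMPUTERNAME):"
$members | ForEach-Object { "  $_" }

if (-not $check.ExpectedPresent) {
    Write-Warning "$ExpectedGroup is missing. Confirm it is a security (not distribution) group and is configured under 'This group is a member of' -> Administrators, then refresh policy (gpupdate /force on XP and later) or reboot."
}
if (-not $check.RequiredPresent) {
    Write-Warning "$MustRemain was removed. Administrators is probably defined as the restricted group with a 'Members of this group' list, which replaces the existing membership; make the global group the RG instead."
}
if (-not (Test-GpoApplied -GpoName $ExpectedGpo)) {
    Write-Warning "$ExpectedGpo does not appear in gpresult output; look at GPO linking and OU placement before touching the RG settings."
}
```

Run it as `.\Verify-RestrictedGroups.ps1` (any file name works) after `gpupdate /force` or a reboot. The three warnings map to the three failure modes discussed in the thread: wrong group type or wrong RG direction, an authoritative "Members of this group" list that wiped Domain Admins, and a GPO that never reached the computer because the machine sits in a different OU than the one the GPO is linked to.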