Re: Domain Users into Local Admins

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/23/05


Date: Fri, 22 Apr 2005 17:43:31 -0500

Make sure you use Restricted Groups ONLY at the OU level for your purpose,
otherwise that group will also be added to the administrators group for
the domain! Try running the support tool netdiag on both the domain
controller that the client computer is using as a preferred DNS server and
the client itself to see if any pertinent errors are reported that may help
resolve the problem. I would also run dcdiag on that domain controller to
make sure that replication and such is working fine. Another quick test is
that from the domain client if you run \\domaincontroller\sysvol in the run
box the client must be able to find and access the sysvol share.

--- Steve

"Ben" <bjblackmore@xyz.hotmail.com> wrote in message
news:u58QOozRFHA.1396@TK2MSFTNGP10.phx.gbl...
> Hi Todd,
>
> Thanks for the reply.
>
> I've just rebooted 4 times, checked the DNS is correct and made sure both
> user and computer are correctly authenticated in the domain, and there is
> no filtering going on.
> Still no Local Admins.
> One thing I noticed was when I ran gpresult I get an error something about
> user not having any RSoP data? No idea what that means, I looked up RSoP
> and it's Resultant Set of Policy but I have no idea why it's not working!
> It could be ICMP being blocked, I'm running Symantec client firewall, so
> I'm just about to check now.
>
> Any idea what the RSoP error means?
>
> Ben
>
> "Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message
> news:%231vvtzyRFHA.2788@TK2MSFTNGP09.phx.gbl...
>> Sometimes two reboots are needed. Failing that, see below.
>>
>> The following are common reasons why GPO settings are failing to apply to a
>> user or computer (8-point check):
>>
>> 1) Machine or user must be a domain member and authenticate with the domain
>> 2) DNS client configuration problem. Is the client's preferred DNS server
>> setting pointing to a DNS server that handles the zone for AD domain?
>> 3) User or machine is not in the container to which the GPO is linked. Run
>> rsop.msc or gpresult.exe /v on the user's workstation to check that the
>> policy is actually being applied or not.
>> 4) User or machine is under a hierarchy which is blocking the GPO
>> 5) There is group filtering which is preventing the user or machine from
>> reading the GPO
>> 6) The user is a member of a group which is being filtered from the effect
>> of Group Policy. For example, the 'Authenticated Users' has "Deny" selected
>> for 'Apply Group Policy'.
>> 7) If ICMP is blocked for administrative reasons, group policies will not
>> apply. (Clients test the link speed by sending an ICMP packet of 2048
>> bytes.)
>> 8) Check to see if the user is a member of too many groups.
>>
>> Quoted from:
>> Kerberos authentication may not work if user is a member of many groups:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;280830
>>
>> If a user is a member of many groups either directly or because of group
>> nesting, Kerberos authentication may not work. The Group Policy object (GPO)
>> may not be applied to the user and the user may not be validated to use
>> network resources.
>>
>> --
>> Todd J Heron, MCSE
>> Windows Server 2003/2000/NT; CCA
>> ----------------------------------------------------------------------------
>> This posting is provided "as is" with no warranties and confers no rights
>>
>
>
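
The client-side checks suggested in this thread, collected into one PowerShell script as an added example (it is not part of the original posts). The domain controller name `DC01` is a placeholder, and netdiag and dcdiag are only run if the support tools are installed on the machine.

```powershell
# Added example: run on the domain client that is not getting the Restricted Groups policy.
param(
    # Placeholder (assumption): the DC the client uses as its preferred DNS server.
    [string]$DomainController = 'DC01'
)

$report = [ordered]@{}

# Point 1 of the 8-point check: the machine must be a domain member.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$report['PartOfDomain'] = $cs.PartOfDomain
$report['Domain']       = $cs.Domain

# Point 2: which DNS servers is the client actually configured to use?
$dns = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder }
$report['DnsServers'] = ($dns | Where-Object { $_ } | Select-Object -Unique) -join ', '

# Point 7: send a 2048-byte ICMP echo, the size the list says clients use.
$report['Icmp2048Ok'] = Test-Connection -ComputerName $DomainController -Count 1 -BufferSize 2048 -Quiet

# Quick test from the reply: the client must be able to reach the sysvol share.
$report['SysvolReachable'] = Test-Path -Path "\\$DomainController\sysvol"

# Point 3: keep the verbose gpresult output for review (applied GPOs, RSoP errors).
$gpFile = Join-Path $env:TEMP 'gpresult-v.txt'
& gpresult.exe /v 2>&1 | Out-File -FilePath $gpFile
$report['GpresultExitCode'] = $LASTEXITCODE
$report['GpresultOutput']   = $gpFile

# Support tools named in the reply; /q limits output to errors.
foreach ($tool in 'netdiag.exe', 'dcdiag.exe') {
    if (Get-Command $tool -ErrorAction SilentlyContinue) {
        $toolArgs = if ($tool -eq 'dcdiag.exe') { "/s:$DomainController", '/q' } else { '/q' }
        & $tool $toolArgs 2>&1 | Out-File -FilePath (Join-Path $env:TEMP "$tool.txt")
        $report["$tool exit code"] = $LASTEXITCODE
    } else {
        $report[$tool] = 'not installed'
    }
}

[pscustomobject]$report | Format-List

# The outcome the thread is after: who is in the local Administrators group now.
& net.exe localgroup Administrators
```

A `False` for `SysvolReachable` or `Icmp2048Ok` points at name resolution or the client firewall rather than at the GPO itself.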


