Solved

Active Directory (GPO): When local admin, logon script doesn't run (Win2K PC)

Posted on 2004-08-18
Last Modified: 2010-04-13
Environment: 4 Win2K servers; 1 Win2k AD server
PCs: Win98, WinXP and Win 2K Pro

I have the default domain GPO set that applies to all domain users except administrator-type user names [default security settings that get set when AD is installed].

The GPO is working fine for all users except when I add the user to the local administrators group.  On a Win 2K PC, the logon script defined in the GPO does not execute.  On the Win XP it seems to.

There are other GPO settings that don't seem to apply either, e.g. the default IE home page that I have set in the GPO.

Does anyone have any ideas why the policies or logon don't work?

Thanks.
Question by:halfondj
21 Comments
 
LVL 7

Expert Comment

by:wtrmk74
ID: 11837925
So is this two questions that need answers?

1st - The GPO is working fine for all users except when I add the user to the local administrators group.

2nd - On a Win 2K PC, the logon script defined in the GPO does not execute.

wtrmk74

Author Comment

by:halfondj
ID: 11840183
I asked one question - Why doesn't the domain GPO logon script get executed for a local admin user on a Win 2K PC?
LVL 2

Expert Comment

by:TASINetwork
ID: 11846021
Login scripts are a user policy.  User Policies only apply to domain users, not local users.

Author Comment

by:halfondj
ID: 11851950
The user is a domain user, but they are also a local user.

What can be done to rectify my problem?

Thanks.
LVL 2

Expert Comment

by:TASINetwork
ID: 11852205
You could set up local policies on each PC.

I would not recommend having both local and domain users for users though.  I would only create a domain user and then if needed, add them to local groups.

What is the reasoning for having local users also?

Author Comment

by:halfondj
ID: 11858531
>> What is the reasoning for having local users also?
Unfortunately, there are 3 third-party applications that require that the user have local administrator rights.  Therefore, it's necessary to add the domain user into the local administrator group.

We would prefer not giving anybody local administrator rights, but the applications require it.

Any suggestions for not having to give local administrator rights to the user would be appreciated.  I can't seem to find a way to do it through a GPO.

Thanks.

LVL 2

Expert Comment

by:TASINetwork
ID: 11858817
Ok, so you are not creating users on the local PC, but adding domain users to local groups, right?  If so, that is how it should be done (and domain GPOs will apply to them).  What I would do about the admin rights is try to figure out what it needs to do that are part of the administrator permissions and then add just those rights to a new local group and assign the domain users to that group.  Did you try running the application with the user as a local Power User?  That tends to work most of the time.

Author Comment

by:halfondj
ID: 11858987
>> Ok, so you are not creating users on the local PC, but adding domain users to local groups, right?
That's right.  I'm adding the domain user to the local PC and adding them to the Administrator group.

>> If so, that is how it should be done (and domain GPOs will apply to them).
Some of the settings in the domain GPO apply, not all of them, e.g. I have the home page set to Google, but on Win XP PCs, when the domain user who is in the local admin group logs onto the PC, the Dell home page displays.  Why?

>> What I would do about the admin rights is try to figure out what it needs to do that are part of the administrator permissions and then add just those rights to a new local group and assign the domain users to that group.
This may be difficult to do because it seems that the 3 applications have different reasons for why the user has to have local admin rights, e.g. needs to write to the registry, write access to certain folders.

>> Did you try running the application with the user as a local Power User?  That tends to work most of the time.
No, I haven't tried putting the user into the local Power User group.  Sounds like a great idea.  Is a Power User able to write to the registry?

BTW - If someone is able to resolve my problem, I will increase the points.

Thanks.

LVL 16

Accepted Solution

by:robrandon (earned 2000 total points)
ID: 11872665
Your domain logon script should be running, even if your domain user is a member of the local administrators group.  After you logon, run gpresult and make sure that the correct GP is applying.

You can post the results here if you would like.
LVL 2

Expert Comment

by:TASINetwork
ID: 11873079
Power users CAN write to more of the registry (not critical settings, but a lot more than a standard user).  The power users group was designed for legacy application use.

Author Comment

by:halfondj
ID: 11884594
Thanks for the replies.  Because this question has been outstanding for a while and I really need a solution, I increased the points to the max.

As robrandon suggested, I ran gpresult.  I hope the information I'm providing below will be of assistance in resolving why the GPO doesn't apply to the user after I give the user local PC administrator rights.

Thanks.

Two scenarios:
1) On a Win XP PC, I logged on with a domain user name that does not have local administrator rights - all worked fine - default domain policy was applied including running the logon script.  Here's info after running gpresult.

USER SETTINGS
--------------
    CN=TestUser jsmith,OU=ABC-Test-Users,OU=ABC-Departments,DC=ABC-OPS,DC=com
    Last time Group Policy was applied: 8/24/2004 at 1:41:07 PM
    Group Policy was applied from:      ad-srvr.ABC-OPS.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
       
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        ABC-Test-Users-Grp
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users

I then gave local admin rights to the same user on the same Win XP PC:
2) On the same Win XP PC, I logged on with the same domain user name and the domain default policy did not work - did not apply.  Here's info after running gpresult.

USER SETTINGS
--------------
    CN=TestUser jsmith,OU=ABC-Test-Users,OU=ABC-Departments,DC=ABC-OPS,DC=com
    Last time Group Policy was applied: 8/24/2004 at 1:45:07 PM
    Group Policy was applied from:      ad-srvr.ABC-OPS.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

         Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        ABC-Test-Users-Grp
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
LVL 16

Expert Comment

by:robrandon
ID: 11886305
So the only difference between these 2 logons was that in between you added the account to the local administrators group?  I just want to firm up that this is the same exact domain account in both instances.


Author Comment

by:halfondj
ID: 11886585
Yes.  You are correct.  I [only] added the domain user to the local PC administrators group.

Thanks.
LVL 16

Expert Comment

by:robrandon
ID: 11887220
What if you created an additional policy with the same settings, and apply it just to that user?  I'm curious if the problem is with something in the GP or if it is because it is the default policy.

I'm pretty sure this is not normal.


Author Comment

by:halfondj
ID: 11888258
I certainly could try that, but I have a couple of questions to ask:

>> What if you created an additional policy with the same settings, and apply it just to that user?
1) Can I copy the current policy to a new one, so that I don't have to go through all the settings again?
2) How do I apply it to only 1 user?
Is it that I create a new OU and have only 1 user in it?  If so, that is how I'm currently doing my testing.  I have 1 test OU with 1 test user.  The OU does not have a GPO.  The OU is inheriting the default domain policy.

Thanks.
LVL 16

Expert Comment

by:robrandon
ID: 11891305
1.  If you have Windows Server 2003 or an XP box, you can use the GPMC.  I believe the GUI actually lets you drag and drop policies, but I have never used it before.

2.  Make sure you place the GP either in an OU that contains the user, or an OU above the user so it can filter down.  You can put it at the domain level if you would like.  Then go to the properties of the GP, and select the Security tab.  The default will have Authenticated Users set for Read and Apply.  Remove the Apply setting so they don't get the redundant GP.  Add the user to the list and set them up with Read and Apply.  The GP will only work for users or groups that have Read or Apply, as long as a Deny setting for either of those is not set.  There is no need to move the user into a different OU.


Author Comment

by:halfondj
ID: 11895804
I finally figured out my problem re:why the default domain policy was not applying to a domain user after I added them to the local PC administrators group.

In the security tab of the default domain policy, I had the administrators group set to allow-read and deny-apply group policy.  I didn't know that when a user is added to the local PC administrators group, they are considered to be in the administrators group that is defined on the active server.

The following describes what I did to get what I needed to work:

1.  In the default domain policy on the security tab, I deleted the administrators group.
2.  I created 2 security groups: 1) ABC-Local-Admin-Grp and 2) ABC-No-GPO-Admin-Grp.
The ABC-Local-Admin-Grp contains all users that are in the local administrators group on their PCs.
The ABC-No-GPO-Admin-Grp contains the active directory administrator usernames, e.g. Administrator, adadmin [backup administrator username].
3. In the default domain policy, I added the two security groups to the security tab.
For the ABC-Local-Admin-Grp, I set the permissions to allow-read and allow-apply group policy.
For the ABC-No-GPO-Admin-Grp, I set the permissions to deny-read and deny-apply group policy.

After doing the above, all domain users that I put into the local administrators group on their PCs, now have the default domain policy applied.  In addition, the administrator usernames [administrator and adadmin] works properly - the default domain policy is not applied.

If anyone has feedback re:how I rectified my problem, I would welcome all comments.

Also, thanks to everyone who responded to this posting especially to robrandon who suggested that I run GPRESULT.  That was a great suggestion.

Author Comment

by:halfondj
ID: 11896392
>> For the ABC-No-GPO-Admin-Grp, I set the permissions to deny-read and deny-apply group policy.
There's a correction.  'deny-read' should be 'allow-read'.
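A model of the security filtering behind the "Denied (Security)" line in the gpresult output above and of the two-group fix (with the correction), added here as an example and not code from the thread. It relies on one fact not spelled out in the posts: S-1-5-32-544 is the well-known SID of BUILTIN\Administrators on every Windows machine, so a GPO ACE for "Administrators" matches a workstation-local admin as well as a member of the domain's Administrators group. The SIDs for the ABC-* groups and the "DOMAIN" part of the domain SIDs are constructed placeholders.

```python
# Added example (not code from the thread): a model of GPO security filtering
# showing why gpresult reports "Denied (Security)" once a domain user joins the
# PC's local Administrators group, and why the author's two-group fix works.
# A GPO applies only if a token SID is allowed both Read and Apply Group Policy
# and no token SID is denied either right (Deny wins). S-1-5-32-544 is the
# well-known SID of BUILTIN\Administrators on every machine, so an ACE for
# "Administrators" matches a workstation-local admin as well as the domain's.
# "DOMAIN" in the SIDs below is a placeholder for the domain identifier.
ADMINS = "S-1-5-32-544"                   # BUILTIN\Administrators
AUTH_USERS = "S-1-5-11"                   # NT AUTHORITY\Authenticated Users
DOMAIN_USERS = "S-1-5-21-DOMAIN-513"
DOMAIN_ADMINS = "S-1-5-21-DOMAIN-512"
LOCAL_ADMIN_GRP = "S-1-5-21-DOMAIN-1101"  # ABC-Local-Admin-Grp (constructed RID)
NO_GPO_ADMIN_GRP = "S-1-5-21-DOMAIN-1102" # ABC-No-GPO-Admin-Grp (constructed RID)
RIGHTS = {"Read", "Apply"}

def gpo_applies(token_sids, aces):
    """Evaluate a GPO ACL [(sid, 'Allow'|'Deny', rights)] for a logon token."""
    allowed, denied = set(), set()
    for sid, kind, rights in aces:
        if sid in token_sids:
            (allowed if kind == "Allow" else denied).update(rights)
    if denied & RIGHTS:
        return "Denied (Security)"        # what gpresult printed in scenario 2
    return "Applied" if RIGHTS <= allowed else "Not Applied"

# Default Domain Policy ACL as the author first had it:
# Administrators = Allow Read, Deny Apply Group Policy.
ORIGINAL_ACL = [
    (AUTH_USERS, "Allow", RIGHTS),
    (ADMINS, "Allow", {"Read"}),
    (ADMINS, "Deny", {"Apply"}),
]
# ACL after the fix (with the later correction): Administrators removed,
# ABC-Local-Admin-Grp Allow Read+Apply, ABC-No-GPO-Admin-Grp Allow Read/Deny Apply.
FIXED_ACL = [
    (AUTH_USERS, "Allow", RIGHTS),
    (LOCAL_ADMIN_GRP, "Allow", RIGHTS),
    (NO_GPO_ADMIN_GRP, "Allow", {"Read"}),
    (NO_GPO_ADMIN_GRP, "Deny", {"Apply"}),
]
# Tokens modelled on the two gpresult listings: the only difference is
# BUILTIN\Administrators appearing after jsmith was made a local admin.
JSMITH_BEFORE = {DOMAIN_USERS, AUTH_USERS}
JSMITH_AFTER = JSMITH_BEFORE | {ADMINS}
JSMITH_FIXED = JSMITH_AFTER | {LOCAL_ADMIN_GRP}
DOMAIN_ADMIN = {DOMAIN_USERS, DOMAIN_ADMINS, ADMINS, AUTH_USERS, NO_GPO_ADMIN_GRP}
```

Running gpo_applies on the four tokens reproduces the thread: jsmith is "Applied" before and "Denied (Security)" after joining the local Administrators group under the original ACL, and under the fixed ACL jsmith gets the policy while the domain Administrator account does not.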
LVL 16

Expert Comment

by:robrandon
ID: 11904098
Still doesn't make sense.  As far as I know, you can't have a local group in the security of a GP.  Even if you add the domain user to the computers local administrators group, it doesn't make that user a member of the domain administrator's group.  Oh well.

Author Comment

by:halfondj
ID: 11912983
>> As far as I know, you can't have a local group in the security of a GP.
I didn't configure the security of the GP with a local group.  What it appears to be is that when one has domain_name\administrators in the security group, that somehow includes domain users who are also included in the local administrators group.  I did not explicitly define a local group in the security of the GP.  That's why I posted the original question.  I wouldn't think the domain_name\administrators group would include local administrators, but apparently it does.

Once I made two security groups and separated the real administrators - domain\administrator vs. domain\user_name, all is working perfectly.


Author Comment

by:halfondj
ID: 11913023
One other thought - when I ran GPResult after I added the domain user to the local PC's administrators group, I noticed that 'BUILTIN\Administrators' was included under 'The user is a part of the following security groups:'.