Solved

Active Directory (GPO): When local admin, logon script doesn't run (Win2K PC)

Posted on 2004-08-18
Last Modified: 2010-04-13
Environment: 4 Win2K servers; 1 Win2k AD server
PCs: Win98, WinXP and Win 2K Pro

I have the default domain GPO set that applies to all domain users except administrator-type user names [default security settings that get set when AD is installed].

The GPO is working fine for all users except when I add the user to the local administrators group.  On a Win 2K PC, the logon script defined in the GPO does not execute.  On the Win XP it seems to.

There are other GPO settings that don't seem to apply either, e.g. the default IE home page that I have set in the GPO.

Does anyone have any ideas why the policies or logon don't work?

Thanks.
Question by halfondj

21 Comments

Expert Comment by wtrmk74 (LVL 7)
So is this two questions that need answers?

1st - The GPO is working fine for all users except when I add the user to the local administrators group.

2nd - On a Win 2K PC, the logon script defined in the GPO does not execute.

wtrmk74
Author Comment by halfondj
I asked one question - Why doesn't the domain GPO logon script get executed for a local admin user on a Win 2K PC?
Expert Comment by TASINetwork (LVL 2)
Login scripts are a user policy.  User Policies only apply to domain users, not local users.
Author Comment by halfondj
The user is a domain user, but they are also a local user.

What can be done to rectify my problem?

Thanks.
Expert Comment by TASINetwork (LVL 2)
You could setup local policies on each PC.

I would not recommend having both local and domain users for users though.  I would only create a domain user and then if needed, add them to local groups.

What is the reasoning for having local users also?
Author Comment by halfondj
>> What is the reasoning for having local users also?
Unfortunately, there are 3 third-party applications that require that the user have local administrator rights.  Therefore, it's necessary to add the domain user into the local administrator group.

We would prefer not giving anybody local administrator rights, but the applications require it.

Any suggestions for not having to give local administrator rights to the user would be appreciated.  I can't seem to find a way to do it through a GPO.

Thanks.

Expert Comment by TASINetwork (LVL 2)
Ok, so you are not creating users on the local PC, but adding domain users to local groups, right?  If so, that is how it should be done (and domain GPOs will apply to them).  What I would do about the admin rights is try to figure out what it needs to do that are part of the administrator permissions and then add just those rights to a new local group and assign the domain users to that group.  Did you try running the application with the user as a local Power User?  That tends to work most of the time.
Author Comment by halfondj
>> Ok, so you are not creating users on the local PC, but adding domain users to local groups, right?
That's right.  I'm adding the domain user to the local PC and adding them to the Administrator group.

>> If so, that is how it should be done (and domain GPOs will apply to them).
Some of the settings in the domain GPO apply, not all of them, e.g. I have the home page set to Google, but on Win XP PCs, when the domain user who is in the local admin group logs onto the PC, the Dell home page displays.  Why?

>> What I would do about the admin rights is try to figure out what it needs to do that are part of the administrator permissions and then add just those rights to a new local group and assign the domain users to that group.
This may be difficult to do because it seems that the 3 applications have different reasons for why the user has to have local admin rights, e.g. needs to write to the registry, write access to certain folders.

>> Did you try running the application with the user as a local Power User?  That tends to work most of the time.
No, I haven't tried putting the user into the local Power User group.  Sounds like a great idea.  Is a Power User able to write to the registry?

BTW - If someone is able to resolve my problem, I will increase the points.

Thanks.
Accepted Solution by robrandon (LVL 16, earned 500 total points)
Your domain logon script should be running, even if your domain user is a member of the local administrators group.  After you logon, run gpresult and make sure that the correct GP is applying.

You can post the results here if you would like.
Expert Comment by TASINetwork (LVL 2)
Power users CAN write to more of the registry (not critical settings, but a lot more than a standard user).  The power users group was designed for legacy application use.

Author Comment by halfondj
Thanks for the replies.  Because this question has been outstanding for a while and I really need a solution, I increased the points to the max.

As robrandon suggested, I ran gpresult.  I hope the information I'm providing below will be of assistance in resolving why the GPO doesn't apply to the user after I give the user local PC administrator rights.

Thanks.

Two scenarios:
1) On a Win XP PC, I logged on with a domain user name that does not have local administrator rights - all worked fine - default domain policy was applied including running the logon script.  Here's info after running gpresult.

USER SETTINGS
--------------
    CN=TestUser jsmith,OU=ABC-Test-Users,OU=ABC-Departments,DC=ABC-OPS,DC=com
    Last time Group Policy was applied: 8/24/2004 at 1:41:07 PM
    Group Policy was applied from:      ad-srvr.ABC-OPS.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
       
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        ABC-Test-Users-Grp
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users

I then gave local admin rights to the same user on the same Win XP PC:
2) On the same Win XP PC, I logged on with the same domain user name and the domain default policy did not work - did not apply.  Here's info after running gpresult.

USER SETTINGS
--------------
    CN=TestUser jsmith,OU=ABC-Test-Users,OU=ABC-Departments,DC=ABC-OPS,DC=com
    Last time Group Policy was applied: 8/24/2004 at 1:45:07 PM
    Group Policy was applied from:      ad-srvr.ABC-OPS.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

         Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        ABC-Test-Users-Grp
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
Expert Comment by robrandon (LVL 16)
So the only difference between these 2 logons was that in between you added the account to the local administrators group?  I just want to firm up that this is the same exact domain account in both instances.

Author Comment by halfondj
Yes.  You are correct.  I [only] added the domain user to the local PC administrators group.

Thanks.
Expert Comment by robrandon (LVL 16)
What if you created an additional policy with the same settings, and apply it just to that user?  I'm curious if the problem is with something in the GP or if it is because it is the default policy.

I'm pretty sure this is not normal.

Author Comment by halfondj
I certainly could try that, but I have a couple of questions to ask:

>> What if you created an additional policy with the same settings, and apply it just to that user?
1) Can I copy the current policy to a new one, so that I don't have to go through all the settings again?
2) How do I apply it to only 1 user?
Is it that I create a new OU and have only 1 user in it?  If so, that is how I'm currently doing my testing.  I have 1 test OU with 1 test user.  The OU does not have a GPO.  The OU is inheriting the default domain policy.

Thanks.
Expert Comment by robrandon (LVL 16)
1.  If you have Windows Server 2003 or an XP box, you can use the GPMC.  I believe the GUI actually lets you drag and drop policies, but I have never used it before.

2.  Make sure you place the GP either in an OU that contains the user, or an OU above the user so it can filter down.  You can put it at the domain level if you would like.  Then go to the properties of the GP, and select the Security tab.  The default will have Authenticated Users set for Read and Apply.  Remove the Apply setting so they don't get the redundant GP.  Add the user to the list and set them up with Read and Apply.  The GP will only work for users or groups that have Read or Apply, as long as a Deny setting for either of those is not set.  There is no need to move the user into a different OU.



Author Comment by halfondj
I finally figured out my problem re: why the default domain policy was not applying to a domain user after I added them to the local PC administrators group.

In the security tab of the default domain policy, I had the administrators group set to allow-read and deny-apply group policy.  I didn't know that when a user is added to the local PC administrators group, they are considered to be in the administrators group that is defined on the active server.

The following describes what I did to get what I needed to work:

1.  In the default domain policy on the security tab, I deleted the administrators group.
2.  I created 2 security groups: 1) ABC-Local-Admin-Grp and 2) ABC-No-GPO-Admin-Grp.
The ABC-Local-Admin-Grp contains all users that are in the local administrators group on their PCs.
The ABC-No-GPO-Admin-Grp contains the active directory administrator usernames, e.g. Administrator, adadmin [backup administrator username].
3. In the default domain policy, I added the two security groups to the security tab.
For the ABC-Local-Admin-Grp, I set the permissions to allow-read and allow-apply group policy.
For the ABC-No-GPO-Admin-Grp, I set the permissions to deny-read and deny-apply group policy.

After doing the above, all domain users that I put into the local administrators group on their PCs now have the default domain policy applied.  In addition, the administrator usernames [administrator and adadmin] work properly - the default domain policy is not applied.

If anyone has feedback re: how I rectified my problem, I would welcome all comments.

Also, thanks to everyone who responded to this posting especially to robrandon who suggested that I run GPRESULT.  That was a great suggestion.
Author Comment by halfondj
>> For the ABC-No-GPO-Admin-Grp, I set the permissions to deny-read and deny-apply group policy.
There's a correction.  'deny-read' should be 'allow-read'.
Expert Comment by robrandon (LVL 16)
Still doesn't make sense.  As far as I know, you can't have a local group in the security of a GP.  Even if you add the domain user to the computers local administrators group, it doesn't make that user a member of the domain administrator's group.  Oh well.


Author Comment by halfondj
>> As far as I know, you can't have a local group in the security of a GP.
I didn't configure the security of the GP with a local group.  What it appears to be is that when one has domain_name\administrators in the security group, that somehow includes domain users who are also included in the local administrators group.  I did not explicitly define a local group in the security of the GP.  That's why I posted the original question.  I wouldn't think the domain_name\administrators group would include local administrators, but apparently it does.

Once I made two security groups and separated the real administrators - domain\administrator vs. domain\user_name, all is working perfectly.

Author Comment by halfondj
One other thought - when I ran GPResult after I added the domain user to the local PC's administrators group, I noticed that 'BUILTIN\Administrators' was included under 'The user is a part of the following security groups:'.
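Added example (not from the thread): a small Python model of GPO security filtering that reproduces the two gpresult results posted above, with the poster's original ACL beside the fixed one. The mechanism behind the thread's finding is that the "Administrators" entry in a GPO's ACL resolves to the well-known SID S-1-5-32-544 (BUILTIN\Administrators), which is the same SID as every computer's local Administrators group, so a domain user who is a local admin on the PC carries it in their logon token and matches the Deny Apply ACE; the SIDs for the two custom domain groups are constructed placeholders.

```python
from dataclasses import dataclass

# Well-known SIDs (real values). S-1-5-32-544 is BUILTIN\Administrators and is the
# same SID on every machine, so a token that is local admin on the PC carries it.
AUTHENTICATED_USERS = "S-1-5-11"
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
# Constructed SIDs standing in for the thread's two custom domain groups (not real).
ABC_LOCAL_ADMIN_GRP = "S-1-5-21-CONSTRUCTED-1101"
ABC_NO_GPO_ADMIN_GRP = "S-1-5-21-CONSTRUCTED-1102"

READ, APPLY = frozenset({"Read"}), frozenset({"ApplyGroupPolicy"})

@dataclass(frozen=True)
class Ace:
    sid: str
    allow: bool        # True for an Allow ACE, False for a Deny ACE
    rights: frozenset  # which of Read / ApplyGroupPolicy the ACE covers

def gpo_filtering(token_sids, acl):
    """Filtering result gpresult would print for one GPO: it applies only if the
    token is granted both Read and Apply Group Policy, and for each right a
    matching Deny ACE wins over any Allow ACE."""
    for right in ("Read", "ApplyGroupPolicy"):
        matching = [a for a in acl if a.sid in token_sids and right in a.rights]
        if any(not a.allow for a in matching) or not any(a.allow for a in matching):
            return "Denied (Security)"
    return "Applied"

# The poster's original Default Domain Policy ACL: Administrators Allow Read, Deny Apply.
ORIGINAL_ACL = [
    Ace(AUTHENTICATED_USERS, True, READ | APPLY),
    Ace(BUILTIN_ADMINISTRATORS, True, READ),
    Ace(BUILTIN_ADMINISTRATORS, False, APPLY),
]
# The fix from the thread: Administrators removed, the two domain groups added
# (ABC-No-GPO-Admin-Grp gets Allow Read / Deny Apply, per the poster's correction).
FIXED_ACL = [
    Ace(AUTHENTICATED_USERS, True, READ | APPLY),
    Ace(ABC_LOCAL_ADMIN_GRP, True, READ | APPLY),
    Ace(ABC_NO_GPO_ADMIN_GRP, True, READ),
    Ace(ABC_NO_GPO_ADMIN_GRP, False, APPLY),
]

def jsmith_token(local_admin):
    # Group SIDs in jsmith's logon token; local admin on the PC adds BUILTIN\Administrators.
    sids = {AUTHENTICATED_USERS, ABC_LOCAL_ADMIN_GRP}
    return sids | {BUILTIN_ADMINISTRATORS} if local_admin else sids

def domain_admin_token():
    return {AUTHENTICATED_USERS, BUILTIN_ADMINISTRATORS, ABC_NO_GPO_ADMIN_GRP}  # domain Administrator
```

Running gpo_filtering(jsmith_token(True), ORIGINAL_ACL) gives the "Denied (Security)" line from the second gpresult, while the same token against FIXED_ACL is "Applied".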