halfondj asked:
Active Directory (GPO): When local admin, logon script doesn't run (Win2K PC)

Environment: 4 Win2K servers; 1 Win2k AD server
PCs: Win98, WinXP and Win 2K Pro

I have the default domain GPO set that applies to all domain users except administrator-type user names [default securities that get set when AD is installed].

The GPO is working fine for all users except when I add the user to the local administrators group.  On a Win 2K PC, the logon script defined in the GPO does not execute.  On Win XP it seems to.

There are other GPO settings that don't seem to apply either, e.g. the default IE home page that I have set in the GPO.

Does anyone have any ideas why the policies or logon don't work?

Thanks.
wtrmk74
So is this two questions that need answers?

1st - The GPO is working fine for all users except when I add the user to the local administrators group.

2nd - On a Win 2K PC, the logon script defined in the GPO does not execute.

wtrmk74
halfondj (ASKER)
I asked one question - Why doesn't the domain GPO logon script get executed for a local admin user on a Win 2K PC?

Login scripts are a user policy.  User Policies only apply to domain users, not local users.

The user is a domain user, but they are also a local user.

What can be done to rectify my problem?

Thanks.

You could set up local policies on each PC.

I would not recommend having both local and domain users for users though.  I would only create a domain user and then if needed, add them to local groups.

What is the reasoning for having local users also?

>> What is the reasoning for having local users also?
Unfortunately, there are 3 third-party applications that require that the user have local administrator rights.  Therefore, it's necessary to add the domain user into the local administrator group.

We would prefer not giving anybody local administrator rights, but the applications require it.

Any suggestions for not having to give local administrator rights to the user would be appreciated.  I can't seem to find a way to do it through a GPO.

Thanks.

Ok, so you are not creating users on the local PC, but adding domain users to local groups, right?  If so, that is how it should be done (and domain GPOs will apply to them).  What I would do about the admin rights is try to figure out what it needs to do that are part of the administrator permissions and then add just those rights to a new local group and assign the domain users to that group.  Did you try running the application with the user as a local Power User?  That tends to work most of the time.

>> Ok, so you are not creating users on the local PC, but adding domain users to local groups, right?
That's right.  I'm adding the domain user to the local PC and adding them to the Administrator group.

>> If so, that is how it should be done (and domain GPOs will apply to them).
Some of the settings in the domain GPO apply, not all of them, e.g. I have the home page set to Google, but on Win XP PCs, when the domain user who is in the local admin group logs onto the PC, the Dell home page displays.  Why?

>> What I would do about the admin rights is try to figure out what it needs to do that are part of the administrator permissions and then add just those rights to a new local group and assign the domain users to that group.
This may be difficult to do because it seems that the 3 applications have different reasons for why the user has to have local admin rights, e.g. needs to write to the registry, write access to certain folders.

>> Did you try running the application with the user as a local Power User?  That tends to work most of the time.
No, I haven't tried putting the user into the local Power User group.  Sounds like a great idea.  Is a Power User able to write to the registry?

BTW - If someone is able to resolve my problem, I will increase the points.

Thanks.



ASKER CERTIFIED SOLUTION
robrandon
Power users CAN write to more of the registry (not critical settings, but a lot more than a standard user).  The power users group was designed for legacy application use.

Thanks for the replies.  Because this question has been outstanding for a while and I really need a solution, I increased the points to the max.

As robrandon suggested, I ran gpresult.  I hope the information I'm providing below will be of assistance in resolving why the GPO doesn't apply to the user after I give the user local PC administrator rights.

Thanks.

Two scenarios:
1) On a Win XP PC, I logged on with a domain user name that does not have local administrator rights - all worked fine - default domain policy was applied including running the logon script.  Here's info after running gpresult.

USER SETTINGS
--------------
    CN=TestUser jsmith,OU=ABC-Test-Users,OU=ABC-Departments,DC=ABC-OPS,DC=com
    Last time Group Policy was applied: 8/24/2004 at 1:41:07 PM
    Group Policy was applied from:      ad-srvr.ABC-OPS.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
       
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        ABC-Test-Users-Grp
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users

I then gave local admin rights to the same user on the same Win XP PC:
2) On the same Win XP PC, I logged on with the same domain user name and the domain default policy did not work - did not apply.  Here's info after running gpresult.

USER SETTINGS
--------------
    CN=TestUser jsmith,OU=ABC-Test-Users,OU=ABC-Departments,DC=ABC-OPS,DC=com
    Last time Group Policy was applied: 8/24/2004 at 1:45:07 PM
    Group Policy was applied from:      ad-srvr.ABC-OPS.COM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

         Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        ABC-Test-Users-Grp
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
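An added Python helper, not part of the thread, that parses the USER SETTINGS section of gpresult output in the layout of the two blocks above and flags a GPO reported as "Denied (Security)" while the user's token lists BUILTIN\Administrators, the combination the second scenario shows. The sample text is constructed from that second scenario.

```python
import re

# Constructed sample, modelled on the second gpresult USER SETTINGS block in the thread
# (same domain user after being added to the PC's local Administrators group).
SAMPLE = """\
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)
        Local Group Policy
            Filtering:  Not Applied (Empty)
    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        BUILTIN\\Administrators
        NT AUTHORITY\\Authenticated Users
"""

def parse_user_settings(text):
    """Return (filtered, groups); filtered maps GPO name -> filtering reason."""
    filtered, groups = {}, []
    section = last_gpo = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:   # skip blank lines and underline rows
            continue
        if line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.startswith("The user is a part of"):
            section = "groups"
        elif section == "filtered":
            m = re.match(r"Filtering:\s*(.+)", line)
            if m:                              # reason belongs to the GPO named just above
                filtered[last_gpo] = m.group(1)
            else:
                last_gpo = line
        elif section == "groups":
            groups.append(line)
    return filtered, groups

def diagnose(text):
    """Name each GPO filtered as 'Denied (Security)'; when the token also carries
    BUILTIN\\Administrators, point at a Deny ACE on Administrators in the GPO ACL."""
    filtered, groups = parse_user_settings(text)
    hint = ("; token has BUILTIN\\Administrators: check the GPO ACL for a Deny on Administrators"
            if "BUILTIN\\Administrators" in groups else "")
    return [gpo + ": denied by security filtering" + hint
            for gpo, why in filtered.items() if why.startswith("Denied (Security)")]
```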

So the only difference between these 2 logons was that in between you added the account to the local administrators group?  I just want to firm up that this is the same exact domain account in both instances.

Yes.  You are correct.  I [only] added the domain user to the local PC administrators group.

Thanks.

What if you created an additional policy with the same settings, and apply it just to that user?  I'm curious if the problem is with something in the GP or if it is because it is the default policy.

I'm pretty sure this is not normal.

I can certainly try that, but I have a couple of questions to ask:

>> What if you created an additional policy with the same settings, and apply it just to that user?
1) Can I copy the current policy to a new one, so that I don't have to go through all the settings again?
2) How do I apply it to only 1 user?
Is it that I create a new OU and have only 1 user in it?  If so, that is how I'm currently doing my testing.  I have 1 test OU with 1 test user.  The OU does not have a GPO.  The OU is inheriting the default domain policy.

Thanks.

1.  If you have Windows Server 2003 or an XP box, you can use the GPMC.  I believe the GUI actually lets you drag and drop policies, but I have never used it before.

2.  Make sure you place the GP either in an OU that contains the user, or an OU above the user so it can filter down.  You can put it at the domain level if you would like.  Then go to the properties of the GP, and select the Security tab.  The default will have Authenticated Users set for Read and Apply.  Remove the Apply setting so they don't get the redundant GP.  Add the user to the list and set them up with Read and Apply.  The GP will only work for users or groups that have Read or Apply, as long as a Deny setting for either of those is not set.  There is no need to move the user into a different OU.



I finally figured out my problem re:why the default domain policy was not applying to a domain user after I added them to the local PC administrators group.

In the security tab of the default domain policy, I had the administrators group set to allow-read and deny-apply group policy.  I didn't know that when a user is added to the local PC administrators group, they are considered to be in the administrators group that is defined on the active server.

The following describes what I did to get what I needed to work:

1.  In the default domain policy on the security tab, I deleted the administrators group.
2.  I created 2 security groups: 1) ABC-Local-Admin-Grp and 2) ABC-No-GPO-Admin-Grp.
The ABC-Local-Admin-Grp contains all users that are in the local administrators group on their PCs.
The ABC-No-GPO-Admin-Grp contains the active directory administrator usernames, e.g. Administrator, adadmin [backup administrator username].
3. In the default domain policy, I added the two security groups to the security tab.
For the ABC-Local-Admin-Grp, I set the permissions to allow-read and allow-apply group policy.
For the ABC-No-GPO-Admin-Grp, I set the permissions to deny-read and deny-apply group policy.

After doing the above, all domain users that I put into the local administrators group on their PCs now have the default domain policy applied.  In addition, the administrator usernames [administrator and adadmin] work properly - the default domain policy is not applied.

If anyone has feedback re:how I rectified my problem, I would welcome all comments.

Also, thanks to everyone who responded to this posting especially to robrandon who suggested that I run GPRESULT.  That was a great suggestion.

>> For the ABC-No-GPO-Admin-Grp, I set the permissions to deny-read and deny-apply group policy.
There's a correction.  'deny-read' should be 'allow-read'.

Still doesn't make sense.  As far as I know, you can't have a local group in the security of a GP.  Even if you add the domain user to the computers local administrators group, it doesn't make that user a member of the domain administrator's group.  Oh well.


>> As far as I know, you can't have a local group in the security of a GP.
I didn't configure the security of the GP with a local group.  What it appears to be is that when one has domain_name\administrators in the security group, that somehow includes domain users who are also included in the local administrators group.  I did not explicitly define a local group in the security of the GP.  That's why I posted the original question.  I wouldn't think the domain_name\administrators group would include local administrators, but apparently it does.

Once I made two security groups and separated the real administrators - domain\administrator vs. domain\user_name, all is working perfectly.

One other thought - when I ran GPResult after I added the domain user to the local PC's administrators group, I noticed that 'BUILTIN\Administrators' was included under 'The user is a part of the following security groups:'.
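As an added illustration (not from the thread), the Python below models how Group Policy security filtering decides whether a GPO applies to a logon token, with constructed SIDs standing in for the two new groups. BUILTIN\Administrators is the well-known SID S-1-5-32-544 on every Windows machine, and the domain's Administrators group on the DC carries that same SID, so a domain user placed in a PC's local Administrators group has it in their token at logon and matches an ACE set for "Administrators" on the GPO's security tab; that is why the Deny Apply ACE filtered the policy for local admins, and why moving the deny to a purpose-built domain group fixed it.

```python
# Added illustration (not from the thread): a model of GPO security filtering.
# A GPO applies to a logon token only if the token is allowed both Read and
# Apply Group Policy and no Deny ACE for either right matches a SID in the token.
ADMINS_SID = "S-1-5-32-544"       # BUILTIN\Administrators: well-known, the same on every PC and DC
AUTH_USERS_SID = "S-1-5-11"       # NT AUTHORITY\Authenticated Users
LOCAL_ADMIN_GRP = "S-1-5-21-1-1-1-1101"  # constructed SID standing in for ABC-Local-Admin-Grp
NO_GPO_GRP = "S-1-5-21-1-1-1-1102"       # constructed SID standing in for ABC-No-GPO-Admin-Grp
RIGHTS = {"Read", "Apply"}

def gpo_applies(acl, token_sids):
    """acl: list of (trustee_sid, allow, rights); token_sids: SIDs in the user's logon token."""
    granted, denied = set(), set()
    for sid, allow, rights in acl:
        if sid in token_sids:
            (granted if allow else denied).update(rights)
    return RIGHTS <= granted and not (denied & RIGHTS)

# Before: the asker's original Default Domain Policy ACL, with Administrators
# set to Allow Read and Deny Apply Group Policy.
BEFORE = [(AUTH_USERS_SID, True, {"Read", "Apply"}),
          (ADMINS_SID, True, {"Read"}),
          (ADMINS_SID, False, {"Apply"})]
# After: Administrators removed and the two domain groups added, as in the fix
# (ABC-No-GPO-Admin-Grp: Allow Read, Deny Apply, per the asker's correction).
AFTER = [(AUTH_USERS_SID, True, {"Read", "Apply"}),
         (LOCAL_ADMIN_GRP, True, {"Read", "Apply"}),
         (NO_GPO_GRP, True, {"Read"}),
         (NO_GPO_GRP, False, {"Apply"})]

# Constructed tokens for the three kinds of logon discussed in the thread.
TOKENS = {
    "standard domain user": {AUTH_USERS_SID},
    "domain user in the PC's local Administrators": {AUTH_USERS_SID, ADMINS_SID, LOCAL_ADMIN_GRP},
    "domain Administrator account": {AUTH_USERS_SID, ADMINS_SID, NO_GPO_GRP},
}

def compare():
    """Map each logon to (applies under BEFORE, applies under AFTER)."""
    return {who: (gpo_applies(BEFORE, sids), gpo_applies(AFTER, sids)) for who, sids in TOKENS.items()}

if __name__ == "__main__":
    for who, (before, after) in compare().items():
        print(f"{who:45} before={before!s:5} after={after}")
```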