Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!
Solved
Group Policies For different Users/Computers, net user command
Posted on 2004-08-26
I have a couple of questions about Active Directory.
I want to have sperate groups of users in AD who would receive different group policies, would I do this by creating organizational units? Ultimatately I would like to have different departments receive different group policies.
One of my problems is logon scripts, the Administrator account receives the same logon script as all of the user accounts. This could be a potential problem for me.
--------------------------
Maybe some knows this question also. I am trying to change the local administrator account for all of the workstations on the domain I administer by using the net command "net user Administrator password". I would like to put this in a logon script. The problem is this script gets run when I logon to one of the servers using the domain Administrator account. If I type in "net user" on the domain controller for example it lists all of the users accounts in active directory for the domain. I thought that local user accounts were disabled on a domain controller. Why then does the "net user" command give results. Can I use the "net" command to change accounts on the domain controller?
Thanks,
DMS
I want to have sperate groups of users in AD who would receive different group policies, would I do this by creating organizational units? Ultimatately I would like to have different departments receive different group policies.
One of my problems is logon scripts, the Administrator account receives the same logon script as all of the user accounts. This could be a potential problem for me.
--------------------------
Maybe some knows this question also. I am trying to change the local administrator account for all of the workstations on the domain I administer by using the net command "net user Administrator password". I would like to put this in a logon script. The problem is this script gets run when I logon to one of the servers using the domain Administrator account. If I type in "net user" on the domain controller for example it lists all of the users accounts in active directory for the domain. I thought that local user accounts were disabled on a domain controller. Why then does the "net user" command give results. Can I use the "net" command to change accounts on the domain controller?
Thanks,
DMS
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4
2-
2
8 Comments
OU's are exactly how you need to do it. You can nest them as well, since GPO's are cumulative, so you can put common GPO elements in the "parent" OU, and specific GPO elements in the specific OU's.
For Login Scripts, I'm still using the old "Profile" tab in the user properties. However, you can assign login scripts in a GPO as well, so all you need to do is make your administrator accounts members of a different OU.
Another neat trick that GPO's allow you to do is automatically rename the local administrator account on all your workstations.
On a domain controller, ALL accounts are effectively "local" accounts, since "Local" in the context of the domain controller is the domain.
When you say that you want to "Change" the administrator account, what exactly are you trying to do?
For Login Scripts, I'm still using the old "Profile" tab in the user properties. However, you can assign login scripts in a GPO as well, so all you need to do is make your administrator accounts members of a different OU.
Another neat trick that GPO's allow you to do is automatically rename the local administrator account on all your workstations.
On a domain controller, ALL accounts are effectively "local" accounts, since "Local" in the context of the domain controller is the domain.
When you say that you want to "Change" the administrator account, what exactly are you trying to do?
using OUs is the preferred method of distributing Group Policy. You can also click the properties button in Group Policy, and goto thet edit tab. Add the person(s) that you do not wish that group policy to apply to and check the "deny" box for "apply this policy"
sorry, that should have been:
You can also click the properties button in Group Policy, and goto the security tab. Add the person(s) that you do not wish that group policy to apply to and check the "deny" box for "apply this policy"
You can also click the properties button in Group Policy, and goto the security tab. Add the person(s) that you do not wish that group policy to apply to and check the "deny" box for "apply this policy"
Thanks to both of you guys : )
>Another neat trick that GPO's allow you to do is automatically rename the local administrator account on all your workstations.
I saw that one too : ), But I am looking at just changing the password for the local Administrator acaount for now.
>When you say that you want to "Change" the administrator account, what exactly are you trying to do?
Not to confuse the domain/Administrator account with LocalMachineAccount/Admini
I want to run the "net user" command as a logon script for all workstaions to change the LocalMachineAccount/Admini
As of right now there is no OU's created and I have never done this before. There is only the domain container (I guess thats what its called) as of right now. I just don't want to screw things up thats all : ) . Any good advise when creating OU's
>You can also click the properties button in Group Policy, and goto the security tab. Add the person(s) that you do not wish that group policy to apply to
>and check the "deny" box for "apply this policy"
Cool but Why then is there a "apply group policy" in the security tab and the "Domain Admins" is unchecked. I would think then that this would exempt the Administrator account from receiving GPO's from within the domain container since the Administrator account is part of the "Domain Admins" group.
>Another neat trick that GPO's allow you to do is automatically rename the local administrator account on all your workstations.
I saw that one too : ), But I am looking at just changing the password for the local Administrator acaount for now.
>When you say that you want to "Change" the administrator account, what exactly are you trying to do?
Not to confuse the domain/Administrator account with LocalMachineAccount/Admini
I want to run the "net user" command as a logon script for all workstaions to change the LocalMachineAccount/Admini
As of right now there is no OU's created and I have never done this before. There is only the domain container (I guess thats what its called) as of right now. I just don't want to screw things up thats all : ) . Any good advise when creating OU's
>You can also click the properties button in Group Policy, and goto the security tab. Add the person(s) that you do not wish that group policy to apply to
>and check the "deny" box for "apply this policy"
Cool but Why then is there a "apply group policy" in the security tab and the "Domain Admins" is unchecked. I would think then that this would exempt the Administrator account from receiving GPO's from within the domain container since the Administrator account is part of the "Domain Admins" group.
>>Cool but Why then is there a "apply group policy" in the security tab and the "Domain Admins" is unchecked?
This is the way NTFS and all security works in Microsoft. If the entry for Domain Users is checked, then all domain users are applied. The "domain admins" would just be redundant.
When processing security permissions, each user you want to have permission has to be part of some group that is allowed or the user has to be explicity allowed. If he is part of a group that is denied, it takes priority.
A big mistake people make is to ALLOW user1, and DENY everyone. Thinking this will allow access to user1 and no one else. This will in fact deny access to user1 because he is part of everyone and deny takes priority.
Also know that "unchecked" Allows are NOT the same thing as Denies. It just doesn't if affect it one way or the other. So again, if Domain Users is allowed to apply the policy, then it will be applied to all domains users who are not denied. Since the Domain Admins has no checks, it doesn't change this inherited permission
This is the way NTFS and all security works in Microsoft. If the entry for Domain Users is checked, then all domain users are applied. The "domain admins" would just be redundant.
When processing security permissions, each user you want to have permission has to be part of some group that is allowed or the user has to be explicity allowed. If he is part of a group that is denied, it takes priority.
A big mistake people make is to ALLOW user1, and DENY everyone. Thinking this will allow access to user1 and no one else. This will in fact deny access to user1 because he is part of everyone and deny takes priority.
Also know that "unchecked" Allows are NOT the same thing as Denies. It just doesn't if affect it one way or the other. So again, if Domain Users is allowed to apply the policy, then it will be applied to all domains users who are not denied. Since the Domain Admins has no checks, it doesn't change this inherited permission
If I were you, I would apply your group policies only throught the OU's. That way, you dont' have to worry about having to give anyone specific access to specific GPO's;
Microsoft describes their "best practices" approach here; well worth a read, if only as a starting point for your security design:
<http://www.microsoft.com/technet/security/prodtech/Win2003/W2003HG/SGCH00.mspx>
Make sure you grab the associated "Threats and Countermeasures" document as well...its invaluble for figuring out what all the GPO options mean!
Now, as for your Administrator problem. First thing you ought to do is change the name of the adminstrator account. Its an old-school security trick (and its not all that effective anymore), but it slows down the dumber ones. More importantly, in this case, is that it allows you make the local administrator account different from the domain administrator account.
Finally, check here for a samples of useful scripts. Amongst them is one that you can use to change passwords:
<http://www.microsoft.com/technet/scriptcenter/repository.mspx>
One hopes you've discovered the joy and near-absolute power that Windows Scripting gives you, and aren't still useing puny little .BAT files. If not, read through the script center (the link above). With it, you're a god amongst users!
Microsoft describes their "best practices" approach here; well worth a read, if only as a starting point for your security design:
<http://www.microsoft.com/technet/security/prodtech/Win2003/W2003HG/SGCH00.mspx>
Make sure you grab the associated "Threats and Countermeasures" document as well...its invaluble for figuring out what all the GPO options mean!
Now, as for your Administrator problem. First thing you ought to do is change the name of the adminstrator account. Its an old-school security trick (and its not all that effective anymore), but it slows down the dumber ones. More importantly, in this case, is that it allows you make the local administrator account different from the domain administrator account.
Finally, check here for a samples of useful scripts. Amongst them is one that you can use to change passwords:
<http://www.microsoft.com/technet/scriptcenter/repository.mspx>
One hopes you've discovered the joy and near-absolute power that Windows Scripting gives you, and aren't still useing puny little .BAT files. If not, read through the script center (the link above). With it, you're a god amongst users!
I agree that OUs are the best way to do things, but sometimes you need a policy that applies to people in some OUs but not all, and also to users in other OUs.
For example, if you want to apply a policy to everyone except the administrator, I wouldn't recommend putting the administrator in an OU all by himself. I would use the deny checkbox for that GPO. otherwise, you may want to move users around from OU to OU as you work out the heirarchy and write more and more GPOs. Moving users breaks GPOs like this that are based on exceptions rather than true "group policy"
>One hopes you've discovered the joy and near-absolute power that Windows Scripting gives you, and aren't still useing puny little .BAT files.
I would love to have the time to spend the next month or so studying vbs scripting, but its a simple matter of time : )
Thanks for all of the advise everyone.
DMS
I would love to have the time to spend the next month or so studying vbs scripting, but its a simple matter of time : )
Thanks for all of the advise everyone.
DMS
Featured Post
The ATEN UE3310 USB3.1 Gen1 Extender Cable allows users to extend the distance between the computer and USB devices up to 10 m (33 ft). The UE3310 is a high-quality, cost-effective solution for professional environments such as hospitals, factories and business facilities.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
A brief overview to explain gateways, default gateways and static routes OR NO - you CANNOT have two default gateways on the same server, PC or other Windows-based network device.
In simple terms a gateway is formed when a computer such as a serv…
Downtime reduced, data recovered by utilizing an Experts Exchange Business Account
Challenge
The United States Marine Corps employs more than 200,000 active-duty Marines with operations in four continents, all requiring complex networking system…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen.
Visualize your data! ... really see it
To use the code to create a calendar from a q…
Suggested Courses
Course of the Month7 days, 21 hours left to enroll
715 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.