Group Policies For different Users/Computers, net user command

I have a couple of questions about Active Directory.

I want to have separate groups of users in AD who would receive different group policies, would I do this by creating organizational units?  Ultimately I would like to have different departments receive different group policies.

One of my problems is logon scripts, the Administrator account receives the same logon script as all of the user accounts. This could be a potential problem for me.
--------------------------------------------------------------------------------------
Maybe someone knows this question also. I am trying to change the local administrator account for all of the workstations on the domain I administer by using the net command "net user Administrator password". I would like to put this in a logon script. The problem is this script gets run when I logon to one of the servers using the domain Administrator account. If I type in "net user" on the domain controller for example it lists all of the user accounts in Active Directory for the domain. I thought that local user accounts were disabled on a domain controller. Why then does the "net user" command give results? Can I use the "net" command to change accounts on the domain controller?

Thanks,
DMS
RWrigleyCommented:
OU's are exactly how you need to do it.  You can nest them as well, since GPO's are cumulative, so you can put common GPO elements in the "parent" OU, and specific GPO elements in the specific OU's.

For Login Scripts, I'm still using the old "Profile" tab in the user properties.  However, you can assign login scripts in a GPO as well, so all you need to do is make your administrator accounts members of a different OU.

Another neat trick that GPO's allow you to do is automatically rename the local administrator account on all your workstations.

On a domain controller, ALL accounts are effectively "local" accounts, since "Local" in the context of the domain controller is the domain.

When you say that you want to "Change" the administrator account, what exactly are you trying to do?  
adamdrayerCommented:

Using OUs is the preferred method of distributing Group Policy.  You can also click the properties button in Group Policy, and go to the edit tab.  Add the person(s) that you do not wish that group policy to apply to and check the "deny" box for "apply this policy"

adamdrayerCommented:
sorry, that should have been:
You can also click the properties button in Group Policy, and go to the security tab.  Add the person(s) that you do not wish that group policy to apply to and check the "deny" box for "apply this policy"
DMS-XAuthor Commented:
Thanks to both of you guys : )

>Another neat trick that GPO's allow you to do is automatically rename the local administrator account on all your workstations.
I saw that one too : ), but I am looking at just changing the password for the local Administrator account for now.
>When you say that you want to "Change" the administrator account, what exactly are you trying to do?
Not to confuse the domain/Administrator account with LocalMachineAccount/Administrator on the workstations.
I want to run the "net user" command as a logon script for all workstations to change the LocalMachineAccount/Administrator account password. I am afraid that somehow the domain/Administrator account would get changed if this batch script was to run on the domain controller.

As of right now there are no OU's created and I have never done this before. There is only the domain container (I guess that's what it's called) as of right now. I just don't want to screw things up, that's all : )  . Any good advice when creating OU's?

>You can also click the properties button in Group Policy, and goto the security tab.  Add the person(s) that you do not wish that group policy to apply to
>and check the "deny" box for "apply this policy"
Cool, but why then is there an "apply group policy" in the security tab and the "Domain Admins" is unchecked? I would think then that this would exempt the Administrator account from receiving GPO's from within the domain container since the Administrator account is part of the "Domain Admins" group.
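The guard the asker is worried about, as an added PowerShell example (not code from this thread): the script checks the machine's domain role first, so the password change only ever touches a workstation's local SAM and is a no-op on a domain controller, where the same "net user Administrator" command would change the domain Administrator account. The `$NewPassword` value is an assumed placeholder.

```powershell
# Added example, not from the thread: logon-script guard for a local
# Administrator password change. On a domain controller the "local"
# account database IS the domain, so the script must bail out there.
# Win32_ComputerSystem.DomainRole: 0 standalone workstation,
# 1 member workstation, 2 standalone server, 3 member server,
# 4 backup domain controller, 5 primary domain controller.
$NewPassword = 'PLACEHOLDER-change-me'   # assumed placeholder, replace before use

$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Output "$env:COMPUTERNAME is a domain controller (DomainRole=$role); not touching accounts."
    exit 0
}

# Resolve the built-in local Administrator by its well-known RID (500)
# instead of by name, so the script keeps working after the account is renamed.
$localAdmin = Get-WmiObject -Class Win32_UserAccount `
    -Filter "LocalAccount=True AND Domain='$env:COMPUTERNAME'" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if (-not $localAdmin) {
    Write-Output "No local RID-500 account found on $env:COMPUTERNAME; nothing to do."
    exit 1
}

# Set the password through the WinNT provider, scoped explicitly to this machine
# rather than to whatever "Administrator" resolves to in the current context.
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$($localAdmin.Name),user"
$user.SetPassword($NewPassword)
$user.SetInfo()
Write-Output "Password for local account '$($localAdmin.Name)' updated on $env:COMPUTERNAME."
```

Run it under an account with local administrator rights on the workstation (a startup script running as SYSTEM qualifies); a plain user logon script does not have the rights to change another account's password.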
adamdrayerCommented:
>>Cool but Why then is there a "apply group policy" in the security tab and the "Domain Admins" is unchecked?

This is the way NTFS and all security works in Microsoft.  If the entry for Domain Users is checked, then all domain users are applied.  The "domain admins" would just be redundant.

When processing security permissions, each user you want to have permission has to be part of some group that is allowed or the user has to be explicitly allowed.  If he is part of a group that is denied, it takes priority.

A big mistake people make is to ALLOW user1, and DENY everyone.  Thinking this will allow access to user1 and no one else.  This will in fact deny access to user1 because he is part of everyone and deny takes priority.

Also know that "unchecked" Allows are NOT the same thing as Denies.  It just doesn't affect it one way or the other.  So again, if Domain Users is allowed to apply the policy, then it will be applied to all domain users who are not denied.  Since the Domain Admins has no checks, it doesn't change this inherited permission.
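The evaluation rules in the answer above, modelled in a small added PowerShell function (not code from the thread): a matching Deny wins, otherwise one matching Allow is enough, and an unchecked box counts as neither. The three cases are constructed from the thread's own scenarios.

```powershell
# Added example, not from the thread: a model of how Windows evaluates the
# "Apply Group Policy" (or any NTFS) ACL for one user.
function Test-Applies {
    param(
        [string]$User,
        [string[]]$Groups,     # groups the user belongs to
        [hashtable[]]$Acl      # entries: @{Identity='...'; Access='Allow'|'Deny'|'None'}
    )
    # Every user is implicitly a member of Everyone.
    $principals = @($User, 'Everyone') + $Groups
    $matching = $Acl | Where-Object { $principals -contains $_.Identity }
    # An explicit Deny on any matching entry takes priority.
    if ($matching | Where-Object { $_.Access -eq 'Deny' })  { return $false }
    # Otherwise a single matching Allow grants it.
    if ($matching | Where-Object { $_.Access -eq 'Allow' }) { return $true }
    # No Allow reached the user: the policy is silently not applied.
    return $false
}

$adminGroups = 'Domain Users', 'Domain Admins'

# Case 1 (the default GPO in the thread): Domain Users allowed, Domain Admins
# unchecked. Administrator is in Domain Users, so the policy still applies.
$defaultAcl = @(
    @{Identity = 'Domain Users';  Access = 'Allow'},
    @{Identity = 'Domain Admins'; Access = 'None'}
)
Test-Applies -User 'Administrator' -Groups $adminGroups -Acl $defaultAcl

# Case 2: add an explicit Deny for Domain Admins; Deny now wins for Administrator
# even though Domain Users is still allowed.
$denyAdmins = $defaultAcl + @{Identity = 'Domain Admins'; Access = 'Deny'}
Test-Applies -User 'Administrator' -Groups $adminGroups -Acl $denyAdmins

# Case 3 (the classic mistake): Allow user1, Deny Everyone. user1 is also in
# Everyone, so the Deny takes priority and user1 gets nothing.
$mistake = @(
    @{Identity = 'user1';    Access = 'Allow'},
    @{Identity = 'Everyone'; Access = 'Deny'}
)
Test-Applies -User 'user1' -Groups 'Domain Users' -Acl $mistake
```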
RWrigleyCommented:
If I were you, I would apply your group policies only through the OU's.  That way, you don't have to worry about having to give anyone specific access to specific GPO's;

Microsoft describes their "best practices" approach here; well worth a read, if only as a starting point for your security design:
<http://www.microsoft.com/technet/security/prodtech/Win2003/W2003HG/SGCH00.mspx>

Make sure you grab the associated "Threats and Countermeasures" document as well...it's invaluable for figuring out what all the GPO options mean!

Now, as for your Administrator problem.  First thing you ought to do is change the name of the administrator account.  It's an old-school security trick (and it's not all that effective anymore), but it slows down the dumber ones.  More importantly, in this case, is that it allows you to make the local administrator account different from the domain administrator account.

Finally, check here for samples of useful scripts.  Amongst them is one that you can use to change passwords:
<http://www.microsoft.com/technet/scriptcenter/repository.mspx>

One hopes you've discovered the joy and near-absolute power that Windows Scripting gives you, and aren't still using puny little .BAT files. If not, read through the script center (the link above).  With it, you're a god amongst users!
adamdrayerCommented:

I agree that OUs are the best way to do things, but sometimes you need a policy that applies to people in some OUs but not all, and also to users in other OUs.

For example, if you want to apply a policy to everyone except the administrator, I wouldn't recommend putting the administrator in an OU all by himself.  I would use the deny checkbox for that GPO.  Otherwise, you may want to move users around from OU to OU as you work out the hierarchy and write more and more GPOs.  Moving users breaks GPOs like this that are based on exceptions rather than true "group policy".
DMS-XAuthor Commented:
>One hopes you've discovered the joy and near-absolute power that Windows Scripting gives you, and aren't still using puny little .BAT files.
I would love to have the time to spend the next month or so studying VBS scripting, but it's a simple matter of time : )

Thanks for all of the advice everyone.

DMS