Solved

Group Policies For different Users/Computers, net user command

Posted on 2004-08-26
Last Modified: 2010-03-18
I have a couple of questions about Active Directory.

I want to have separate groups of users in AD who would receive different group policies; would I do this by creating organizational units? Ultimately I would like to have different departments receive different group policies.

One of my problems is logon scripts: the Administrator account receives the same logon script as all of the user accounts. This could be a potential problem for me.
--------------------------------------------------------------------------------------
Maybe someone knows this question also. I am trying to change the local administrator account for all of the workstations on the domain I administer by using the net command "net user Administrator password". I would like to put this in a logon script. The problem is this script gets run when I log on to one of the servers using the domain Administrator account. If I type in "net user" on the domain controller, for example, it lists all of the user accounts in Active Directory for the domain. I thought that local user accounts were disabled on a domain controller. Why then does the "net user" command give results? Can I use the "net" command to change accounts on the domain controller?

Thanks,
DMS
Question by:DMS-X
Accepted Solution

by: RWrigley (earned 1200 total points)
ID: 11905838
OUs are exactly how you need to do it. You can nest them as well, since GPOs are cumulative, so you can put common GPO elements in the "parent" OU, and specific GPO elements in the specific OUs.

For login scripts, I'm still using the old "Profile" tab in the user properties. However, you can assign login scripts in a GPO as well, so all you need to do is make your administrator accounts members of a different OU.

Another neat trick that GPOs allow you to do is automatically rename the local administrator account on all your workstations.

On a domain controller, ALL accounts are effectively "local" accounts, since "local" in the context of the domain controller is the domain.

When you say that you want to "change" the administrator account, what exactly are you trying to do?
Expert Comment

by:adamdrayer
ID: 11905950

Using OUs is the preferred method of distributing Group Policy. You can also click the properties button in Group Policy, and go to the edit tab. Add the person(s) that you do not wish that group policy to apply to and check the "deny" box for "apply this policy".

Expert Comment

by:adamdrayer
ID: 11905958
Sorry, that should have been:
You can also click the properties button in Group Policy, and go to the security tab. Add the person(s) that you do not wish that group policy to apply to and check the "deny" box for "apply this policy".
Author Comment

by:DMS-X
ID: 11906904
Thanks to both of you guys : )

>Another neat trick that GPOs allow you to do is automatically rename the local administrator account on all your workstations.
I saw that one too : ), but I am looking at just changing the password for the local Administrator account for now.
>When you say that you want to "change" the administrator account, what exactly are you trying to do?
Not to confuse the domain/Administrator account with LocalMachineAccount/Administrator on the workstations.
I want to run the "net user" command as a logon script for all workstations to change the LocalMachineAccount/Administrator account password. I am afraid that somehow the domain/Administrator account would get changed if this batch script were to run on the domain controller.

As of right now there are no OUs created and I have never done this before. There is only the domain container (I guess that's what it's called) as of right now. I just don't want to screw things up, that's all : ). Any good advice when creating OUs?

>You can also click the properties button in Group Policy, and go to the security tab. Add the person(s) that you do not wish that group policy to apply to
>and check the "deny" box for "apply this policy"
Cool, but why then is there an "apply group policy" in the security tab and the "Domain Admins" is unchecked? I would think then that this would exempt the Administrator account from receiving GPOs from within the domain container, since the Administrator account is part of the "Domain Admins" group.
Expert Comment

by:adamdrayer
ID: 11907033
>>Cool, but why then is there an "apply group policy" in the security tab and the "Domain Admins" is unchecked?

This is the way NTFS and all security works in Microsoft. If the entry for Domain Users is checked, then all domain users are applied. The "Domain Admins" entry would just be redundant.

When processing security permissions, each user you want to have permission has to be part of some group that is allowed, or the user has to be explicitly allowed. If he is part of a group that is denied, it takes priority.

A big mistake people make is to ALLOW user1 and DENY Everyone, thinking this will allow access to user1 and no one else. This will in fact deny access to user1 because he is part of Everyone and deny takes priority.

Also know that "unchecked" Allows are NOT the same thing as Denies. It just doesn't affect it one way or the other. So again, if Domain Users is allowed to apply the policy, then it will be applied to all domain users who are not denied. Since the Domain Admins entry has no checks, it doesn't change this inherited permission.
Expert Comment

by:RWrigley
ID: 11907325
If I were you, I would apply your group policies only through the OUs. That way, you don't have to worry about having to give anyone specific access to specific GPOs.

Microsoft describes their "best practices" approach here; well worth a read, if only as a starting point for your security design:
<http://www.microsoft.com/technet/security/prodtech/Win2003/W2003HG/SGCH00.mspx>

Make sure you grab the associated "Threats and Countermeasures" document as well... it's invaluable for figuring out what all the GPO options mean!

Now, as for your Administrator problem. First thing you ought to do is change the name of the administrator account. It's an old-school security trick (and it's not all that effective anymore), but it slows down the dumber ones. More importantly, in this case, it allows you to make the local administrator account different from the domain administrator account.

Finally, check here for samples of useful scripts. Amongst them is one that you can use to change passwords:
<http://www.microsoft.com/technet/scriptcenter/repository.mspx>

One hopes you've discovered the joy and near-absolute power that Windows Scripting gives you, and aren't still using puny little .BAT files. If not, read through the script center (the link above). With it, you're a god amongst users!
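An added PowerShell startup script (not from the thread, nor from the script repository RWrigley links) that does what DMS-X wants: set the machine-local Administrator password on workstations while refusing to run on a domain controller, where, as RWrigley notes, "local" accounts are the domain accounts. It assumes PowerShell 5.1 with the LocalAccounts module, a password passed in as a SecureString parameter, and the documented DomainRole values of the Win32_ComputerSystem class.

```powershell
<#
  Added example, not from the thread. Sets the password of the machine-local
  built-in Administrator account, but only where that account is really local.
  On a domain controller there is no separate local SAM: "Administrator" is
  the domain account, so the script refuses to touch anything there.
#>
param(
    [Parameter(Mandatory = $true)]
    [System.Security.SecureString] $NewPassword   # never embed a plaintext password here
)

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 server, 4 backup DC, 5 primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

if (Test-IsDomainController) {
    Write-Warning "$env:COMPUTERNAME is a domain controller; 'Administrator' here is the domain account. Nothing changed."
    exit 1
}

# Find the built-in Administrator by its well-known RID (500) rather than by name,
# so a renamed account (RWrigley's trick) is still found and nothing else matches.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) {
    Write-Error "No built-in Administrator account (RID 500) found on $env:COMPUTERNAME."
    exit 1
}

Set-LocalUser -Name $builtinAdmin.Name -Password $NewPassword
Write-Output "Local '$($builtinAdmin.Name)' password updated on $env:COMPUTERNAME."
```

A user logon script runs in the logging-on user's context and can only change another account if that user is a local administrator; a computer startup script runs as LocalSystem and can. Either way, a password embedded in a script under SYSVOL is readable by every domain user, which is why per-machine randomized local passwords (Microsoft LAPS) are the usual replacement for this approach.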
Assisted Solution

by: adamdrayer (earned 800 total points)
ID: 11907510

I agree that OUs are the best way to do things, but sometimes you need a policy that applies to people in some OUs but not all, and also to users in other OUs.

For example, if you want to apply a policy to everyone except the administrator, I wouldn't recommend putting the administrator in an OU all by himself. I would use the deny checkbox for that GPO. Otherwise, you may want to move users around from OU to OU as you work out the hierarchy and write more and more GPOs. Moving users breaks GPOs like this that are based on exceptions rather than true "group policy".
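A small PowerShell model of the allow/deny rule adamdrayer explains in his earlier comment and the Deny-based exemption he recommends in the assisted solution, added here as an example and not code from the thread. It assumes a user is represented by a list of its own name plus its group names, and it keeps only the rule stated in the thread (a matching Deny wins, an unchecked Allow is neutral, some matching Allow is needed); real Windows also evaluates ACE order, inheritance and the Read permission.

```powershell
<#
  Added example, not from the thread: how the "Apply Group Policy" entries on a
  GPO's security tab decide whether the GPO applies to a given user, reduced to
  the rule adamdrayer describes.
#>
function Test-GpoApplies {
    param(
        [string[]] $UserTokens,   # the user's own name plus every group the user is in
        [hashtable[]] $Aces       # @{ Trustee = '...'; Allow = $true|$false; Deny = $true|$false }
    )
    $matching = $Aces | Where-Object { $UserTokens -contains $_.Trustee }
    if (@($matching | Where-Object { $_.Deny }).Count -gt 0)  { return $false }  # deny takes priority
    if (@($matching | Where-Object { $_.Allow }).Count -gt 0) { return $true }   # some allow needed
    return $false                                                                # no entry: not applied
}

# Constructed token lists for two domain accounts.
$administrator = @('Administrator', 'Domain Admins', 'Domain Users', 'Everyone')
$alice         = @('alice', 'Domain Users', 'Everyone')

# 1. Default filtering as DMS-X saw it: Domain Users allowed, Domain Admins unchecked.
$default = @(
    @{ Trustee = 'Domain Users';  Allow = $true;  Deny = $false },
    @{ Trustee = 'Domain Admins'; Allow = $false; Deny = $false }
)
# 2. Exempting the administrator with an explicit Deny, as adamdrayer suggests.
$exempt = $default + @( @{ Trustee = 'Administrator'; Allow = $false; Deny = $true } )
# 3. The classic mistake: Allow one user, Deny Everyone.
$mistake = @(
    @{ Trustee = 'alice';    Allow = $true;  Deny = $false },
    @{ Trustee = 'Everyone'; Allow = $false; Deny = $true }
)

# Evaluate each scenario; the Applies column shows which claims in the thread hold.
foreach ($case in @(
    @{ Name = 'default filtering, Administrator'; Tokens = $administrator; Aces = $default },
    @{ Name = 'explicit Deny, Administrator';     Tokens = $administrator; Aces = $exempt },
    @{ Name = 'explicit Deny, alice';             Tokens = $alice;         Aces = $exempt },
    @{ Name = 'Allow alice / Deny Everyone';      Tokens = $alice;         Aces = $mistake }
)) {
    [pscustomobject]@{
        Case    = $case.Name
        Applies = (Test-GpoApplies -UserTokens $case.Tokens -Aces $case.Aces)
    }
}
```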
Author Comment

by:DMS-X
ID: 11914821
>One hopes you've discovered the joy and near-absolute power that Windows Scripting gives you, and aren't still using puny little .BAT files.
I would love to have the time to spend the next month or so studying VBS scripting, but it's a simple matter of time : )

Thanks for all of the advice, everyone.

DMS