Solved

Group Policies For different Users/Computers, net user command

Posted on 2004-08-26
8
284 Views
Last Modified: 2010-03-18
I have a couple of questions about Active Directory.

I want to have separate groups of users in AD who would receive different group policies, would I do this by creating organizational units? Ultimately I would like to have different departments receive different group policies.

One of my problems is logon scripts, the Administrator account receives the same logon script as all of the user accounts. This could be a potential problem for me.
--------------------------------------------------------------------------------------
Maybe someone knows this question also. I am trying to change the local administrator account for all of the workstations on the domain I administer by using the net command "net user Administrator password". I would like to put this in a logon script. The problem is this script gets run when I logon to one of the servers using the domain Administrator account. If I type in "net user" on the domain controller for example it lists all of the user accounts in active directory for the domain. I thought that local user accounts were disabled on a domain controller. Why then does the "net user" command give results? Can I use the "net" command to change accounts on the domain controller?

Thanks,
DMS
Question by:DMS-X
8 Comments
LVL 12

Accepted Solution

by:
RWrigley earned 300 total points
ID: 11905838
OU's are exactly how you need to do it.  You can nest them as well, since GPO's are cumulative, so you can put common GPO elements in the "parent" OU, and specific GPO elements in the specific OU's.

For Login Scripts, I'm still using the old "Profile" tab in the user properties.  However, you can assign login scripts in a GPO as well, so all you need to do is make your administrator accounts members of a different OU.

Another neat trick that GPO's allow you to do is automatically rename the local administrator account on all your workstations.

On a domain controller, ALL accounts are effectively "local" accounts, since "Local" in the context of the domain controller is the domain.

When you say that you want to "Change" the administrator account, what exactly are you trying to do?  
0
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11905950

using OUs is the preferred method of distributing Group Policy. You can also click the properties button in Group Policy, and go to the edit tab. Add the person(s) that you do not wish that group policy to apply to and check the "deny" box for "apply this policy"

0
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11905958
sorry, that should have been:
You can also click the properties button in Group Policy, and go to the security tab. Add the person(s) that you do not wish that group policy to apply to and check the "deny" box for "apply this policy"
0
 
LVL 1

Author Comment

by:DMS-X
ID: 11906904
Thanks to both of you guys : )

>Another neat trick that GPO's allow you to do is automatically rename the local administrator account on all your workstations.
I saw that one too : ), but I am looking at just changing the password for the local Administrator account for now.
>When you say that you want to "Change" the administrator account, what exactly are you trying to do?
Not to confuse the domain/Administrator account with LocalMachineAccount/Administrator on the workstations.
I want to run the "net user" command as a logon script for all workstations to change the LocalMachineAccount/Administrator account password. I am afraid that somehow the domain/Administrator account would get changed if this batch script was to run on the domain controller.

As of right now there are no OUs created and I have never done this before. There is only the domain container (I guess that's what it's called) as of right now. I just don't want to screw things up, that's all : ) . Any good advice when creating OUs?

>You can also click the properties button in Group Policy, and goto the security tab.  Add the person(s) that you do not wish that group policy to apply to
>and check the "deny" box for "apply this policy"
Cool, but why then is there an "apply group policy" in the security tab and the "Domain Admins" is unchecked? I would think then that this would exempt the Administrator account from receiving GPOs from within the domain container since the Administrator account is part of the "Domain Admins" group.
0
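The asker's worry above is that a logon script running "net user Administrator ..." will hit the domain Administrator when the domain admin logs on to a domain controller. The following is an added example (not from the thread or from any poster): a PowerShell guard that checks the machine's domain role before touching the account, so the script only changes the local Administrator on workstations. The password value is a placeholder, and the script assumes it runs in the context of a user who is a local administrator on the workstation.

```powershell
# Added example, not from the thread: a logon-script guard that changes the
# LOCAL Administrator password only on workstations and refuses to run on a
# domain controller, where the "local" accounts are the domain accounts.
# Win32_ComputerSystem.DomainRole: 0/1 = workstation, 2/3 = server, 4/5 = domain controller.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Output "Domain controller (DomainRole=$role): leaving the Administrator account alone."
    exit 0
}

# Placeholder value: the real password is assumed to be supplied from a
# protected source at deployment time rather than stored in the script.
$newPassword = '<NewLocalAdminPassword>'

# The script runs as the logging-on user, so this only succeeds when that user
# is a member of the local Administrators group on the workstation.
net user Administrator $newPassword
if ($LASTEXITCODE -ne 0) {
    Write-Output "net user failed with exit code $LASTEXITCODE on $env:COMPUTERNAME"
    exit $LASTEXITCODE
}
```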
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11907033
>>Cool but Why then is there a "apply group policy" in the security tab and the "Domain Admins" is unchecked?

This is the way NTFS and all security works in Microsoft.  If the entry for Domain Users is checked, then all domain users are applied.  The "domain admins" would just be redundant.

When processing security permissions, each user you want to have permission has to be part of some group that is allowed or the user has to be explicitly allowed. If he is part of a group that is denied, it takes priority.

A big mistake people make is to ALLOW user1, and DENY everyone, thinking this will allow access to user1 and no one else. This will in fact deny access to user1 because he is part of everyone and deny takes priority.

Also know that "unchecked" Allows are NOT the same thing as Denies. It just doesn't affect it one way or the other. So again, if Domain Users is allowed to apply the policy, then it will be applied to all domain users who are not denied. Since Domain Admins has no checks, it doesn't change this inherited permission.
0
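The evaluation rule adamdrayer describes above (a matching Deny wins, otherwise some matching Allow is required, and an unchecked box is neither) can be modelled directly. This is an added example, not code from the thread; the ACLs, group names and account names below are constructed to mirror the cases discussed: the default ACL with Domain Admins unchecked, the suggested Deny on the administrator, and the "Allow user1, Deny Everyone" mistake.

```powershell
# Added example, not from the thread: model how the "Apply Group Policy"
# permission is evaluated against a user's group memberships.
function Test-GpoApplies {
    param(
        [string[]]$Principals,   # the user's own name plus every group he belongs to
        [hashtable]$Allow,       # principal -> $true where "Allow: Apply Group Policy" is checked
        [hashtable]$Deny         # principal -> $true where "Deny: Apply Group Policy" is checked
    )
    # Any Deny that matches the user or one of his groups wins outright.
    foreach ($p in $Principals) { if ($Deny[$p]) { return $false } }
    # Otherwise at least one Allow must match; an unchecked entry counts for nothing.
    foreach ($p in $Principals) { if ($Allow[$p]) { return $true } }
    return $false
}

# Constructed ACL matching the default discussed in the thread:
# Domain Users allowed, Domain Admins present but with neither box checked.
$adminPrincipals = @('Administrator', 'Domain Admins', 'Domain Users')
$allow = @{ 'Domain Users' = $true }
$deny  = @{}
# The unchecked Domain Admins entry does not exempt the administrator.
Test-GpoApplies -Principals $adminPrincipals -Allow $allow -Deny $deny

# Exempting the administrator the way adamdrayer suggests: an explicit Deny.
$deny = @{ 'Administrator' = $true }
Test-GpoApplies -Principals $adminPrincipals -Allow $allow -Deny $deny

# The classic mistake: Allow user1, Deny Everyone. user1 is part of Everyone,
# so the Deny takes priority and the policy is not applied to him either.
Test-GpoApplies -Principals @('user1', 'Everyone') -Allow @{ 'user1' = $true } -Deny @{ 'Everyone' = $true }
```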
 
LVL 12

Expert Comment

by:RWrigley
ID: 11907325
If I were you, I would apply your group policies only through the OUs. That way, you don't have to worry about having to give anyone specific access to specific GPOs.

Microsoft describes their "best practices" approach here; well worth a read, if only as a starting point for your security design:
<http://www.microsoft.com/technet/security/prodtech/Win2003/W2003HG/SGCH00.mspx>

Make sure you grab the associated "Threats and Countermeasures" document as well... it's invaluable for figuring out what all the GPO options mean!

Now, as for your Administrator problem. First thing you ought to do is change the name of the administrator account. It's an old-school security trick (and it's not all that effective anymore), but it slows down the dumber ones. More importantly, in this case, is that it allows you to make the local administrator account different from the domain administrator account.

Finally, check here for samples of useful scripts. Amongst them is one that you can use to change passwords:
<http://www.microsoft.com/technet/scriptcenter/repository.mspx>

One hopes you've discovered the joy and near-absolute power that Windows Scripting gives you, and aren't still using puny little .BAT files. If not, read through the script center (the link above). With it, you're a god amongst users!
0
 
LVL 15

Assisted Solution

by:adamdrayer
adamdrayer earned 200 total points
ID: 11907510

I agree that OUs are the best way to do things, but sometimes you need a policy that applies to people in some OUs but not all, and also to users in other OUs.

For example, if you want to apply a policy to everyone except the administrator, I wouldn't recommend putting the administrator in an OU all by himself. I would use the deny checkbox for that GPO. Otherwise, you may want to move users around from OU to OU as you work out the hierarchy and write more and more GPOs. Moving users breaks GPOs like this that are based on exceptions rather than true "group policy".
0
 
LVL 1

Author Comment

by:DMS-X
ID: 11914821
>One hopes you've discovered the joy and near-absolute power that Windows Scripting gives you, and aren't still using puny little .BAT files.
I would love to have the time to spend the next month or so studying vbs scripting, but it's a simple matter of time : )

Thanks for all of the advice everyone.

DMS
0