Active Directory: Advice re:computer policies
Posted on 2004-09-05
I just implmented an OU which contains all the PCs that can have domain users with local admin right. To set up the local admin rights, I set the computer policy for restricted groups to domain admin, admin and a security group that contains all the domain users that should have local admin access to the PC.
In addition to that GPO, I'm using the default domain GPO because our company is small and it's easier to maintain all the users and remaining computers at the domain level.
In the domain GPO, the logon script policy is used and therefore, when the user logs on to the domain, a kix script runs. In the logon script I have a command to sync the time with one of our servers.
In order for the user to have the ability to sync the time, I had to allow for this by setting the appropriate policy in the computer settings. Otherwise, I had found that the user was denied access for changing the date/time. Originally I did this at the domain level, but when I implemented the new computer OU, I didn't know that I had to do it in that GPO too.
Question: Am I correct to say that I had to set that computer policy in both GPOs?
I would like advice to how I should be configuring the computer policies in the most effecient way. I want to be sure that I'm doing it correctly.