
Active Directory: Advice re:computer policies

I just implemented an OU which contains all the PCs that can have domain users with local admin rights.  To set up the local admin rights, I set the computer policy for restricted groups to domain admin, admin and a security group that contains all the domain users that should have local admin access to the PC.

In addition to that GPO, I'm using the default domain GPO because our company is small and it's easier to maintain all the users and remaining computers at the domain level.

In the domain GPO, the logon script policy is used and therefore, when the user logs on to the domain, a kix script runs.  In the logon script I have a command to sync the time with one of our servers.

In order for the user to have the ability to sync the time, I had to allow for this by setting the appropriate policy in the computer settings.  Otherwise, I had found that the user was denied access for changing the date/time.  Originally I did this at the domain level, but when I implemented the new computer OU, I didn't know that I had to do it in that GPO too.

Question: Am I correct to say that I had to set that computer policy in both GPOs?

I would like advice on how I should be configuring the computer policies in the most efficient way.  I want to be sure that I'm doing it correctly.

2 Solutions
What precedence are the GPOs - perhaps the script is running before the GPO is applied, so there's no permission.  Make sure the first GPO applies the permission, the second the script...

You should not need to set policy in each - they accumulate, unless they are contrary, then the higher level one wins. Usually. :)

halfondj (Author) commented:
I'm not sure by what you mean precedence.  I have only 1 GPO at the domain level and another GPO at the local computer OU level.

The script works, but the policy in the GPO has to be set.  Once I set it in the local computer OU GPO, all is working.

I just want to confirm that I'm doing it correctly.  I also set the date/time policy to authenticated users.

Here's the structure to my GPOs/OUs, etc.

ABC.COM - domain  - default domain policy (only policy used) - small company; allows users to change date/time in GPO
   ABC-Local-Computers-OU [restricted groups policy set, as well as allowing the date/time change]
      Computer-1  [all computers that need to have local admin rights]
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
             ABC-Acct-Grp [members consist of accounting users]
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]

  Computers [the container that's setup when AD is installed]
     All other domain computers are here including servers
There is absolutely no need to set the time manually on W2k or XP machines that are members of an AD domain. Those machines will synchronize their time automatically with the DC. In fact, allowing your users to change the time on their machines can/will be counterproductive; some smarthead might come up with the idea of "adjusting" the time on his machine manually to (pseudo-) meet a deadline, forget about it, shut down his computer, and then won't be able to log on the next morning.

Cannot Log On If Time and Date Are Not Synchronized

Basic Operation of the Windows Time Service

As for the policies, I usually try to stay away from the default domain policy for your "every-day policies". I'd create a top level OU, and put all the necessary stuff below that, then you can create your GPOs in there.
I would have to agree; user settings should be in the default domain, and computer settings in lower OUs. And I would recommend turning off the computer side of the policy in the default domain, and turning off the user side in the OU computer policy. If you need to apply OU member specific settings to users, create a second one at that level to apply to the users. Makes processing the policies faster.
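The points the experts make above (domain members take time from the DC, so the logon script need not set it; Restricted Groups and the "change the system time" right come from the effective GPO set), as an added verification script that is not part of the thread. It targets current Windows (w32tm /query and Get-LocalGroupMember do not exist on the Win2K/XP machines discussed); `ABC-Local-Admin-Grp` is taken from the author's diagram and `Domain Admins` is an assumption.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on a domain-joined PC.
# (a) Is W32Time taking time from the domain hierarchy?
# (b) Which principals hold "Change the system time" (SeSystemtimePrivilege) after GPO processing?
# (c) Did the Restricted Groups policy land in the local Administrators group?

# Groups the OU GPO is expected to enforce; 'Domain Admins' is an assumption, adjust to your domain.
$ExpectedAdmins = @('Domain Admins', 'ABC-Local-Admin-Grp')

# (a) A domain member should report a DC as its source, never the local clock.
$source = (w32tm /query /source) -join ''
if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning "Time is NOT synced from the domain (source: $source). Check W32Time and domain membership."
} else {
    Write-Output "Time source OK: $source"
}

# (b) Export the effective local security policy and read the privilege line,
#     which looks like: SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeSystemtimePrivilege' | Select-Object -First 1
$sids = ($line.Line -split '=')[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
$names = foreach ($sid in $sids) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }   # unresolvable SID: show it raw
}
Write-Output "Change the system time is granted to: $($names -join '; ')"
if ($sids -contains 'S-1-5-11') {
    # S-1-5-11 is Authenticated Users, the grant the author added for the logon script.
    Write-Warning 'Authenticated Users can change the system time; with W32Time syncing from the DC this grant is unnecessary.'
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# (c) Compare local Administrators with what Restricted Groups should have enforced.
$members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
Write-Output "Local Administrators: $($members -join '; ')"
foreach ($grp in $ExpectedAdmins) {
    if (-not ($members | Where-Object { $_ -like "*\$grp" })) {
        Write-Warning "Expected group '$grp' is missing from local Administrators; review GPO links and inheritance with: gpresult /scope computer /r"
    }
}
```

The gpresult call named in the last warning lists the computer-side GPOs actually applied and their order, which answers the "precedence" question raised in the first reply.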
halfondj (Author) commented:
Thank you for your replies.  I was unaware that it's unnecessary to set the time on Win2K and XP PCs.  I'll be sure to take out the command from the logon script.

Due to the excellent replies, I am increasing the points and splitting them.
Cool, and thanks for the score and points! Glad you got it fixed.