Solved

Active Directory: Advice re:computer policies

Posted on 2004-09-05
Last Modified: 2010-04-14
I just implemented an OU which contains all the PCs that can have domain users with local admin rights. To set up the local admin rights, I set the computer policy for restricted groups to domain admin, admin and a security group that contains all the domain users that should have local admin access to the PC.

In addition to that GPO, I'm using the default domain GPO because our company is small and it's easier to maintain all the users and remaining computers at the domain level.

In the domain GPO, the logon script policy is used and therefore, when the user logs on to the domain, a KiX script runs. In the logon script I have a command to sync the time with one of our servers.

In order for the user to have the ability to sync the time, I had to allow for this by setting the appropriate policy in the computer settings. Otherwise, I had found that the user was denied access for changing the date/time. Originally I did this at the domain level, but when I implemented the new computer OU, I didn't know that I had to do it in that GPO too.

Question: Am I correct to say that I had to set that computer policy in both GPOs?

I would like advice on how I should be configuring the computer policies in the most efficient way. I want to be sure that I'm doing it correctly.

Thanks.
Question by:halfondj
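A practitioner who has just moved computers into an OU with a Restricted Groups policy will want to confirm that the policy actually produced the intended local Administrators membership on every PC. The PowerShell script below is an added example, not part of the original question or any of the answers. The NetBIOS domain ABC, the OU name ABC-Local-Computers-OU and the group ABC-Local-Admin-Grp are taken from the question; the OU distinguished name, the DNS suffix abc.com, and the reading of "admin" as the built-in local Administrator account are assumptions. It needs the ActiveDirectory RSAT module on the admin workstation, PowerShell remoting to the target PCs, and Get-LocalGroupMember (Windows 10 / Server 2016 or later).

```powershell
# Added example: audit local Administrators membership on the PCs in
# ABC-Local-Computers-OU against what the Restricted Groups policy should enforce.
# Assumptions (not from the original post): OU DN, DNS suffix, and that "admin"
# in the question means the built-in local Administrator account.

Import-Module ActiveDirectory

$NetbiosDomain = 'ABC'
$SearchBase    = 'OU=ABC-Local-Computers-OU,DC=abc,DC=com'   # assumption

# Restricted Groups "Members of this group" replaces the whole membership on
# each refresh, so anything outside this list on a target machine is drift.
$ExpectedTemplate = @(
    "$NetbiosDomain\Domain Admins",
    "$NetbiosDomain\ABC-Local-Admin-Grp",
    '{COMPUTER}\Administrator'   # built-in account cannot be removed from Administrators
)

$Computers = Get-ADComputer -Filter * -SearchBase $SearchBase |
             Select-Object -ExpandProperty Name

$Report = foreach ($pc in $Computers) {
    try {
        $actual = Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object -ExpandProperty Name
        }
    }
    catch {
        [pscustomobject]@{
            Computer   = $pc
            Status     = 'Unreachable'
            Unexpected = $_.Exception.Message
            Missing    = ''
        }
        continue
    }

    # -replace on an array works element by element
    $expected   = $ExpectedTemplate -replace '\{COMPUTER\}', $pc
    $unexpected = @($actual   | Where-Object { $_ -notin $expected })
    $missing    = @($expected | Where-Object { $_ -notin $actual })

    [pscustomobject]@{
        Computer   = $pc
        Status     = if ($unexpected.Count -or $missing.Count) { 'Drift' } else { 'OK' }
        Unexpected = $unexpected -join '; '
        Missing    = $missing    -join '; '
    }
}

$Report | Sort-Object Status, Computer | Format-Table -AutoSize
```

Any row marked Drift means either the GPO has not refreshed on that machine yet (run gpupdate /force there and re-check) or someone has a different path to local admin than the policy allows, which is exactly what a Restricted Groups "Members" rule is meant to rule out.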
6 Comments
 
LVL 15

Expert Comment

by:harleyjd
ID: 11984118
What precedence are the GPOs? Perhaps the script is running before the GPO is applied, so there's no permission. Make sure the first GPO applies the permission, the second the script...

You should not need to set policy in each - they accumulate, unless they are contrary, then the higher level one wins. Usually. :)

 

Author Comment

by:halfondj
ID: 11984839
I'm not sure what you mean by precedence. I have only 1 GPO at the domain level and another GPO at the local computer OU level.

The script works, but the policy in the GPO has to be set.  Once I set it in the local computer OU GPO, all is working.

I just want to confirm that I'm doing it correctly.  I also set the date/time policy to authenticated users.

Here's the structure to my GPOs/OUs, etc.

ABC.COM - domain  - default domain policy (only policy used) - small company; allows users to change date/time in GPO
   ABC-Local-Computers-OU [restricted groups policy set, as well as allowing the date/time change]
      Computer-1  [all computers that need to have local admin rights]
      Computer-2
            :
   ABC-Department-OU
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
        ABC-Accounting-OU
             ABC-Acct-Grp [members consist of accounting users]
                 acct_user
        ABC-Credit-OU
             ABC-Credit-Grp
                  credit_user
                   :
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]
                  test_user

  Computers [the container that's setup when AD is installed]
     All other domain computers are here including servers
 
LVL 85

Accepted Solution

by:oBdA earned 1000 total points
ID: 11984960
There is absolutely no need to set the time manually on W2k or XP machines that are members of an AD domain. Those machines will synchronize their time automatically with the DC. In fact, allowing your users to change the time on their machines can/will be counterproductive; some smarthead might come up with the idea of "adjusting" the time on his machine manually to (pseudo-) meet a deadline, forget about it, shut down his computer, and then won't be able to log on the next morning.

Cannot Log On If Time and Date Are Not Synchronized
http://support.microsoft.com/?kbid=232386

Basic Operation of the Windows Time Service
http://support.microsoft.com/?kbid=224799

As for the policies, I usually try to stay away from the default domain policy for your "every-day policies". I'd create a top level OU, and put all the necessary stuff below that, then you can create your GPOs in there.
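The accepted answer makes two claims worth checking on a real workstation before ripping the time-sync command out of the logon script: that the machine is already taking its time from the domain hierarchy, and that the user right "Change the system time" is no longer handed to ordinary users. The PowerShell below is an added example, not code from the original thread or from Microsoft; it uses only the built-in w32tm and secedit tools and well-known SIDs, and must be run elevated on the PC being checked. Nothing else about the environment is assumed.

```powershell
# Added example: verify (1) that this domain member follows the AD time
# hierarchy, so a logon-script time sync is redundant, and (2) who holds the
# "Change the system time" right (SeSystemtimePrivilege). Run elevated.

function Get-TimeSyncState {
    # w32tm is the built-in Windows Time Service client tool.
    $source = (w32tm /query /source) -join ''
    $config = w32tm /query /configuration
    # In the NtpClient block, "Type: NT5DS (Local)" means the machine follows the
    # domain hierarchy; "NTP" means it was pointed at a manually configured peer.
    $type   = ($config | Select-String -Pattern '^\s*Type:\s*(\S+)').Matches |
              ForEach-Object { $_.Groups[1].Value } | Select-Object -First 1
    $status = w32tm /query /status
    $last   = ($status | Select-String -Pattern '^Last Successful Sync Time:\s*(.+)$').Matches |
              ForEach-Object { $_.Groups[1].Value } | Select-Object -First 1
    [pscustomobject]@{
        Source        = $source
        SyncType      = $type
        LastSync      = $last
        FollowsDomain = ($type -eq 'NT5DS')
    }
}

function Get-SystemTimePrivilegeHolders {
    # secedit exports the effective local user-rights assignment, i.e. the
    # merged result of local settings plus whatever the GPOs pushed down.
    $inf = Join-Path $env:TEMP ("ur_{0}.inf" -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    try {
        $line = (Get-Content $inf | Select-String -Pattern '^SeSystemtimePrivilege\s*=').Line
    }
    finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }

    # The exported line looks like: SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            $name = $sid   # unresolvable SID (deleted account, untrusted domain)
        }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    }
}

# Well-known broad principals that should never hold this right on a workstation.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$sync = Get-TimeSyncState
$sync | Format-List

$holders = Get-SystemTimePrivilegeHolders
$holders | Format-Table -AutoSize

$over = @($holders | Where-Object { $BroadSids.ContainsKey($_.Sid) })
if ($over.Count) {
    Write-Warning ("'Change the system time' is granted to: {0}. Remove that from the GPO; " +
                   "the Windows Time service syncs as LOCAL SERVICE and does not need it." -f ($over.Name -join ', '))
}
if (-not $sync.FollowsDomain) {
    Write-Warning "This machine is not following the domain time hierarchy (Type=$($sync.SyncType))."
}
```

On a healthy domain member the first function reports a DC as the source and NT5DS as the type, and the second lists only Administrators and LOCAL SERVICE. If Authenticated Users shows up, that is the setting the question added and the answer says to remove; the policy is applied at computer scope, so it has to be cleared wherever it was set (domain GPO and the OU GPO) for the right to disappear.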
 
LVL 6

Assisted Solution

by:Casca1
Casca1 earned 1000 total points
ID: 11986101
I would have to agree; user settings should be in the default domain, and computer settings in lower OUs. And I would recommend turning off the computer side of the policy in the default domain, and turning off the user side in the OU computer policy. If you need to apply OU member specific settings to users, create a second one at that level to apply to the users. Makes processing the policies faster.
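harleyjd's question about precedence and Casca1's advice to disable the unused half of each GPO can both be answered from the GroupPolicy module. The script below is an added example, not code from the thread; it lists every GPO linked at the domain and at the computer OU with its link order, whether the link is enforced, the GPO's enabled/disabled status, and a heuristic suggestion for which side could be switched off. The two target distinguished names are assumptions based on the OU layout in the question; the GroupPolicy RSAT module must be installed.

```powershell
# Added example: show GPO precedence at the domain and the computer OU, and
# flag GPOs whose user or computer half has never been edited (DSVersion 0)
# so that half can be disabled to shorten policy processing. Target DNs are
# assumptions; the heuristic is a hint, not an authoritative test.

Import-Module GroupPolicy

$Targets = @(
    'DC=abc,DC=com',                             # assumption
    'OU=ABC-Local-Computers-OU,DC=abc,DC=com'    # assumption
)

$rows = foreach ($t in $Targets) {
    $inheritance = Get-GPInheritance -Target $t
    foreach ($link in $inheritance.GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId

        $suggest = ''
        if ($gpo.GpoStatus -eq 'AllSettingsEnabled') {
            if ($gpo.User.DSVersion -eq 0 -and $gpo.Computer.DSVersion -gt 0) {
                $suggest = 'Disable user side (UserSettingsDisabled)'
            }
            elseif ($gpo.Computer.DSVersion -eq 0 -and $gpo.User.DSVersion -gt 0) {
                $suggest = 'Disable computer side (ComputerSettingsDisabled)'
            }
        }

        [pscustomobject]@{
            Target      = $t
            Order       = $link.Order        # 1 = applied last = highest precedence at this link
            GPO         = $link.DisplayName
            LinkEnabled = $link.Enabled
            Enforced    = $link.Enforced
            GpoStatus   = $gpo.GpoStatus
            UserVer     = $gpo.User.DSVersion
            ComputerVer = $gpo.Computer.DSVersion
            Suggestion  = $suggest
        }
    }
}

$rows | Format-Table -AutoSize
```

Policies link lower in the tree are processed after those higher up, so for the PCs in the question the OU GPO wins over the Default Domain Policy wherever the two set the same computer setting (unless the domain link is enforced). To act on a suggestion, set the property on the object Get-GPO returns, for example `(Get-GPO -Name 'Some GPO').GpoStatus = 'UserSettingsDisabled'`; keep both sides enabled on any GPO that deliberately carries both user and computer settings.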
 

Author Comment

by:halfondj
ID: 11990458
Thank you for your replies.  I was unaware that it's unnecessary to set the time on Win2K and XP PCs.  I'll be sure to take out the command from the logon script.

Due to the excellent replies, I am increasing the points and splitting them.
 
LVL 6

Expert Comment

by:Casca1
ID: 11992944
Cool, and thanks for the score and points! Glad you got it fixed.