Solved

Active Directory: Advice re:computer policies

Posted on 2004-09-05
Medium Priority
229 Views
Last Modified: 2010-04-14
I just implemented an OU which contains all the PCs that can have domain users with local admin rights.  To set up the local admin rights, I set the computer policy for restricted groups to domain admin, admin and a security group that contains all the domain users that should have local admin access to the PC.

In addition to that GPO, I'm using the default domain GPO because our company is small and it's easier to maintain all the users and remaining computers at the domain level.

In the domain GPO, the logon script policy is used and therefore, when the user logs on to the domain, a kix script runs.  In the logon script I have a command to sync the time with one of our servers.

In order for the user to have the ability to sync the time, I had to allow for this by setting the appropriate policy in the computer settings.  Otherwise, I had found that the user was denied access for changing the date/time.  Originally I did this at the domain level, but when I implemented the new computer OU, I didn't know that I had to do it in that GPO too.

Question: Am I correct to say that I had to set that computer policy in both GPOs?

I would like advice on how I should be configuring the computer policies in the most efficient way.  I want to be sure that I'm doing it correctly.

Thanks.
0
Question by:halfondj
6 Comments
 
LVL 15

Expert Comment

by:harleyjd
ID: 11984118
What precedence are the GPO's - perhaps the script is running before the GPO is applied, so there's no permission.  Make sure the first GPO applies the permission, the second the script...

You should not need to set policy in each - they accumulate, unless they are contrary, then the higher level one wins. Usually. :)

0
 

Author Comment

by:halfondj
ID: 11984839
I'm not sure what you mean by precedence.  I have only 1 GPO at the domain level and another GPO at the local computer OU level.

The script works, but the policy in the GPO has to be set.  Once I set it in the local computer OU GPO, all is working.

I just want to confirm that I'm doing it correctly.  I also set the date/time policy to authenticated users.

Here's the structure to my GPOs/OUs, etc.

ABC.COM - domain  - default domain policy (only policy used) - small company; allows users to change date/time in GPO
   ABC-Local-Computers-OU [restricted groups policy set, as well as allowing the date/time change]
      Computer-1  [all computers that need to have local admin rights]
      Computer-2
            :
   ABC-Department-OU
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
        ABC-Accounting-OU
             ABC-Acct-Grp [members consist of accounting users]
                 acct_user
        ABC-Credit-OU
             ABC-Credit-Grp
                  credit_user
                   :
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]
                  test_user

  Computers [the container that's setup when AD is installed]
     All other domain computers are here including servers
0
 
LVL 85

Accepted Solution

by:oBdA
oBdA earned 1000 total points
ID: 11984960
There is absolutely no need to set the time manually on W2k or XP machines that are members of an AD domain. Those machines will synchronize their time automatically with the DC. In fact, allowing your users to change the time on their machines can/will be counterproductive; some smarthead might come up with the idea of "adjusting" the time on his machine manually to (pseudo-) meet a deadline, forget about it, shut down his computer, and then won't be able to log on the next morning.

Cannot Log On If Time and Date Are Not Synchronized
http://support.microsoft.com/?kbid=232386

Basic Operation of the Windows Time Service
http://support.microsoft.com/?kbid=224799

As for the policies, I usually try to stay away from the default domain policy for your "every-day policies". I'd create a top level OU, and put all the necessary stuff below that, then you can create your GPOs in there.
0
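Added example, not part of the original thread: a PowerShell check, run elevated on a domain member, that lists who holds the "Change the system time" right (SeSystemtimePrivilege) and shows whether the machine syncs from the domain hierarchy. It assumes Windows Vista / Server 2008 or later, where `w32tm /query` is available; the temporary file name is arbitrary.

```powershell
# Added example. Assumes Windows Vista / Server 2008 or later and an elevated prompt.

# 1) Export the effective user-rights assignment and pull out SeSystemtimePrivilege.
$inf = Join-Path $env:TEMP 'user-rights.inf'          # arbitrary temp file name
secedit /export /cfg $inf /areas USER_RIGHTS /quiet
$entry = Select-String -Path $inf -Pattern '^SeSystemtimePrivilege\s*=\s*(.*)$' |
         Select-Object -First 1
Remove-Item $inf -Force -ErrorAction SilentlyContinue

# Well-known SIDs that cover ordinary users.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$holders = @()
if ($entry) {
    # secedit writes SIDs as "*S-1-5-..." separated by commas.
    $holders = $entry.Matches[0].Groups[1].Value -split ',' |
               ForEach-Object { $_.Trim().TrimStart('*') } |
               Where-Object { $_ }
}

$report = foreach ($h in $holders) {
    $name = $h
    if ($h -like 'S-1-*') {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($h)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }                                   # unresolvable SID: keep the raw value
    }
    # RID 513 is the Domain Users group of any domain.
    $isBroad = $broad.ContainsKey($h) -or ($h -match '-513$')
    [pscustomobject]@{ Holder = $name; Entry = $h; CoversOrdinaryUsers = $isBroad }
}
$report | Format-Table -AutoSize

# 2) Confirm the machine takes its time from the domain rather than from a script.
$w32 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
"W32Time Type   : $($w32.Type)  (NT5DS = sync from the domain hierarchy)"
"Current source : $(w32tm /query /source)"
```

Any row with `CoversOrdinaryUsers` set to True means ordinary users can move the clock, which is the situation the answer above warns about.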
 
LVL 6

Assisted Solution

by:Casca1
Casca1 earned 1000 total points
ID: 11986101
I would have to agree; User settings should be in the default domain, and computer settings in lower OU's. And I would recommend turning off the computer side of the policy in the default domain, and turning off the user in the OU computer policy. If you need to apply OU member specific settings to users, create a second one at that level to apply to the users. Makes processing the policies faster.
0
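Added example, not part of the original thread: a PowerShell report that shows, for every GPO in the domain, which half (user or computer) has ever been edited and which `GpoStatus` value would disable only the unused half. It assumes the GroupPolicy module (GPMC/RSAT) is installed; the GPO name in the final comment is hypothetical.

```powershell
# Added example. Requires the GroupPolicy module and read access to the domain's GPOs.
Import-Module GroupPolicy

$report = foreach ($gpo in Get-GPO -All) {
    # DSVersion counts edits to each half of the GPO; 0 means that half was never edited.
    $userUsed = $gpo.User.DSVersion     -gt 0
    $compUsed = $gpo.Computer.DSVersion -gt 0

    # Only ever suggest disabling a half that holds no settings.
    $suggested = if     ($userUsed -and $compUsed) { 'AllSettingsEnabled' }
                 elseif ($compUsed)                { 'UserSettingsDisabled' }
                 elseif ($userUsed)                { 'ComputerSettingsDisabled' }
                 else                              { "$($gpo.GpoStatus)" }   # empty GPO: leave as is

    [pscustomobject]@{
        Name            = $gpo.DisplayName
        UserVersion     = $gpo.User.DSVersion
        ComputerVersion = $gpo.Computer.DSVersion
        CurrentStatus   = $gpo.GpoStatus
        SuggestedStatus = $suggested
        NeedsChange     = ("$($gpo.GpoStatus)" -ne $suggested)
    }
}

$report | Sort-Object Name | Format-Table -AutoSize

# The Default Domain Policy normally carries the domain password and lockout policy
# in its computer half, so its ComputerVersion is non-zero and the report keeps
# that half enabled.

# To apply one suggestion after reviewing the report (GPO name is hypothetical):
# (Get-GPO -Name 'ABC-Local-Computers-GPO').GpoStatus = 'UserSettingsDisabled'
```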
 

Author Comment

by:halfondj
ID: 11990458
Thank you for your replies.  I was unaware that it's unnecessary to set the time on Win2K and XP PCs.  I'll be sure to take out the command from the logon script.

Due to the excellent replies, I am increasing the points and splitting them.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 11992944
Cool, and thanks for the score and points! Glad you got it fixed.
0
