Solved

Active Directory: Advice re:computer policies

Posted on 2004-09-05
6
208 Views
Last Modified: 2010-04-14
I just implmented an OU which contains all the PCs that can have domain users with local admin right.  To set up the local admin rights, I set the computer policy for restricted groups to domain admin, admin and a security group that contains all the domain users that should have local admin access to the PC.

In addition to that GPO, I'm using the default domain GPO because our company is small and it's easier to maintain all the users and remaining computers at the domain level.

In the domain GPO, the logon script policy is used and therefore, when the user logs on to the domain, a kix script runs.  In the logon script I have a command to sync the time with one of our servers.

In order for the user to have the ability to sync the time, I had to allow for this by setting the appropriate policy in the computer settings.  Otherwise, I had found that the user was denied access for changing the date/time.  Originally I did this at the domain level, but when I implemented the new computer OU, I didn't know that I had to do it in that GPO too.

Question: Am I correct to say that I had to set that computer policy in both GPOs?

I would like advice to how I should be configuring the computer policies in the most effecient way.  I want to be sure that I'm doing it correctly.

Thanks.
0
Comment
Question by:halfondj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 15

Expert Comment

by:harleyjd
ID: 11984118
What precedence are the GPO's - perhaps the script is running before the GPO is applied, so there's no permission.  Make sure the first GPO applies the permission, the second the script...

You should not need to set policy in each - they accumulate, unless they are contrary, then the higher level one wins. Usually. :)

0
 

Author Comment

by:halfondj
ID: 11984839
I'm not sure by what you mean precedence.  I have only 1 GPO at the domain level and another GPO at the local computer OU level.

The script works, but the policy in the GPO has to be set.  Once I set it in the local computer OU GPO, all is working.

I just want to confirm that I'm doing it correctly.  I also set the date/time policy to authenticated users.

Here's the structure to my GPOs/OUs, etc.

ABC.COM - domain  - default domain policy (only policy used) - small company; allows users to changed date/time in GPO
   ABC-Local-Computers-OU [restricted groups policy set, as well as allowing the date/time change]
      Computer-1  [all computers that need to have local admin rights]
      Computer-2
            :
   ABC-Department-OU
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
        ABC-Accounting-OU
             ABC-Acct-Grp [members consist of accounting users]
                 acct_user
        ABC-Credit-OU
             ABC-Credit-Grp
                  credit_user
                   :
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]
                  test_user

  Computers [the container that's setup when AD is installed]
     All other domain computers are here including servers
0
 
LVL 84

Accepted Solution

by:
oBdA earned 250 total points
ID: 11984960
There is absolutly no need to set the time manually on W2k or XP machines that are members of an AD domain. Those machines will synchronize their time automatically with the DC. In fact, allowing your users to change the time on their machines can/will be counterproductive; some smarthead might come up with the idea of "adjusting" the time on his machine manually to (pseudo-) meet a deadline, forget about it, ahutdown his computer, and then won't be able to logon the next morning.

Cannot Log On If Time and Date Are Not Synchronized
http://support.microsoft.com/?kbid=232386

Basic Operation of the Windows Time Service
http://support.microsoft.com/?kbid=224799

As for the policies, I usually try to stay away from the default domain policy for your "every-day policies". I'd create a top level OU, and put all the necessary stuff below that, then you can create your GPOs in there.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 6

Assisted Solution

by:Casca1
Casca1 earned 250 total points
ID: 11986101
I would have to agree; User settings should be in the default domain, and computer settings in lower OU's. And I would recommend turning off the computer side of the policy in the default domain, and turning off the user in the OU computer policy. If you need to apply OU member specific settings to users, create a second one at that level to apply to the users. Makes processing the policies faster.
0
 

Author Comment

by:halfondj
ID: 11990458
Thank you for your replies.  I was unaware that it's unnecessary to set the time on Win2K and XP PCs.  I'll be sure to take out the command from the logon script.

Due to the excellent replies, I am increasing the points and splitting them.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 11992944
Cool, and thanks for the score and points! Glad you got it fixed.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cursed with a Windows 2000 Server that needs to copy files 3 731
Video card with drivers for Windows 2000 8 153
Can’t delete a file 14 200
Upgrade dos 4.00.1111 11 34
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question