Solved

Active Directory: Advice re:computer policies

Posted on 2004-09-05
Last Modified: 2010-04-14
I just implemented an OU which contains all the PCs that can have domain users with local admin rights.  To set up the local admin rights, I set the computer policy for restricted groups to domain admin, admin and a security group that contains all the domain users that should have local admin access to the PC.

In addition to that GPO, I'm using the default domain GPO because our company is small and it's easier to maintain all the users and remaining computers at the domain level.

In the domain GPO, the logon script policy is used and therefore, when the user logs on to the domain, a kix script runs.  In the logon script I have a command to sync the time with one of our servers.

In order for the user to have the ability to sync the time, I had to allow for this by setting the appropriate policy in the computer settings.  Otherwise, I had found that the user was denied access for changing the date/time.  Originally I did this at the domain level, but when I implemented the new computer OU, I didn't know that I had to do it in that GPO too.

Question: Am I correct to say that I had to set that computer policy in both GPOs?

I would like advice on how I should be configuring the computer policies in the most efficient way.  I want to be sure that I'm doing it correctly.

Thanks.
Question by:halfondj
6 Comments
 
LVL 15

Expert Comment

by:harleyjd
What precedence are the GPOs - perhaps the script is running before the GPO is applied, so there's no permission.  Make sure the first GPO applies the permission, the second the script...

You should not need to set policy in each - they accumulate, unless they are contrary, then the higher level one wins. Usually. :)

 

Author Comment

by:halfondj
I'm not sure what you mean by precedence.  I have only 1 GPO at the domain level and another GPO at the local computer OU level.

The script works, but the policy in the GPO has to be set.  Once I set it in the local computer OU GPO, all is working.

I just want to confirm that I'm doing it correctly.  I also set the date/time policy to authenticated users.

Here's the structure to my GPOs/OUs, etc.

ABC.COM - domain  - default domain policy (only policy used) - small company; allows users to change date/time in GPO
   ABC-Local-Computers-OU [restricted groups policy set, as well as allowing the date/time change]
      Computer-1  [all computers that need to have local admin rights]
      Computer-2
            :
   ABC-Department-OU
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
        ABC-Accounting-OU
             ABC-Acct-Grp [members consist of accounting users]
                 acct_user
        ABC-Credit-OU
             ABC-Credit-Grp
                  credit_user
                   :
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]
                  test_user

  Computers [the container that's set up when AD is installed]
     All other domain computers are here including servers
 
LVL 82

Accepted Solution

by:oBdA
oBdA earned 250 total points
There is absolutely no need to set the time manually on W2k or XP machines that are members of an AD domain. Those machines will synchronize their time automatically with the DC. In fact, allowing your users to change the time on their machines can/will be counterproductive; some smarthead might come up with the idea of "adjusting" the time on his machine manually to (pseudo-) meet a deadline, forget about it, shut down his computer, and then won't be able to log on the next morning.

Cannot Log On If Time and Date Are Not Synchronized
http://support.microsoft.com/?kbid=232386

Basic Operation of the Windows Time Service
http://support.microsoft.com/?kbid=224799

As for the policies, I usually try to stay away from the default domain policy for your "every-day policies". I'd create a top level OU, and put all the necessary stuff below that, then you can create your GPOs in there.
 
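The two points oBdA makes can be checked on a client rather than taken on faith: whether the Windows Time service is actually taking its time from the domain hierarchy, and who holds the "Change the system time" right. The script below is an added example for this thread, not something any of the posters wrote. It assumes a domain-joined Windows client with w32tm.exe and secedit.exe (XP SP2 / Server 2003 and later) and an elevated PowerShell prompt; the registry key and privilege name it reads are the standard ones.

```powershell
# Added example (not from the thread): verify that a domain member syncs time
# from the domain hierarchy and that broad groups do NOT hold the
# "Change the system time" right (SeSystemtimePrivilege). Run elevated.

function Get-TimeSyncStatus {
    # W32Time "Type": NT5DS = domain hierarchy, NTP = manual peer list, NoSync = off.
    $type = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
    # w32tm /query /status prints a "Source: <peer>" line and a
    # "Last Successful Sync Time: <timestamp>" line among others.
    $status = & w32tm.exe /query /status 2>&1
    $source = $null; $lastSync = $null
    foreach ($line in $status) {
        if ($line -match '^\s*Source:\s*(.+)$')                    { $source   = $Matches[1].Trim() }
        if ($line -match '^\s*Last Successful Sync Time:\s*(.+)$') { $lastSync = $Matches[1].Trim() }
    }
    [pscustomobject]@{
        Type            = $type
        SyncsFromDomain = ($type -eq 'NT5DS')   # expected on a domain member
        Source          = $source                # expected: a domain controller
        LastSync        = $lastSync
    }
}

function Get-SystemTimeRightHolders {
    # Export only the user-rights area of local security policy; the line
    # "SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544" lists *SID entries
    # and/or account names for whoever may change the clock.
    $inf = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -like 'SeSystemtimePrivilege*' } | Select-Object -First 1
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }
    $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $sid = $null; $name = $entry
        if ($entry.StartsWith('*')) {
            $sid = $entry.Substring(1)
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = $sid }   # unresolvable SID, e.g. a deleted account
        }
        [pscustomobject]@{ Sid = $sid; Name = $name; Raw = $entry }
    }
}

function Test-SystemTimeRightIsRestricted {
    # Broad principals that turn the right into "every user can change the clock":
    # Everyone, Authenticated Users, BUILTIN\Users, and any domain's Domain Users (RID 513).
    $broad   = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    $holders = Get-SystemTimeRightHolders
    $bad = $holders | Where-Object { $_.Sid -and (($broad -contains $_.Sid) -or ($_.Sid -like 'S-1-5-21-*-513')) }
    [pscustomobject]@{
        Holders     = $holders
        BroadGrants = $bad
        Restricted  = (@($bad).Count -eq 0)   # $true = only admins/service accounts hold it
    }
}

Get-TimeSyncStatus
Test-SystemTimeRightIsRestricted | Format-List
```

On a client configured the way the thread describes (the right granted to Authenticated Users), `Restricted` comes back `$false` and `BroadGrants` names the S-1-5-11 entry; after the GPO setting is removed and `gpupdate /force` has run, the export should list only the default holders (Administrators and LOCAL SERVICE). `SyncsFromDomain` being `$true` with a DC as `Source` confirms the logon-script time command is redundant.
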
LVL 6

Assisted Solution

by:Casca1
Casca1 earned 250 total points
I would have to agree; User settings should be in the default domain, and computer settings in lower OUs. And I would recommend turning off the computer side of the policy in the default domain, and turning off the user in the OU computer policy. If you need to apply OU member specific settings to users, create a second one at that level to apply to the users. Makes processing the policies faster.

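Both harleyjd's point (which GPOs reach the computer OU, and in what precedence) and Casca1's advice (disable the half of a GPO that carries no settings) can be put into a repeatable check. The following is an added example for this thread, not code from any of the posters; it assumes the GroupPolicy PowerShell module (RSAT / Windows Server 2008 R2 and later, so not available on the 2004-era servers in the thread), the thread's placeholder domain abc.com and OU ABC-Local-Computers-OU, and a hypothetical GPO name ABC-Local-Computers-Policy.

```powershell
# Added example (not from the thread). Lists every GPO that applies to a container
# in precedence order, with link state and which halves are enabled, and switches
# off the unused half of a GPO. Requires: Import-Module GroupPolicy.
Import-Module GroupPolicy

function Get-GpoLinkReport {
    # $Target: the domain DNS name (e.g. abc.com) or an OU distinguished name.
    param([Parameter(Mandatory)][string]$Target)
    $inh = Get-GPInheritance -Target $Target
    # InheritedGpoLinks holds the links of this container and of every parent up to
    # the domain, in order of precedence (first entry wins on conflicting settings).
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        $gpo = Get-GPO -Guid $link.GpoId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Precedence         = $rank
            Gpo                = $link.DisplayName
            LinkedAt           = $link.Target        # where the link lives (domain or OU)
            LinkEnabled        = $link.Enabled
            Enforced           = $link.Enforced
            GpoStatus          = if ($gpo) { $gpo.GpoStatus } else { 'unknown' }  # e.g. UserSettingsDisabled
            InheritanceBlocked = $inh.GpoInheritanceBlocked
        }
    }
}

function Set-GpoHalf {
    # Disable the side of a GPO that has no settings so clients skip processing it:
    # a computer-only GPO gets UserSettingsDisabled, a user-only GPO the reverse.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('ComputerOnly', 'UserOnly', 'Both')][string]$Applies
    )
    $gpo = Get-GPO -Name $Name
    $gpo.GpoStatus = switch ($Applies) {
        'ComputerOnly' { 'UserSettingsDisabled' }
        'UserOnly'     { 'ComputerSettingsDisabled' }
        'Both'         { 'AllSettingsEnabled' }
    }
    $gpo   # assigning GpoStatus writes the change back to the GPO
}

# Hypothetical names from the thread's layout.
Get-GpoLinkReport -Target 'OU=ABC-Local-Computers-OU,DC=abc,DC=com' | Format-Table -AutoSize
Set-GpoHalf -Name 'ABC-Local-Computers-Policy' -Applies ComputerOnly
```

The report makes the accumulation harleyjd describes visible: the Default Domain Policy and the OU-linked GPO both appear for the computer OU, so a computer setting defined once at the domain level already reaches those PCs unless the OU blocks inheritance or a higher-precedence GPO sets the same value differently. To see what a specific machine actually received, `gpresult /scope computer /v` on the client (or `Get-GPResultantSetOfPolicy -Computer <name> -ReportType Html -Path <file>` from the module) shows the winning GPO per setting.
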
Author Comment

by:halfondj
Thank you for your replies.  I was unaware that it's unnecessary to set the time on Win2K and XP PCs.  I'll be sure to take out the command from the logon script.

Due to the excellent replies, I am increasing the points and splitting them.
 
LVL 6

Expert Comment

by:Casca1
Cool, and thanks for the score and points! Glad you got it fixed.