
Do Active Directory Restrictions take privilege over local ones

Posted on 2004-09-28
Last Modified: 2010-04-10
Hi, we have Active Directory set up. One of our users is restricted from basically doing anything, but I want to give him full access to his machine. I added his domain user as a local administrator, but this does not seem to work.

Any help appreciated.
Question by:m3mn0ck
5 Comments
 
LVL 3

Expert Comment

by:iwontleaveyou
ID: 12176902
Add the user's account in Active Directory to his computer name.

Go to user --> Properties --> Member Of --> Add the (computername).
0
 
LVL 7

Expert Comment

by:wparrott
ID: 12177033
As long as the domain user is in the local Administrators group, the user should have unrestricted access to the computer. If you log in with a domain admin account, do you have unrestricted access?

To test further, create a new domain user account, add it to the local Administrators group and log in using that account on the workstation. Does that account have unrestricted access?

HTH...
0
 
LVL 5

Accepted Solution

by:
swinterborn earned 200 total points
ID: 12177691
If the user has restrictions placed on them by a GPO in AD, the restrictions will apply irrespective of what rights they have on the machine. You need to know where these restrictions are being applied before finding a solution:

What is the OU structure in AD?
Is the GPO applying the restriction based on the machine or the user?
What is the restriction that is affecting the user?

Depending on the answers, there are a number of options:

Create a new OU and GPO for this user/machine underneath the existing one, set inherit all existing policies and use the GPO to overwrite only the policies which are preventing the user from working. (This would be ideal - if a different user had the same issue, moving their account to the new OU would solve the problem.)
Place an ACL on the GPO preventing it from applying to your user/machine. (Useful for troubleshooting, but overkill for a long-term fix, and may cause more problems than it fixes.)
And many more, probably as many options as there are AD deployment scenarios.

Cheers


0
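
The precedence behind the accepted answer, as an added example that is not part of the original thread: a simplified Python model of Group Policy processing order (local, site, domain, then OUs from parent to child, last writer wins), showing why a child-OU GPO overrides the inherited restriction and what the ACL option does. The GPO names, the user name `jdoe` and the setting values are constructed; enforced links and Block Inheritance are not modelled.

```python
from dataclasses import dataclass, field

# Processing order: Local, Site, Domain, then OUs from parent to child (LSDOU).
# A setting written later replaces the same setting written earlier.
LEVELS = ("local", "site", "domain", "ou")


@dataclass
class GPO:
    name: str
    level: str                  # one of LEVELS
    settings: dict              # policy name -> value
    ou_depth: int = 0           # 0 = top-level OU, larger = deeper child OU
    denied_to: set = field(default_factory=set)  # denied "Apply Group Policy"


def resultant_policy(gpos, user):
    """Return {setting: (value, winning GPO name)} for `user`.

    Local group membership (e.g. Administrators) is deliberately not an
    input: it grants rights on the machine but plays no part in which
    policy setting wins.
    """
    applicable = [g for g in gpos if user not in g.denied_to]
    ordered = sorted(applicable,
                     key=lambda g: (LEVELS.index(g.level), g.ou_depth))
    result = {}
    for gpo in ordered:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)   # later GPO overwrites earlier
    return result


# Constructed sample data: a restrictive GPO on the parent OU and an
# exception GPO linked to a child OU that resets only one setting.
LOCAL = GPO("Local policy", "local", {"NoControlPanel": False})
LOCKDOWN = GPO("Staff lockdown", "ou",
               {"NoControlPanel": True, "NoRun": True}, ou_depth=0)
EXCEPTION = GPO("Staff exceptions", "ou",
                {"NoControlPanel": False}, ou_depth=1)


def demo():
    before = resultant_policy([LOCAL, LOCKDOWN], "jdoe")
    after = resultant_policy([LOCAL, LOCKDOWN, EXCEPTION], "jdoe")
    return before, after


if __name__ == "__main__":
    for label, policy in zip(("parent OU only", "with child OU GPO"), demo()):
        print(label, policy)
```
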
 
LVL 11

Expert Comment

by:PennGwyn
ID: 12181998
Yes, GPO restrictions are applied to the machine *after* local policies.

0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12182980
Maybe you forgot to re-login (log off and log in again as that user). If so, do it!!! If you want to know why, let me know.
0
