Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 136
  • Last Modified:

Group Policy Inheritance Windows 2000 AD

Here is what I am trying to do...

I have 2 OU's one called test and a child OU called test2.

I want to be able to set a global standard of users who can login to all machines located in and below test, but I also want to also add specific users who can login to all machines located in test 2. So

Is this possible?:

TEST
    -> Windows Settings
         -> Security Settings
             -> Local Policies
                 -> User Rights Assignments
                      -> Logon Locally
                          -> Domain Admins, Group A
       TEST 2
           -> Windows Settings
              -> Security Settings
                 -> Local Policies
                    -> User Rights Assignments
                        -> Logon Locally
                            -> Johnny B

So what I am wanting is a way to have it with the setup above and Domain Admins, Group A, and Johnny B can all login to systems located in Test 2. Basically we have 10 Sites that are setup as OU's and we want to be able to add users that can login to all sites without having to go into each sites specific GP and edit each policy.

May sense?

0
jeremywatco
Asked:
jeremywatco
  • 2
1 Solution
 
Jay_Jay70Commented:
Hi jeremywatco,

as long as test2 is a SUB OU of test, then policies set on TEST2 will hold, but you are overwriting TEST settings

remember LSDOU
Local - Site - Domain - OU   that is the order of which policies apply    last applied wins

i would create an additional group and add johny to it, then add him on test policy

Cheers!
0
 
jeremywatcoAuthor Commented:
Thanks for the fast response... I figured as much, that it would be overwritten.. is there any way around this. Here is my situation.. I have 20 remote offices and at each office there is are certain users that have the right to login, but also we have area managers that need the right to login to any of the machines at any office, so i was hoping for an easy solution as opposed to going through all 20 GP's and adding the new group.
0
 
Jay_Jay70Commented:
there is a no override policy setting available but i am pretty sure it does exactly that, prevents overriding it......

you know, if you have an xp client you can use the Group Policy Management Console for heaps more power over Group Policy... you can link and copy etc....
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now