Solved

Group Policy Questions

Posted on 2008-06-16
Last Modified: 2010-03-17
Hi

I have a couple of questions on group policy that I was hoping someone could help me with:

a) I have the following GPOs applied to an OU (listed in order of increasing precedence):

GPO #1
GPO #2
Default Domain Policy

Can someone tell me which policy takes priority, is it the first or the third?

b) GPO #1 has a setting

Computer configuration > Windows Settings > Security Settings > Restricted Groups

...and there are two security groups listed in this setting. Can someone tell me exactly what this setting does?

c) I wish to have a setting whereby the GPO adds certain domain security groups to the Local Admins group. Can you tell me where I can add this setting?

We are using Windows 2003 Domain controllers, the servers are Windows 2003.

Hope someone can help!

Thanks

Question by:kam_uk

Accepted Solution

by:
tigermatt earned 1400 total points
ID: 21795382
kam_uk,

a) The first policy will have priority. Any policies defined in lower priority GPOs but not defined in the higher preference ones will also apply - but if any policies are set more than once, the ones from the first policy at the top of your list will take precedence over the ones lower down.

b) Restricted Groups is the feature you will need to use for part c) of your question. Essentially what it does is allow you to specify a security group, and then specify the groups which should be members of that security group at each workstation where the GPO applies. There's a good article on Restricted Groups at http://www.windowsecurity.com/articles/Using-Restricted-Groups.html.

To achieve part c), you would need to create a Restricted Groups policy for the "Administrators" group, and then add the correct domain security groups as part of the properties of that restricted group policy. If you check the article, you will be able to get a more detailed description of the procedure.

There's also this Technet article on Restricted Groups for your info: http://technet2.microsoft.com/WindowsServer/en/Library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx

-tigermatt
0
 

Assisted Solution

by:raptorjb007
raptorjb007 earned 600 total points
ID: 21795401
All three GPOs apply. However, in the event two or more GPOs have conflicting settings set, the setting from the GPO with the highest precedence is the one that is applied.

To better understand: GPOs are applied in a specific order, and the last one to be processed has the highest precedence. This order is as follows (Local, Site, Domain, OU); precedence within each of these sections is considered, but affects only precedence within its category as listed above.

So with this in mind, local PC policies have the lowest precedence and OU policies have the highest precedence. Domain policies apply to the entire domain, but OU policies are more specific, and thus have a higher precedence and override domain policies.

For more information you can read:
Group Policy processing and precedence
http://technet2.microsoft.com/windowsserver/en/library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx?mfr=true

0
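
The processing order described in the two answers above, as an added example that is not part of either post: it resolves conflicting settings across Local, Site, Domain and OU links, and inside one container by link order. The GPO names come from the question; the setting names and values, the local policy entry, and the assumption that the three GPOs hold link order 1 to 3 from the top of the list are constructed for illustration.

```python
# Added example, not code from the thread. GPO names come from the question;
# setting names, values and the local policy entry are constructed.
SCOPE_ORDER = ["local", "site", "domain", "ou"]   # processed first -> last

def processing_order(links):
    """Order in which linked GPOs are processed.

    Containers follow Local, Site, Domain, OU. Inside one container GPMC
    link order 1 has the highest precedence, so it is processed last.
    """
    return sorted(links, key=lambda l: (SCOPE_ORDER.index(l["scope"]), -l["link_order"]))

def resultant_settings(links):
    """Apply every GPO in turn; a later GPO overwrites conflicting settings only."""
    result = {}
    for link in processing_order(links):
        for name, value in link["settings"].items():
            result[name] = {"value": value, "from": link["gpo"]}
    return result

LINKS = [
    {"gpo": "Local policy", "scope": "local", "link_order": 1,
     "settings": {"ScreenSaverTimeout": 1200}},
    {"gpo": "GPO #1", "scope": "ou", "link_order": 1,
     "settings": {"ScreenSaverTimeout": 300}},
    {"gpo": "GPO #2", "scope": "ou", "link_order": 2,
     "settings": {"ScreenSaverTimeout": 600, "AuditLogon": "Success,Failure"}},
    {"gpo": "Default Domain Policy", "scope": "ou", "link_order": 3,
     "settings": {"AuditLogon": "Success", "RenameGuest": "guest-disabled"}},
]

if __name__ == "__main__":
    for name, info in sorted(resultant_settings(LINKS).items()):
        print(f"{name} = {info['value']!r} (from {info['from']})")
```

Settings that only a lower-precedence GPO defines still reach the result; only the conflicting ones are overridden.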
 

Author Comment

by:kam_uk
ID: 21798260
Thanks guys...

Tigermatt said "b) Restricted Groups is the feature you will need to use for part c) of your question. Essentially what it does is allow you to specify a security group, and then specify the groups which should be members of that security group at each workstation where the GPO applies. There's a good article on Restricted Groups at http://www.windowsecurity.com/articles/Using-Restricted-Groups.html."

Question - I would like to do the following that would only apply to the machines in the OU where this GPO is applied

a) I would like Domain Security Group A to be a member of the Administrators group on servers in that specific OU
b) I would like Domain Security Group B to be a member of the Power Users group on servers in that specific OU

According to the article, I would set up Administrators and Power Users as Restricted Groups on the GPO, and add Domain Security Group A and Domain Security Group B as members of the groups respectively.

Could you confirm this will only affect machines that the GPO is applied to? For instance, if I created domain\domain admins as a Restricted Group and added Domain Security Group A to it, this would not be a domain wide change?

Thanks!
0
 

Expert Comment

by:tigermatt
ID: 21800274
You control where the Restricted Groups policy applies just like any other policy. Provided the policy which has restricted groups configured is ONLY linked to the OU containing your servers, the policy will only apply to that location.

All the places a policy is linked can be seen when you single-click on it in the Group Policy Management Console; it's on the first tab at the top.

-tigermatt
0
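
The Restricted Groups setup discussed in this thread, as an added example that is not part of any post: it parses the `[Group Membership]` section that a GPO's GptTmpl.inf security template uses for Restricted Groups and shows what a non-empty Members list does to a server's existing local Administrators group. All account SIDs, the sample template and the "before" membership are constructed; the function names are hypothetical.

```python
# Added example, not code from the thread. Account SIDs below are constructed.
ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
POWER_USERS = "S-1-5-32-547"      # well-known SID of BUILTIN\Power Users
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed GptTmpl.inf fragment: Group A is RID 1601, Group B is RID 1602.
SAMPLE_INF = f"""[Version]
signature="$CHICAGO$"
[Group Membership]
*{ADMINISTRATORS}__Memberof =
*{ADMINISTRATORS}__Members = *{DOM}-1601
*{POWER_USERS}__Memberof =
*{POWER_USERS}__Members = *{DOM}-1602
"""

def parse_restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            group, sep, kind = key.strip().rpartition("__")
            if sep and kind.lower() in ("members", "memberof"):
                entry = groups.setdefault(group.lstrip("*"), {"members": [], "memberof": []})
                entry[kind.lower()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return groups

def apply_members(current, policy_members):
    """Model a non-empty Members list: accounts not listed are removed, except
    the built-in Administrator (RID 500), which Restricted Groups leaves in place.
    Returns (resulting membership, added, removed)."""
    wanted = set(policy_members)
    kept = {sid for sid in current if sid.endswith("-500")}
    result = wanted | kept
    return result, result - set(current), set(current) - result

# Constructed state of one server's local Administrators group before the GPO applies.
BEFORE = {f"{DOM}-512", f"{DOM}-1777", "S-1-5-21-9-9-9-500"}

if __name__ == "__main__":
    policy = parse_restricted_groups(SAMPLE_INF)
    result, added, removed = apply_members(BEFORE, policy[ADMINISTRATORS]["members"])
    print("added:", sorted(added))
    print("removed:", sorted(removed))   # Domain Admins (-512) and -1777 are dropped
```

Because the Members list is authoritative, Domain Admins (RID 512) must be listed explicitly if it should stay in the local Administrators group on the servers in that OU.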
