Solved

Is there a better/easier way to configure GPO?

Posted on 2008-10-15
Last Modified: 2010-03-17
I want to set up a GPO for our users and a GPO for the administration on the network, meaning the managers of all the departments.

Now, on my test server that I play around on, in AD I created 2 new OUs: Office Users and Administration.

In Group Policy Editor, I made a GPO and named it Office Users. I set all their restrictions and enforced the policy for that group.

Staying in Group Policy Editor, I made another GPO and named it Administration, and I just left it alone; I didn't change any options.

I made a test user, john, and by habit I put him in the normal AD Users folder. When I take him from the Users folder and move him to the Office Users folder, I get a pop-up that states something along the lines of... it can damage the account if moved from the Users folder... I am sure you guys know the pop-up I am talking about.

Once I moved john over to the Office Users OU, I logged in on my workstation that is already connected to the domain, and all of the restrictions were in effect. I was not surprised; this is what the GPO is for. I logged my user out, moved him from the Office Users OU to the Administration OU, and when I logged back in as john on the desktop workstation, the restrictions were gone and he had access to everything.

So, everything I did seemed to work just fine.

Here is my question...

Is there a better way to do what I am doing?

My only problem is that if I want to change a setting for that user, I would have to move them from one OU to the other.
Question by:tomdlgns
3 Comments

Accepted Solution

by: ckozloski (earned 500 total points)
ID: 22721745
No. You move them from one group to another. It's easier that way. You can apply your GPOs to user groups instead of OUs and just change the group membership of the person whose settings you want to change.
So, create two groups: Administration and Office Users.
Change the enforcement for your two GPOs to Administration and Office Users.
Then change the group membership of your test user to Office Users. Create another test user and add him to the group Administration.
Log in with the two and see the difference.
Hope this helps.
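One way to script the group-based approach described in this answer, as an added example that is not part of the original post. In Windows the GPO is still linked to an OU; the per-group scoping is done with security filtering on the GPO's ACL. The example assumes the ActiveDirectory and GroupPolicy RSAT modules on a domain-joined admin machine, that the two GPOs named in the thread already exist, that all users sit in the "Office Users" OU, and an assumed "Groups" OU for the new security groups.

```powershell
# Added example: scope the two GPOs from the thread by security group instead of
# by moving the user between OUs. Assumes RSAT (ActiveDirectory + GroupPolicy
# modules); the Groups OU and the placement of all users in one OU are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=local
$groupsOu = "OU=Groups,$domainDn"                     # assumed OU for the groups
$usersOu  = "OU=Office Users,$domainDn"               # OU from the thread; both GPOs link here

# 1. Create one global security group per policy (skip if it already exists).
foreach ($name in 'Office Users', 'Administration') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $groupsOu
    }
}

# 2. Link both GPOs to the OU that holds every user. Scoping is done by
#    security filtering, so users no longer have to move between OUs.
foreach ($gpo in 'Office Users', 'Administration') {
    $linked = (Get-GPInheritance -Target $usersOu).GpoLinks.DisplayName
    if ($linked -notcontains $gpo) {
        New-GPLink -Name $gpo -Target $usersOu -LinkEnabled Yes | Out-Null
    }
    # Downgrade the default "Authenticated Users: Apply" to Read only: computer
    # accounts still need Read to process user policy, but the GPO now applies
    # only to members of the group with the same name.
    Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpo -TargetName $gpo -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# 3. Change what a user receives by changing group membership only.
Add-ADGroupMember -Identity 'Office Users' -Members 'john'
# Later, to give john the Administration policy instead:
# Remove-ADGroupMember -Identity 'Office Users' -Members 'john' -Confirm:$false
# Add-ADGroupMember -Identity 'Administration' -Members 'john'

# 4. Verify which trustees can actually apply each GPO.
foreach ($gpo in 'Office Users', 'Administration') {
    Get-GPPermission -Name $gpo -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{n = 'GPO'; e = { $gpo } },
                      @{n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission
}
```

On the test workstation, `gpresult /r` run as john shows which of the two GPOs applied and lists any GPO denied because of security filtering.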

Author Comment

by:tomdlgns
ID: 22721851
OK, that is a good way to do it as well.

Can I corrupt the user account if I keep moving it back and forth from folder to folder?

What role does the Member Of tab have in the AD user properties?

I have noticed, at times, that if there is a restricted user on my network (for example, they can't change the power settings on their computer), if I click the Member Of tab and add them as an administrator, they now have access to change power settings.

I suppose I might be looking into this too deep.


Expert Comment

by:ckozloski
ID: 22722082
No, you have to look into group policies very deeply. They can get confusing, and you can actually create a lot of issues just by implementing GPOs. If done right, however, they are an administrator's dream come true.
You can't corrupt a user account by moving it from OU to OU. What can happen is that anything that may be tied to that OU will be lost when you move it to a different OU, and vice versa.
And yes, if you put a user in the Administrators group, you give them administrative rights to the computers, and they will be able to change all that stuff and then some. Better to use the Power Users group instead.
You can also use group policy to assign what rights they do have access to on the local machine such as power settings and things like that.