Solved

Is there a better/easier way to configure GPO?

Posted on 2008-10-15
Last Modified: 2010-03-17
I want to set up a GPO for our users and a GPO for the administration on the network... meaning, the managers of all the departments.

Now, on my test server that I play around on, in AD I created 2 new OUs: Office Users and Administration.

In Group Policy Editor, I made a GPO and named it Office Users. I set all their restrictions and enforced the policy for that group.

Staying in Group Policy Editor, I made another GPO and named it Administration and I just left it alone, didn't change any options.

I make a test user, john, and by habit, I put him in the normal AD Users folder. I take him from the Users folder and move him to the Office Users folder, I get a pop-up that states something along the lines of... it can damage the account if moved from the Users folder... I am sure you guys know the pop-up I am talking about.

Once I move john over to the Office Users OU, I log in on my workstation that is already connected to the domain, and all of the restrictions are in effect. I was not surprised, this is what the GPO is for. I logged my user out, moved him from the Office Users OU to the Administration OU and when I logged back in as john on the desktop workstation, the restrictions were gone and he had access to everything.

So, everything I did seemed to work just fine.

Here is my question...

Is there a better way to do what I am doing?

My only problem is that if I want to change a setting for that user, I would have to move them from one OU to the other.
Question by:tomdlgns

Accepted Solution

by: ckozloski earned 125 total points
ID: 22721745
No. You move them from one group to another. It's easier that way. You can apply your GPOs to user groups instead of OUs and just change the group membership of the person you want the settings to change on.
So, create two groups: Administration and Office Users.
Change the enforcement for your two GPOs to Administration and Office Users.
Then change the group membership of your test user to Office Users. Create another test user and add him to the group Administration.
Log in with the two and see the difference.
Hope this helps.
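
The group-based approach from the accepted answer, sketched in PowerShell as an added example that is not part of the original thread. It assumes the GroupPolicy and ActiveDirectory modules are available, that both GPOs are linked to a container that holds the user accounts, and that the group names and the test users `john` and `jane` are hypothetical placeholders.

```powershell
# Added example: filter two GPOs by security group instead of moving users between OUs.
# Assumptions: GPOs 'Office Users' and 'Administration' already exist and are linked
# where the user accounts live; group and user names below are placeholders.
Import-Module GroupPolicy, ActiveDirectory

$map = @{
    'Office Users'   = 'GG-Office-Users'      # GPO name -> filtering group
    'Administration' = 'GG-Administration'
}

foreach ($gpoName in $map.Keys) {
    $group = $map[$gpoName]

    # Create the global security group if it does not exist yet.
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
    }

    # Only members of this group may apply the GPO.
    Set-GPPermission -Name $gpoName -TargetName $group `
        -TargetType Group -PermissionLevel GpoApply

    # Authenticated Users has Apply by default; downgrade it to Read so the
    # filter takes effect. Read is kept so the policy can still be retrieved.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace
}

# Initial assignment of the two test users.
Add-ADGroupMember -Identity 'GG-Office-Users'   -Members 'john'
Add-ADGroupMember -Identity 'GG-Administration' -Members 'jane'

# Changing a user's settings later is a membership change, not an OU move.
Remove-ADGroupMember -Identity 'GG-Office-Users' -Members 'john' -Confirm:$false
Add-ADGroupMember    -Identity 'GG-Administration' -Members 'john'

# Review who can apply each GPO.
foreach ($gpoName in $map.Keys) {
    Get-GPPermission -Name $gpoName -All |
        Select-Object @{n='GPO';e={$gpoName}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
```

Group membership is evaluated at logon, so the user has to log off and back on before the change shows up; `gpresult /r /scope user` on the workstation lists which GPOs were applied and which were filtered out. A user left in both groups receives both GPOs, so remove the old membership when adding the new one.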

Author Comment

by:tomdlgns
ID: 22721851
OK, that is a good way to do it as well.

Can I corrupt the user account if I keep moving it back and forth from folder to folder?

What role does the Member Of tab have in the AD user properties?

I have noticed, at times, if there is a restricted user on my network, for example, they can't change the power settings on their computer, if I click the Member Of tab, and add them as an administrator, they now have access to change power settings.

I suppose I might be looking into this too deep.


Expert Comment

by:ckozloski
ID: 22722082
No, you have to look into group policies very deeply. They can get confusing and you can actually create a lot of issues just by implementing GPOs. If done right, however, they are an administrator's dream come true.
You can't corrupt a user account by moving it from OU to OU. What can happen is that anything that may be tied to that OU will be lost when you move it to a different OU and vice-versa.
And yes, if you put a user in the Administrators group, you give them administrative rights to the computers and they will be able to change all that stuff and then some. Better to use the Power Users group instead.
You can also use group policy to assign what rights they do have access to on the local machine such as power settings and things like that.