bsharath
asked on
Through GPO, how can I add the Domain\Administrator & Domain Admin's accounts into each machine's local group?
Hi,
Through GPO, how can I add the Domain\Administrator & Domain Admin's accounts into each machine's local group?
A policy that can push these 2 user accounts into each machine's local group called "SophosAdministrator".
Regards
Sharath
ASKER
Thanks Matthew.
A few questions here:
When a Restricted Group is created, will that mean that all the members already in the group will be removed and new users will be added as mentioned?
Should this GPO be only for computers?
Will there be any issues if the domain controllers are listed in the same OU?
ASKER
Thanks...
If by chance anything fails, will there be errors on the clients?
How long will it take to replicate on the clients?
I have my default policy on the top of the OU structure. If I apply this there, will it take effect on all the below?
Should I have the policy selected to enforce?
Just a suggestion,
I'd only apply it to a few machines first so you can get a feel for the policy and how it works. Basically a pilot group before making a domain-wide change.
Yes, if you set it at the OU level it will affect all machines in that OU.
Thanks
Mike
ASKER
How can I force it to happen immediately on the clients?
gpupdate /force
ASKER
This did not do it..
Restarted 3 times
Gpupdate /force 3 times
Rsop.msc shows red mark
Another possible solution would be to add the posted code to a batch file and set it as the login script. This saves you the confusion of using restricted groups.
net localgroup "local group name here" /add "domain group name here"
If rsop.msc is showing a red cross, something is fatally wrong with the deployment of Group Policy. That would be the reason why the Restricted Groups policy did not apply, and until you fix the issue with GPO, Restricted Groups and many other policies will fail to run.
What Group Policy related events are logged in the Event Viewer?
-Matt
ASKER
I put 5 computer objects in the OU
2 show perfect but the group is not updated with the user
1 shows an exclamation mark
2 show red cross
In the system and DC event log shows this
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
Event 1030
no other events
I created a group called Sophosadministrator and added Domain\administrator in
member of this group.
Is all that right?
ASKER
It's as this:
Security Settings
Restricted Groups
Group Members Member of
DEVELOPMENT\SophosAdministrator DEVELOPMENT\administrator
The way you did it sounds correct. We can resolve issues with it applying later. The issue with 2 workstations not detecting it is more of a concern here.
What is the DNS Server IP on the failing workstations? DNS should be set to be resolved from one or more of your internal Domain Controllers which also runs the DNS Service. No ISP DNS Servers should be present here. Can you confirm this is the case?
DEVELOPMENT is your domain, correct?
It looks like there's a mistake in the configuration. It should be:
Create the initial group in the Restricted Groups config. Create the initial restricted group as DOMAIN\Domain Admins. Then, edit this Restricted Group policy and add to the 'Member Of' the text 'SophosAdministrator' (without the DEVELOPMENT\ before it).
I'm pretty sure that will work. Does that look correct to you, Mike?
-Matt
ASKER
Should I select the enforce?
Faster ways to force the GPO?
Enforcing the GPO will not cause it to update at the clients faster.
The only way you can get the clients to pick it up is to either wait for a background refresh, reboot them or run gpupdate /force. In the case of restricted groups policies I'd probably reboot them to kick it into action.
-Matt
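A verification pass for one pilot client, covering the DNS check, event 1030 and the policy refresh discussed in the replies above. This is an added example, not part of the original thread; the DNS server addresses are placeholders and the expected member is an assumption based on the configuration described.

```powershell
# Added example: run in an elevated Windows PowerShell 5.1 session on a pilot client.
# All three values below are assumptions/placeholders; replace them with your own.
$LocalGroup      = 'SophosAdministrator'            # local group named in the thread
$ExpectedMembers = @('DEVELOPMENT\Domain Admins')   # what the GPO is meant to add
$InternalDns     = @('192.0.2.10', '192.0.2.11')    # placeholder IPs of internal DC/DNS servers

# 1. DNS: every configured IPv4 DNS server should be an internal domain controller.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses -Unique
$foreignDns = @($dns | Where-Object { $_ -notin $InternalDns })

# 2. Record membership before the refresh so unexpected removals are visible afterwards.
$before = @(Get-LocalGroupMember -Group $LocalGroup -ErrorAction Stop |
    Select-Object -ExpandProperty Name)

# 3. Refresh computer policy and wait (up to 120 s) for processing to finish.
gpupdate /target:computer /force /wait:120 | Out-Null

# 4. Look for event 1030 ("cannot query for the list of Group Policy objects")
#    logged in the last 15 minutes.
$since = (Get-Date).AddMinutes(-15)
$gpErrors = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        Id        = 1030
        StartTime = $since
    } -ErrorAction SilentlyContinue)

# 5. Compare membership after the refresh with what was expected.
$after   = @(Get-LocalGroupMember -Group $LocalGroup |
    Select-Object -ExpandProperty Name)
$missing = @($ExpectedMembers | Where-Object { $_ -notin $after })
$removed = @($before | Where-Object { $_ -notin $after })

# 6. One summary object per machine; collect these from the pilot group
#    before linking the GPO any wider.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    NonInternalDns   = $foreignDns -join ', '
    Event1030Count   = $gpErrors.Count
    MembersNow       = $after -join ', '
    ExpectedMissing  = $missing -join ', '
    RemovedByRefresh = $removed -join ', '
}
```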
ASKER
I just tried a couple of restarts and a few still show red and 2 got to the normal state when rsop and has the setting correct but the group has not been cleared and added with the new user we set.
What is the enforce used for?
Just wanted to throw out another link about restricted groups, great writeup from MVP Florian
http://www.frickelsoft.net
Thanks
Mike