zenworksb
AD GPO rights help

I have a client that has an Active Directory structure. At the top of an OU he has a GPO that gives full rights to him and his admin on the servers that are added to this GPO, but when he applied this, all the other admin rights that were applied were revoked. He wants to leave it so that he and his admin have full rights, but he also wants the ability for other clients to have full rights to certain servers.
corphealth
Not sure I 100% understand the question. There were already specific settings set in GPO that are now nonexistent once he applied this change?
If that is the case, it sounds like his GPO is replacing permissions set on another GPO further up the line.
zenworksb (ASKER)
I am sorry here is the situation.

He has an OU to which he has applied a GPO that will give full rights to the servers that are added to the GPO in the Servers container.

When this is applied it works and everything is great. But he has local rights on the server, with users that are in the Administrators group on that server. When he applies the GPO it removes all of this and just replaces it with the users in the GPO. Is there a way to have both?
Not that I'm aware. Sounds like GPO is doing what it was designed to do by applying the settings he specified to that machine. He will need to add those users to the GPO as well.
ASKER CERTIFIED SOLUTION
bluntTony
If I understand your situation correctly... It sounds like he is using a Restricted Groups setting, correct? Why couldn't he just add his account or any account he wants to the Administrators group in the Restricted Groups settings? Then his account and any others he specifies will always be applied.

GPOs are applied in this order: Local > Site > Domain > OU. The OU is the last policy that is applied and therefore the highest ranking.

Unless you're saying he wants each server to have different members in the Administrators group. In that case, you could either create more OUs or not configure Restricted Groups at all. Is there any rhyme or reason to who gets administrator rights to a particular server? If not, then not bothering with Restricted Groups might be easier to administer than creating a bunch of OUs.

If there is some structure to who gets admin rights, you could create an OU called 'Web Servers' and another called 'File Servers', and make a separate GPO for each with the appropriate members/groups.
So in Restricted Groups we have one entry, and that applies and works, but when we create another one it still only applies the top one and does not add anyone else?
Do not define the local group using the top section. This section defines the members of the local group, and no one else. It says 'these are the members of this local group, and nobody else', hence 'Restricted Groups'.
You want to add users/groups to the group without restricting others. Just use the bottom section as described. This says 'these domain groups/users are to be added to the specified local group(s)'.
Although I've never done it, if you define both of the above in the same GPO, I would say that the restrictive setting overrules...
Please let me know if I have misunderstood.
I think you do understand. I went into the GPO setting, removed the top part and put the group I want in the bottom part, and refreshed. It did not remove anyone, but it removed that group, so that group was never present?
I'm not sure I understand. Are you saying that the other default groups have come back, but the one you are trying to add is not being added?
I would remove the current setting completely and start again. Select 'Add Group' and enter the DOMAIN group, i.e. DOMAIN\groupname. Then, in the properties for this group, in the bottom section, add the name of the local group, i.e. Administrators.
This will add the group to the existing members. Also ensure that the GPO is actually applying by using gpresult.
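The two Restricted Groups sections discussed above (the "Members" section that replaces a local group's membership, and the "Member Of" section that adds a principal to a local group) end up in the GPO's security template, GptTmpl.inf, under SYSVOL at `<GPO>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf`. The script below is an added example written for this page, not code from the thread or from Microsoft: it parses the `[Group Membership]` section of such a template and simulates what a server's local Administrators group looks like after the policy applies, so the restrictive and additive forms can be compared side by side. The two templates, the server's current membership, and the names CONTOSO\ClientAdmins, CONTOSO\HelpdeskTier2 and SRV01\backupsvc are constructed for the demo. The simulation assumes the semantics the thread describes: a `__Members` line replaces the group outright, a `__Memberof` line only adds, and when both target one group the Members line is applied first. It also assumes the editor writes the unused key of each entry as an empty value.

```python
import re
from typing import Dict, List, Set, Tuple

# Well-known SID of BUILTIN\Administrators. SecEdit templates write SIDs with a leading '*'.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample 1: the local group was defined in the TOP ("Members") section.
# This is the restrictive form that wiped out the existing admins in the thread.
RESTRICTIVE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\\ClientAdmins,CONTOSO\\Domain Admins
"""

# Constructed sample 2: the DOMAIN group was added and its BOTTOM ("Member Of")
# section points at Administrators. The empty __Members key is assumed to be what
# the editor writes for the unused section.
ADDITIVE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
CONTOSO\\ClientAdmins__Memberof = *S-1-5-32-544
CONTOSO\\ClientAdmins__Members =
"""

# Constructed local SAM state of a member server before the policy applies.
CURRENT_LOCAL_GROUPS: Dict[str, Set[str]] = {
    ADMINISTRATORS_SID: {
        "Administrator",
        "CONTOSO\\Domain Admins",
        "CONTOSO\\HelpdeskTier2",
        "SRV01\\backupsvc",
    },
}

Entry = Tuple[str, str, List[str]]  # (subject, "members" | "memberof", principals)


def normalize(principal: str) -> str:
    """Strip whitespace and the '*' that marks a SID literal in the template."""
    principal = principal.strip()
    return principal[1:] if principal.startswith("*") else principal


def parse_group_membership(inf_text: str) -> List[Entry]:
    """Parse the [Group Membership] section of a GptTmpl.inf template.

    On disk the file is UTF-16LE; open it with encoding="utf-16" before passing
    the text in. Keys look like '<subject>__Members' (restrictive: the complete
    membership of a local group) or '<subject>__Memberof' (additive: the local
    groups the subject is added to). Values are comma-separated principals.
    """
    entries: List[Entry] = []
    in_section = False
    key_re = re.compile(r"^(?P<subject>.+?)__(?P<kind>members|memberof)$", re.IGNORECASE)
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        match = key_re.match(key.strip())
        if not match:
            continue
        principals = [normalize(p) for p in value.split(",") if p.strip()]
        entries.append((normalize(match["subject"]), match["kind"].lower(), principals))
    return entries


def apply_restricted_groups(local_groups: Dict[str, Set[str]], entries: List[Entry]) -> Dict[str, Set[str]]:
    """Simulate the local group membership after the template applies (assumed semantics)."""
    result = {group: set(members) for group, members in local_groups.items()}
    # Pass 1: restrictive lines. Every current member not listed is removed.
    # A Members line whose subject is not a local group on this server (the empty
    # line written for a domain group, for example) has nothing to act on.
    for subject, kind, principals in entries:
        if kind == "members" and subject in result:
            result[subject] = set(principals)
    # Pass 2: additive lines. Existing members are left in place.
    for subject, kind, principals in entries:
        if kind == "memberof":
            for group in principals:
                if group in result:
                    result[group].add(subject)
    return result


def find_replacing_entries(entries: List[Entry], group_sid: str = ADMINISTRATORS_SID) -> List[Entry]:
    """Audit check: the Members lines that would overwrite the given local group."""
    return [e for e in entries if e[1] == "members" and e[0] == group_sid]


def simulate(inf_text: str) -> Set[str]:
    """Parse a template and return the Administrators membership it produces."""
    entries = parse_group_membership(inf_text)
    return apply_restricted_groups(CURRENT_LOCAL_GROUPS, entries)[ADMINISTRATORS_SID]


if __name__ == "__main__":
    for label, inf in (("restrictive", RESTRICTIVE_INF), ("additive", ADDITIVE_INF)):
        replacing = find_replacing_entries(parse_group_membership(inf))
        print(f"{label}: overwrites Administrators? {bool(replacing)}")
        print(f"  Administrators after policy: {sorted(simulate(inf))}")
```

Running it shows the restrictive template leaving only CONTOSO\ClientAdmins and CONTOSO\Domain Admins in Administrators (the helpdesk group and the local service account are gone), while the additive template keeps the existing members and adds CONTOSO\ClientAdmins. On a real server, confirm the outcome rather than trusting the template: `gpresult /r /scope computer` shows whether the GPO applied to the computer at all, and `net localgroup Administrators` shows the membership that actually resulted.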