Solved

ad gpo help rights

Posted on 2009-04-20
Last Modified: 2012-05-06
I have a client that has an Active Directory structure. At the top of an OU he has a GPO that gives full rights to him and his admin on the servers that are added to this GPO, but when he applied this, all the other admin rights that were applied were revoked. He wants to leave it so that he and his admin have full rights, but wants other clients to have the ability to have full rights to certain servers.
Question by:zenworksb

Expert Comment

by:corphealth
ID: 24186717
Not sure I 100% understand the question. There were already specific settings set in GPO that are now nonexistent once he applied this change?
If that is the case, it sounds like his GPO is replacing permissions set on another GPO further up the line.
 

Author Comment

by:zenworksb
ID: 24186763
I am sorry, here is the situation.

He has an OU to which he has applied a GPO that will have full rights to the servers that are added to the GPO in container server.

When this is applied it works and everything is great. But he has local rights on the server with users that are in the administrator group on that server. When he applies the GPO it removes all of this and just replaces it with the users in the GPO. Is there a way to have both?
 

Expert Comment

by:corphealth
ID: 24186916
Not that I'm aware. Sounds like GPO is doing what it was designed to do by applying the settings he specified to that machine. He will need to add those users to the GPO as well.
 
LVL 27

Accepted Solution

by:
bluntTony earned 2000 total points
ID: 24186987
Are you talking about a Restricted Groups policy? In that case, the GPO setting you have used is the wrong one. It sounds like you've defined the local group on the server and added the users to this. This makes ONLY those users members of this local group.
Say for example, you want to add the group Admins1 to the local Administrators group on the server, but want to leave the existing members intact:
1. In the Restricted Groups policy, create a new group, and enter DOMAIN\Admins1 (where DOMAIN is your domain name).
2. Then in the next dialogue, you use the 'This group is a member of' section. Add the local 'Administrators' group to this section at the bottom. This will add DOMAIN\Admins1 to the local group but will leave the other members in the group.
Hope this helps..
 

 
LVL 12

Expert Comment

by:NetAdmin2436
ID: 24187036
If I understand your situation correctly...It sounds like he is using a restricted groups setting, correct? Why couldn't he just add his account or any account he wants to the Administrator group in the restricted groups settings? Then his account and any others he specifies will always be applied.

GPO's are applied in this order: Local > Site > Domain > OU. OU's being the last policy that is applied and therefore the highest ranking.  

Unless you're saying he wants each server to have different members in the Administrators group. In that case, you could either create more OU's or don't even configure restricted groups. Is there any rhyme or reason to who gets administrator rights to a particular server? If not, then not bothering with restricted groups might be easier to administer than creating a bunch of OU's.

If there is some structure to who gets admin rights you could create an OU called 'Web Servers' and another called 'File Servers' and make a separate OU for each with the appropriate members/groups.
 

Author Comment

by:zenworksb
ID: 24188962
So in the restricted groups we have one and that applies and works, but we create another one and it still only applies the top one and does not add anyone else?
 
LVL 27

Expert Comment

by:bluntTony
ID: 24193104
Do not define the local group using the top section. This section defines the members of the local group, and no-one else. It says 'these are the members of this local group, and nobody else', hence 'Restricted Groups'.
You want to add users/groups to the group without restricting others. Just use the bottom section as described. This says 'these domain groups/users are to be added to the specified local group(s)'.
Although I've never done it, if you define both of the above in the same GPO, I would say that the restrictive setting overrules...
Please let me know if I have misunderstood.
 

Author Comment

by:zenworksb
ID: 24207357
I think you do understand. I went into the GPO setting and removed the top part and put the group I want in the bottom part and refreshed and it did not remove anyone, but it removed that group so that group was never present?
 
LVL 27

Expert Comment

by:bluntTony
ID: 24217832
I'm not sure I understand. Are you saying that the other default groups have come back, but the one you are trying to add is not being added?
I would remove the current setting completely and start again. Select 'Add Group' and enter the DOMAIN group, i.e. DOMAIN\groupname. Then, in the properties for this group, in the bottom section, add the name of the local group, i.e. Administrators.
This will add the group to the existing members. Also ensure that the GPO is actually applying by using gpresult.
0
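Added example, not part of the thread or any poster's own code: the two Restricted Groups boxes discussed in the accepted solution and in the follow-up comments ("Members of this group" at the top, "This group is a member of" at the bottom) are stored in the GPO's GptTmpl.inf under `[Group Membership]` as `__Members` and `__Memberof` keys, and this sketch reads that section and reports which entries replace a group's membership and which only add to it. The sample file content, the domain SID and the function names `parse_group_membership` and `classify` are constructed for illustration.

```python
# Constructed sample of a GPO's GptTmpl.inf; the domain SID and RIDs are made up.
# S-1-5-32-544 is the well-known SID of the local Administrators group.
DOM = "*S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = {DOM}-1105
{DOM}-1106__Memberof = *S-1-5-32-544
{DOM}-1106__Members =
"""


def parse_group_membership(inf_text):
    """Return {(group, kind): [values]} for the [Group Membership] section."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if sep:
            entries[(group, kind.lower())] = [v.strip() for v in value.split(",") if v.strip()]
    return entries


def classify(entries):
    """Label each non-empty entry as REPLACE (top box) or ADD (bottom box)."""
    findings = []
    for (group, kind), values in sorted(entries.items()):
        if not values:
            continue  # empty lists are not reported by this sketch
        if kind == "members":
            # "Members of this group": membership becomes exactly this list.
            findings.append(("REPLACE", group, values))
        elif kind == "memberof":
            # "This group is a member of": group is added, others are kept.
            findings.append(("ADD", group, values))
    return findings


if __name__ == "__main__":
    for mode, group, values in classify(parse_group_membership(SAMPLE_INF)):
        print(f"{mode:8} {group} -> {', '.join(values)}")
```

To check a real GPO, read its GptTmpl.inf from SYSVOL (the file is normally UTF-16 encoded) and pass the text to `parse_group_membership`; a REPLACE finding on the local Administrators group is the configuration that removed the existing local admins in this thread.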
