Group Policy and Active Directory Deployment
Posted on 2009-04-21
Currently, we are having issues with our Group Policy and Active Directory setup. As it stands, currently users belonging to the 'Domain Admin' group have nonrestrictive access for operating their local system. In Active Directory, we have departmentalized our users and workstations according to their corresponding department. (e.g. Department -> Sales -> Users/Computers in sales.) From the GPO perspective, these departments are linked to an existing GPO. What we are trying to narrow down is why users are unable to operate their local machines (for example, accessing Outlook 2003 is not permitted--as a Domain User). However, after immediately adding the user to the 'Domain Admin' group, they are granted privileges and are able to operate their system with no restrictions--which is not what we want.
So my questions are:
1.) What ties does the 'Domain Admin' have between GPO/AD?
2.) Are we possibly looking in the completely wrong area?
3.) How can we enable users to work off of the 'Domain Users' group without having such restrictive permissions?
Thanks for your time, and any follow-ups that occur.