Solved

Group Policy and Active Directory Deployment

Posted on 2009-04-21
Medium Priority
314 Views
Last Modified: 2012-05-06
Currently, we are having issues with our Group Policy and Active Directory setup. As it stands, currently users belonging to the 'Domain Admin' group have nonrestrictive access for operating their local system. In Active Directory, we have departmentalized our users and workstations according to their corresponding department. (e.g. Department -> Sales -> Users/Computers in sales.) From the GPO perspective, these departments are linked to an existing GPO. What we are trying to narrow down is why users are unable to operate their local machines (for example, accessing Outlook 2003 is not permitted--as a Domain User). However, after immediately adding the user to the 'Domain Admin' group, they are granted privileges and are able to operate their system with no restrictions--which is not what we want.

So my questions are:
1.) What ties does the 'Domain Admin' have between GPO/AD?

2.) Are we possibly looking in the completely wrong area?

3.) How can we enable users to work off of the 'Domain Users' group without having such restrictive permissions?

Thanks for your time, and any follow ups that occur.
Question by:media3printing

6 Comments
LVL 2

Expert Comment

by:uborpete
ID: 24195250
1) Domain Admin is a user group which allows members to administer your entire domain, log onto domain controllers etc. It is not a good idea to have anyone log on with that kind of access but it will by default give members local administrator rights on any machine they log into.
2) I am not sure why you are using group policies at all. What are you trying to achieve?
3)
Right click on "My computer", "Manage", "Local Users and Groups", "Groups".
Double click on the group "Users", make sure "Domain Users" is in there. If not, add it.

If you would like users to be able to install software also add "Domain Users" to the "Administrators" group on each local computer.

This is not a full answer, but if you could elaborate on question 2 I will attempt to answer.

Author Comment

by:media3printing
ID: 24195957
Please disregard the first post:
What we are trying to narrow down is why when users log into the workstation using their roaming profile credentials they are experiencing restricted access to system programs and have limited functionality (for example, accessing Outlook 2003 is not permitted--as a Domain User). If we add the user to the 'Domain Admin' group, they are granted privileges and are able to operate their system with no restrictions--which is not what we want. We need an 'in between' type of privilege. The best privilege we can relate it to would be a power user.

How can we enable users to work off of the 'Domain Users' group without having such restrictive permissions?

LVL 3

Expert Comment

by:SimonL-UK
ID: 24197277
Hi,
If users can log into the computers but not launch applications, users are members of the "Domain Users" group.
Do users get an error message when they launch applications?
Is it all applications?

The two most common reasons are:

1. The NTFS permissions on the client workstations are non-default - you can check this by using a tool called filemon from sysinternals
2. You have restricted the applications that users can launch using GPOs - this will be a software restriction policy.
    Run gpresult /v > c:\appliedgpos.txt and see what policies are applied

HTH
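The two checks suggested in the comments above (uborpete's "is Domain Users a member of the local Users group?" and SimonL-UK's "are the NTFS permissions non-default, or is a software restriction policy applied?") can be run from one script instead of by hand. The following PowerShell is an added example, not code from the thread or from any of its participants. It reads the folder ACL directly with Get-Acl as a static stand-in for watching filemon, and it writes the same gpresult /v output to c:\appliedgpos.txt that the comment mentions. The Office 2003 install folder is an assumption; adjust -AppPath to whichever application fails with "Access denied". Run it in an elevated PowerShell session on the affected workstation.

```powershell
<#
  Added diagnostic example (not from the original thread).
  Checks, in order:
    1. local group membership  (uborpete, step 3)
    2. NTFS rights on the application folder  (SimonL-UK, reason 1)
    3. applied GPOs / software restriction indicators  (SimonL-UK, reason 2)
#>
param(
    [string]$AppPath         = 'C:\Program Files\Microsoft Office\OFFICE11',  # assumption: Office 2003 default path
    [string]$DomainUsersName = "$env:USERDOMAIN\Domain Users",
    [string]$ReportPath      = 'C:\appliedgpos.txt'                           # same file name as in the thread
)

function Get-LocalGroupNames {
    param([string]$Group)
    # Get-LocalGroupMember exists on Windows 10 / Server 2016 and later; older
    # systems fall back to parsing 'net localgroup', whose member list follows a
    # dashed separator line and ends with "The command completed successfully."
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        return @(Get-LocalGroupMember -Group $Group | ForEach-Object { $_.Name })
    }
    $lines = @(net localgroup $Group)
    $sep = 0
    while ($sep -lt $lines.Count -and $lines[$sep] -notmatch '^-{5,}') { $sep++ }
    return @($lines[($sep + 1)..($lines.Count - 1)] |
             Where-Object { $_ -and $_.Trim() -and $_ -notmatch 'command completed' })
}

function Test-ReadExecute {
    param([string]$Path, [string]$Identity = 'BUILTIN\Users')
    # A user launches a program only if some group they belong to holds
    # Read & Execute on it and no explicit Deny removes it. Explicit Deny wins.
    $acl   = Get-Acl -LiteralPath $Path
    $mine  = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
    $want  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $allow = $mine | Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $want) -eq $want) }
    $deny  = $mine | Where-Object { $_.AccessControlType -eq 'Deny'  -and (($_.FileSystemRights -band $want) -ne 0) }
    [pscustomobject]@{
        Path        = $Path
        Identity    = $Identity
        ReadExecute = ([bool]$allow) -and (-not [bool]$deny)
        Owner       = $acl.Owner
    }
}

function Get-GpoReport {
    param([string]$OutFile)
    # gpresult /v lists applied GPOs and the settings each one delivers. The full
    # text is kept for review; the regexes below are heuristic pointers only.
    $text = gpresult /v 2>&1 | ForEach-Object { [string]$_ }
    $text | Set-Content -LiteralPath $OutFile -Encoding ASCII
    [pscustomobject]@{
        ReportFile    = $OutFile
        AppliedGpos   = @($text | Where-Object { $_ -match '^\s*GPO:\s' } |
                          ForEach-Object { ($_ -replace '^\s*GPO:\s*', '').Trim() } | Sort-Object -Unique)
        SrpIndicators = @($text | Where-Object { $_ -match 'Software Restriction|Safer|DisallowRun|RestrictRun' } |
                          ForEach-Object { $_.Trim() })
    }
}

# ---- 1. group membership -------------------------------------------------
$usersMembers = Get-LocalGroupNames -Group 'Users'
$adminMembers = Get-LocalGroupNames -Group 'Administrators'
$domainAdmins = "$env:USERDOMAIN\Domain Admins"
$inUsers      = $usersMembers -contains $DomainUsersName
$inAdmins     = $adminMembers -contains $domainAdmins
"Domain Users in local Users group:        $inUsers"
"Domain Admins in local Administrators:    $inAdmins   (this nesting is why Domain Admin membership removes every restriction)"

# ---- 2. NTFS rights on the application folder ----------------------------
if (Test-Path -LiteralPath $AppPath) {
    foreach ($id in 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') {
        Test-ReadExecute -Path $AppPath -Identity $id | Format-Table -AutoSize
    }
} else {
    "Application path not found: $AppPath (pass -AppPath)"
}

# ---- 3. applied policy --------------------------------------------------
$gpo = Get-GpoReport -OutFile $ReportPath
"Applied GPOs (from 'GPO:' lines): $($gpo.AppliedGpos -join ', ')"
"Software restriction indicators:  $($gpo.SrpIndicators.Count) line(s); full report in $($gpo.ReportFile)"
```

A ReadExecute value of False for both BUILTIN\Users and Authenticated Users on the application folder matches the "Access denied" filemon entry described later in the thread and points at the NTFS permissions rather than at Group Policy; a non-zero count of software restriction indicators points the other way, and the saved report shows which GPO delivers the setting.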

Author Comment

by:media3printing
ID: 24204546
Okay, I'll try my best to accurately describe what happened after following your instructions; although I'm not presently at the workstation. I ran filemon, and one of the recurring issues I've seen after executing OUTLOOK.EXE was that the status indicated "Access denied" for the specific user. (The username was in the format DOMAIN\username.) Also, the error message for OUTLOOK.EXE indicates "Cannot start Microsoft Office Outlook."

LVL 3

Expert Comment

by:SimonL-UK
ID: 24207962
If you're getting the error "Access is denied" when launching your applications, then your NTFS permissions on the local workstations are too strict.
I'd check your NTFS permissions...


Accepted Solution

by:media3printing (earned 0 total points)
ID: 24315319
Figured it out. Turns out we had to recreate our profiles from scratch.