Solved

Prevent Active Directory group policy getting applied

Posted on 2009-05-07
9
954 Views
Last Modified: 2012-05-06
Hi,
I would like to know whats the options possilbe in preventing AD Group Policy getting applied to a computer or user.

The reason is we have few users who is having local admin rights on the machine and they are removing Domain Administrators from Local admin group. I am running a login script as part of GPO to add the Domain Admin back to the local admin group everytime they login and i know that its failing. For Group Policy everything else is fine, like networking OU's etc.

So i want to know what are the options they have to prevent GP script getting applied and work that way. Our setup is Win 2003 AD with XP SP3 and SP2 machines.

Thanks

0
Comment
Question by:qman2007
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 18

Expert Comment

by:Mal Osborne
ID: 24333146
Add the users to a Group, then in the security tab on the GPO properties, Tick the "deny" box under "apply group policy"  for that group.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24333266
For more information about security filtering look here:
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
...but that is really not your issue because you want the policies to apply to the users
If they are local admin rights they can add and remove to the local machines at will.  First thing is maybe take their rights away.  They should not be doing that.
Have you thought about using restricted groups for your admin groups?
http://www.frickelsoft.net/blog/?p=13
Thanks
Mike
0
 

Author Comment

by:qman2007
ID: 24334658
Hi Malmensa & Mike,

Thanks for your replies. But as i said in my post they are not letting the Group Policy to be executed and becuse of that i cant add Domain Administrator to Local Admin group.

Any suggestions on how users can block Group Policy Getting executed

Cheers
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 9

Expert Comment

by:Frank McCourry
ID: 24335017
Go back to your policy in Group Policy Manager and make sure it is "Enforced"
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24336200
How do you know they are not letting it execute?  It could execute then they could just go remove the Domain Admin group.  The script won't run again
 
0
 
LVL 9

Expert Comment

by:Frank McCourry
ID: 24336292
Create a Policy that defines your users in the policy instead of using the script.  The policy need to have these settings:
Location:
Computer Configuration
      Windows Settings
            Security Settings
                Restricted Groups
                   
Under restricted Groups add "Administrators"  Right click on the group and the properties.  Add the domain accounts that need administrator access and remove any that don't.

Save the policy, apply it to the OU and set it to enforced.  use gpupdate /force /wait:0 to apply it immediatly.  Users will have to log off then back on for it to take effect, but then you won't have to worry about it again.

BTW you can do this with power users and other groups too.

0
 

Author Comment

by:qman2007
ID: 24342264
Hi Guys,

Thanks for your replies. The problem is my Group Policies are not getting applied.

Mike, you asked me how do i know that policies are not getting applied. I checked on 1 - 2 machines and found that its not applied. What i mainly want to know is, is there a way in Windows XP where a user can stop Group Policy getting applied eventhough he logs to domain.

Thanks



0
 
LVL 2

Expert Comment

by:techxperts
ID: 24349208
you can do a gpupdate /force on the windows client to force it to refresh the policy locally otherwise you may not  be waiting long enough time interval for syncronization? Some policies would force a logoff and logon to fully take affect but you should be notified when running this command from a prompt.
0
 
LVL 9

Expert Comment

by:Frank McCourry
ID: 24354092
If a policy is not being applied, it most likely not caused by anything the user is doing.  The whole purpose of policies it to force settings that the users cannot change.  If they are not being applied, it is because of a security error, possibly because the computer SID does not match or because of a networking problem such as the time on the server is drastically different from the PC's.  

As techexperts said, you may not be waiting long enough for synchronization to occur.  Just to add to his comment, if you add the /Wait:0 to the gpupdate command you will not have to wait.  the full command would be gpupdate /force /wait:0.  the caveat is that this has to be run from each workstation, which may take you longer than 15 minutes anyway.  You could put it in their logon script however.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question