jakesty
asked on
GPO exists, but I can't modify or access it from ADMINISTRATOR user ID.
I'm new to Group Policies, but I have nearly completed a setup. I have created a Loopback policy for my new test Thin Client computer which will connect to a terminal server 2003 via RDP. Under GPMC I have it set for all Authenticated users, but I don't want it to apply to the Administrators group.
In my efforts to set this policy, I set the DELEGATION access to DENY for this thin client OU. Now the OU doesn't show up. I'm afraid to do anything for fear that I could totally jack the network.
Under this OU there are Domain Admins and Enterprise Admins groups both with allow Access. These two groups are members of ADMINISTRATORS. Would it be ok, to remove them from the ADMINISTRATORS group, modify the setting with a user account that is only a member of DOMAIN ADMINS for example, then add it back in to ADMINISTRATORS?
If not, what is the best method to 1. get back access to the OU, and 2. prevent the OU from running/executing?
Thanks for your help, Jake
Open DSA.MSC and remove the Deny Permission which you have applied.
Compare with other OUs
ASKER
Under DSA.msc the link looks broken, but when I right click and go to properties it states;
"The active directory object could not be displayed
Unable to view attribute or value. You may not have permissions to view this object"
This makes sense since I disabled everything for group Administrators.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
I had forgotten about that Advanced Features tab in ADUC. That's awesome, you solved it w/o me having to mess with removing and adding back access. You just never know how it may mess up the network if I were to start modifying administrators access.
Thanks a lot.
Jake
1) GPO Filtering -
2) Create groups, add users (admins) in the same group, and apply policy permission - Deny it
Helpful links-
www.windowsnetworking.com/.../Group-Policy-Security-Filtering.html
technet.microsoft.com/en-u
GPO best practices & GPO Filtering
www.petri.co.il/forums/showthread.php?t=4533
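The difference between the broad Deny that hid the OU in the question and the narrow filtering Deny suggested in the last answer can be checked by classifying the Deny ACEs on the object. This is an added example, not code from the thread: `Test-DenyAce` is a hypothetical helper, the two sample ACEs are constructed, and the DN in the final comment is a placeholder.

```powershell
# Added example: classify Deny ACEs found on a GPO or OU.
Add-Type -AssemblyName System.DirectoryServices

# Schema GUID of the "Apply Group Policy" extended right.
$ApplyGroupPolicy = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Test-DenyAce {
    param([System.DirectoryServices.ActiveDirectoryAccessRule[]]$Ace)
    foreach ($a in $Ace) {
        if ($a.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Deny) { continue }
        # A filtering-only Deny names exactly the Apply Group Policy right and nothing else.
        $filterOnly = ($a.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                      ($a.ObjectType -eq $ApplyGroupPolicy)
        if ($filterOnly) { $verdict = 'OK: only exempts this identity from the GPO' }
        else             { $verdict = 'RISK: denies more than Apply Group Policy' }
        [pscustomobject]@{
            Identity = $a.IdentityReference.Value
            Rights   = $a.ActiveDirectoryRights
            Verdict  = $verdict
        }
    }
}

# Constructed sample ACEs for BUILTIN\Administrators (well-known SID S-1-5-32-544).
$admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$deny   = [System.Security.AccessControl.AccessControlType]::Deny
$sample = @(
    # Broad Deny, like the one that made the OU unreadable in the question.
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $admins, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $deny)),
    # Narrow Deny, as used for GPO security filtering.
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $admins, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $deny, $ApplyGroupPolicy))
)

Test-DenyAce -Ace $sample | Format-Table -AutoSize

# Live use (assumes the ActiveDirectory module is loaded; the DN is a placeholder):
# Test-DenyAce -Ace (Get-Acl 'AD:\OU=ThinClients,DC=example,DC=com').Access
```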