Jerry Seinfield
asked on
GPO help required
Hello MS team,
Can someone please provide me with step-by-step instructions and screenshots to document the following requirement?
Create a GPO at the root of the domain named contoso.com and match the below:
• Filter to apply to SERVER OS = ALL
• Exclude Domain Controllers
• Create a preference to add group XXXXXXXXX to the local administrators group
Thanks in advance
ASKER
Thanks Shaun,
Can you please summarize all steps required? Please, include screenshots of all steps
Not the point, question is for preferences
Well, now he has two options and can choose which he prefers to use in his environment. Here at Experts Exchange, people should be able to ask for assistance and receive guidance from professionals who draw from experience. Sometimes a question seeking a solution is misguided because the person asking lacks context. Much like a kid asking for cake at dinner time.
Yes after ID: 41960231 OP now has two options
Not to detract from you Shaun (and I didn't mean to sound gruff), your solution fits what the requester asked for regarding preferences. In my opinion, the only requirement being to add a group to local admin, the restricted groups option is cleaner. It lacks the flexibility of preferences, but also bypasses the headaches preferences introduce.
I'll look for a decent article which compares the two technologies so the OP can make an informed decision
As you said, in your opinion.
Mine is the opposite.
Most preference issues that you might be referring to were due to round trips when you add security groups to items, which was addressed in a patch.
It's not a fight here Shaun. Don't make it something it's not. Our opinions differ and that benefits the OP.
Found a few hits and gave them a cursory read. They all seem to align with each other at a high level:
GP Policy vs. Preference vs. GP preferences (GP Team Blog)
Policies vs. Preferences (WindowsNetworking)
Group Policy Preferences Myths and Facts (ITNinja)
Articles 1 and 3 are pre-patch and article 2....
A policy disables its associated user interface item on the user’s computer; a preference does not.
Does not apply to groups
A policy is removed when the GPO goes out of scope—that is, when the user or computer is no longer targeted by the GPO. A preference, however, remains configured for the targeted user or computer even when the GPO goes out of scope. Another way of saying this is that preferences tattoo the registry on the client computer, while policies do not tattoo the registry on the client computer.
When a policy is applied, the original registry settings on the client computer are not changed. Instead, the policy is stored in a special policy-aware section of the registry on the client. If the policy is later removed, the client’s original registry settings are restored. Another way of saying this is that a policy supersedes the corresponding configuration setting in the user interface on the client. With preferences, however, the original registry settings on the client are overwritten and removing the preference does not restore the original setting. In other words, a preference actually modifies the corresponding configuration setting in the user interface on the client. Because of this difference, policies can be effective only for features of Windows operating systems and applications that are Group Policy–aware, while preferences can be effective for any features of Windows operating systems and applications as long as the appropriate preference extension is loaded.
Does not apply to groups
Policies can be configured in both domain and local GPOs; preferences can be configured only in domain GPOs.
So?
A preference can be applied only once if desired; policies are always periodically refreshed.
This is a benefit
Right-click Group Policy Objects and select new policy
Name the policy appropriately
Right-click and edit the new policy
Browse to Computer Configuration > Windows Settings > Security Settings and right-click on the "Restricted Groups" node; select "Add Group"
In the "Add Group" dialog, click "Browse" and enter a group name (I used a group named CORP\Helpdesk), then click OK and then OK again
The CORP\Helpdesk Properties dialog should open automatically when you click OK (if not, just double-click on it in the Restricted Groups node of GPMC)
In the CORP\Helpdesk Properties dialog, under "This group is a member of:", click "Add..." and enter "Administrators" (do not use the browse dialog here or you risk adding it to the builtin "DOMAIN\Administrators" group. We only want the Administrators group in the context of the local SAM on machines where this is applied). Click OK and OK again to complete and exit the dialogs
Double-check your work:
Click the Restricted Groups node again. You should see the right-side of GPMC shows "CORP\Helpdesk" is a member of "Administrators"
Create the WMI filter:
Right-click the WMI Filters container and select "New...", then provide it a clear name.
Click "Add" under the "Queries:" section and add the following WQL query:
This will select ONLY Windows Server (any version) and NO Domain Controllers. Save the query by clicking OK to all dialogs.
Scope and filter the policy and filter:
Back in GPMC, right-click the domain root in GPMC and select "Link an Existing GPO...", selecting the policy we just created (alternately you could link this to one or more OUs depending on your needs)
Now, select the policy in GPMC and use the "Scope" tab to edit the filter settings...
Under security filtering, add "Authenticated Users"
At the bottom, use the pulldown to select your WMI filter.
That should be it... You can log on to any domain member server and run "gpupdate /force" in an ADMINISTRATOR powershell to force policy evaluation. Once that completes, the local Administrators group should include the new membership.
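A check to run on a member server or workstation after the policy refresh, as an added example that is not part of the original answer. The WQL query from the steps above did not survive on this page, so the ProductType = 3 query below is an assumption consistent with the stated behaviour (servers only, no domain controllers), and the function names are hypothetical.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell 5.1+
# session on a domain member (not a domain controller) after "gpupdate /force".

# ASSUMPTION: the thread's WQL query is missing from the page. This is the common
# ProductType test: 1 = workstation, 2 = domain controller, 3 = server (non-DC).
$FilterQuery   = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3'
$ExpectedGroup = 'CORP\Helpdesk'    # group name used in the steps above

function Test-WmiFilterMatch {       # hypothetical helper name
    param([Parameter(Mandatory)][string]$Query)
    # Group Policy treats a WMI filter as TRUE when the query returns >= 1 instance.
    $hits = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

function Get-LocalAdminReport {      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Expected)
    # Address the local Administrators group by its well-known SID so the check
    # does not depend on the (localizable) group name.
    $names = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
               Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ExpectedPresent = ($names -contains $Expected)
        AllMembers      = $names     # review for accounts that should not be admins
    }
}

$inScope = Test-WmiFilterMatch -Query $FilterQuery
$report  = Get-LocalAdminReport -Expected $ExpectedGroup

if ($inScope -and -not $report.ExpectedPresent) {
    # The GPO should have applied here; see which GPOs were applied or filtered out.
    Write-Warning "Filter matches but $ExpectedGroup is missing; check 'gpresult /r /scope computer'."
} elseif (-not $inScope -and $report.ExpectedPresent) {
    # The filter excludes this machine, so the membership came from somewhere else.
    Write-Warning "Filter does not match but $ExpectedGroup is present; membership was granted another way."
}
$report | Format-List
```

Running it on one server and one workstation shows both sides of the filter: the server should report ExpectedPresent as True, the workstation as False.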