Re: Lab Domain Layout - SOS


From: Al Mulnick (amulnick_No_SPAM_at_ncDOTrr.com)
Date: 09/02/04


Date: Thu, 2 Sep 2004 09:05:43 -0400

Hard to follow exactly, but in your situation there are no login scripts
assigned for the labadmin user, correct?

I can't think why you'd want to put the labadmin account in the workstations
OU. That doesn't make any sense at all (to me anyway).

I would think you might want to do something similar to the following for OU
layout:

domain context
|_Admins
|_Corp
    |_Servers
    |_Workstations
    |_Users
    |_Groups
|_Builtin
|_computers
|_Users

Etc...

That way you can attach user-specific and machine-specific GPOs to the
users. Your labadmin would reside in the corp/admins OU, while labuser
would be in corp/users OU. Assign the scripts appropriately, remembering
that some settings are user-specific and some are workstation-specific,
meaning you may need a master script that checks which OU a user is in or
what groups etc. and then makes a decision as to which sub-functions to run
based on that information. Depends on what the scripts do.

"Adrian Marsh (NNTP)" <marsh_removeme_@lucent.com> wrote in message
news:es9PVsOkEHA.3536@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> I'm trying to sort out my domain structure before deployment, but I'm
> hitting some snags. Main problem is in sorting out where in the structure
> User accounts should exist, and what groups they should be a member of,
> and how that affects the logon scripts.
>
> Here's the current Layout:
> ---------------------------------
> uk-lab
> Builtin
> Computers
> Domain Controllers (OU)
> ForeignSecurityPrincipals
> Servers (OU) (Server Admins)
> Users (labadmin)
> Workstations (OU) (labuser, labusergroup)
> Desktops A (OU)
> Desktops B (OU)
> Desktops C (OU)
> laptops (OU)
> test machines (OU)
>
> here are the users:
> labuser - part of the Workstations OU. member of the "labusergroup". Also
> a member of Domain User.
> labadmin - part of the Users container. member of "server admins group".
> Also a member of Domain Admin.
>
> here are the groups:
> labusergroup - Part of the workstations OU
> Server admins - Part of the Servers OU
>
> I have 5 GPO policies:
>
> uk-lab domain policy (top level)
> DC policies
> Servers Policy
> Workstations Policy
> test machines policy
>
> (Workstation policy will be inherited into child-OUs : laptops, etc.
> Intended to be able to setup different Automatic Update schedules, and
> test different settings on test machines).
>
> Separate logon scripts are defined for both the Server OU, and Workstation
> OU.
>
> labuser is a member of Restricted Group (Administrator) under the
> Workstation OU.
>
> labadmin is a member of the Domain Admins.
> -----------------------------------
> Here's my issue:
>
> I want labadmin to be able to logon anywhere (which is why I left it in
> the default users container). I only want labuser to be able to logon to
> computers held in the Workstations OU and below.
>
> At the moment, when labuser logs into Workstation PCs, all works well.
>
> But if labadmin logs into a machine on the Server OU, then none of the
> server logon scripts run. If I move the lab admin account into the
> Servers account, then will that account be able to log into the
> Workstation PCs??? Will the logon scripts for labadmin work?
>
> I want labadmin to be able to logon anywhere, but have the logon scripts
> run in reflection of the OU policy (i.e. Servers run "server" type
> scripts, Workstations run different sets).
>
> What am I missing about the setup of labadmin to be able to have it logon
> everywhere, and have appropriate scripts run?
>
> I've tried:
>
> - Moving the logon scripts for server into the top-level OU (uk-lab), but
> then those scripts also run on any Computers in Workstation and below.
> - Moving the labadmin account into Servers. But then I'm unsure if
> labadmin is still able to logon to Workstation accounts. And how would
> logon scripts run?
>
> I just can't work out which OU to put labadmin in. Whichever OU I move him
> to, I think he'll not be able to log into the other. Obviously I've missed
> something simple ??
>
> Adrian
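
Logon scripts are a user-side GPO setting, so by default they are selected by where the user object sits rather than by the OU of the machine being logged on to; a script that must behave differently on servers and workstations has to work that out itself. The PowerShell below is an added example of the master-script approach suggested in the reply, not code from either poster: the OU and group names are taken from the thread, while the task names, the `DC=example` suffix and the sample computer names are assumptions.

```powershell
# Added example. OU and group names follow the thread's layout; the task
# names in the plan are hypothetical placeholders for real sub-scripts.

function Get-OuPath {
    # List the OU names in a distinguished name, outermost first.
    param([string]$DistinguishedName)
    # Split on commas that are not backslash-escaped inside a value.
    $ous = @($DistinguishedName -split '(?<!\\),' |
        Where-Object { $_ -match '^\s*OU=' } |
        ForEach-Object { $_ -replace '^\s*OU=', '' })
    [array]::Reverse($ous)
    return ,$ous
}

function Get-LogonPlan {
    # Pick sub-functions from the machine's top-level OU and the user's groups.
    param([string]$ComputerDN, [string[]]$UserGroups)
    $top  = (Get-OuPath $ComputerDN)[0]   # child OUs (laptops etc.) inherit from it
    $plan = @()
    if     ($top -eq 'Servers')      { $plan += 'ServerTasks' }
    elseif ($top -eq 'Workstations') { $plan += 'WorkstationTasks' }
    if ($UserGroups -contains 'Server Admins') { $plan += 'AdminTasks' }
    if ($UserGroups -contains 'labusergroup')  { $plan += 'LabUserTasks' }
    return ,$plan
}

function Get-LiveContext {
    # Real values on a domain-joined machine (not called in the demo below).
    $sys = New-Object -ComObject ADSystemInfo
    $dn  = $sys.GetType().InvokeMember('ComputerName', 'GetProperty', $null, $sys, $null)
    # Group names from the logon token, which also covers nested groups.
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
        try { ($_.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1] } catch { } }
    return @{ ComputerDN = $dn; UserGroups = $groups }
}

# Constructed sample input: computer names and the DC= suffix are made up.
$samples = @(
    @{ Who = 'labadmin on a server'; DN = 'CN=SRV01,OU=Servers,DC=uk-lab,DC=example'
       Groups = @('Domain Admins', 'Server Admins') },
    @{ Who = 'labadmin on a laptop'; DN = 'CN=LT07,OU=laptops,OU=Workstations,DC=uk-lab,DC=example'
       Groups = @('Domain Admins', 'Server Admins') },
    @{ Who = 'labuser on a laptop';  DN = 'CN=LT07,OU=laptops,OU=Workstations,DC=uk-lab,DC=example'
       Groups = @('Domain Users', 'labusergroup') }
)
foreach ($s in $samples) {
    '{0}: {1}' -f $s.Who, ((Get-LogonPlan $s.DN $s.Groups) -join ', ')
}
```

Assigned once at a level that reaches every user account, a script like this gives the same account different behaviour per machine without moving the account between OUs.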


