Re: Need advice: GPO practice for member servers
- From: boomboom999@xxxxxxxxx
- Date: 19 Apr 2006 14:13:55 -0700
Here is an exemple.
We want to control the following rights
Allow logon locally
Allow logon via TS
Deny logon from network
Manage security Log
Backup/Restore files
Take ownership
Shutdown from network
moreover we want to control the local groups like
Administrators
Backup Operators
Power Users
Suppose that I make one basic GPO for all member servers that works as
following:
Allow logon locally = Administrators, Backup Operators
Now application and service accounts that wants to have this privilege
are not working.
Same thing if I assign a restricted group like this:
Administrators=Administrator, Domain Admins
All services that wanted to be here are not working any more.
The problem is that on 100 servers I may have 10 servers with services
that requires local admin rights, other 10 that require the "logon
locally" right, and 10 other that require both of them.
Now think of number of combination that I can have with 100 servers, 8
rights and 3 local groups that I want to control -> a pretty big
number
So, is creating one GPO per server the only possiblity to get job done?
How others manage this nightmare?
.
- Follow-Ups:
- Re: Need advice: GPO practice for member servers
- From: Scott Lowe
- Re: Need advice: GPO practice for member servers
- References:
- Need advice: GPO practice for member servers
- From: boomboom999
- Re: Need advice: GPO practice for member servers
- From: Herb Martin
- Need advice: GPO practice for member servers
- Prev by Date: Re: Query for accounts that will expire
- Next by Date: Re: Deleting old Exchange server in AD - Confusing message encount
- Previous by thread: Re: Need advice: GPO practice for member servers
- Next by thread: Re: Need advice: GPO practice for member servers
- Index(es):
Relevant Pages
|
