Re: restricted groups frustration!
- From: "Darren Mar-Elia" <dmanonymous@xxxxxxxxxxxxx>
- Date: Tue, 2 Oct 2007 08:10:15 -0700
Phillip-
Have you run GPMC Results wizard against one of the intended target servers to ensure they are actually processing that GPO and getting that particular setting. That would be the first step. Given that that is true, you could then enable security policy logging on one of the target servers to see what's up. Check out http://support.microsoft.com/kb/245422/en-us for that (it says it applies to Win2K but it works on newer versions as well).
Darren
--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Script Group Policy Settings with the GPExpert Scripting Toolkit for PowerShell!
Find out more at http://www.sdmsoftware.com/products2.php
Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related
"Phillip Drummond" <w@xxxxx> wrote in message news:eQHVUWQBIHA.1168@xxxxxxxxxxxxxxxxxxxxxxx
yes i am working on the DC... but why should this matter? and im applying this to the default domain policy. i cant do it at the OU level because there are hundreds of OU's with servers in them.
thanks
"Anthony" <anthony.spam@xxxxxxxxxxxxxx> wrote in message news:uPid7RQBIHA.4656@xxxxxxxxxxxxxxxxxxxxxxxAre you perhaps working directly on the DC, instead of using the GP console from a workstation?
Also, as Tim said, the policy should apply to a distinct OU where the servers are.
Anthony, http://www.airdesk.co.uk
"Phillip Drummond" <w@xxxxx> wrote in message news:%23VB6cEQBIHA.1208@xxxxxxxxxxxxxxxxxxxxxxxnope. this isnt working. the ONLY place the group is being added to is the builtin\administrators group in AD (active directory users and computers) NONE of the domain machines are getting this group added.
does anyone have ANY idea what i can check?
"Tim Chin" <donotemail> wrote in message news:%23On0k5PBIHA.1212@xxxxxxxxxxxxxxxxxxxxxxxIt sounds like you're doing everything correct. I would just make sure that when you are in restricted groups, be sure to use the object picker to find the group you want added to the administrators group. Typing 'Administrators' in the second part should work fine. If you perform a gpupdate (no /force or reboot is required), you'll see the changes immediately (if the dc that provided logon has the latest version of the gpo you're working with).
Note: If you're putting this in the default domain policy, it will also apply to domain controllers. If this is not the desired RSOP, you'll most likely want to create a new gpo with these settings in it and security filter it to 'Domain Computers', which avoids domain controllers.
Tim
"Phillip Drummond" <w@xxxxx> wrote in message news:uY9DDJPBIHA.1212@xxxxxxxxxxxxxxxxxxxxxxxwhy doesnt this simply work??
i am trying to add an AD group to the local administrators group on all domain servers. i am using the default domain policy, computer configuration, windows settings, security settings, restricted groups.
i create a new group in here using the group that i want added to local admins and then configure the second box "this group is a member of" option. in here i am typing "Administrators".
24 hours has gone by. shouldnt i be able to log on to ANY domain machine and see this group in the local admins group? because i dont. can someone please tell me what the problem is?
.
- References:
- restricted groups frustration!
- From: Phillip Drummond
- Re: restricted groups frustration!
- From: Tim Chin
- Re: restricted groups frustration!
- From: Phillip Drummond
- Re: restricted groups frustration!
- From: Anthony
- Re: restricted groups frustration!
- From: Phillip Drummond
- restricted groups frustration!
- Prev by Date: Re: restricted groups frustration!
- Next by Date: Re: Unable map to domain controller
- Previous by thread: Re: restricted groups frustration!
- Next by thread: Re: restricted groups frustration!
- Index(es):
Relevant Pages
|
