Re: Does user have to be a member of domain admins? Surely not!

The user(s) does not have to be a member of the domain/local administrators
group to have a group policy applied to them. What I suspect after reading
the other post is that something is screwy with the access/apply rights on
the gpo.

What I would do is run the Group Policy Management snap-in and review the
scope & delegation tabs. (Scope is where you set where & who it applies to.
The delegation is who should modify/delete the gpo.)


<jonathan.elkins@xxxxxxxxx> wrote in message
news:1174184874.228857.179240@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello.

I have created a group policy object (gpo) that I would like to apply
to most of the users in my active directory (ad). My problem is the
gpo will only apply if the test user is a member of the Domain Admins
(DA) security group. I definitely don't want my users to be in Domain
Admins. I'm trying to restrict access. I don't think putting people in
DA is a good way to do this. I have tried all kinds of things
including ensureing that delagation access has been set for the gpo
and the oganizational units that the test user is a member of. I've
even removed all gpo on the domain (except for the Default Domain
Controller gpo). I'm scared to remove that one. But no matter what
I've tried so far the gpo will not appl to the user unless the user is
a member of Domain Admins.

Please Help. I'll take you out for dinner. Really I will.

Jonathan Elkins
Systems Manager
VTT Group.

P.S. This is a restating of the same question in another very long
post. I thought it preferable for some to have a short succint
question. If you would like background and detail look at a longer
version of this post here:
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/161d5f7daafb1541/a9138e797a1b9461?lnk=gst&q=domain+admins&rnum=1#a9138e797a1b9461



.

Relevant Pages

  • Re: applying group policy
    ... I cannot get the settings for group policy to ... Machine or user must be a domain member and authenticate with the domain ... User or machine is not in the container to which the GPO is linked. ... Kerberos authentication may not work if user is a member of many groups: ...
    (microsoft.public.windows.server.active_directory)
  • Do Not Execute Group Policy for Admins Group
    ... so that the group policy will only apply to a certain group of users ... domain admins that logon to a computer in that OU). ... In this case the GPO would not ... it's intent is to change the user settings ...
    (microsoft.public.win2000.group_policy)
  • Re: Group Policy on a remote computer
    ... By default, members of Domain Admins are administrators on member computers, but not Enterprise Admins. ... The domain controller is Windows Server 2003 R2 SP2; the target computer is XP Professional SP2. ... The usual process is to create a Group Policy Object in the Domains Active Directory and link it to the OU with the target computer accounts or user accounts. ...
    (microsoft.public.windows.group_policy)
  • Re: Using Group Policy to give install permission
    ... Group Policy is simply (well, ... Active Directory there is only one Organizational Unit: ... Your user account objects or computer account objects must directly reside ... in the Organizational Unit to which you linked the GPO. ...
    (microsoft.public.win2000.group_policy)
  • Re: Terminal Server GPO Issue
    ... The name of the OU where the GPOs should not be applied is: Citrix XP ... They both sit at the same level under an OU called Servers. ... Microsoft Windows Operating System Group Policy Result tool v2.0 ... Sharepoint Auth GPO ...
    (microsoft.public.windows.server.active_directory)
Quantcast