Richard H.Administrator
(KiX Supporter)
2005-08-16 02:45 PM
AD GPO Gurus - Group Exceptions

We're migrating from NT to AD domains, and I have a minor issue I'd like the board AD gurus to offer advice on.

I have a number of servers in an OU to which I want to apply some restrictive policies, however I don't want the restrictions to apply to admin accounts. I only want to apply the policies when the users log into those specific machines, not when they are using their desktop machines.

In the past I've forced the restricted machines to use a specific NTCONFIG.POL with restrictions set for "domain users" and explicitly unset for "domain admins", however I want to get away from local administration.

We have Windows 2000 machines, so I can't use WMI filtering on the policies.

As an example of a policy, I don't want users to be able to run cmd.exe on the restricted servers but they are allowed to use it on their desktop machines. Admins should always be able to start it of course.


Les
(KiX Master)
2005-08-16 02:58 PM
Re: AD GPO Gurus - Group Exceptions

Not sure I follow... no local administration required. Everything is done at the OU. GPOs have an ACL so you simply remove whoever you don't want it to apply to.

Richard H.Administrator
(KiX Supporter)
2005-08-16 03:16 PM
Re: AD GPO Gurus - Group Exceptions

Quote:

Not sure I follow... no local administration required. Everything is done at the OU. GPOs have an ACL so you simply remove whoever you don't want it to apply to.
Yeah, this is the way I thought of going, but I just don't know AD well enough to know if I'm likely to bugger things up.

What I'd need to do is add an ACL which explicitly denies access to admins. Would that deny access to manage the GPO as well? Or would it simply stop the GPO being applied?

I could just try it and see what happens, but I'd rather get a consensus on the best approach from you guys with AD experience first!


masken
(MM club member)
2005-08-16 04:54 PM
Re: AD GPO Gurus - Group Exceptions

First of all, WMI filtering only works with WinXP/2003 servers (not sure about the 2003 part, but almost sure). You make GPOs on a per-user or per-machine basis, applied through the OUs where the objects are contained.

BUT, you can change the way GPOs are applied when a user logs on to a server by using something called GPO Loopback processing, which can be done in two different modes: Merge or Replace. Read about the concept here for example: http://www.microsoft.com/resources/docum...ec_pol_KCMB.asp

btw; not all things will work as you might wish when using loopback processing. For example, login scripts. You'll have to read up on this yourself as I'm not the right person to give lectures on the subject.

btw; you're running 2000 or 2003 servers there?


NTDOCAdministrator
(KiX Master)
2005-08-16 06:54 PM
Re: AD GPO Gurus - Group Exceptions

Well typically you would not have Servers in an OU with Workstations.

Apply ACL to whomever you wish to run or not run.


masken
(MM club member)
2005-08-17 09:38 AM
Re: AD GPO Gurus - Group Exceptions

That's true doc. But what is wanted here is for a user in another container to inherit user settings for the server container, therefore loopback processing is required.

NTDOCAdministrator
(KiX Master)
2005-08-17 09:47 AM
Re: AD GPO Gurus - Group Exceptions

Well the entire picture and reason was not posted. I'm sure he may have his reasons, but aside from a Terminal Server normal users shouldn't even be allowed to logon to a Server in the first place.

Richard H.Administrator
(KiX Supporter)
2005-08-17 10:43 AM
Re: AD GPO Gurus - Group Exceptions

Quote:

Well the entire picture and reason was not posted.
That's quite deliberate - the specifics are not at all relevant to the solution. There should be enough information in the post (including the fact that there are W2K servers!) to answer the question.

In fact I should have avoided mentioning servers at all - the working solution will be used for example with single purpose shop floor devices such as process management terminals.

I kept the information to a minimum as I'm after a general solution, not one specific to a limited situation. The technique of limiting the scope of the GPO should not be bound to equipment type.

I'll try the suggestions and let you know how I get on.


Richard H.Administrator
(KiX Supporter)
2005-08-17 11:50 AM
Re: AD GPO Gurus - Group Exceptions

OK, from reading the referenced documents it looks like I need a combination of Group Policy loopback to effect user GPOs specific to the computer OU and ACLs to restrict the settings to non-admins.

Piece of cake


masken
(MM club member)
2005-08-17 12:24 PM
Re: AD GPO Gurus - Group Exceptions

Richard, have you migrated from NT4 to Windows 2000 servers? I strongly suggest that you continue migration on the server side up to 2003 before building any more solutions, especially for situations such as the one you described, but also for general stability and AD functionality.

Richard H.Administrator
(KiX Supporter)
2005-08-17 12:53 PM
Re: AD GPO Gurus - Group Exceptions

All the AD server components are Windows 2003. There are Windows 2000 desktops and application servers.

The migration is a site-by-site user (and computer) migration into an existing AD forest which is well established. This means that my environment needs to fit in to the existing structure.

The requirement for merged loopback processing already means that I need to get some changes made higher up the tree to reduce the number of policies that are applied - I assume that each policy is applied in order at the client rather than receiving a neatly summarised policy?


masken
(MM club member)
2005-08-17 01:17 PM
Re: AD GPO Gurus - Group Exceptions

Yes. Policies are applied one after another. And it is generally recommended to have as few as possible, and to disable unused User Configuration Settings or Computer Configuration Settings if there aren't any changes, for each GPO. A client shouldn't be hit by more than 5-10 GPOs in total (user + computer).

Richard H.Administrator
(KiX Supporter)
2005-08-17 01:32 PM
Re: AD GPO Gurus - Group Exceptions

Quote:

Yes. Policies are applied one after another. And it is generally recommended to have as few as possible, and to disable unused User Configuration Settings or Computer Configuration Settings if there aren't any changes, for each GPO. A client shouldn't be hit by more than 5-10 GPOs in total (user + computer).

Do you mean set to "not defined" rather than "disabled"? I assume that "disabled" is an active setting, so will increase the processing.


masken
(MM club member)
2005-08-17 01:45 PM
Re: AD GPO Gurus - Group Exceptions

yeah, just use the Group Policy Management report function to see which GPOs have no user/computer settings defined, and set these sections to Disabled (must be done under the Group Policy Objects "folder", and not the OU hierarchy).

ShawnAdministrator
(KiX Supporter)
2005-08-17 02:41 PM
Re: AD GPO Gurus - Group Exceptions

Rich, some important tools when developing/testing GPO's are the gpupdate.exe and gpresult.exe utilities (you may already know). When run under the context of the user, gpupdate forces policies to be applied and gpresult -v >out.txt gives you a (somewhat) detailed listing of policies that have been applied. An fyi just in case.

btw - how was Venice ?

-Shawn
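
The arrangement the thread settles on (Richard's "loopback plus ACL" summary, with Shawn's gpupdate/gpresult check at the end), as an added PowerShell example that is not from the thread or from any poster. It uses the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 / RSAT and later, not available in 2005) in place of the GPMC GUI; the GPO name, OU and exempt group are assumed placeholders.

```powershell
# Added example (not from the thread): loopback processing plus an admin exception,
# done with the GroupPolicy/ActiveDirectory modules instead of the GPMC GUI.
# GPO name, OU and exempt group below are assumed placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Restricted Servers - User Lockdown'        # assumed
$targetOU = 'OU=Restricted Servers,DC=example,DC=com'   # assumed
$exempt   = 'Domain Admins'

# 1. Create the GPO if needed and link it to the OU holding the restricted computers.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks | ForEach-Object { $_.DisplayName }
if ($linked -notcontains $gpoName) { New-GPLink -Name $gpoName -Target $targetOU | Out-Null }

# 2. Computer Configuration: "User Group Policy loopback processing mode".
#    UserPolicyMode 1 = Merge (the thread's choice), 2 = Replace.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. User Configuration: "Prevent access to the command prompt" (the thread's example).
#    DisableCMD 2 = block interactive cmd.exe but still allow batch scripts (1 blocks both).
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null

# 4. Admin exception: Deny the "Apply Group Policy" extended right to the exempt group on
#    the GPO's AD object. Only the Apply right is denied, so the group's Edit/Delete/
#    Modify Security rights (GPO management) are untouched; GPMC shows the entry under
#    Delegation > Advanced. Set-GPPermission cannot write Deny ACEs, hence ADSI here.
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy rightsGuid
$domainDn = (Get-ADDomain).DistinguishedName
$gpoEntry = [ADSI]"LDAP://CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    (Get-ADGroup $exempt).SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight)
$gpoEntry.ObjectSecurity.AddAccessRule($ace)
$gpoEntry.CommitChanges()
# Assumption: GPMC may later report the AD and SYSVOL ACLs of this GPO as out of sync;
# accept its offer to synchronise them.

# 5. Verify on a restricted computer, as Shawn suggests, in the context of the user
#    being tested: a normal user's report should list the GPO as applied, an admin's
#    should list it as denied by security filtering.
# gpupdate /force
# gpresult /r        (older builds: gpresult -v > out.txt)
```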


Richard H.Administrator
(KiX Supporter)
2005-08-17 02:54 PM
Re: AD GPO Gurus - Group Exceptions

Quote:

btw - how was Venice ?
Hot, damned hot. Hotel food was so exceptionally good we didn't eat out in the evening, which is very unusual for us - normally we only ever eat in the hotel on the first night even if we are half/full board. We were actually in Jesolo di Lido which is about a half-hour drive from Venice. Beaches were excellent and I got a great tan.

GF has been telling everyone that it was "romantic", so I guess I must have got something right.