I've got a problem with computer policies, and I think it's down to permissions - any help from AD gurus would be appreciated. It's a slightly complex scenario. My users may log in either via a standard desktop or via Citrix (Terminal Server). When they log into the Citrix environment and run a published application, their rights have to be restricted. To achieve this, the servers in the Citrix OU have GPO "loopback" processing enabled, which causes the USER policies in the computer OU to be applied. To ensure that administrative accounts did not get the restrictions, I applied security settings so that domain administrators did not get the policy applied. So far so good.

Unfortunately some local admin accounts *did* get the restrictions, and this caused a problem. I disabled the policy for local admin accounts and this appeared to be fine. The problem that I have now is that I'm no longer getting computer policies applied. I'm assuming that these are applied by a local admin account or an account in the local administrators group, but I'm not sure, and Googling/MSDNing hasn't turned anything up yet.

Does anyone know what account applies the computer policies? Is it the computer account? If so, is the account in a local admin group? The quick fix that I am going to try is to split the policy into separate computer and user policies, but I'd really like to know the cause, as I've been trying to keep the number of policies which need to be applied to an absolute minimum.
I don't know for certain, but I would venture a guess and say that once the computer receives the policy it is processed by the local system account.
Not so sure about local accounts. I do create DGGs with computer accounts as members and apply the deny ACE to policies, and it seems to work for me. You really need to be careful though and make sure the computer has rebooted, or else the deny ACE will not apply and the computer will get the policy.
Thanks for the responses. I've split the policy into separate COMPUTER and USER policies and applied the security to only the USER policy, so this has got me out of my immediate problem. If anyone reading this post does know the answer, please update the thread - I'd like to know for future planning. A pointer to some relevant documentation would be even better.
http://www.samspublishing.com/content/images/0789728494/webresources/A010601.html

Quote: This implies the local system account, which would make sense since it has admin rights, is built-in, and cannot be removed from any Administrators group.
Richard, what permission changes did you make to keep the local admin accounts from receiving the Computer GPO settings? You have a good question there: "What accounts apply computer GPO settings?" I could guess at this and say it may be the actual computer account itself (%computername% + '$') or the local "SYSTEM" security group, which seem to be the most logical choices. AD GPOs being domain centric, I would think the object that applies these settings would have to reside in AD. As you probably know, the last GPO to apply is the computer's local GPOs. I'm wondering if the "loopback" setting may have something to do with this. I remember reading about the GPO applying process in great detail a few months ago. I'll have to search for the documents and see if I can post them for you. It is a good idea to separate the Computer and User GPO settings, for simplicity's sake, but I understand about wanting to keep your GPO count at a minimum.
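An added example, not code from anyone in this thread: a PowerShell script that checks a GPO's security filtering for Deny entries on "Apply Group Policy" that would also switch off the computer side, and then lays out the two-GPO split Richard ended up with. It uses the GroupPolicy and ActiveDirectory RSAT modules. The list of "groups the machine's processing token carries" (BUILTIN\Administrators, Authenticated Users, Everyone, Domain Computers and the computer account) rests on the Local System explanation quoted above and is an assumption of the example; the OU distinguished name and the GPO names are placeholders.

```powershell
# Added example, not code from the thread. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules, and that computer-side policy is evaluated in
# the Local System context, whose token carries BUILTIN\Administrators,
# Authenticated Users, Everyone, Domain Computers and the machine account, so
# a Deny on "Apply Group Policy" for any of those also stops the computer
# settings of that GPO from applying.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Well-known SIDs assumed to be in a machine's processing token:
# Administrators, Authenticated Users, Everyone.
$ComputerTokenSids = @('S-1-5-32-544', 'S-1-5-11', 'S-1-1-0')

function Get-GpoApplyDenies {
    <# Lists Deny entries for "Apply Group Policy" on one GPO and flags the
       ones that would also block computer-side processing. #>
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            $sid = "$($_.Trustee.Sid)"
            [pscustomobject]@{
                Gpo                = $GpoName
                Trustee            = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
                Sid                = $sid
                BlocksComputerSide = ($ComputerTokenSids -contains $sid) -or
                                     $sid.EndsWith('-515') -or        # Domain Computers (RID 515)
                                     $_.Trustee.Name.EndsWith('$')     # a computer account
            }
        }
}

function Add-GpoApplyDeny {
    <# Adds a Deny "Apply Group Policy" ACE for a group on the GPO's AD object
       (the groupPolicyContainer under CN=Policies). Use it only on a GPO that
       carries user settings alone, so the computer side is never caught. #>
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $gpo   = Get-GPO -Name $GpoName
    $dn    = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
    $sid   = (Get-ADGroup -Identity $GroupName).SID
    $right = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy extended right
    $ace   = [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, 'ExtendedRight', 'Deny', $right)
    $acl   = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

function New-LoopbackGpoPair {
    <# The layout the thread ends with: one computer-only GPO (loopback switch
       and machine settings) and one user-only GPO (the restrictions), both
       linked to the Citrix OU; only the user GPO carries the admin exemption. #>
    param(
        [Parameter(Mandatory)][string]$CitrixOu,          # placeholder DN, e.g. 'OU=Citrix,DC=example,DC=test'
        [string]$ComputerGpo = 'Citrix - Computer',       # hypothetical GPO names
        [string]$UserGpo     = 'Citrix - User restrictions',
        [string]$ExemptGroup = 'Domain Admins'
    )
    foreach ($name in @($ComputerGpo, $UserGpo)) {
        if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
            New-GPO -Name $name | Out-Null
        }
        New-GPLink -Name $name -Target $CitrixOu -ErrorAction SilentlyContinue | Out-Null
    }
    # Disable the half each GPO must never carry, so a later edit cannot put
    # user settings back into the computer GPO (or the reverse).
    (Get-GPO -Name $ComputerGpo).GpoStatus = 'UserSettingsDisabled'
    (Get-GPO -Name $UserGpo).GpoStatus     = 'ComputerSettingsDisabled'
    # The deny lives on the user-only GPO, so the machine account is unaffected.
    Add-GpoApplyDeny -GpoName $UserGpo -GroupName $ExemptGroup
}

# Audit every GPO linked to the OU and report denies that hit the computer side.
# On an affected server, "gpresult /scope computer /r" lists such a GPO under
# the GPOs that were not applied because they were filtered out (Denied (Security)).
Get-GPInheritance -Target 'OU=Citrix,DC=example,DC=test' |   # placeholder DN
    Select-Object -ExpandProperty GpoLinks |
    ForEach-Object { Get-GpoApplyDenies -GpoName $_.DisplayName } |
    Where-Object BlocksComputerSide |
    Format-Table -AutoSize
```

The audit is read-only and is the part to run first: any row with `BlocksComputerSide` set to true is a GPO whose computer settings will silently stop applying on every machine the deny matches, which is the symptom described at the top of the thread. `Add-GpoApplyDeny` writes the deny to the AD object only; if you prefer GPMC to keep the SYSVOL permissions in step, set the same deny there instead and use the script just for checking.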
Sorry, leaving for the w/e - will update Monday.