Page 1 of 1 1
Topic Options
#145662 - 2005-08-16 02:45 PM AD GPO Gurus - Group Exceptions
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
We're migrating from NT to AD domains, and I have a minor issue I'd like the board AD gurus to offer advice on.

I have a number of servers in an OU to which I want to apply some restrictive policies, however I don't want the restrictions to apply to admin accounts. I only want to apply the policies when the users log into those specific machines, not when they are using their desktop machines.

In the past I've forced the restricted machines to use a specific NTCONFIG.POL with restrictions set for "domain users" and explicitly unset for "domain admins", however I want to get away from local administration.

We have Windows 2000 machines, so I can't use WMI filtering on the policies.

As an example of a policy, I don't want users to be able to run cmd.exe on the restricted servers but they are allowed to use it on their desktop machines. Admins should always be able to start it of course.

Top
#145663 - 2005-08-16 02:58 PM Re: AD GPO Gurus - Group Exceptions
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Not sure I follow... no local administration required. Everything is done at the OU. GPOs have an ACL so you simply remove whoever you don't want it to apply to.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#145664 - 2005-08-16 03:16 PM Re: AD GPO Gurus - Group Exceptions
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Quote:

Not sure I follow... no local administration required. Everything is done at the OU. GPOs have an ACL so you simply remove whoever you don't want it to apply to.




Yeah, this is the way I thought of going, but I just don't know AD well enough to know if I'm likely to bugger things up.

What I'd need to do is add an ACL which explicitly denies access to admins. Would that deny access to manage the GPO as well? Or would it simply stop the GPO being applied?

I could just try it and see what happens, but I'd rather get a consensus on the best approach from you guys with AD experience first!

Top
#145665 - 2005-08-16 04:54 PM Re: AD GPO Gurus - Group Exceptions
masken Offline
MM club member
*****

Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
First of all, WMI filtering only works with WinXP/2003 servers (not sure about the 2003 part, but almost sure ). You make GPO's on a per-user or per-machine basis, applied through the OU's where the objects are contained.

BUT, you can change the way GPO's are applied when a user logs on to a server by using something called GPO Loopback processing, which can be done in two different modes: Merge or Replace. Read about the concept here for example: http://www.microsoft.com/resources/docum...ec_pol_KCMB.asp

btw; not all things will work as you might wish when using loopback processing. For example, loginscripts. You'll have to read up on this yourself as I'm not the right person to give lectures on the subject

btw; you're running 2000 or 2003 servers there?


Edited by masken (2005-08-16 04:54 PM)
_________________________
The tart is out there

Top
#145666 - 2005-08-16 06:54 PM Re: AD GPO Gurus - Group Exceptions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Well typically you would not have Servers in an OU with Workstations.

Apply ACL to whomever you wish to run or not run.

Top
#145667 - 2005-08-17 09:38 AM Re: AD GPO Gurus - Group Exceptions
masken Offline
MM club member
*****

Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
That's true doc. But what is wanted here is for a user in another container to inherit user-settings for the server-container, therefore loopback processing is required
_________________________
The tart is out there

Top
#145668 - 2005-08-17 09:47 AM Re: AD GPO Gurus - Group Exceptions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Well the entire picture and reason was not posted. I'm sure he may have his reasons, but aside from a Terminal Server normal users shouldn't even be allowed to logon to a Server in the first place.
Top
#145669 - 2005-08-17 10:43 AM Re: AD GPO Gurus - Group Exceptions
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Quote:

Well the entire picture and reason was not posted.




That's quite deliberate - the specifics are not at all relevant to the solution. There should be enough information in the post (including the fact that there are W2K servers!) to answer the question.

In fact I should have avoided mentioning servers at all - the working solution will be used for example with single purpose shop floor devices such as process management terminals.

I kept the information to a minumum as I'm after a general solution, not one specific to a limited situation. The technique of limiting the scope of the GPO should not be bound to equipment type.

I'll try the suggestions and let you know how I get on.

Top
#145670 - 2005-08-17 11:50 AM Re: AD GPO Gurus - Group Exceptions
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
OK, from reading the referenced documents it looks like I need a combination of Group Policy loopback to effect user GPOs specific to the computer OU and ACLs to restrict the settings to non-admins.

Piece of cake

Top
#145671 - 2005-08-17 12:24 PM Re: AD GPO Gurus - Group Exceptions
masken Offline
MM club member
*****

Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
Richard, have you migrated from NT4 to windows 2000 servers? I strongly suggest that you continue migration on the server-side up to 2003 before building any more solutions.... especially for situations as the one you described, but also for general stability and AD functionality.

Edited by masken (2005-08-17 12:24 PM)
_________________________
The tart is out there

Top
#145672 - 2005-08-17 12:53 PM Re: AD GPO Gurus - Group Exceptions
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
All the AD server components are Windows 2003. There are Windows 2000 desktops and application servers.

The migration is a site-by-site user (and computer) migration into an existing AD forest which is well established. This means that my environment needs to fit in to the existing structure.

The requirement for merged loopback processing already means that I need to get some changes made higher up the tree to reduce the number of policies that are applied - I assume that each policy is applied in order at the client rather than receiving a neatly summarised policy?

Top
#145673 - 2005-08-17 01:17 PM Re: AD GPO Gurus - Group Exceptions
masken Offline
MM club member
*****

Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
Yes. Policies are applied one after one. And it is generally recommended to have as few as possible, and disable unused User Configuration Settings or Computer Configuration Settings if there isn't any changes, for each GPO. A client shouldn't be hit by more than 5-10 GPO's in total (user + computer).
_________________________
The tart is out there

Top
#145674 - 2005-08-17 01:32 PM Re: AD GPO Gurus - Group Exceptions
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Quote:

Yes. Policies are applied one after one. And it is generally recommended to have as few as possible, and disable unused User Configuration Settings or Computer Configuration Settings if there isn't any changes, for each GPO. A client shouldn't be hit by more than 5-10 GPO's in total (user + computer).




Do you mean set to "not defined" rather than "disabled"? I assume that "disabled" is an active setting, so will increase the processing.

Top
#145675 - 2005-08-17 01:45 PM Re: AD GPO Gurus - Group Exceptions
masken Offline
MM club member
*****

Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
yeah, just use the group policy management report function to see what GPO's have no user/computer settings defined, and set these sections to Disabled (must be done under the Group Policy Objects "folder", and not the OU hierarchy).
_________________________
The tart is out there

Top
#145676 - 2005-08-17 02:41 PM Re: AD GPO Gurus - Group Exceptions
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Rich, some important tools when developing/testing GPO's are the gpupdate.exe and gpresult.exe utilities (you may already know). When run under the context of the user, gpupdate forces policies to be applied and gpresult -v >out.txt gives you a (somewhat) detailed listing of policies that have been applied. An fyi just in case.

btw - how was Venice ?

-Shawn

Top
#145677 - 2005-08-17 02:54 PM Re: AD GPO Gurus - Group Exceptions
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Quote:

btw - how was Venice ?




Hot, damned hot. Hotel food was so exceptionally good we didn't eat out in the evening which is very unusual for us - normally we only ever eat in the hotel on the first night even if we are half/full board. We were acutally in Jesolo di Lido which is about a half-hour drive from Venice. Beaches were excellent and I got a great tan.

GF has been telling everyone that it was "romantic", so I guess I must have got something right.

Top
Page 1 of 1 1


Moderator:  Arend_, Allen, Jochen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 84 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.062 seconds in which 0.021 seconds were spent on a total of 13 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org