#155239 - 2006-01-13 01:14 PM
OT: Which accounts are used to apply computer policies?
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
I've got a problem with computer policies, and I think it's down to permissions - any help from AD Gurus would be appreciated.
It's a slightly complex scenario.
My users may log in either via a standard desktop, or via Citrix (Terminal Server). When they log into the Citrix environment and run published applications their rights have to be restricted. To achieve this, the servers in the Citrix OU have GPO "loopback" processing enabled, which causes the USER policies in the computer OU to be applied.
To ensure that administrative accounts did not get the restrictions, I applied security settings so that domain administrators did not get the policy applied.
So far so good. Unfortunately some local admin accounts *did* get the restrictions, and this caused a problem.
I disabled the policy for local admin accounts and this appeared to be fine.
The problem that I have now is that I'm no longer getting computer policies applied. I'm assuming that these are applied by a local admin account or an account in the local administrators group, but I'm not sure and Googling/MSDNing hasn't turned anything up yet.
Does anyone know what account applies the computer policies? Is it the computer account? If so is the account in a local admin group?
The quick fix that I am going to try is to split the policy into separate computer and user policies, but I'd really like to know the cause as I've been trying to keep the number of policies which need to be applied to an absolute minimum.
#155243 - 2006-01-13 04:49 PM
Re: OT: Which accounts are used to apply computer policies?
Chris S.
MM club member
Registered: 2002-03-18
Posts: 2368
Loc: Earth
http://www.samspublishing.com/content/images/0789728494/webresources/A010601.html
Quote:
Group Policy Processing
Administrators define the scope of a Group Policy by linking it to certain objects in Active Directory. The scope determines which objects are affected by the particular Group Policy. Group Policies can be linked to sites, domains, and organizational units (OUs). Any object within the scope of where the object is linked is potentially affected by the Group Policy. For example, by linking a Group Policy at the domain level, all objects (users and computers) in that domain potentially get the settings configured in that Group Policy.
Group Policies are processed in a very specific order. The order in which the policies are processed determines the net effect of all the policies on the computer or user. If multiple policies configure the same setting, the last policy to apply wins. Group policies are processed in the order of local group policy, site, domain, OU. If multiple OUs exist, policies are processed first at the top OUs and then down to the child OUs. So, any group policies applied to the OU in which the object resides get processed last and thereby win.
When a Windows 2000 or later machine boots up on the network, it queries Active Directory to determine which policies are applied to the computer account. The policies applied are based on the location of the computer account in Active Directory. For example, if the computer account is in the Sales OU which is in the North America OU in the braincore.net domain, it processes all the policies applied to the braincore.net domain, the North America OU, and the Sales OU. It then determines the computer configuration settings that are set by these group policies and applies them to the computer. It does all this before you even get the logon screen.
Eventually, a user logs on. When that happens, the system goes through the same process, but this time it processes user configuration policies based on the location of the user account. Once again, they are processed in the order of local, site, domain, OU, OU, OU, and so on.
This implies the local system account, which would make sense since it has admin rights, is built-in, and cannot be removed from any Administrators group.
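The following is an added Python model of the processing described in the question and the reply (LSDOU order, last writer wins, security filtering where a deny beats an allow, and loopback replace/merge). It is not code from the forum, from Microsoft or from the Sams excerpt. Its assumptions: the computer side is evaluated under a token that carries the built-in Administrators SID, as the reply's "local system account" point implies; "Apply Group Policy" is modelled as a single right rather than the real Read plus Apply pair; the domain part of the Domain Admins and user SIDs is a constructed placeholder. The three scenarios reproduce the thread: the combined GPO with only Domain Admins denied, the same GPO after local Administrators were denied (computer settings and loopback vanish), and the split into separate computer and user GPOs.

```python
"""Toy model of Group Policy processing: LSDOU order, last-writer-wins,
security filtering (deny beats allow) and loopback.  Added illustration,
not real Group Policy engine code; token contents are assumptions."""
from dataclasses import dataclass, field

# Well-known SIDs (real values).
SID_SYSTEM = "S-1-5-18"
SID_AUTHENTICATED_USERS = "S-1-5-11"
SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
# Domain-relative SIDs: the "DOMAIN" part is a constructed placeholder.
SID_DOMAIN_ADMINS = "S-1-5-21-DOMAIN-512"
SID_ALICE = "S-1-5-21-DOMAIN-1105"


@dataclass
class Gpo:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration
    user: dict = field(default_factory=dict)      # User Configuration
    allow: set = field(default_factory=set)       # SIDs granted Apply Group Policy
    deny: set = field(default_factory=set)        # SIDs explicitly denied it


def applies_to(gpo: Gpo, token_sids: set) -> bool:
    """Security filtering: an explicit deny on any SID in the token wins;
    otherwise at least one allowed SID must be present (simplified model)."""
    if gpo.deny & token_sids:
        return False
    return bool(gpo.allow & token_sids)


def resolve(chain: list, token_sids: set, side: str) -> dict:
    """chain is in processing order (local, site, domain, OU, child OU...);
    later entries overwrite earlier ones, so the deepest OU wins."""
    settings = {}
    for gpo in chain:
        if applies_to(gpo, token_sids):
            settings.update(getattr(gpo, side))
    return settings


def process(computer_chain, user_chain, computer_token, user_token):
    """Boot: computer side, evaluated with the computer's token.  Logon: user
    side, with the loopback mode choosing which chain supplies user settings."""
    computer = resolve(computer_chain, computer_token, "computer")
    mode = computer.get("loopback")
    if mode == "replace":
        source = computer_chain
    elif mode == "merge":
        source = user_chain + computer_chain
    else:
        source = user_chain
    return computer, resolve(source, user_token, "user")


# Assumed tokens: the computer side runs as SYSTEM, whose token carries the
# built-in Administrators SID; Alice is an ordinary domain user; a domain
# admin logging on carries Domain Admins plus built-in Administrators.
COMPUTER_TOKEN = {SID_SYSTEM, SID_AUTHENTICATED_USERS, SID_BUILTIN_ADMINISTRATORS}
ALICE_TOKEN = {SID_ALICE, SID_AUTHENTICATED_USERS}
ADMIN_TOKEN = {SID_DOMAIN_ADMINS, SID_AUTHENTICATED_USERS, SID_BUILTIN_ADMINISTRATORS}

# The users' own OU chain (constructed): one harmless user-side setting.
USER_OU_CHAIN = [Gpo("Default Domain Policy", user={"wallpaper": "corporate"},
                     allow={SID_AUTHENTICATED_USERS})]


def citrix_chain(deny_admins: bool, split: bool) -> list:
    """GPO chain linked to the Citrix OU for one of the thread's scenarios."""
    restrictions = {"cmd_disabled": True, "wallpaper": "locked"}
    deny = {SID_DOMAIN_ADMINS}
    if deny_admins:
        deny = deny | {SID_BUILTIN_ADMINISTRATORS}
    if not split:
        # One combined GPO: loopback on the computer side, restrictions on the
        # user side, and a single ACL that filters both halves together.
        return [Gpo("Citrix Lockdown", computer={"loopback": "replace"},
                    user=restrictions, allow={SID_AUTHENTICATED_USERS}, deny=deny)]
    # Split: the computer GPO keeps a plain ACL; only the user GPO denies admins.
    return [Gpo("Citrix Computer", computer={"loopback": "replace"},
                allow={SID_AUTHENTICATED_USERS}),
            Gpo("Citrix User Lockdown", user=restrictions,
                allow={SID_AUTHENTICATED_USERS}, deny=deny)]


def scenario(deny_admins: bool, split: bool):
    """Return (computer settings, Alice's user settings, admin's user settings)."""
    chain = citrix_chain(deny_admins, split)
    computer, alice = process(chain, USER_OU_CHAIN, COMPUTER_TOKEN, ALICE_TOKEN)
    _, admin = process(chain, USER_OU_CHAIN, COMPUTER_TOKEN, ADMIN_TOKEN)
    return computer, alice, admin


if __name__ == "__main__":
    for deny_admins, split in [(False, False), (True, False), (True, True)]:
        print(f"deny_admins={deny_admins} split={split}:", scenario(deny_admins, split))
```

In the second scenario the deny on built-in Administrators matches the computer-side token, so the combined GPO contributes no computer settings at all, loopback is never switched on, and Alice falls back to the plain user chain; that is the symptom in the question. The third scenario shows why splitting works: the computer GPO carries no admin deny, so loopback survives while the user GPO's deny still spares admin logons.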