I thought so - it looked like you had understood how it worked... - honest :-))

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, January 24, 2005 5:25 PM
To: [email protected]
Subject: RE: [ActiveDir] Controlling log on locally in an AD domain

Guido,

Many thanks, actually step 5 was a typo, I did mean the server group....honest :-)

Many thanks for the help
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, 24 January 2005 17:16
To: [email protected]
Subject: RE: [ActiveDir] Controlling log on locally in an AD domain

almost: in step 5 you'd restrict the application of that GPO to the _servers group_ created in step _2_, i.e. this would be a GPO applied to the machines - not to the admins. So you'll need to filter it for the server group, not the admin group. This _machine GPO_ will then ensure that the user rights defined for a specific _user group_ are getting applied to the servers.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, January 24, 2005 5:07 PM
To: [email protected]
Subject: RE: [ActiveDir] Controlling log on locally in an AD domain

Guido,

Thanks for such a comprehensive reply. But what I am not following is how to do what you suggest regarding grouping in security groups and then applying a GPO. I can create a new group object no problem and place all my computers into that group, but then I miss the step which filters a GPO to that security group. Can you check to see if my approach is correct:

1. Create a security group for the administrators of the new server
2. Create a security group for the servers to be administered
3. Define a new GPO defining local log on rights for the new admins group created in step 1.
4. Apply the GPO to an OU which is a parent of the OU in which the administered server sits
5. Restrict the application of that GPO to the admins group created in step 1.

Would this achieve what I am looking for? My confusion is where exactly I link the GPO.

Many thanks,
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, 24 January 2005 16:28
To: [email protected]
Subject: RE: [ActiveDir] Controlling log on locally in an AD domain

both structures have their values - the functional groupings will allow you to better control other things (mostly security related) specific to the machines grouped into an OU, e.g. to ensure that IIS is disabled on all non-web machines etc. (or that it is _enabled_ on all that need it). This can become even more important once you're running Win2k3 SP1 and leverage the FW feature - you'll want to apply the defined set of policies created with the SCW (Security Configuration Wizard) to a specific set of servers with the same role. This is more easily done when servers are grouped into functional OUs, even if it's not the coolest thing for assigning delegated admin rights.

But whichever model you've implemented, there is nothing that keeps you from further grouping your machines into security groups (i.e. AD security groups) and then applying specific GPOs with group-filtering for those groups to reach your goal. I'm not a huge fan of group-filtering, but it certainly can help out in situations such as yours. It would allow you to either grant the logon locally user right to whatever group of admins you need to grant it to, or to add that group to the local admin groups of the target servers using the "restricted groups" option in GPO.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, January 24, 2005 4:05 PM
To: [email protected]
Subject: RE: [ActiveDir] Controlling log on locally in an AD domain

Unfortunately, we have already imposed an OU structure which groups servers into functional groupings (as recommended by Microsoft consultants who helped us!)

Thanks for the suggestion though

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gabriel O. Zabal
Sent: Monday, 24 January 2005 15:54
To: [email protected]
Subject: RE: [ActiveDir] Controlling log on locally in an AD domain

You should consider placing those servers in a special OU (i.e. Administered Servers) and then delegate the administrative rights to the sub-administrators. That would allow them to modify not only the "log on locally" right but also other things that will help them in their duties.

Gabriel Zabal
MCSE 2003

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, 24 January 2005 03:22 p.m.
To: [email protected]
Subject: [ActiveDir] Controlling log on locally in an AD domain

I am having a real problem getting my head round setting the "log on locally" policy for a group of computers. What I am hoping to achieve is the ability to allow different groups of sub-administrators the rights to log on locally to the servers they are responsible for. Currently, log on locally is only allowed to the Enterprise admins, but as the number of servers grows and we need to delegate responsibility to other nominated administrators, we find they are blocked from logging on and we can't find a clean solution. Can someone please point me in the direction of a tidy solution to the problem.
Many thanks

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
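The corrected five-step procedure from the thread (a machine GPO filtered to the server group, not the admin group), as an added PowerShell example that is not part of the original thread; it assumes the ActiveDirectory and GroupPolicy modules (RSAT) are available, and the domain, OU paths, group and computer names are hypothetical placeholders.

```powershell
# Added example, not from the thread. Domain, OUs, group and computer names are placeholders.
Import-Module ActiveDirectory, GroupPolicy

$DomainDn    = 'DC=example,DC=com'
$GroupsOu    = "OU=Groups,$DomainDn"
$ParentOu    = "OU=Servers,$DomainDn"           # step 4: parent OU of the administered servers' OU
$AdminGroup  = 'WebServer-LocalLogon-Admins'    # step 1: the delegated sub-administrators
$ServerGroup = 'WebServer-LocalLogon-Targets'   # step 2: the machines they administer
$GpoName     = 'Web Servers - Allow log on locally'

# Steps 1 and 2: one security group for the people, one for the machines.
foreach ($g in $AdminGroup, $ServerGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $GroupsOu
    }
}
Add-ADGroupMember -Identity $ServerGroup -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# Step 3 is manual: the GroupPolicy module has no cmdlet for User Rights Assignment.
# In the GPO editor set Computer Configuration > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment > "Allow log on locally" to $AdminGroup.
# Caveat: a user right defined in a GPO REPLACES the server's local list, so put
# Administrators (and anyone else who must still log on interactively) in the same entry.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Step 4: link at the parent OU; the link puts the GPO into the servers' scope.
New-GPLink -Name $GpoName -Target $ParentOu -LinkEnabled Yes -ErrorAction SilentlyContinue

# Step 5 (as corrected in the thread): filter to the SERVER group, not the admin group,
# because the user right is a computer setting that the machines apply to themselves.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $GpoName -TargetName $ServerGroup -TargetType Group -PermissionLevel GpoApply
# Once Authenticated Users loses Apply, computers still need Read to process the GPO
# (required since MS16-072), so give Domain Computers Read without Apply.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead

# Verification, run ON a member of $ServerGroup after 'gpupdate /target:computer /force':
# export the effective user rights and confirm the admin group's SID is in the list.
function Test-LocalLogonRight([string]$GroupName) {
    $sid = (Get-ADGroup $GroupName).SID.Value
    $inf = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $right = Get-Content $inf | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
    if ($right -match [regex]::Escape($sid)) { "OK: $GroupName may log on locally ($right)" }
    else { "NOT applied on $env:COMPUTERNAME: $right" }
}
Test-LocalLogonRight $AdminGroup
```

The verification is the same check a reviewer would make before closing the change: if the server reports only the pre-existing entries, the GPO link, the security filtering or the manual step 3 was missed.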
