This by default is a container, not an OU, so the GPO does not apply.

Mark

-----Original Message-----
From: Frank Abagnale <[EMAIL PROTECTED]>
Date: Wed, 5 Oct 2005 00:46:53
To: [email protected]
Subject: RE: [ActiveDir] AD Question for your peers-GPO

I have exactly that, a Servers OU and a Clients OU which I put my Workstations/Servers into. But the default OU I am talking about is where all the computers go to when they are first added to the domain. They are then manually moved to the respective OU once a week.

thanks anyway

[EMAIL PROTECTED] wrote:

Easiest way: put the servers in one OU and the non-servers in another OU. Then create one policy for each OU.

There are other ways, like adding the servers to a security group and filtering your policy by group membership. The separate OU formula is easier - IMO.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 6:54 AM
To: [email protected]
Subject: RE: [ActiveDir] AD Question for your peers-GPO

What would I do in this situation?

One OU which all Computers join when they are added to the domain.

I have two Global Groups: 1=WSAdmins and 2=SVRAdmins. These two groups do not contain the same users.

Now, I want to ensure that when I set a Restricted Policy, only the WSAdmins are listed in the Local Admins group on the Workstations and SVRAdmins is only a member of the local Administrators group on the Servers in the default OU.

Is this possible? From how I see it, if a restricted group is set on an OU, then any computer which is a member of this OU receives this setting.

Sorry, this has always confused me, which is why I went for the scripted option on startup.

thanks
Frank

[EMAIL PROTECTED] wrote:

Correct.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

________________________________

From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 12:29 AM
To: [email protected]
Subject: RE: [ActiveDir] AD Question for your peers-GPO

Deji,

I may sound real stupid asking this, but if I add Administrators to the Member Of attribute, how can I make sure this is only "local Administrators", e.g. Local Workstations or Local member servers, and not the builtin Administrators group (the one with Domain Admin permissions)?

Is this because the restricted groups GPO is only applied to the ClientsOU, and not at DDP level?

thanks
frank

[EMAIL PROTECTED] wrote:

Brian, the "wipe and load" behavior is a thing of the past with the introduction of the new "MemberOf" attribute. Here's a short reply I posted on another list a while back.

Another option is to use the "MemberOf" option in a "Restricted Groups" GPO. Say the group is called GrpA and you want it to be a member of the administrators group in every client in ClientsOU. You will create and apply a group policy to ClientsOU. In that policy, you will create a restricted group object, by adding GrpA. Then in the properties, you will choose the "this group is a member of:" and type in "administrators".

By doing the above, the existing members of the "administrators" group are not removed. The process will simply append GrpA to the membership list on "administrators".

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 10/3/2005 4:14 PM
To: [email protected]
Cc: '# Jose Medeiros-IBM (E-mail)'
Subject: RE: [ActiveDir] AD Question for your peers-GPO

Yes. You want to use the Restricted Groups function in the computer config area.
Be aware it is a replacement, not a merge, so things already in there will get blasted.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Monday, October 03, 2005 4:12 PM
To: [email protected]
Cc: # Jose Medeiros-IBM (E-mail)
Subject: [ActiveDir] AD Question for your peers-GPO

We have three child domains off our root domain and basically we want to add a global or universal group (we are in Native mode on AD 2003) to the local admin group on member servers & workstations in a child domain, every time a new computer account is added to AD. Is this possible using a GPO? (Please read the message below.)

Jose :-)

> -----Original Message-----
> From: Ebias, Danilo
> Sent: Monday, October 03, 2005 11:57 AM
> To: Medeiros, Jose
> Subject: AD Question for your peers
>
> Jose,
> Could you check with your peers about how we could define a group policy that would add a universal group or global group automatically into the local admin group of computers into a specific OU? I remember reading that this is possible, but I can't find any documentation about it.
>
> Thanks,
> dan
>
> Danilo Ebias, Jr.
> ADP | National Account Services
> ProBusiness Division | Information Services
> 925.737.7035

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
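
Added example (not part of the original thread and not from any of its posters): the two Restricted Groups modes discussed above, "Members" (replace) and "Member Of" (append), are stored as different keys in a GPO's GptTmpl.inf, so the file can be audited to see which mode each entry uses. The sample section, its domain SIDs and the function names are constructed for illustration; the real file is normally UTF-16 and must be decoded before parsing.

```python
import re

BUILTIN_ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a GptTmpl.inf with a Restricted Groups section.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
"""

ENTRY = re.compile(
    r"^\*?(?P<group>.+?)__(?P<kind>Memberof|Members)\s*=\s*(?P<value>.*)$",
    re.IGNORECASE)

def parse_restricted_groups(inf_text):
    """Classify each non-empty [Group Membership] entry as replace or append."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        principals = [p.strip().lstrip("*") for p in m["value"].split(",") if p.strip()]
        if not principals:
            continue  # empty values are skipped in this example (a simplification)
        if m["kind"].lower() == "members":
            # "Members of this group": the listed principals replace existing members.
            findings.append({"mode": "replace", "target": m["group"], "principals": principals})
        else:
            # "This group is a member of": the group is appended to each target.
            for target in principals:
                findings.append({"mode": "append", "target": target, "principals": [m["group"]]})
    return findings

def admin_changes(findings):
    """Keep only entries that change the local Administrators group."""
    targets = (BUILTIN_ADMINS.lower(), "administrators")
    return [f for f in findings if f["target"].lower() in targets]
```

Entries reported as "replace" against Administrators are the ones that remove members not on the list; "append" entries leave existing members in place.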
