
Making changes locally AGAINST GPOs


5 replies to this topic

#1 Stevepsu65 (Members, 14 posts, Pennsylvania)

Posted 08 June 2015 - 12:44 PM

Hello, long time lurker, first time poster here!

 

Tried googling this, but kind of hard to use keywords that generated results I need.

 

I am currently getting into group policy after getting my first job where I can actually utilize group policy/active directory to my liking, and I have an example which I believe best describes my concern.

 

Let's say I create a GPO that removes control panel to a number of users.  One of these users at one point is doing something that requires me to adjust a setting in their control panel.  Or if I have an OU set to not allow software installation, but then I need a piece of software on that machine.  The ways I could think of doing this are as follows:

 

1. Remove them from the OU with the policy, and put them in a "free for all" OU which I would create for situations like this, log onto their machine remotely as their username, make the changes, save them, then go back on the DC and put them back in the original OU

 

2. Log into their machine with admin rights, make the changes, then log them back in (Issue with this is for some circumstances, such as IE settings, I don't think they would stick when I logged back in as the user)

 

3. Say heck with locking people down and hope for the best =P

 

Thanks guys and sorry if this is a noob question, I pretty much spent the first couple of years in IT doing smaller tasks (virus removal, hardware swapping, troubleshooting user issues)

 

-Steve
 




#2 JohnnyJammer (Members, 1,117 posts, QLD Australia)

Posted 09 June 2015 - 01:03 AM

This is why it's important to understand Users and Computer OUs in GPO scripts.

Always separate the Computer from the User, so above I would have a policy to install software on the Computer OU.

Or you can create GPOs where people can install the software they want without admin privileges using the "Install a program from the network" option which is in Programs & Features.

I have this set up for common software which is safe and secure and users are allowed to install.

 

Oh, I forgot to add that Domain GPOs will override most if not all local GPOs mate.


Edited by JohnnyJammer, 09 June 2015 - 01:05 AM.


#3 Stevepsu65 (Topic Starter, Members, 14 posts, Pennsylvania)

Posted 09 June 2015 - 12:37 PM

JJ,

 

Thanks for the advice.  I will have to better familiarise myself with when to use computer OUs vs user OUs.

Once I break down all the OU's and how I want them organized, I will just be adding simple GPO's to start (Considering there is no actual use of GP here, any added GP is a good thing). 

 

Until I learn how to make these "administrative edits" to specific computers/users I think I might go with my "free for all" OU to make the changes necessary using the unlocked software and then throw them back in.

 

Like a carwash!!!  :thumbsup2:

 

-Steve

 

EDIT:  I just clicked the do not inherit box to single out the test OU.  And I checked out the "Default user" GPO and nothing is enforced


Edited by Stevepsu65, 09 June 2015 - 12:38 PM.


#4 JohnnyJammer (Members, 1,117 posts, QLD Australia)

Posted 09 June 2015 - 06:35 PM

One bit of advice: never change the default GPO settings mate, always leave those alone except for things such as setting an NTP server.

If you want to remotely administer a GPO run the command below (Also note you need the space after the /gpcomputer:    < one single space)

gpedit.msc /gpcomputer: "SomeServerOrWorkstation"

 

I always separate the users from the computers and separate all servers (Domain controllers default to their own OU).

This way you apply only what is needed to the target object mate, this is the neatest way of doing it, and always create a new GPO for each policy you create because when troubleshooting you don't want to find some settings buried inside of a proxy GPO for instance.
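The layout JohnnyJammer describes in #2 and #4 (one GPO per purpose, computer settings linked to the computer OU and user settings to the user OU, the default policy left alone apart from something like an NTP server) can be scripted, and the result checked with an RSoP report before anyone edits a remote machine. The following is an added example, not code posted in this thread; it assumes the GroupPolicy and ActiveDirectory RSAT modules, and every domain, OU, GPO and computer name in it is a placeholder.

```powershell
# Added example, not code from the thread. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules are installed; the domain, OU, GPO and host
# names below are placeholders to replace with your own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ComputerOU = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU holding machines
$UserOU     = 'OU=Staff,DC=corp,DC=example'          # placeholder OU holding people

# Computer-side policy: one GPO for one purpose, named for what it does, so the
# setting is never "buried inside of a proxy GPO" when troubleshooting.
$ntpGpo = New-GPO -Name 'WS - NTP Client' -Comment 'Computer settings only'
# Disable the half this GPO does not use, so nothing user-side can hide in it.
$ntpGpo.GpoStatus = 'UserSettingsDisabled'
# Registry values behind "Configure Windows NTP Client" (time source is a placeholder).
$w32time = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
Set-GPRegistryValue -Name $ntpGpo.DisplayName -Key $w32time -ValueName 'NtpServer' -Type String -Value 'ntp.corp.example,0x9' | Out-Null
Set-GPRegistryValue -Name $ntpGpo.DisplayName -Key $w32time -ValueName 'Type'      -Type String -Value 'NTP' | Out-Null
New-GPLink -Name $ntpGpo.DisplayName -Target $ComputerOU -LinkEnabled Yes | Out-Null

# User-side policy, linked to the OU that holds user objects rather than machines.
$cpGpo = New-GPO -Name 'USR - Hide Control Panel' -Comment 'User settings only'
$cpGpo.GpoStatus = 'ComputerSettingsDisabled'
# Registry value behind "Prohibit access to Control Panel and PC settings".
Set-GPRegistryValue -Name $cpGpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $cpGpo.DisplayName -Target $UserOU -LinkEnabled Yes | Out-Null

# Before editing a remote box, see what really applies there for a given user:
# the RSoP report lists every GPO that was applied or denied, and why.
function Export-RsopReport {
    param(
        [string]$Computer,
        [string]$User,
        [string]$OutFile = "$env:TEMP\rsop-$Computer.html"
    )
    Get-GPResultantSetOfPolicy -Computer $Computer -User $User `
        -ReportType Html -Path $OutFile | Out-Null
    return $OutFile
}
# Example call (placeholder names): Export-RsopReport -Computer 'WS01' -User 'CORP\jdoe'
```

Disabling the unused half of each GPO is cheap and makes the later audit simpler: a GPO named "USR - ..." with computer settings disabled can only ever carry user settings, which is what the "never bury settings in an unrelated GPO" advice is after.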



#5 Stevepsu65 (Topic Starter, Members, 14 posts, Pennsylvania)

Posted 12 June 2015 - 10:11 AM

Thanks for the tip, and yea I am afraid of messing with any default GPOs.  Strangely,  when I made a test GPO on our 2k8 DC (Primary) it did not replicate those changes to our remote DC (2k12).

 

Going to try to erase all GPOs I made, make the GPO on the 2k12 server and see if it replicates back to the primary.  Unsure of exactly how GPO replication works between different server versions and authorizations.  Test time =)  Thanks for your help man!



#6 sflatechguy (BC Advisor, 2,242 posts)

Posted 14 June 2015 - 10:39 AM

If you are worried about the sorts of changes users might make, then don't make them local admins, and require escalated privileges to do anything. That means you or another domain admin will have to provide credentials; if you can't be there physically, make sure you have good remote access software that won't lock you out when the UAC prompt comes up.

 

Another method is security filtering. If there is a user or small group of users, or a computer or small group of computers that you want to exempt from a GPO, place them in a security group, and in the delegation tab on the GPO, add that security group and set their permissions to Read-Allow and Apply group policy-Deny. We've got some computers we use to display dashboards that we've done this with, so that certain GPOs don't apply -- like the screensaver GPO. Or, if you do want to apply a GPO to just a small group, use the security filtering in the Scope tab of the GPO, remove Authenticated Users, and add the security group of just those who should receive the GPO.

 

As for the servers, I don't know that the versions should be an issue. Replication occurs every few minutes within a site, and by default, 180 minutes between sites. If the 2k8 server is in a different site from the 2k12, check to see what the intra-site replication interval is. If push comes to shove, you can always repadmin /syncall to force replication.
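Both halves of sflatechguy's answer, the two security-filtering variants and the replication check, can be done from PowerShell instead of clicking through the Delegation and Scope tabs. The following is an added example, not code from this thread; it assumes the GroupPolicy and ActiveDirectory RSAT modules, and the GPO, group and domain controller names are placeholders. Set-GPPermission only writes Allow entries, so the "Apply group policy - Deny" variant is written to the GPO's AD object ACL directly using the well-known rightsGuid of the Apply-Group-Policy extended right.

```powershell
# Added example, not code from the thread. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules; GPO, group and DC names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# --- Variant 1: exempt a small group from a GPO (Read allowed, Apply denied) ---
function Deny-GpoApplyToGroup {
    param([string]$GpoName, [string]$GroupName)
    $gpo = Get-GPO -Name $GpoName
    # Read must stay allowed, or the client cannot even evaluate the security filter.
    Set-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoRead | Out-Null
    # Set-GPPermission cannot write Deny ACEs, so add the Deny on the
    # Apply-Group-Policy extended right to the GPO container's ACL in AD.
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $applyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # Apply-Group-Policy rightsGuid
    $adPath = "AD:\$($gpo.Path)"
    $acl = Get-Acl -Path $adPath
    $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGroupPolicyRight)
    $acl.AddAccessRule($deny)
    Set-Acl -Path $adPath -AclObject $acl
}

# --- Variant 2: apply a GPO only to one group instead of all Authenticated Users ---
function Limit-GpoApplyToGroup {
    param([string]$GpoName, [string]$GroupName)
    # Take Apply away from Authenticated Users but keep Read: since MS16-072 (2016)
    # the computer account reads user GPOs, so removing Read entirely breaks user policy.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# --- Replication check: has the GPO reached every DC, with AD and SYSVOL in step? ---
function Get-GpoVersionPerDC {
    param([string]$GpoName, [string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $g = Get-GPO -Name $GpoName -Server $dc
        [pscustomobject]@{
            DC            = $dc
            ADVersion     = $g.Computer.DSVersion      # version stored in AD
            SysvolVersion = $g.Computer.SysvolVersion  # version in SYSVOL; should match
            Modified      = $g.ModificationTime
        }
    }
}

# Usage (placeholder names):
# Deny-GpoApplyToGroup  -GpoName 'USR - Screensaver' -GroupName 'GPO-Exempt-Dashboards'
# Limit-GpoApplyToGroup -GpoName 'USR - Hide Control Panel' -GroupName 'Locked-Down-Staff'
# Get-GpoVersionPerDC -GpoName 'USR - Hide Control Panel' -DomainControllers 'DC2008','DC2012' | Format-Table
# Inter-site schedule (default 180 minutes) and, if you cannot wait, a forced sync:
# Get-ADReplicationSiteLink -Filter * | Select-Object Name, ReplicationFrequencyInMinutes
# repadmin /syncall /AdeP
```

A mismatch between ADVersion and SysvolVersion on one DC, or a version that lags the other DCs, is the usual cause of "the GPO I made on the 2k8 server never showed up on the 2k12 one": AD replicates the container while DFS-R or FRS replicates SYSVOL on its own schedule, so the two are worth checking separately.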





