GPO Application

Discussion in 'Active Directory Exams' started by Fergal1982, Jun 11, 2011.

  1. Fergal1982

    Hey guys, I created a new OU in my (newly created) domain, called: Servers. I went into GPO management and modified the Default Domain Policy, adding the HOME\TFS_Admins group to the Administrators group via the Restricted Groups option in the Computer Policies section.

    I know bugger all about GPO, I have to be honest, but my understanding from googling around was that this should cause the local Administrators group on the servers in this OU to populate with the HOME\TFS_Admins group.

    However, this doesn't appear to be the case, even with multiple logins. It's not a replication issue as there's only one DC. Can anyone suggest what I'm missing?
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  2. Sparky
    Is the GPO at least being applied to the servers? On the server open up command line and type gpresult. The GPO should be listed there.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  3. Sparky
    Oops, just realised you have modified the default domain policy. Perhaps create a new GPO and link it to the OU that has your server computer accounts in it.
     
  4. Fergal1982

    Actually sorry, that's a lie. I had originally written something else (I had added Home\Administrator to the default domain policy, but when I realised I'd added the user rather than the group, I removed that portion of the text).

    I have a new Policy containing the addition to the restricted group. I did try gpresult, but I think I had issues with it to be honest, let me fire it up again and see.
     
  5. Fergal1982

    Ah yes, fired up "gpresult /scope computer /v" as the normal user, I get access denied, trying the same in a cmd prompt running as home\administrator gives me an error about home\administrator not having RSOP data.

    Got it working when I logged in directly to the machine using home\administrator. The GPO is applying, but it turns out that it's a PEBKAC error: I mistyped the group name as "Administrator" not "Administrators". Oops.

    I am right in thinking that if I create a GPO with this in it, and also add Domain Admins to the same in the default GPO, they should complement each other, shouldn't they - rather than overwriting each other?
     
  6. Sparky
    I believe so, mate, as the old membership of the local admin group should be intact anyways.
     
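
The two checks this thread ended up relying on (is the GPO applied to the computer, and what is actually in the local Administrators group), as an added example that is not part of any post above. It assumes an elevated Windows PowerShell 5.1+ session on the server and English-language gpresult output; $GpoName is a placeholder because the thread never names the new GPO.

```powershell
# Added example, not from the thread. Run elevated on the member server.
$GpoName       = '<name of the GPO linked to the Servers OU>'  # placeholder
$ExpectedGroup = 'HOME\TFS_Admins'   # domain group named in the thread
$LocalGroup    = 'Administrators'    # exact built-in name ('Administrator' was the typo)

# 1. Re-apply computer policy, then read the computer-scope RSoP summary.
gpupdate /target:computer /force | Out-Null
$lines = @(gpresult /scope computer /r 2>&1 | ForEach-Object { "$_".Trim() })

# Collect only the "Applied Group Policy Objects" section, so a GPO listed
# later as filtered out is not mistaken for an applied one.
$applied   = @()
$inSection = $false
foreach ($line in $lines) {
    if ($line -like 'Applied Group Policy Objects*') { $inSection = $true; continue }
    if ($line -like 'The following GPOs were not applied*' -or
        $line -like 'The computer is a part of the following security groups*') {
        $inSection = $false
    }
    if ($inSection -and $line -and $line -notmatch '^-+$') { $applied += $line }
}

if ($applied -contains $GpoName) {
    "Applied to this computer: $GpoName"
} else {
    Write-Warning "'$GpoName' is not in the applied list. Check the OU link and security filtering."
    "GPOs that were applied:"
    $applied
}

# 2. Read the real membership of the local group the policy targets.
$members = @(Get-LocalGroupMember -Group $LocalGroup |
             Select-Object -ExpandProperty Name)

if ($members -contains $ExpectedGroup) {
    "$ExpectedGroup is a member of local $LocalGroup"
} else {
    Write-Warning "$ExpectedGroup is missing from local $LocalGroup. Check the group name typed into Restricted Groups."
}

# Print the full membership so unexpected additions or removals are visible.
"Current members of ${LocalGroup}:"
$members
```

The "Members of this group" list in Restricted Groups replaces the group's membership rather than adding to it, so the full list printed at the end shows what the policy left in place.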
