
Local admin password via GPO/Hiding Startup script from RSOP question...

Discussion in 'Software' started by steveh2001, May 29, 2009.

  1. steveh2001

    steveh2001 Byte Poster

    Hi guys

    Hope someone can help - this is ruining my friday morning!

    I have the task of setting the local admin password, via a GPO on our computers OU.

    So far I have done the following:

    1) Set up a test OU, blocked inheritance on this OU (shouldn't have done this I know but this was before it went wrong!), created a test GPO.
    2) Created a script on a test share which runs "NET USER Administrator %1"
    3) Set the startup script in the GPO to run to the batch file, with the parameters as "password" (the actual test password should have hit the security requirements, it was in the form Password1)
    4) Set the Security filtering of the GPO to domain computers (we don't want it to hit all domain computers, just the computer accounts in this particular OU that the GPO is linked to.)
    5) Removed authenticated users from the delegation rights of the GPO and added in domain computers with read permissions.

    Now my understanding is that this should hit all computers in the OU, and prevent a domain user from running RSOP.msc and viewing the startup scripts/parameters... It worked on my original test VM but then it didn't seem to work when I moved more computer accounts to the test OU on all the machines...

    When I ran rsop.msc on another test machine which I had run gpupdate /force on twice, and rebooted twice, I could view the script and parameters!

    I cannot get my head round why!!!!

    Should this setup work? i.e. hiding the GPO from domain users, but allowing it to be read by domain computers?

    Many thanks for any advice
     
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
  2. craigie

    craigie Terabyte Poster

    Click Me
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  3. steveh2001

    steveh2001 Byte Poster

    Cheers for that Craig - I'll take a look.

    Also - I've just worked out where the rsop issue occurred - when I was initially testing - I had just a single computer account directly in the GPO delegation. I switched it to domain computers, so any new computers which get joined and moved to the OU would have this policy applied. I took it out and added the individual computers back in and it has now started working again!
     
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
  4. steveh2001

    steveh2001 Byte Poster

    Any further ideas about the domain computers group? It still works when I add the computers individually!
     
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
  5. craigie

    craigie Terabyte Poster

    I would personally change how new computers are added to the domain so they go straight into the new OU.

    If you use the following command then test it:

    redircmp ou=LockedDown,dc=contoso,dc=com
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
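
A delegation check for the setup discussed in this thread, as an added example that is not code from any poster: it flags GPO permission entries that would let ordinary users read the startup-script parameters. `Test-GpoReadExposure`, the sample entries and the domain SID are constructed for illustration; on a domain the input would come from `Get-GPPermission -Name <GPO name> -All` (GroupPolicy module).

```powershell
# Added example. Test-GpoReadExposure is a hypothetical helper name, not a built-in cmdlet.
# It classifies the permission entries that Get-GPPermission -All returns for one GPO.
function Test-GpoReadExposure {
    param([Parameter(Mandatory)] [object[]] $Permission)

    # Well-known SIDs that cover ordinary domain users (and computer accounts).
    $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }

    foreach ($p in $Permission) {
        $sid   = [string]$p.Trustee.Sid
        $level = [string]$p.Permission
        $finding = if ($broad.ContainsKey($sid)) {
            "EXPOSED: $($broad[$sid]) can read the script parameters"
        } elseif ($sid -match '^S-1-5-21-.*-513$') {
            # RID 513 is the Domain Users group.
            'EXPOSED: Domain Users can read the script parameters'
        } elseif ($level -eq 'GpoCustom') {
            'REVIEW: custom ACE, inspect it in GPMC'
        } elseif ($sid -match '^S-1-5-21-.*-515$' -and $level -eq 'GpoRead') {
            # RID 515 is Domain Computers; Read without Apply means the GPO is not processed.
            'WARN: Domain Computers has Read but not Apply'
        } else {
            'OK'
        }
        [pscustomobject]@{ Trustee = $p.Trustee.Name; Permission = $level; Finding = $finding }
    }
}

# Constructed sample entries shaped like Get-GPPermission output (the domain SID is made up).
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Trustee = [pscustomobject]@{ Name = 'Authenticated Users'; Sid = 'S-1-5-11' };  Permission = 'GpoRead' }
    [pscustomobject]@{ Trustee = [pscustomobject]@{ Name = 'Domain Computers';    Sid = "$dom-515" };  Permission = 'GpoApply' }
    [pscustomobject]@{ Trustee = [pscustomobject]@{ Name = 'Domain Admins';       Sid = "$dom-512" };  Permission = 'GpoEditDeleteModifySecurity' }
)

Test-GpoReadExposure -Permission $sample | Format-Table -AutoSize

# Against a live domain (GPO name is a placeholder):
# Test-GpoReadExposure -Permission (Get-GPPermission -Name '<GPO name>' -All)
```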
