Local admin password via GPO/Hiding Startup script from RSOP question...

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi guys

Hope someone can help - this is ruining my friday morning!

I have the task of setting the local admin password, via a GPO on our computers OU.

So far I have done the following:

1) Setup a test OU, blocked inheritance on this OU (shouldnt have done this I know but this was before it went wrong!), created a test GPO.
2) Created a script on a test share which runs "NET USER Administrator %1"
3) Set the startup script in the GPO to run to the batch file, with the parameters as "password" (the acutal test password should have hit the security requirements, it was in the form Password1)
4) Set the Security filtering of the GPO to domain computers (we dont want it to hit all domain computers, just the computer accounts in this particualr OU that the GPO is linked too.)
5) Removed authenticated users from the delegation rights of the GPO and added in domain comptuers with read permissions.

Now my understanding is that this should hit all computers in the OU, and prevent a domain user from running RSOP.msc and viewing the startup scripts/parameters... It worked on my original test VM but then it didnt seem to work when I moved more computer accounts to the test OU on all the machines...

When I ran rsop.msc on another test machine which I had run gpupdate /force on twice, and rebooted twice, I could view the script and parameters!

I cannot get my head round why!!!!

Should this setup work? i.e. hiding the GPO from domain users, but allowing it to be read by domain computers?

Many thanks for any advice

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Click Me

 

Cheers for that Craig - i'll take a look.

Also - I've just worked out where the rsop issue occoured - when i was initially testing - I had just a single computer account directly in the GPO delegation. I switched it to domain computers, so any new computers which get joined and moved to the OU would have this policy applied. I took it out and added the individual computers back in and it has now started working again!

 

Any further ideas about the domain computers group? It still works when I add the computers individually!

 

I would personally, change how new computers are added to the domain so they go straight into the new OU.

If you use the following command then test it:

redircmp ou=LockedDown,dc=contoso,dc=com