programming4us
         
 
 

Active Directory 2008 : Delegating the Support of Computers (part 2) - Delegating Administration Using Restricted Groups Policies with the Members Of This Group Setting

7/17/2013 8:08:02 PM

2. Delegating Administration Using Restricted Groups Policies with the Member Of Setting

You can use restricted groups policies with the Member Of setting to manage the delegation of administrative privileges for computers by following these steps:

  1. In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.

  2. Right-click Restricted Groups and click Add Group.

  3. Click Browse and, in the Select Groups dialog box, type the name of the group you want to add to the Administrators group (for example, CONTOSO\Help Desk) and click OK.

  4. Click OK to close the Add Group dialog box.

    A Properties dialog box appears.

  5. Click Add next to the This Group Is A Member Of section.

  6. Type Administrators and click OK.

    The Properties group policy setting should look something like the left side of Figure 2.

  7. Click OK again to close the Properties dialog box.

Delegating the membership of the local Administrators group in this manner adds the group specified in step 3 to that group. It does not remove any existing members of the Administrators group. The group policy simply tells the client, “Make sure this group is a member of the local Administrators group.” This allows for the possibility that individual systems could have other users or groups in their local Administrators group. This Group Policy setting is also cumulative. If multiple GPOs configure different security principals as members of the local Administrators group, all will be added to the group.

3. Delegating Administration Using Restricted Groups Policies with the Members Of This Group Setting

To take complete control of the local Administrators group, follow these steps:

  1. In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.

  2. Right-click Restricted Groups and click Add Group.

  3. Type Administrators and click OK.

    A Properties dialog box appears.

  4. Click Add next to the Members Of This Group section.

  5. Click Browse, type the name of the group you want to make the sole member of the Administrators group (for example, CONTOSO\Help Desk), and click OK.

  6. Click OK again to close the Add Member dialog box.

    The group policy setting Properties should look something like the right side of Figure 2.

  7. Click OK again to close the Properties dialog box.

When you use the Members setting of a restricted groups policy, the Members list defines the final membership of the specified group. The steps just listed result in a GPO that authoritatively manages the Administrators group. When a computer applies this GPO, it adds all members specified by the GPO and removes all members not specified by the GPO, including Domain Admins. Only the local Administrator account is not removed from the Administrators group, because Administrator is a permanent and nonremovable member of Administrators.

If you use both Members and Member Of restricted groups policies, the highest-priority Members policy setting sets the authoritative baseline membership for the group, and then the cumulative memberships of Member Of policies augment that baseline. This complex interaction of the two policy settings is not something that you are likely to encounter on an exam, but you might see it in a production environment. Therefore, in your enterprise, be careful to design and test your restricted groups policies to ensure that they achieve the desired result.
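The interaction described above, between cumulative Member Of settings and an authoritative Members setting, can be modeled offline before a GPO is linked. The following is an added example, not code from the original page or from Microsoft; it reads the `[Group Membership]` section that restricted groups policies write to a GPO's `GptTmpl.inf` security template, and the sample templates, the `LOCKDOWN` GPO and the function names are constructed for illustration.

```python
# Added example: models the precedence rules described above; not Microsoft code.
ADMIN_NAMES = {"administrators", "s-1-5-32-544"}  # group name or well-known SID
BUILTIN_ADMIN = "Administrator"                   # permanent member, never removed

def parse_group_membership(inf_text):
    """Parse [Group Membership] into ({group: members}, {group: parents})."""
    members, member_of, in_section = {}, {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().lstrip("*").rpartition("__")
        names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        if kind.lower() == "members":
            members[group] = names
        elif kind.lower() == "memberof":
            member_of[group] = names
    return members, member_of

def effective_admins(gpos_low_to_high, current_members):
    """Resulting local Administrators membership after the GPOs apply."""
    baseline, additions = None, set()
    for inf_text in gpos_low_to_high:
        members, member_of = parse_group_membership(inf_text)
        for group, names in members.items():
            if group.lower() in ADMIN_NAMES:
                baseline = names        # highest-priority Members setting wins
        for group, parents in member_of.items():
            if any(p.lower() in ADMIN_NAMES for p in parents):
                additions.add(group)    # Member Of settings are cumulative
    result = set(current_members) if baseline is None else set(baseline)
    return result | additions | {BUILTIN_ADMIN}

# Constructed sample templates (real files may use *SID notation instead of names).
HELP_DESK = r"""[Group Membership]
CONTOSO\Help Desk__Memberof = Administrators
"""
NYC = r"""[Group Membership]
CONTOSO\NYC Support__Memberof = Administrators
"""
LOCKDOWN = r"""[Group Membership]
Administrators__Members = CONTOSO\Help Desk
"""  # hypothetical GPO that uses the Members setting

if __name__ == "__main__":
    start = {"Administrator", r"CONTOSO\Domain Admins"}
    print(sorted(effective_admins([HELP_DESK, NYC], start)))
    print(sorted(effective_admins([LOCKDOWN, NYC], start)))
```

With only Member Of policies, Domain Admins stays in the result; once a Members policy is in scope, Domain Admins drops out and only the listed group, the Member Of additions and the local Administrator account remain.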

Defining Group Membership with Group Policy Preferences

You can also use Group Policy Preferences to define the membership of groups. Local Group preferences are available in both Computer Configuration and User Configuration. The settings for a Local Group preference are shown in Figure 5.

Figure 5. Configuring a Local Group preference

The three options related to “current user” are available only in the Local Group preference in User Configuration, not in Computer Configuration.

You can create, delete, replace, or modify (update) a local group. As you can see in the previous screen shot, you can rename the group, change its description, or make modifications to the group’s membership.

Local Group preferences cannot remove members from a group if those members were added to a group by using a restricted groups policy setting. Additionally, if a restricted groups policy setting uses the Members method to define the authoritative membership of a group, preferences can neither add nor remove members.

The interactions between Members restricted groups policy settings, Member Of restricted groups policy settings, Local Group preferences scoped as computer settings, and Local Group preferences scoped as user settings can be complex and difficult to understand. Be sure to thoroughly test the results if you choose to implement multiple methods of managing group membership with Group Policy.

Practice Delegating the Support of Computers

In this practice, you use Group Policy to delegate the membership of the Administrators group. You first create a GPO with a restricted groups policy setting that ensures that the Help Desk group is a member of the Administrators group on all client systems. You then create a GPO that adds the NYC Support group to Administrators on clients in the NYC OU. Finally, you confirm that in the NYC OU, both the Help Desk and NYC Support groups are administrators.

To perform this practice, you need the following objects in the contoso.com domain:

  • A first-level OU named Admins

  • A global security group named Help Desk in the Admins OU

  • A global security group named NYC Support in the Admins OU

  • A first-level OU named Clients

  • An OU named NYC in the Clients OU

  • A computer object named DESKTOP101 in the NYC OU

If you have performed practices in earlier lessons, some of these objects might already exist in other OUs, in which case you can move the object to the OU specified above.

EXERCISE 1 Delegate the Administration of All Clients in the Domain

In this exercise, you create a GPO with a restricted groups policy setting that ensures that the Help Desk group is a member of the Administrators group on all client systems.

  1. Open Group Policy Management, and then expand Forest\Domains\contoso.com. Click the Group Policy Objects container in the console tree.

  2. Right-click the Group Policy Objects container and click New.

  3. In the Name box, type Corporate Help Desk and click OK.

  4. Right-click the GPO and click Edit.

  5. In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.

  6. Right-click Restricted Groups and click Add Group.

  7. Click Browse and, in the Select Groups dialog box, type CONTOSO\Help Desk and click OK.

  8. Click OK to close the Add Group dialog box.

  9. Click Add next to the This Group Is A Member Of section.

  10. Type Administrators and click OK.

    The group policy setting properties should look like the left side of Figure 2.

  11. Click OK again to close the Properties dialog box.

  12. Close Group Policy Management Editor.

  13. In the Group Policy Management console, right-click the Clients OU and click Link An Existing GPO.

  14. Select the Corporate Help Desk GPO and click OK.

EXERCISE 2 Delegate the Administration of a Subset of Clients in the Domain

In this exercise, you create a GPO with a restricted groups policy setting that adds the NYC Support group to the Administrators group on all client systems in the NYC OU.

  1. In the Group Policy Management console, expand Forest\Domains\Contoso.com. Click the Group Policy Objects container in the console tree.

  2. Right-click the Group Policy Objects container and click New.

  3. In the Name box, type New York Support and click OK.

  4. Right-click the GPO and click Edit.

  5. Repeat steps 5–12 of Exercise 1, “Delegate the Administration of All Clients in the Domain,” but type CONTOSO\NYC Support as the group name in step 7.

  6. In the Group Policy Management console, expand the Clients OU, right-click the NYC OU, and then click Link An Existing GPO.

  7. Select the New York Support GPO and click OK.

EXERCISE 3 Confirm the Cumulative Application of Member Of Policies

You can use Group Policy Modeling to produce a report of the effective policies applied to a computer or user. In this exercise, you use Group Policy Modeling to confirm that a computer in the NYC OU includes both the Help Desk and NYC Support groups in its Administrators group.

  1. In the Group Policy Management console, expand Forest and click the Group Policy Modeling node.

  2. Right-click the Group Policy Modeling node and click Group Policy Modeling Wizard.

  3. Click Next.

  4. On the Domain Controller Selection page, click Next.

  5. On the User And Computer Selection page, in the Computer Information section, click Browse.

  6. Expand the domain and the Clients OU, and then click the NYC OU.

  7. Click OK.

  8. Select the Skip To The Final Page Of This Wizard Without Collecting Additional Data check box.

  9. Click Next.

  10. On the Summary Of Selections page, click Next.

  11. Click Finish.

    The Group Policy Modeling report appears.

    If an Internet Explorer warning appears, it is because Internet Explorer Enhanced Security Configuration (IE ESC) is enabled. Open Server Manager. In the Security Information section, click the Configure IE ESC link. In the Administrators section, click Off. In the Users section, click Off. Click OK. Close Server Manager. In the GPME, click Close to close the Internet Explorer warning. If you continue to receive warnings, close and re-open Group Policy Management, and then repeat steps 1–11.

  12. On the Settings tab, click Security Settings.

  13. Click Restricted Groups.

    You should see both the Help Desk and NYC Support groups listed. Restricted groups policies using the This Group Is A Member Of setting are cumulative. Notice that the report does not specify that the listed groups are members of the Administrators group. The omission of the Member Of column is a limitation of the report.

OPTIONAL EXERCISE 4 Confirm the Membership of the Administrators Group

If your test environment includes a client computer that is a member of the contoso.com domain, move the computer object in Active Directory to the NYC OU. Restart the computer, log on as the domain’s Administrator, and then open the Computer Management console. In Computer Management, expand the Local Users And Groups node and, in the Groups folder, open the Administrators group. You should see the following members listed:

  • CONTOSO\Help Desk, applied by the Corporate Help Desk GPO

  • CONTOSO\NYC Support, applied by the New York Support GPO

  • Domain Admins, made a member of Administrators when the computer joined the domain

  • The local Administrator account, a default member that cannot be removed
