Adding a computer to a security group

Thread starter: Eddie Clark

Eddie Clark

I added a computer to a security group.
When I run gpresult, the computer isn't part of the security group.

I know when you add a user to a security group you need to log off and log
back on for the changes to take effect.
When do these changes take effect for a computer? Do I need to reboot?
 
Does the computer account object reside directly in the OU to which the GPO
was linked? When you create an OU and link a GPO to it only those account
objects that DIRECTLY reside in that OU fall under the Scope of Management
of that GPO. So, if you have an OU and there are 13 user account objects
and one security group ( with all 13 of those user account objects and the
one computer account object being a member of the security group ) only
those 13 user account objects will get the GPO. You would have to move the
computer account object directly into that OU....

Does this answer your question?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
But does the computer account object reside directly in the OU? Meaning, if
you click on the OU in the left pane of the ADUC what do you see in the
right pane? The user account objects, the computer account object(s) and
the security group, right?

And if you open up the security group you will see the computer account
object(s)?

Just out of curiosity, why is the security group located in this OU? There
is nothing incorrect with this, I am just curious! And, have you rebooted
the computer? Users need to log off....right?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Yes, a computer added to a group must be rebooted to get the new security token.
Computers logon like users do when they boot up.

joe
 
Did the machine reboot afterwards?

Security groups are not recalculated until the
"object" logs on again.

We are in the habit of noticing this for Users,
but it is true for Computers (must be) as well,
and the computer logs itself on when it boots.
 
Hi Cary,

I'm still trying to get the Loopback working.

The computer account isn't directly under the PrimaryOU, it's buried about 3
OUs down.

PrimaryOU->LocationOU->ComputersOU->DeptOU->MyComputer

The default domain policy is being applied at the PrimaryOU.

At the LocationOU there is a NoGPO Policy which is the loopback.

Under the LocationOU I've created a group called NoGPO. The reason for the
security group is I have several computers across multiple departments that
I want to prevent the default domain policy from being applied. I've changed
the permissions on the NoGPO Policy and added the NoGPO group with
Read/Apply permissions. The computer is now showing that it is part of the
NoGPO group however the NoGPO Policy isn't running against the computer.
Any ideas or am I doing this completely wrong????
 
EC said:
> Hi Cary,
>
> I'm still trying to get the Loopback working.

Are you really using Loopback? That actually
affects USERS (but based on the location of the
computer they are currently USING -- logged on
from.)

> The computer account isn't directly under the PrimaryOU, it's buried about 3
> OUs down.
>
> PrimaryOU->LocationOU->ComputersOU->DeptOU->MyComputer
>
> The default domain policy is being applied at the PrimaryOU.

That sounds wrong since the Default Domain policy is normally
linked to the DOMAIN, not to an OU.

> At the LocationOU there is a NoGPO Policy which is the loopback.

Huh?

What does NoGPO have to do specifically with "loopback"?

> Under the LocationOU I've created a group called NoGPO. The reason for the
> security group is I have several computers across multiple departments that
> I want to prevent the default domain policy from being applied.

Ok, if that is REALLY what you need.

> I've changed
> the permissions on the NoGPO Policy and added the NoGPO group with
> Read/Apply permissions.

Why not just DENY that group (NoGPO) permissions
on all undesired GPOs?

> The computer is now showing that it is part of the
> NoGPO group however the NoGPO Policy isn't running against the computer.
> Any ideas or am I doing this completely wrong????

If you have given that group Read and Apply it should
be applied if it is linked to the Computers container
or parents, barring "block inheritance" and "disable" settings.

Did you allow it to replicate, OR are you sure the same
DC is being used for authentication?
 
Eddie,

Again, from what you just wrote this is a loopback in replace mode
situation.....

So long as a user logs on to a system that is under the Scope of Management
of the loopback GPO - so long as it is in Replace Mode - then that user's
policies ( as defined by any GPOs that are linked to the OU in which that
user account object directly resides ) will not be processed!

What exactly have you done / not done?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
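An added diagnostic (not code from any poster in this thread) that walks the checks raised above: the computer's membership in the filtering group as AD sees it, the group's Read/Apply permission on the GPO, the link and any blocked inheritance between the link OU and the computer, whether loopback is actually set in that GPO, and on the computer itself the token groups gpresult sees and the DC it authenticated to. It assumes the RSAT ActiveDirectory and GroupPolicy modules on an admin workstation; the computer, group, GPO and OU names are placeholders taken from the thread.

```powershell
# Added diagnostic for the situation in this thread (not code from any poster).
# Assumes the RSAT ActiveDirectory and GroupPolicy modules on an admin workstation.
# Names below are placeholders from the thread; adjust to the real domain.
param(
    [string]$Computer = 'MyComputer',
    [string]$Group    = 'NoGPO',
    [string]$GpoName  = 'NoGPO Policy',
    [string]$LinkOU   = 'OU=LocationOU,OU=PrimaryOU,DC=example,DC=com'
)
Import-Module ActiveDirectory, GroupPolicy

# 1. Is the computer account a member of the group in AD (directly or nested)?
$member = Get-ADGroupMember -Identity $Group -Recursive |
          Where-Object { $_.objectClass -eq 'computer' -and $_.name -eq $Computer }
"AD says $Computer is in ${Group}: $([bool]$member)"

# 2. Security filtering: the group needs GpoApply (= Read + Apply Group Policy).
$perm = Get-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
                         -ErrorAction SilentlyContinue
"Permission for $Group on '$GpoName': $(if ($perm) { $perm.Permission } else { 'none' })"

# 3. Is the GPO linked at the OU and is the link enabled? Also show whether any
#    OU below the link blocks inheritance on the way down to the computer.
$link = (Get-GPInheritance -Target $LinkOU).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
"Linked at ${LinkOU}: $([bool]$link)  Enabled: $($link.Enabled)"
Get-ADOrganizationalUnit -SearchBase $LinkOU -Filter * |
    ForEach-Object { "$($_.DistinguishedName) blocks inheritance: " +
                     (Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked }

# 4. Loopback is a computer-side setting stored in the GPO's registry policy:
#    UserPolicyMode 1 = Merge, 2 = Replace, absent = loopback not configured.
$lb = Get-GPRegistryValue -Name $GpoName -ValueName 'UserPolicyMode' `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
"Loopback UserPolicyMode: $(if ($lb) { $lb.Value } else { 'not configured' })"

# 5. On the computer itself: its token (the groups gpresult lists) is built when it
#    logs on at boot, so a membership added since the last reboot is missing until
#    it restarts. Also show which DC it authenticated against (replication check).
Invoke-Command -ComputerName $Computer -ScriptBlock {
    nltest /sc_query:$env:USERDOMAIN | Select-String 'Trusted DC Name'
    gpresult /r /scope:computer |
        Select-String -Pattern 'computer is a part of the following' -Context 0, 10
}
```

If step 1 says the computer is a member but step 5 does not list the group, the computer simply has not rebooted (or is talking to a DC that has not yet received the change), which is the point joe and Cary make above.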
 
Eddie Clark said:
> Yes, I'm trying to prevent user policies from being applied to specific
> computers.

User policies are not applied to Computers.

If you are trying to prevent User policies from
being applied to (any) users when AT a particular
Computer you might try LoopBack-Replace mode
processing.
 