Restricted Groups will not want to do what you want them.
Whether the user is in the local administrators group on a domain computer
should have no bearing on if user configuration Group Policy applies to the
user or not as long as the user is logging on as a domain user. The problem
is a if local administrator wants to and knows how to they could create a
local user on the computer to logon to the local computer in the domain and
then bypass domain user configuration Group Policy.
If Group Policy is not applying to a domain user that way you expect you can
use the support tool Gpresult to see what Group Policies are being applied
to the user and the last time they were applied to the domain user. For
Windows 2003 and XP Pro you can also use the Resultant Set of Policy mmc
snapin to get detailed information about what Group Policy settings apply to
a computer or user and from what Group Policy. You should also be using
Group Policy Management Console to manage Group Policy if you are not yet.
http://support.microsoft.com/default.aspx?scid=kb;en-us;323276 --- RSOP
link
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx --- GPMC
Try adding the domain user account to the power users group on the domain
computer to see if the application will work then. If it does you can then
modify permissions to folders and registry to make the application work as a
regular user. XP Pro has a security template called compatws.inf that will
change permissions on the computer where it is imported into via Local
Security Policy to give regular users the same permissions as the power
users group without the extra abilities of the power users such as creating
local users or creating shares.
If making the user a power user does not work then it can be more difficult
to impossible to get the application to work as a regular user. The first
place to start would be to contact the publisher of the software and ask
then what do I need to do to make your program work for a regular in the
operating system you have it installed on. Don't be surprised if you get the
run around but it is worth a try and imparting your disappointment if they
can not assist with the specific reasons why.
More advanced techniques to try to get an application to work for a regular
user would be to use free tools such as filemon and regmon from
SysInternals to track down "access denied" entries in the logs for filemon
and regmon when they are started with the runas command using administrator
credentials while logged on as a regular user tiring to run the application
then making permission adjustments and trying again in a trial and error
fashion. If the user lacks a user right then auditing privilege user for
failure only via Local Security Policy on the computer where the application
is trying to be run may show related failures in the security log for lack
of user rights. Having said all that it is sometimes not possible to get
some applications to run as a regular user because of the way the
application interacts with the operating system doing things that only a
administrator can do. --- Steve
Post by SherSteven,
OK I have not explained myself very well. The reason I was looking at
restricted groups was because I have a user who needs to use a program that
requires local administrator rights. I just am trying to make that program
work. I installed it and it will run under my administrator account but will
not run under the user account. (this program is a must to manage our phone
systems).
My goal is to give the user local administrator rights but still have the
user restricted by the group policies. In other words, an example is still
retricted from the run command, the start menu, and screensaver options and
not allowing saved data to the c: drive.
When I try to test it after giving local administrator rights, the user's
gp's are not applied.
Any suggestions on how to make this program work?
Thanks and sorry for all the posts.
Sher
Post by Steven L UmbachFirst off be sure to use Restricted Groups at the Organizational Unit level
and NOT at the domain level or you run the risk of adding users to the
administrators group for the domain. Then when you configure it at the OU
level the computer accounts that you want these users to be local
administrators on must be in the OU [or child OU] where you have the Group
Policy linked to. You will not be able to browse to a local
administrators
group. Simply type in administrators as the group name. From what you
describe you want to use the "member of" option for restricted groups. That
way you can add a global group to the administrators group without affecting
the current membership of the local administrators group on the computers
you want to enforce Restricted Groups assuming that you do not want to
strictly enforce membership of the local administrators group. I am not sure
what icon lock means offhand. When testing your Restricted Groups be sure
to reboot or use gpupdate to refresh computer configuration on your XP
computers as it can otherwise take up to two hours for changes in Group
Policy to propagate to domain computers. Hope some of this helps. --- Steve
Post by SherHi all,
2003 server using gp for windows xp workstations
My goal is to use restricted groups under gp to add several users to the
local workstation administrator group.
I have read several articles on how to do it but it is confusing to me.
can I use my current custom gp and just add the restricted group there or
will it override the other restrictions in the gp for the users that I
add
to
the restricted group?
Can you give me the steps to set this up. (when I tried the other articles
steps I couldn't browse to the local administrators group to add it as the
restriction point. In other words, I don't know how to tell the restricted
group to be related to the local admins group)
Also, under restricted gp the icon has a lock picture on it. What does this
mean?
Sorry, the restricted groups process hasn't clicked for me yet? I know I
could use this for other things also but just can't seem to understand the
process.
Thanks in advance for any help,
Sher