By default the domain has a “Computers” container; inside it you can find all the computers joined to your domain. If you try to apply a Group Policy to “Computers”, it does not appear in the Group Policy tree (it is a container, not an Organizational Unit, and GPOs can only be linked to sites, domains and Organizational Units). So, to apply a Group Policy to one computer or to all the computers in your domain, you need to create a new Organizational Unit that contains all the computers. I also suggest creating another Organizational Unit that contains all the servers of your domain, because by default the servers sit in the same “Computers” container.
The Domain Controller servers are in the “Domain Controllers” Organizational Unit. Be careful: do not move that server or those servers.
In this example I created:
· “Domain name _Computers” Organizational Unit
· “Domain name _Servers” Organizational Unit
· “Local Admins” Group
· “IT Test” User
Create the new Organizational Units:
1. Press the “Win + R” keys at the same time; in the “Run” window that opens, type “dsa.msc”.
2. In the “Active Directory Users and Computers” window, right-click the “Domain Name”, select “New”, then click “Organizational Unit”.
3. In the “New Object – Organizational Unit” window, type the name of the new Organizational Unit, e.g. (Domain name _Computers), then click “OK” to save it.
4. Expand your Active Directory domain and click the “Computers” container.
5. In the right panel you see all the computers and servers in your domain. Select the computers to which you want to apply the Group Policy. *** Do not select the servers.
6. After you have selected the computers, right-click your selection and click “Move…”.
7. In the “Move” window, select the Organizational Unit to which you want to move the selected computers, in my example (Domain name _Computers), then click “OK”.
8. Now your computers are in (Domain name _Computers).
9. Repeat steps 2 to 7 to create another Organizational Unit for your servers. Use another name, e.g. (Domain name _Servers).
Now you have the servers and the computers in different Organizational Units.
Create a New Group:
1. In the “Active Directory Users and Computers” window, right-click the “Users” container, select “New”, then click “Group”.
2. In “New Object – Group”, type the name of the new group, e.g. (Local Admins), then click “OK”.
The new group is created.
Create a New User:
1. In the “Active Directory Users and Computers” window, right-click the “Domain Users” Organizational Unit, select “New”, then click “User”.
2. In “New Object – User”, type the name of the new user, e.g. (IT Test), fill in all the required information and click “Next”.
3. In the next window type the password, uncheck “User must change password at next logon” and check “Password never expires”.
4. In the next window click “OK” to close the windows.
Add a user to the Local Admins group:
1. Right-click the newly created user (IT Test), then click to open “Properties”.
2. In the “Properties” window, click the “Member Of” tab, then click the “Add” button.
3. In the “Select Groups” window, type the group you want to add, in this example (Local Admins).
4. Click “OK” to select it, and click “OK” again to finish.
Now you are ready to apply Group Policy to the Organizational Units created above.
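Before linking any GPO, it is worth confirming that the OU split is really complete. The following PowerShell check is an added example, not part of the original tutorial; it assumes the ActiveDirectory RSAT module is installed and uses the OU names from this tutorial (adjust them if you chose different names).

```powershell
# Added check (not part of the original tutorial). Run it where the
# ActiveDirectory RSAT module is installed, after the moves above, to confirm
# the OU split is complete. The OU names below are the tutorial's; adjust them
# if you used different names.
param(
    [string]$WorkstationOu = 'Domain name _Computers',
    [string]$ServerOu      = 'Domain name _Servers'
)
Import-Module ActiveDirectory
$domain = Get-ADDomain
$wsDn   = "OU=$WorkstationOu,$($domain.DistinguishedName)"
$srvDn  = "OU=$ServerOu,$($domain.DistinguishedName)"

# 1. The default "Computers" container should be empty now: a computer left
#    there is reached by no OU-linked GPO at all.
$leftBehind = Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel

# 2. No machine running a Server OS belongs in the workstation OU, because the
#    Restricted Groups GPO linked there will make "Local Admins" administrators.
$serversInWsOu = Get-ADComputer -Filter * -SearchBase $wsDn -Properties operatingSystem |
    Where-Object { $_.operatingSystem -like '*Server*' }

# 3. Conversely, a workstation OS in the server OU gets the deny-logon GPO
#    instead of the local-admin GPO.
$wsInSrvOu = Get-ADComputer -Filter * -SearchBase $srvDn -Properties operatingSystem |
    Where-Object { $_.operatingSystem -and $_.operatingSystem -notlike '*Server*' }

# 4. Domain controllers (primaryGroupID 516, read-only DCs 521) must stay in
#    the Domain Controllers OU; the tutorial warns not to move them.
$dcsMoved = Get-ADComputer -Filter 'primaryGroupID -eq 516 -or primaryGroupID -eq 521' |
    Where-Object { $_.DistinguishedName -notlike "*,$($domain.DomainControllersContainer)" }

# Measure-Object counts an empty result as 0 (unlike @($null).Count, which is 1).
[pscustomobject]@{
    'Left in default Computers container' = ($leftBehind    | Measure-Object).Count
    'Server OS inside workstation OU'     = ($serversInWsOu | Measure-Object).Count
    'Workstation OS inside server OU'     = ($wsInSrvOu     | Measure-Object).Count
    'Domain controllers outside DC OU'    = ($dcsMoved      | Measure-Object).Count
} | Format-List

# Every count should be 0; anything listed here still needs to be moved.
$offenders = @($leftBehind) + @($serversInWsOu) + @($wsInSrvOu) + @($dcsMoved) | Where-Object { $_ }
$offenders | Select-Object Name, DistinguishedName
```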
Adding a Domain Group (Local Admins) to the Local Administrators Group
1. Press the “Win + R” keys at the same time; in the “Run” window that opens, type “gpmc.msc”.
2. In the “Group Policy Management” window, expand Forest: Domain Name > Domains > Domain Name.
3. Right-click the (Domain name _Computers) Organizational Unit that I created above in this tutorial, and select “Create a GPO in this domain, and Link it here…”.
4. In the “New GPO” window, type the name of the new Group Policy that I want to apply, e.g. (Domain Name _ Local Admins GPO), then click “OK”.
5. Expand the (Domain name _Computers) Organizational Unit, right-click the new GPO and select “Edit…”.
6. In the “Group Policy Management Editor” window, expand Computer Configuration > Policies > Windows Settings > Security Settings.
7. Right-click “Restricted Groups” and select “Add Group…”.
8. In the “Add Group” window click the “Browse…” button and type the group to which you want to apply the policy, in this example (Local Admins).
9. Click the “Check Names” button, then click the “OK” button.
10. A new window opens. Under “This group is a member of:” click “Add”, type “Administrators”, then click “OK” to apply.
11. Close all open windows.
12. Press the “Win + R” keys at the same time; in the “Run” window that opens, type “powershell.exe”, then type “gpupdate /force”.
Now all the users inside the (Local Admins) group, in my example the (IT Test) user, are Local Administrators on the computers in the (Domain name _Computers) Organizational Unit.
But those users are now Local Administrators, and by default a Local Administrator can log on to the servers too, which is not good. We need to deny Local Administrators access to the servers.
Deny Local Administrators access to the Servers:
1. Press the “Win + R” keys at the same time; in the “Run” window that opens, type “gpmc.msc”.
2. In the “Group Policy Management” window, expand Forest: Domain Name > Domains > Domain Name.
3. Right-click the (Domain name _Servers) Organizational Unit that I created above in this tutorial, and select “Create a GPO in this domain, and Link it here…”.
4. In the “New GPO” window, type the name of the new Group Policy that I want to apply, e.g. (Deny Log On _Local Admins Group), then click “OK”.
5. Expand the (Domain name _Servers) Organizational Unit, right-click the new GPO and select “Edit…”.
6. In the “Group Policy Management Editor” window, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies.
7. Click “User Rights Assignment” and, in the right panel, double-click to open “Deny log on locally Properties”.
8. In the “Deny log on locally Properties” window, check “Define these policy settings:”, click “Add User or Group” and type the local administrator group that you created, in my example (Local Admins).
9. Click “OK” twice to apply.
10. Close all open windows.
11. Press the “Win + R” keys at the same time; in the “Run” window that opens, type “powershell.exe”, then type “gpupdate /force”.
Now the Local Administrators can log on to the users’ computers, but they cannot log on to the servers on the network. The Local Administrators are now restricted, but they can still log on to the Domain Controllers, so we need to create a GPO to restrict access to the Domain Controllers too.
Deny Local Administrators access to the Domain Controllers:
1. Press the “Win + R” keys at the same time; in the “Run” window that opens, type “gpmc.msc”.
2. In the “Group Policy Management” window, expand Forest: Domain Name > Domains > Domain Name.
3. Right-click the (Domain name) Organizational Unit and select “Create a GPO in this domain, and Link it here…”.
4. In the “New GPO” window, type the name of the new Group Policy that I want to apply, e.g. (Deny Log On _Local Admins Group), then click “OK”.
5. Right-click the new GPO and select “Edit…”.
6. In the “Group Policy Management Editor” window, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies.
7. Click “User Rights Assignment” and, in the right panel, double-click to open “Deny log on locally Properties”.
8. In the “Deny log on locally Properties” window, check “Define these policy settings:”, click “Add User or Group” and type the local administrator group that you created, in this example (Local Admins).
9. Click “OK” twice to apply.
10. Close all open windows.
11. Press the “Win + R” keys at the same time; in the “Run” window that opens, type “powershell.exe”, then type “gpupdate /force”.
Now the users in the Local Admins group log on as Local Administrators on all the computers on the network except the servers and the Domain Controllers.
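After “gpupdate /force”, the end state of both GPOs can be verified on each kind of machine. The script below is an added example, not from the original tutorial; it assumes the group is named “Local Admins” as above and Windows 10 / Server 2016 or later (for Get-LocalGroupMember). Note that “Deny log on locally” covers interactive console logons only; Remote Desktop is governed by the separate right “Deny log on through Remote Desktop Services”, which the script reports for information. On a workstation, a FAIL on the deny check usually means a deny GPO is linked above the workstation OU (for example at the domain root) and is being inherited.

```powershell
# Added verification script (not from the original tutorial). Run it in an
# elevated PowerShell on a domain-joined machine after "gpupdate /force".
# Assumption: the domain group is called "Local Admins", as in the tutorial.
param([string]$GroupName = 'Local Admins')

# Resolve the group to its SID; local policy may show either the name or SID.
$account  = New-Object System.Security.Principal.NTAccount($GroupName)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Role from Win32_OperatingSystem.ProductType: 1 workstation, 2 DC, 3 server.
$role = (Get-CimInstance Win32_OperatingSystem).ProductType

# Check 1: Restricted Groups in "This group is a member of: Administrators"
# mode adds the domain group to local Administrators and keeps existing members.
$isAdmin = $false
if ($role -ne 2) {   # a DC has no separate local Administrators group
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $isAdmin = [bool]($members | Where-Object { $_.SID.Value -eq $groupSid })
}

# Check 2: "Deny log on locally" is SeDenyInteractiveLogonRight in the exported
# security policy; SIDs there are prefixed with "*". The RDP right is separate.
function Get-RightHolders([string]$Right, [string]$Inf) {
    $line = Select-String -Path $Inf -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $line) { return @() }
    return ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
$inf = Join-Path $env:TEMP 'effective-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$deniedLocal = (Get-RightHolders 'SeDenyInteractiveLogonRight' $inf) -contains $groupSid
$deniedRdp   = (Get-RightHolders 'SeDenyRemoteInteractiveLogonRight' $inf) -contains $groupSid
Remove-Item $inf -ErrorAction SilentlyContinue

# Expected end state from the tutorial: admin only on workstations, denied on
# member servers and domain controllers. The RDP line is informational only.
$rows = @(
    [pscustomobject]@{ Check = 'Group in local Administrators'; Expected = ($role -eq 1); Actual = $isAdmin }
    [pscustomobject]@{ Check = 'Group denied "log on locally"'; Expected = ($role -ne 1); Actual = $deniedLocal }
    [pscustomobject]@{ Check = 'Group denied RDP logon (info)'; Expected = $null;          Actual = $deniedRdp }
)
$rows | Select-Object Check, Expected, Actual,
    @{ n = 'Result'; e = { if ($null -eq $_.Expected) { 'INFO' } elseif ($_.Expected -eq $_.Actual) { 'PASS' } else { 'FAIL' } } } |
    Format-Table -AutoSize
```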