Adding a computer to a security group

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I added a computer to a security group.
When I run gpresult, the computer isn't part of the security group.

I know when you add a user to a security group you need to log off and log
back on for the changes to take affect.
When do these changes take effect for a computer? Do I need to reboot?
10 answers Last reply
More about adding computer security group
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Does the computer account object reside directly in the OU to which the GPO
    was linked? When you create an OU and link a GPO to it only those account
    objects that DIRECTLY reside in that OU fall under the Scope of Management
    of that GPO. So, if you have an OU and there are 13 user account objects
    and one security group ( with all 13 of those user account objects and the
    one computer account object being a member of the security group ) only
    those 13 user account objects will get the GPO. You would have to move the
    computer account object directly into that OU....

    Does this answer your question?

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Eddie Clark" <eddie@coolclark.com> wrote in message
    news:%23PIptBq$EHA.2156@TK2MSFTNGP10.phx.gbl...
    >I added a computer to a security group.
    > When I run gpresult, the computer isn't part of the security group.
    >
    > I know when you add a user to a security group you need to log off and log
    > back on for the changes to take affect.
    > When do these changes take effect for a computer? Do I need to reboot?
    >
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Yes the computer and the security group are both under the same OU.


    "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    news:uC%239IZq$EHA.3708@TK2MSFTNGP14.phx.gbl...
    > Does the computer account object reside directly in the OU to which the
    > GPO was linked? When you create an OU and link a GPO to it only those
    > account objects that DIRECTLY reside in that OU fall under the Scope of
    > Management of that GPO. So, if you have an OU and there are 13 user
    > account objects and one security group ( with all 13 of those user account
    > objects and the one computer account object being a member of the security
    > group ) only those 13 user account objects will get the GPO. You would
    > have to move the computer account object directly into that OU....
    >
    > Does this answer your question?
    >
    > --
    > Cary W. Shultz
    > Roanoke, VA 24014
    > Microsoft Active Directory MVP
    >
    > http://www.activedirectory-win2000.com
    > http://www.grouppolicy-win2000.com
    >
    >
    >
    > "Eddie Clark" <eddie@coolclark.com> wrote in message
    > news:%23PIptBq$EHA.2156@TK2MSFTNGP10.phx.gbl...
    >>I added a computer to a security group.
    >> When I run gpresult, the computer isn't part of the security group.
    >>
    >> I know when you add a user to a security group you need to log off and
    >> log back on for the changes to take affect.
    >> When do these changes take effect for a computer? Do I need to reboot?
    >>
    >
    >
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Did the machine reboot afterwards?

    Security groups are not recalculated until the
    "object" logs on again.

    We are in the habit of noticing this for Users,
    but it is true for Computers (must be) as well,
    and the computer logs itself on when it boots.

    --
    Herb Martin


    "Eddie Clark" <eddie@coolclark.com> wrote in message
    news:uPtC8kq$EHA.612@TK2MSFTNGP09.phx.gbl...
    > Yes the computer and the security group are both under the same OU.
    >
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:uC%239IZq$EHA.3708@TK2MSFTNGP14.phx.gbl...
    > > Does the computer account object reside directly in the OU to which the
    > > GPO was linked? When you create an OU and link a GPO to it only those
    > > account objects that DIRECTLY reside in that OU fall under the Scope of
    > > Management of that GPO. So, if you have an OU and there are 13 user
    > > account objects and one security group ( with all 13 of those user
    account
    > > objects and the one computer account object being a member of the
    security
    > > group ) only those 13 user account objects will get the GPO. You would
    > > have to move the computer account object directly into that OU....
    > >
    > > Does this answer your question?
    > >
    > > --
    > > Cary W. Shultz
    > > Roanoke, VA 24014
    > > Microsoft Active Directory MVP
    > >
    > > http://www.activedirectory-win2000.com
    > > http://www.grouppolicy-win2000.com
    > >
    > >
    > >
    > > "Eddie Clark" <eddie@coolclark.com> wrote in message
    > > news:%23PIptBq$EHA.2156@TK2MSFTNGP10.phx.gbl...
    > >>I added a computer to a security group.
    > >> When I run gpresult, the computer isn't part of the security group.
    > >>
    > >> I know when you add a user to a security group you need to log off and
    > >> log back on for the changes to take affect.
    > >> When do these changes take effect for a computer? Do I need to reboot?
    > >>
    > >
    > >
    >
    >
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    But does the computer account object reside directly in the OU? Meaning, if
    you click on the OU in the left pane of the ADUC what do you see in the
    right pane? The user account objects, the computer account object(s) and
    the security group, right?

    And if you open up the security group you will see the computer account
    object(s)?

    Just out of curiosity, why is the security group located in this OU? There
    is nothing incorrect with this, I am just curious! And, have you rebooted
    the computer? Users need to log of....right?

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Eddie Clark" <eddie@coolclark.com> wrote in message
    news:uPtC8kq$EHA.612@TK2MSFTNGP09.phx.gbl...
    > Yes the computer and the security group are both under the same OU.
    >
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:uC%239IZq$EHA.3708@TK2MSFTNGP14.phx.gbl...
    >> Does the computer account object reside directly in the OU to which the
    >> GPO was linked? When you create an OU and link a GPO to it only those
    >> account objects that DIRECTLY reside in that OU fall under the Scope of
    >> Management of that GPO. So, if you have an OU and there are 13 user
    >> account objects and one security group ( with all 13 of those user
    >> account objects and the one computer account object being a member of the
    >> security group ) only those 13 user account objects will get the GPO.
    >> You would have to move the computer account object directly into that
    >> OU....
    >>
    >> Does this answer your question?
    >>
    >> --
    >> Cary W. Shultz
    >> Roanoke, VA 24014
    >> Microsoft Active Directory MVP
    >>
    >> http://www.activedirectory-win2000.com
    >> http://www.grouppolicy-win2000.com
    >>
    >>
    >>
    >> "Eddie Clark" <eddie@coolclark.com> wrote in message
    >> news:%23PIptBq$EHA.2156@TK2MSFTNGP10.phx.gbl...
    >>>I added a computer to a security group.
    >>> When I run gpresult, the computer isn't part of the security group.
    >>>
    >>> I know when you add a user to a security group you need to log off and
    >>> log back on for the changes to take affect.
    >>> When do these changes take effect for a computer? Do I need to reboot?
    >>>
    >>
    >>
    >
    >
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Yes, a computer added to a group must be rebooted to get the new security token.
    Computers logon like users do when they boot up.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Eddie Clark wrote:
    > I added a computer to a security group.
    > When I run gpresult, the computer isn't part of the security group.
    >
    > I know when you add a user to a security group you need to log off and log
    > back on for the changes to take affect.
    > When do these changes take effect for a computer? Do I need to reboot?
    >
    >
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi Cary,

    I'm still trying to get the Loopback working.

    The computer account isn't directly under the PrimaryOU, it's buried about 3
    OUs down.

    PrimaryOU->LocationOU->ComputersOU->DeptOU->MyComputer

    The default domain policy is being applied at th PrimaryOU.

    At the LocationOU there is a NoGPO Policy which is the loopback.

    Under the LocationOU I've created a group called NoGPO. The reason for the
    security group is I have several computers across multiple departments that
    I want to prevent the default domain policy from being applied. I've change
    the permissions on the NoGPO Policy and added the NoGPO group with
    Read/Apply permissions. The computer is now showing that it is part of the
    NoGPO group however the NoGPO Policy isn't running against the computer.
    Any ideas or am I doing this completely wrong????


    "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    news:OsZolsq$EHA.3428@TK2MSFTNGP10.phx.gbl...
    > But does the computer account object reside directly in the OU? Meaning,
    > if you click on the OU in the left pane of the ADUC what do you see in the
    > right pane? The user account objects, the computer account object(s) and
    > the security group, right?
    >
    > And if you open up the security group you will see the computer account
    > object(s)?
    >
    > Just out of curiosity, why is the security group located in this OU?
    > There is nothing incorrect with this, I am just curious! And, have you
    > rebooted the computer? Users need to log of....right?
    >
    > --
    > Cary W. Shultz
    > Roanoke, VA 24014
    > Microsoft Active Directory MVP
    >
    > http://www.activedirectory-win2000.com
    > http://www.grouppolicy-win2000.com
  7. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "EC" <X@x.x> wrote in message news:eBsgOnx$EHA.3504@TK2MSFTNGP12.phx.gbl...
    > Hi Cary,
    >
    > I'm still trying to get the Loopback working.

    Are you really using Loopback? That actually
    affect USERS (but based on the location of the
    computer they are currently USING -- logged on
    from.)

    > The computer account isn't directly under the PrimaryOU, it's buried about
    3
    > OUs down.
    >
    > PrimaryOU->LocationOU->ComputersOU->DeptOU->MyComputer
    >
    > The default domain policy is being applied at th PrimaryOU.

    That sounds wrong since the Default Domain policy is normally
    linked to the DOMAIN, not to an OU.

    > At the LocationOU there is a NoGPO Policy which is the loopback.

    Huh?

    What does NoGPO have to do specifically with "loopback"?

    > Under the LocationOU I've created a group called NoGPO. The reason for
    the
    > security group is I have several computers across multiple departments
    that
    > I want to prevent the default domain policy from being applied.

    Ok, if that is REALLY what you need.

    > I've change
    > the permissions on the NoGPO Policy and added the NoGPO group with
    > Read/Apply permissions.

    Why not just DENY that group (NoGPO) permissions
    on all undesired GPOs?

    > The computer is now showing that it is part of the
    > NoGPO group however the NoGPO Policy isn't running against the computer.
    > Any ideas or am I doing this completely wrong????

    If you have given that group Read and Apply it should
    be applied if it is linked to the Computers container
    or parents, baring "block inheritance" and "disable" settings.

    Did you allow it to replicate OR are you sure the same
    DC is being used for authentication.


    --
    Herb Martin


    >
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:OsZolsq$EHA.3428@TK2MSFTNGP10.phx.gbl...
    > > But does the computer account object reside directly in the OU?
    Meaning,
    > > if you click on the OU in the left pane of the ADUC what do you see in
    the
    > > right pane? The user account objects, the computer account object(s)
    and
    > > the security group, right?
    > >
    > > And if you open up the security group you will see the computer account
    > > object(s)?
    > >
    > > Just out of curiosity, why is the security group located in this OU?
    > > There is nothing incorrect with this, I am just curious! And, have you
    > > rebooted the computer? Users need to log of....right?
    > >
    > > --
    > > Cary W. Shultz
    > > Roanoke, VA 24014
    > > Microsoft Active Directory MVP
    > >
    > > http://www.activedirectory-win2000.com
    > > http://www.grouppolicy-win2000.com
    >
    >
  8. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Yes, I'm trying to prevent user policies from being applied to specific
    computers.


    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:%23K31$Wy$EHA.2584@TK2MSFTNGP09.phx.gbl...
    > "EC" <X@x.x> wrote in message
    > news:eBsgOnx$EHA.3504@TK2MSFTNGP12.phx.gbl...
    >> Hi Cary,
    >>
    >> I'm still trying to get the Loopback working.
    >
    > Are you really using Loopback? That actually
    > affect USERS (but based on the location of the
    > computer they are currently USING -- logged on
    > from.)
    >
    >> The computer account isn't directly under the PrimaryOU, it's buried
    >> about
    > 3
    >> OUs down.
    >>
    >> PrimaryOU->LocationOU->ComputersOU->DeptOU->MyComputer
    >>
    >> The default domain policy is being applied at th PrimaryOU.
    >
    > That sounds wrong since the Default Domain policy is normally
    > linked to the DOMAIN, not to an OU.
    >
    >> At the LocationOU there is a NoGPO Policy which is the loopback.
    >
    > Huh?
    >
    > What does NoGPO have to do specifically with "loopback"?
    >
    >> Under the LocationOU I've created a group called NoGPO. The reason for
    > the
    >> security group is I have several computers across multiple departments
    > that
    >> I want to prevent the default domain policy from being applied.
    >
    > Ok, if that is REALLY what you need.
    >
    >> I've change
    >> the permissions on the NoGPO Policy and added the NoGPO group with
    >> Read/Apply permissions.
    >
    > Why not just DENY that group (NoGPO) permissions
    > on all undesired GPOs?
    >
    >> The computer is now showing that it is part of the
    >> NoGPO group however the NoGPO Policy isn't running against the computer.
    >> Any ideas or am I doing this completely wrong????
    >
    > If you have given that group Read and Apply it should
    > be applied if it is linked to the Computers container
    > or parents, baring "block inheritance" and "disable" settings.
    >
    > Did you allow it to replicate OR are you sure the same
    > DC is being used for authentication.
    >
    >
    > --
    > Herb Martin
    >
    >
    >>
    >>
    >> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    >> news:OsZolsq$EHA.3428@TK2MSFTNGP10.phx.gbl...
    >> > But does the computer account object reside directly in the OU?
    > Meaning,
    >> > if you click on the OU in the left pane of the ADUC what do you see in
    > the
    >> > right pane? The user account objects, the computer account object(s)
    > and
    >> > the security group, right?
    >> >
    >> > And if you open up the security group you will see the computer account
    >> > object(s)?
    >> >
    >> > Just out of curiosity, why is the security group located in this OU?
    >> > There is nothing incorrect with this, I am just curious! And, have you
    >> > rebooted the computer? Users need to log of....right?
    >> >
    >> > --
    >> > Cary W. Shultz
    >> > Roanoke, VA 24014
    >> > Microsoft Active Directory MVP
    >> >
    >> > http://www.activedirectory-win2000.com
    >> > http://www.grouppolicy-win2000.com
    >>
    >>
    >
    >
    >
  9. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Eddie,

    Again, from what you just wrote this is a loopback in replace mode
    situation.....

    So long as a user logs on to a system that is under the Scope of Management
    of the loopback GPO - so long as it is in Replace Mode - then that user's
    policies ( as defined by any GPOs that are linked to the OU in which that
    user account object directly resides ) will not be processed!

    What exactly have you done / not done?

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Eddie Clark" <eddie@coolclark.com> wrote in message
    news:e9HXLx3$EHA.1452@TK2MSFTNGP11.phx.gbl...
    > Yes, I'm trying to prevent user policies from being applied to specific
    > computers.
    >
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:%23K31$Wy$EHA.2584@TK2MSFTNGP09.phx.gbl...
    >> "EC" <X@x.x> wrote in message
    >> news:eBsgOnx$EHA.3504@TK2MSFTNGP12.phx.gbl...
    >>> Hi Cary,
    >>>
    >>> I'm still trying to get the Loopback working.
    >>
    >> Are you really using Loopback? That actually
    >> affect USERS (but based on the location of the
    >> computer they are currently USING -- logged on
    >> from.)
    >>
    >>> The computer account isn't directly under the PrimaryOU, it's buried
    >>> about
    >> 3
    >>> OUs down.
    >>>
    >>> PrimaryOU->LocationOU->ComputersOU->DeptOU->MyComputer
    >>>
    >>> The default domain policy is being applied at th PrimaryOU.
    >>
    >> That sounds wrong since the Default Domain policy is normally
    >> linked to the DOMAIN, not to an OU.
    >>
    >>> At the LocationOU there is a NoGPO Policy which is the loopback.
    >>
    >> Huh?
    >>
    >> What does NoGPO have to do specifically with "loopback"?
    >>
    >>> Under the LocationOU I've created a group called NoGPO. The reason for
    >> the
    >>> security group is I have several computers across multiple departments
    >> that
    >>> I want to prevent the default domain policy from being applied.
    >>
    >> Ok, if that is REALLY what you need.
    >>
    >>> I've change
    >>> the permissions on the NoGPO Policy and added the NoGPO group with
    >>> Read/Apply permissions.
    >>
    >> Why not just DENY that group (NoGPO) permissions
    >> on all undesired GPOs?
    >>
    >>> The computer is now showing that it is part of the
    >>> NoGPO group however the NoGPO Policy isn't running against the computer.
    >>> Any ideas or am I doing this completely wrong????
    >>
    >> If you have given that group Read and Apply it should
    >> be applied if it is linked to the Computers container
    >> or parents, baring "block inheritance" and "disable" settings.
    >>
    >> Did you allow it to replicate OR are you sure the same
    >> DC is being used for authentication.
    >>
    >>
    >> --
    >> Herb Martin
    >>
    >>
    >>>
    >>>
    >>> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    >>> news:OsZolsq$EHA.3428@TK2MSFTNGP10.phx.gbl...
    >>> > But does the computer account object reside directly in the OU?
    >> Meaning,
    >>> > if you click on the OU in the left pane of the ADUC what do you see in
    >> the
    >>> > right pane? The user account objects, the computer account object(s)
    >> and
    >>> > the security group, right?
    >>> >
    >>> > And if you open up the security group you will see the computer
    >>> > account
    >>> > object(s)?
    >>> >
    >>> > Just out of curiosity, why is the security group located in this OU?
    >>> > There is nothing incorrect with this, I am just curious! And, have
    >>> > you
    >>> > rebooted the computer? Users need to log of....right?
    >>> >
    >>> > --
    >>> > Cary W. Shultz
    >>> > Roanoke, VA 24014
    >>> > Microsoft Active Directory MVP
    >>> >
    >>> > http://www.activedirectory-win2000.com
    >>> > http://www.grouppolicy-win2000.com
    >>>
    >>>
    >>
    >>
    >>
    >
    >
  10. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Eddie Clark" <eddie@coolclark.com> wrote in message
    news:e9HXLx3$EHA.1452@TK2MSFTNGP11.phx.gbl...
    > Yes, I'm trying to prevent user policies from being applied to specific
    > computers.
    >

    User policies are not applied to Computers.

    If you are trying to prevent User policies from
    being applied to (any) users when AT a particular
    Computer you might try LoopBack-Replace mode
    processing.

    --
    Herb Martin


    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:%23K31$Wy$EHA.2584@TK2MSFTNGP09.phx.gbl...
    > > "EC" <X@x.x> wrote in message
    > > news:eBsgOnx$EHA.3504@TK2MSFTNGP12.phx.gbl...
    > >> Hi Cary,
    > >>
    > >> I'm still trying to get the Loopback working.
    > >
    > > Are you really using Loopback? That actually
    > > affect USERS (but based on the location of the
    > > computer they are currently USING -- logged on
    > > from.)
    > >
    > >> The computer account isn't directly under the PrimaryOU, it's buried
    > >> about
    > > 3
    > >> OUs down.
    > >>
    > >> PrimaryOU->LocationOU->ComputersOU->DeptOU->MyComputer
    > >>
    > >> The default domain policy is being applied at th PrimaryOU.
    > >
    > > That sounds wrong since the Default Domain policy is normally
    > > linked to the DOMAIN, not to an OU.
    > >
    > >> At the LocationOU there is a NoGPO Policy which is the loopback.
    > >
    > > Huh?
    > >
    > > What does NoGPO have to do specifically with "loopback"?
    > >
    > >> Under the LocationOU I've created a group called NoGPO. The reason for
    > > the
    > >> security group is I have several computers across multiple departments
    > > that
    > >> I want to prevent the default domain policy from being applied.
    > >
    > > Ok, if that is REALLY what you need.
    > >
    > >> I've change
    > >> the permissions on the NoGPO Policy and added the NoGPO group with
    > >> Read/Apply permissions.
    > >
    > > Why not just DENY that group (NoGPO) permissions
    > > on all undesired GPOs?
    > >
    > >> The computer is now showing that it is part of the
    > >> NoGPO group however the NoGPO Policy isn't running against the
    computer.
    > >> Any ideas or am I doing this completely wrong????
    > >
    > > If you have given that group Read and Apply it should
    > > be applied if it is linked to the Computers container
    > > or parents, baring "block inheritance" and "disable" settings.
    > >
    > > Did you allow it to replicate OR are you sure the same
    > > DC is being used for authentication.
    > >
    > >
    > > --
    > > Herb Martin
    > >
    > >
    > >>
    > >>
    > >> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > >> news:OsZolsq$EHA.3428@TK2MSFTNGP10.phx.gbl...
    > >> > But does the computer account object reside directly in the OU?
    > > Meaning,
    > >> > if you click on the OU in the left pane of the ADUC what do you see
    in
    > > the
    > >> > right pane? The user account objects, the computer account object(s)
    > > and
    > >> > the security group, right?
    > >> >
    > >> > And if you open up the security group you will see the computer
    account
    > >> > object(s)?
    > >> >
    > >> > Just out of curiosity, why is the security group located in this OU?
    > >> > There is nothing incorrect with this, I am just curious! And, have
    you
    > >> > rebooted the computer? Users need to log of....right?
    > >> >
    > >> > --
    > >> > Cary W. Shultz
    > >> > Roanoke, VA 24014
    > >> > Microsoft Active Directory MVP
    > >> >
    > >> > http://www.activedirectory-win2000.com
    > >> > http://www.grouppolicy-win2000.com
    > >>
    > >>
    > >
    > >
    > >
    >
    >
Ask a new question

Read More

Security Computers Active Directory Windows