Adding a computer to a security group

Anonymous
January 20, 2005 12:29:18 AM

Archived from groups: microsoft.public.win2000.active_directory

I added a computer to a security group.
When I run gpresult, the computer isn't part of the security group.

I know when you add a user to a security group you need to log off and log
back on for the changes to take effect.
When do these changes take effect for a computer? Do I need to reboot?
Anonymous
January 20, 2005 2:12:38 AM

Does the computer account object reside directly in the OU to which the GPO
was linked? When you create an OU and link a GPO to it only those account
objects that DIRECTLY reside in that OU fall under the Scope of Management
of that GPO. So, if you have an OU and there are 13 user account objects
and one security group ( with all 13 of those user account objects and the
one computer account object being a member of the security group ) only
those 13 user account objects will get the GPO. You would have to move the
computer account object directly into that OU....

Does this answer your question?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
Anonymous
January 20, 2005 2:12:39 AM

Yes the computer and the security group are both under the same OU.
Anonymous
January 20, 2005 2:36:23 AM

Did the machine reboot afterwards?

Security groups are not recalculated until the
"object" logs on again.

We are in the habit of noticing this for Users,
but it is true for Computers (must be) as well,
and the computer logs itself on when it boots.

--
Herb Martin
Anonymous
January 20, 2005 2:47:27 AM

But does the computer account object reside directly in the OU? Meaning, if
you click on the OU in the left pane of the ADUC what do you see in the
right pane? The user account objects, the computer account object(s) and
the security group, right?

And if you open up the security group you will see the computer account
object(s)?

Just out of curiosity, why is the security group located in this OU? There
is nothing incorrect with this, I am just curious! And, have you rebooted
the computer? Users need to log off....right?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
Anonymous
January 20, 2005 2:50:01 AM

Yes, a computer added to a group must be rebooted to get the new security token.
Computers logon like users do when they boot up.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


January 20, 2005 2:58:05 PM

Hi Cary,

I'm still trying to get the Loopback working.

The computer account isn't directly under the PrimaryOU, it's buried about 3
OUs down.

PrimaryOU->LocationOU->ComputersOU->DeptOU->MyComputer

The default domain policy is being applied at the PrimaryOU.

At the LocationOU there is a NoGPO Policy which is the loopback.

Under the LocationOU I've created a group called NoGPO. The reason for the
security group is I have several computers across multiple departments that
I want to prevent the default domain policy from being applied. I've changed
the permissions on the NoGPO Policy and added the NoGPO group with
Read/Apply permissions. The computer is now showing that it is part of the
NoGPO group however the NoGPO Policy isn't running against the computer.
Any ideas or am I doing this completely wrong????
Anonymous
January 20, 2005 4:13:09 PM

"EC" <X@x.x> wrote in message news:eBsgOnx$EHA.3504@TK2MSFTNGP12.phx.gbl...
> Hi Cary,
>
> I'm still trying to get the Loopback working.

Are you really using Loopback? That actually
affects USERS (but based on the location of the
computer they are currently USING -- logged on
from.)

> The computer account isn't directly under the PrimaryOU, it's buried about 3
> OUs down.
>
> PrimaryOU->LocationOU->ComputersOU->DeptOU->MyComputer
>
> The default domain policy is being applied at the PrimaryOU.

That sounds wrong since the Default Domain policy is normally
linked to the DOMAIN, not to an OU.

> At the LocationOU there is a NoGPO Policy which is the loopback.

Huh?

What does NoGPO have to do specifically with "loopback"?

> Under the LocationOU I've created a group called NoGPO. The reason for the
> security group is I have several computers across multiple departments that
> I want to prevent the default domain policy from being applied.

Ok, if that is REALLY what you need.

> I've changed
> the permissions on the NoGPO Policy and added the NoGPO group with
> Read/Apply permissions.

Why not just DENY that group (NoGPO) permissions
on all undesired GPOs?

> The computer is now showing that it is part of the
> NoGPO group however the NoGPO Policy isn't running against the computer.
> Any ideas or am I doing this completely wrong????

If you have given that group Read and Apply it should
be applied if it is linked to the Computers container
or parents, barring "block inheritance" and "disable" settings.

Did you allow it to replicate OR are you sure the same
DC is being used for authentication?


--
Herb Martin


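The scoping rules raised in the replies above (a GPO reaches an object through the OU path it sits in, not through its group memberships; the group only filters via Read/Apply or Deny; the computer's group list is fixed at boot) can be checked with a small model. This is an added example, not code from any poster or from Microsoft, and it is a simplification: enforced links, WMI filters and loopback are not modelled, the sample data is constructed from the names in the thread, and `OtherOU` is a hypothetical OU.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    allow_apply: set                                  # groups with Read + Apply Group Policy
    deny_apply: set = field(default_factory=set)      # groups explicitly denied

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)         # (GPO, link_enabled) pairs
    block_inheritance: bool = False

def applicable_gpos(path, token_groups):
    """Return GPO names that apply, in processing order (domain first).

    path         -- containers from the domain down to the OU holding the object
    token_groups -- groups in the token built at the last boot (computer) or logon (user)
    """
    # Block inheritance on a container discards links from every container above it.
    start = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    applied = []
    for container in path[start:]:
        for gpo, link_enabled in container.links:
            if not link_enabled:
                continue                              # disabled link is skipped
            if gpo.deny_apply & token_groups:
                continue                              # explicit Deny beats any Allow
            if gpo.allow_apply & token_groups:
                applied.append(gpo.name)
    return applied

def run_scenario(deny_nogpo_on_default=False):
    """Constructed sample data using the OU and group names from the thread."""
    default = GPO("Default Domain Policy", {"Authenticated Users"},
                  {"NoGPO"} if deny_nogpo_on_default else set())
    nogpo = GPO("NoGPO Policy", {"NoGPO"})            # security-filtered to the group
    domain = Container("Domain", [(default, True)])
    location = Container("LocationOU", [(nogpo, True)])
    path = [domain, Container("PrimaryOU"), location,
            Container("ComputersOU"), Container("DeptOU")]
    other_path = [domain, Container("OtherOU")]       # hypothetical OU outside LocationOU

    token_before_reboot = {"Authenticated Users", "Domain Computers"}
    token_after_reboot = token_before_reboot | {"NoGPO"}
    return {
        "before_reboot": applicable_gpos(path, token_before_reboot),
        "after_reboot": applicable_gpos(path, token_after_reboot),
        "member_outside_ou": applicable_gpos(other_path, token_after_reboot),
    }

if __name__ == "__main__":
    for deny in (False, True):
        print("Deny on Default Domain Policy:", deny)
        for case, gpos in run_scenario(deny).items():
            print(f"  {case:18} -> {gpos}")
```

With the Deny entry in place, a group member outside LocationOU ends up with no policy from either GPO, which is the case to look for when auditing who is in such an exemption group.
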
Anonymous
January 21, 2005 2:43:05 AM

Yes, I'm trying to prevent user policies from being applied to specific
computers.
Anonymous
January 21, 2005 5:11:28 AM

Eddie,

Again, from what you just wrote this is a loopback in replace mode
situation.....

So long as a user logs on to a system that is under the Scope of Management
of the loopback GPO - so long as it is in Replace Mode - then that user's
policies ( as defined by any GPOs that are linked to the OU in which that
user account object directly resides ) will not be processed!

What exactly have you done / not done?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
Anonymous
January 21, 2005 1:07:46 PM

"Eddie Clark" <eddie@coolclark.com> wrote in message
news:e9HXLx3$EHA.1452@TK2MSFTNGP11.phx.gbl...
> Yes, I'm trying to prevent user policies from being applied to specific
> computers.
>

User policies are not applied to Computers.

If you are trying to prevent User policies from
being applied to (any) users when AT a particular
Computer you might try LoopBack-Replace mode
processing.

--
Herb Martin

