GPO Computer Setting for specific Computers and specific Group

Hi,

I have the following OU setup. We are a company with 200+ employees and are starting to integrate AD with policies.
Every employee group (workgroup) has its own computers. We are using Windows Server 2008.

OU Setup:

OU Computers
-- OU WorkgroupA
-- OU WorkgroupB

OU Users
-- OU WorkgroupA
-- OU WorkgroupB

OU Computers contains sub-OUs with computers in them.
OU Users contains sub-OUs with users and user groups in them.

So I created a Folder Redirection GPO and linked it to the main OU "OU Users"; Security Filtering is on the default "Authenticated Users". This is working fine. All users get the redirection rule on all PCs. (Only user-specific settings.)

Now I want to create a GPO which allows a specific group to have admin rights on their computers.
For example:

User "User1" from sub-OU "OU WorkgroupB" (under "OU Users") should be able to gain admin rights on computers located in sub-OU "OU WorkgroupB" (under "OU Computers").

So I thought about it and created the GPO with the admin rights and linked it to "OU WorkgroupB" under Computers. That doesn't work. I also tried to link it additionally to the OU Users.

I also tried to create a global security group containing "User1" and added this group under the Scope of the GPO.

How should I create this GPO?

I hope somebody can help me/us.


June 19th, 2015 5:39pm

You do not need to target users, but the computers' OU. A computer allows a user to gain access.

The only trouble is how you identify someone's computer. How do you know James owns computer Comp1? The only way I know how to do this is to make them admins on their machines when the machines are built.

June 19th, 2015 5:59pm

We want to have the following schema:

Group1 with all users in it should be able to gain admin rights on every computer in computer group 1. So if an employee in an office changes his seat to another workspace, he should be able to gain admin rights as well.
June 19th, 2015 6:07pm

Ok then, that is an easy setup (everyone is admin on every computer). Simply add Group1 to local Administrators and apply the GPO to the Computers OU.
June 19th, 2015 6:09pm

Hi

You need to configure "Loopback processing mode", and "merge".

Check the details in this article:

Loopback Processing Mode

http://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx

June 19th, 2015 6:22pm

Nosh is correct that you will link this GPO to an OU containing computers. You can set up your GPO a few ways - most people use Group Policy Restricted Groups. Here is a guide on setting that up:

http://deployhappiness.com/managing-restricted-groups-with-group-policy/

After you've configured it, remember to log the user out and log them back in (your computer will also need to do a gpupdate). A restart will do both items.


June 19th, 2015 6:23pm

I tried this, but the GPO is not applied, so no admin rights for my test user..

I have the following GPO:
Computer Configuration > Windows Settings > Security Settings > Restricted Groups > Added "Administrators" with Members: DOMAIN\Group1.

gpupdate on the test client gives an error that the new GPO cannot be found, with a path pointing to SYSVOL. But I can browse to this folder.

June 19th, 2015 6:24pm
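As an added example (not code from the thread), here is a PowerShell check a defender can run in an elevated console on the test client to see whether the Restricted Groups setting actually landed. It reads the local Administrators group through ADSI (which works on Windows 7 / PowerShell 2.0, where Get-LocalGroupMember does not exist) and lists the GPOs that the Security Settings client-side extension recorded under the Group Policy History registry key. The group name DOMAIN\Group1 is the one from the post; the history key path and the Security CSE GUID are standard Windows locations, everything else is the example's own naming.

```powershell
# Added example: verify a Restricted Groups GPO result on a Windows 7 test client.
# Run in an elevated PowerShell window on the client.

# The domain group the Restricted Groups setting should put into Administrators.
# "DOMAIN\Group1" is the name used in the post; replace with the real group.
$ExpectedMember = 'DOMAIN\Group1'

function Get-LocalAdministrators {
    # ADSI WinNT provider: works on Windows 7 / PowerShell 2.0,
    # where Get-LocalGroupMember is not available.
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/Group1 ; turn it into DOMAIN\Group1
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

function Get-AppliedComputerGpos {
    # Windows records every GPO each client-side extension (CSE) processed
    # under this key; Security Settings (Restricted Groups) is CSE
    # {827D319E-6EAC-11D2-A4EA-00C04F79F83A}.
    $history = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $secCse  = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
    $result  = @()
    $cseKey  = Join-Path $history $secCse
    if (Test-Path $cseKey) {
        foreach ($entry in Get-ChildItem $cseKey) {
            $p = Get-ItemProperty $entry.PSPath
            $result += New-Object PSObject -Property @{
                DisplayName = $p.DisplayName
                GPOName     = $p.GPOName       # GUID; matches the folder under SYSVOL\<domain>\Policies
                FileSysPath = $p.FileSysPath   # SYSVOL path the client actually used
            }
        }
    }
    return $result
}

$admins = @(Get-LocalAdministrators)
"Local Administrators on ${env:COMPUTERNAME}:"
$admins | ForEach-Object { "  $_" }

if ($admins -contains $ExpectedMember) {
    "OK: $ExpectedMember is a local administrator (Restricted Groups applied)."
} else {
    "MISSING: $ExpectedMember is not in Administrators. GPOs processed by the Security CSE:"
    $gpos = @(Get-AppliedComputerGpos)
    if ($gpos.Count -eq 0) {
        "  none - the computer side of Group Policy is not being processed at all;"
        "  check SYSVOL access as the computer account and Event ID 1058 in the System log."
    } else {
        $gpos | Format-Table DisplayName, GPOName, FileSysPath -AutoSize
    }
}
```

If the group is missing and the Security CSE history is empty, the problem is upstream of the Restricted Groups setting itself: no computer-side policy is being read, which is exactly the symptom the rest of the thread turns to.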

Hi

You need to configure "Loopback processing mode", and "merge".

Check the details in this article:

Loopback Processing Mode


So, do I simply have to enable this feature for all computers with a separate GPO?
June 19th, 2015 6:29pm

You can use any GPO that applies to this OU and add the feature to it. No need for separate GPOs.
June 19th, 2015 6:42pm

Okay, I added the feature, but still no admin rights...
June 19th, 2015 7:08pm

Did you log out and back in? Also do a "gpupdate /force". User settings are loaded at login.
June 19th, 2015 7:10pm

I restarted the client.

gpupdate /force gives an error that it can't find the loopback GPO..

The loopback GPO is linked to OU WorkgroupA under the main OU Computers.
June 19th, 2015 7:18pm

Ok, so you need to fix the GPO then.
June 19th, 2015 7:20pm

But how? I don't know how that error can be fixed..
June 19th, 2015 7:34pm

If you can show the configuration of the GPO, someone can make sense of it, but I am not sure we can without much to work with.

June 19th, 2015 7:37pm

So, which information do you need?

Output from gpresult /h as .html?
June 19th, 2015 7:44pm

Couple of things.

1. GPO Settings. How is this GPO configured

2. output from gpresult /h in .html?

3. Error message from gpupdate

4. Anything from log files that addresses the error

June 19th, 2015 7:46pm

Is it possible to contact you privately? Because I can't post links/screenshots here..

Thanks for your help!

June 19th, 2015 7:56pm

I am sorry, I am just trying to help. I don't work for Microsoft Support or anything. If I was not about to head home, I would be glad to do that, but I am heading home for the weekend. You can post screen shots by clicking this button, under your reply.

June 19th, 2015 7:58pm


Hi

Seems like Event ID 1058 errors;

please check this article:

http://social.technet.microsoft.com/wiki/contents/articles/1456.event-id-1058-group-policy-preprocessing-networking.aspx

And please run the command in a cmd started with "Run as administrator"; also reboot the computers which you already tested. And check the security filtering.

June 20th, 2015 11:43am

The strange thing is, all user-specific GPOs are applied. Only the computer-configuration GPOs aren't. Tested with different test VMs.

With the Domain Administrator account I didn't get an Access Denied error when trying gpresult /Scope Computer /v, but the GPO isn't applied..

Edit:
To verify it again, I tried to browse to the "failed" GPO; I can access it without problems.


  • Edited by Marcwa19197 Saturday, June 20, 2015 12:09 PM
June 20th, 2015 12:05pm

Double check the security filtering;

June 20th, 2015 12:16pm

Filtering is on "Authenticated Users", which should be all computers and all users, or not?

Edit:
Tried it with "Authenticated Users", "Domain Computers", and the "Group" of my test user. Nothing resolves the error.


  • Edited by Marcwa19197 Saturday, June 20, 2015 1:08 PM
June 20th, 2015 12:51pm

Here are more screenshots of our OU structure and GPO structure.

OU structure:

Every workgroup has its own OUs, separated by the main OUs "Computers" and "Users". In "Users" there are only sub-OUs with users and user groups, in "Computers" only sub-OUs with computers. (Here my Win7 test VM.)

GPO structure:

The only GPOs which are successfully applied are GPOs with user configurations. (You see here the Folder Redirection GPO, which works as it should.)

Over there you see the WSUS GPO, which is not applied (error from gpupdate shown in the posts below). If I delete the WSUS GPO link, the next error from gpupdate is exactly the error shown below (loopback GPO not loaded).

All of these GPOs use only computer configurations. So that is the problem I figured out: no GPO which contains computer configurations is applied. ("WSUS", "cad local Admin" nor "Loopback")

June 20th, 2015 1:35pm

I think this problem is not loopback-processing related, because every GPO containing computer configurations is not applied. If I only use user configurations in GPOs, all is working..
June 20th, 2015 1:50pm

I think this problem is not loopback-processing related, because every GPO containing computer configurations is not applied. If I only use user configurations in GPOs, all is working..

You don't need Loopback processing at all for your scenario. (the earlier suggestion about Loopback, is wrong)

The setting you are trying to use, is a Computer Configuration setting, so, loopback is not necessary:
Computer Configuration > Windows Settings > Security Settings > Restricted Groups

June 21st, 2015 12:10am

I think this problem is not loopback-processing related, because every GPO containing computer configurations is not applied. If I only use user configurations in GPOs, all is working..

Without some more detail, it's hard to confirm, but, it looks like your computers are having problems resolving/applying computer-targeted Domain GP.

Earlier, you mentioned:

gpupdate on the test client gives an error that the new GPO cannot be found, with a path pointing to SYSVOL. But I can browse to this folder.

This is abnormal. But, note that "you" can access it because "you" are logged in as "you". The computer does not log in as "you"; the computer logs in as "computer". Each domain computer has an account in the domain, and it is that computer account which is used to access the domain resources. Just as "UserDon" might not have access to a resource but "UserMarc" does have that access - it is also true that "CompDon" might have different access from "UserDon".

You should investigate and resolve why your computer accounts cannot access SYSVOL - until that problem is resolved, everything else is pointless.

June 21st, 2015 12:18am


Does the "Computer" use the SYSTEM account? Because the SYSTEM account doesn't have the right to "Apply group policy" if I check "Advanced" under the Delegation tab.

June 21st, 2015 9:16am

Here are some screenshots of the SYSVOL share permissions:

June 21st, 2015 12:17pm

So, if I understand right:
1. Computer Configuration policies should be applied if the computer is in the domain, even when a local user is logged in?
2. Which details do you need to debug this kind of failure?
3. How can I check if the computer can access SYSVOL? (Possible to try it with a local user account, if 1. is true?)

1. Yes
2. Check (elevated) gpresult /h, at the affected computer, for errors. You can also enable GP logging on the client computer; the steps vary, depending on the version of the OS on the client computer.

Troubleshooting Group Policy Using Event Logs
http://technet.microsoft.com/en-us/library/cc749336(v=ws.10).aspx

Group Policy Debug Log Settings
http://social.technet.microsoft.com/wiki/contents/articles/4506.group-policy-debug-log-settings.aspx

3. On the client computer, download PsExec from Microsoft.
Launch an elevated CMD console. Inside that CMD console, launch: psexec -s -i cmd
[this opens a new CMD console which is running as LocalSystem]
In this new CMD console, try to access SYSVOL or other network resources.

You should also check that the DNS settings etc. are correct, and look for related errors in the Windows event logs on the client computer.


June 21st, 2015 5:08pm
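The LocalSystem check above, carried through as an added PowerShell example (not code from the thread or from Sysinternals): start the console with `psexec -s -i cmd` as described, run `powershell.exe` inside it, and paste this script. It confirms the identity it runs as, asks nltest which DC the client finds, walks the SYSVOL path level by level down to the gpt.ini of one GPO, and pulls the most recent Group Policy 1030/1058 events from the System log. The `{GUID-FROM-ERROR}` value is a placeholder for the GPO GUID shown in the gpupdate error; the domain name is taken from the client's own configuration because LocalSystem has no USERDNSDOMAIN variable. Event IDs 1030 and 1058 and the provider name Microsoft-Windows-GroupPolicy are the standard Windows ones; the function names are the example's own.

```powershell
# Added example: SYSVOL / DC reachability check as the computer identity.
# Run inside the console opened by "psexec -s -i cmd", then "powershell.exe".
# Assumptions: $GpoGuid is pasted from the gpupdate error ("{GUID-FROM-ERROR}"
# is only a placeholder); the domain FQDN comes from the client's own config.

$GpoGuid = '{GUID-FROM-ERROR}'
$domain  = $env:USERDNSDOMAIN
if (-not $domain) {
    # LocalSystem has no USERDNSDOMAIN; read the domain the machine is joined to.
    $domain = (Get-WmiObject Win32_ComputerSystem).Domain
}

function Test-ComputerGpAccess {
    param([string]$Domain, [string]$GpoGuid)
    $r = New-Object PSObject -Property @{
        Identity    = (whoami)      # expect: nt authority\system
        Dc          = $null
        SysvolOk    = $false
        PoliciesOk  = $false
        GpoFolderOk = $false
        GptIniOk    = $false
    }
    # 1. Can the client locate a DC at all (DNS, site, secure channel)?
    $dcLine = nltest "/dsgetdc:$Domain" 2>&1 | Select-String '^\s*DC:' | Select-Object -First 1
    if ($dcLine) { $r.Dc = ($dcLine.Line -split ':', 2)[1].Trim() }

    # 2. Walk the SYSVOL path piece by piece so the failing level is obvious.
    $sysvol   = "\\$Domain\SYSVOL"
    $policies = "$sysvol\$Domain\Policies"
    $r.SysvolOk   = Test-Path $sysvol
    $r.PoliciesOk = Test-Path $policies
    if ($GpoGuid -and $GpoGuid -ne '{GUID-FROM-ERROR}') {
        $r.GpoFolderOk = Test-Path "$policies\$GpoGuid"
        # gpt.ini is the first file the client reads for any GPO; Event 1058 means it could not.
        $r.GptIniOk    = Test-Path "$policies\$GpoGuid\gpt.ini"
    }
    return $r
}

function Get-RecentGpErrors {
    # 1058 = could not read gpt.ini (the error this thread hits);
    # 1030 = could not query the GPO list from AD.
    Get-WinEvent -FilterHashtable @{ LogName      = 'System'
                                     ProviderName = 'Microsoft-Windows-GroupPolicy'
                                     Id           = 1030, 1058 } `
                 -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-ComputerGpAccess -Domain $domain -GpoGuid $GpoGuid | Format-List
Get-RecentGpErrors | Format-List
```

Read the result top down: if Identity is not NT AUTHORITY\SYSTEM the console was not started through psexec -s; if Dc is empty the problem is DC location (DNS or secure channel) rather than SYSVOL permissions; if SysvolOk is true but GptIniOk is false, the computer account lacks read access at the GPO folder level, which matches the "cannot be found" error the user sees while an interactive admin session can still browse the path.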

Does the "Computer" use the SYSTEM account? Because the SYSTEM account doesn't have the right to "Apply group policy" if I check "Advanced" under the Delegation tab.

SYSTEM = it depends on where you run this check.

SYSTEM is not the same as LocalSystem (because LocalSystem is a local account and no other computers can reference some other computer's LocalSystem, because it's local ;)

June 21st, 2015 5:10pm

Here are some screenshots of the SYSVOL share permissions:


This looks correct. I assume the child folders & files are inheriting permissions?
June 21st, 2015 5:13pm
