GPO Computer Setting for specific Computers and specific Group

Hi,

I have the following setup of our OUs. Company with 200+ employees, starting to integrate AD with policies.
Every employee group (workgroup) has its own computers. We are using Windows Server 2008.

OU Setup:

OU Computers
-- OU WorkgroupA
-- OU WorkgroupB

OU Users
-- OU WorkgroupA
-- OU WorkgroupB

OU Computers contains sub-OUs with computers in them.
OU Users contains sub-OUs with users and user groups in them.

So I created a Folder Redirection GPO and linked it to the main OU "OU Users". Security Filtering is on the default "Authenticated Users". This is working fine. All users get the redirection rule on all PCs. (Only user-specific settings)

Now I want to create a GPO which allows a specific group to have admin rights on their computers.
For example:

User "User1" from sub-OU "OU WorkgroupB" (under "OU Users") should be able to gain admin rights on computers located in sub-OU "OU WorkgroupB" (under "OU Computers").

So, I thought about it and created the GPO with the admin rights and linked it to the "OU WorkgroupB" under Computers. That doesn't work. I also tried to link it additionally to the OU Users.

I also tried to create a global security group containing "User1" and added this group under the Scope of the GPO.

How should I create those GPOs?

I hope somebody can help me/us.


June 19th, 2015 1:48pm

You do not need to target users, but the computers' OU. A computer allows a user to gain access.

The only trouble is how do you identify someone's computer. How do you know James owns computer Comp1? The only way I know how to do this is to make them admins on their machines when the machines are built.

June 19th, 2015 2:08pm

We want to have the following schema:

Group1 with all users in there should be able to gain admin rights on every computergroup1. So if an employee in an office changes his seat to another workspace, he should be able to gain admin rights as well.
June 19th, 2015 2:16pm

Ok then, that is an easy setup (everyone is admin on every computer). Simply add Group1 to Local administrators and apply the GPO to the Computers OU. 
June 19th, 2015 2:18pm

Hi

You need to configure "Loopback processing mode" and "merge".

Check the details in this article:

Loopback Processing Mode

http://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx

June 19th, 2015 2:31pm

Nosh is correct that you will link this GPO to an OU containing computers. You can set up your GPO a few ways - most people use Group Policy Restricted Groups. Here is a guide on setting that up:

http://deployhappiness.com/managing-restricted-groups-with-group-policy/

After you've configured it, remember to log the user out and log them back in (your computer will also need to do a gpupdate). A restart will do both items.


June 19th, 2015 2:31pm

I tried this, but the GPO is not applied, so no admin rights for my test user.

I have the following GPO:
Computer Configuration > Windows Settings > Security Settings > Restricted Groups > Added "Administrators" with Members: DOMAIN\Group1.

gpupdate on the test client gives an error that the new GPO cannot be found, with a path pointing to SYSVOL. But I can browse to this folder.

June 19th, 2015 2:32pm

Hi

You need to configure "Loopback processing mode" and "merge".

Check the details in this article:

Loopback Processing Mode


So, I simply have to enable this feature on all computers with a separate GPO?
June 19th, 2015 2:37pm

You can use any GPO that applies to this OU and add the feature to it. No need for separate GPOs.
June 19th, 2015 2:50pm

Okay, I added the feature, but still - no admin rights...
June 19th, 2015 3:17pm

Did you log out and back in? Also do a "gpupdate /force". User settings are loaded at login.
June 19th, 2015 3:19pm

I restarted the client.

gpupdate /force gives an error that it can't find the loopback GPO.

The loopback GPO is linked to OU WorkgroupA under the main OU Computers.
June 19th, 2015 3:27pm

OK, so you need to fix the GPO then.
June 19th, 2015 3:28pm

But how? I don't know how that error can be fixed.
June 19th, 2015 3:43pm

If you can show the configuration of the GPO, someone can make sense, but I am not sure we can without much to work with.

June 19th, 2015 3:46pm

So, which information do you need?

Output from gpresult /h in .html?
June 19th, 2015 3:53pm

Couple of things.

1. GPO settings. How is this GPO configured?

2. Output from gpresult /h in .html

3. Error message from gpupdate

4. Anything from log files that addresses the error

June 19th, 2015 3:54pm
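
The items requested in the post above can be collected on the test client in one pass. The following PowerShell is an added example, not part of the original thread; the output folder is hypothetical, `DOMAIN\Group1` is the group named in the thread, and the local group name assumes an English-language Windows installation.

```powershell
# Added example: run from an elevated PowerShell prompt on the test client.
# $Group and $OutDir are assumptions; adjust them to your environment.
param(
    [string]$Group  = 'DOMAIN\Group1',       # group named in the thread
    [string]$OutDir = "$env:TEMP\gpo-diag"   # hypothetical output folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Refresh computer policy only (Restricted Groups is a computer setting)
#    and keep the exact error text that gpupdate prints.
gpupdate /target:computer /force 2>&1 | Out-File "$OutDir\gpupdate.txt"

# 2. Full Resultant Set of Policy report as HTML (/f overwrites an old report).
gpresult /h "$OutDir\gpresult.html" /f

# 3. Computer-scope summary: lists applied GPOs and the GPOs that were
#    filtered out, with the reason (denied by security filtering, empty, ...).
gpresult /r /scope computer | Out-File "$OutDir\gpresult-computer.txt"

# 4. Recent Group Policy errors (level 2) and warnings (level 3) from the
#    operational log, which records failures to read a GPO from SYSVOL.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'
    Level   = 2, 3
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List | Out-File "$OutDir\gp-events.txt"

# 5. Did the Restricted Groups setting take effect? Check local Administrators.
#    The group name is localized; "Administrators" assumes English Windows.
$members = net localgroup Administrators
$members | Out-File "$OutDir\local-admins.txt"

if ($members | Where-Object { $_.Trim() -eq $Group }) {
    Write-Output "$Group is a member of local Administrators."
} else {
    Write-Output "$Group is NOT in local Administrators; see $OutDir for details."
}
```

If `gpresult-computer.txt` lists the GPO under the filtered-out section, the reason shown there is the first thing to compare against the GPO's Scope tab.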

Is it possible to contact you privately? Because I can't post links/screenshots here.

Thanks for your help!

June 19th, 2015 4:04pm

I am sorry, I am just trying to help. I don't work for Microsoft Support or anything. If I was not about to head home, I would be glad to do that, but I am heading home for the weekend. You can post screenshots by clicking this button, under your reply.

June 19th, 2015 4:07pm

This topic is archived. No further replies will be accepted.
