GPO OU on Servers won’t apply

August 8th, 2016

Hello,
I have a little problem with my group policies.
I want a group policy for a group of users on a group of computers/servers.
To understand the full request I will sketch our domain.
DC: Windows 2003 R2 X64
Servers/VMserver: varying between 2003 and 2008R2
Client pc/laptops: varying between XP and Win7
DOMAIN SKETCH
Domain Name
    OU Servers
    OU VMServers
    OU Users
        Sub OU Admins
        Sub OU Project Managers
        Sub OU Users
    OU Computers
Now I want to give my project managers restricted local administrative rights on the VMservers.
So I added the group Project Managers (which is in the OU PM) to the local administrator group on all of the VMServers.
I also want to restrict the permissions so they can’t shut down a VMServer, etc.
I made a new GPO under the OU Project Managers and restricted everything to my wish under user configuration. Then in the security filtering I’ve added the servers that I want the policy to apply to.
Now my GPO works only on my project managers, but on all my PCs and servers, not only those I’ve added in the Security Filtering.
I’ve also tried making a GPO in the OU VMserver and adding the usergroup to the security filtering but then the GPO doesn’t work at all.
To explain why I want this, the firm I work for is an IT firm and our users may have full rights without restrictions on their personal pc/laptop. Our project managers can have restricted rights on the VMservers because these are development servers.
Can someone help me out with this one, because I don’t know where to look further…
PS: after every change in the GPO and before I test something out, I did a gpupdate /force on my DC.
Thanks for the replies

Answer #1
Don’t add a GPO in AD.
Just add the PM group in the local admin group on the vmservers… and add the restrictions through GPO on the group in AD.
So don’t grant admin rights in the PM group..
That should solve the issue…
Answer #2
Nope, because then the restrictions are also effective on their pc/laptop…
Answer #3
Give them another account to access the servers.. always safer anyway :p

 
