+ Post New Thread
Results 1 to 10 of 10
Windows Server 2008 R2 Thread, Privileges in Technical; Hi All, We run Windows Server 2008 R2 on our servers and Windows 7 Pro on our laptops/computers. I've recently ...
  1. #1

    Join Date
    Mar 2013
    Location
    South West England
    Posts
    15
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Privileges

    Hi All,

    We run Windows Server 2008 R2 on our servers and Windows 7 Pro on our laptops/computers.

    I've recently joined the school IT department and everything is in a bit of a shambles, and I'd like to ask for some help on an issue as I'm not having much luck with it.

    In Active Directory for Users and Computers, I have Teachers in one organisational unit within the managed users section, and have Teaching Assistants in another.
    Teachers are able to lock their computers, and use the "right-click" functionality to copy, paste, view properties etc however the Teaching Assistants cannot do any of this. I've tested all the accounts in this organisational unit and none of them can, so I assume its permissions assigned to that organisational unit that is stopping them.

    Does anyone know how I change these settings and could anyone give me some step-by-step instructions on how to go about this?

    Teachers have other privileges that I don't want Ta's to have, so I don't just want to move them all into their OU as they'll end up having more than I want them too.

    Look forward to hearing from you all!

  2. #2

    Join Date
    Apr 2011
    Posts
    67
    Thank Post
    14
    Thanked 7 Times in 7 Posts
    Rep Power
    9
    It's probably permissions assigned to the OU through Group Policy. Have a look in Group Policy Management on DC and compare what group policy objects are assigned to both OU's.

    If you click on the GPO and settings tab, it generates a report showing what is set.

  3. Thanks to jamesbrown from:

    TheScarfedOne (11th June 2013)

  4. #3
    markwilfan's Avatar
    Join Date
    Feb 2009
    Posts
    165
    Thank Post
    35
    Thanked 21 Times in 17 Posts
    Rep Power
    15
    I'd use a combo of group policy modelling and resultant set of policies to see what should be applying and what actually is

  5. #4
    Mr.Ben's Avatar
    Join Date
    Jan 2008
    Location
    A Pirate Ship
    Posts
    942
    Thank Post
    182
    Thanked 158 Times in 126 Posts
    Blog Entries
    2
    Rep Power
    66
    http://technet.microsoft.com/en-us/l...(v=ws.10).aspx

    GP result is better than RSOP nowadays, as its quicker to navigate and easier to see where GPO's clash or override each other.

  6. #5

    Join Date
    Mar 2013
    Location
    South West England
    Posts
    15
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Quote Originally Posted by jamesbrown View Post
    It's probably permissions assigned to the OU through Group Policy. Have a look in Group Policy Management on DC and compare what group policy objects are assigned to both OU's.

    If you click on the GPO and settings tab, it generates a report showing what is set.
    James, see screenshot.
    I get this error when going to the TA OU to where you said, under security settings for user:


    An error has occurred while collecting data for Software Restriction Policies.

    This error impacts the following settings:
    Software Restriction Policies
    Software Restriction Policies/Security Levels
    Software Restriction Policies/Additional Rules
    The following errors apply to all of the above settings:
    An unknown error occurred while data was gathered for this extension. Details: Unable to cast object of type 'System.String[]' to type 'Microsoft.GroupPolicy.Reporting.Extensions.Regist ry.UnknownType'.


    screen1.png

  7. #6
    markwilfan's Avatar
    Join Date
    Feb 2009
    Posts
    165
    Thank Post
    35
    Thanked 21 Times in 17 Posts
    Rep Power
    15
    Quote Originally Posted by Mr.Ben View Post
    http://technet.microsoft.com/en-us/l...(v=ws.10).aspx

    GP result is better than RSOP nowadays, as its quicker to navigate and easier to see where GPO's clash or override each other.
    Sorry, always mix those up. Tis what I meant

  8. #7

    Join Date
    Mar 2013
    Location
    South West England
    Posts
    15
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Hi Everyone,

    This issue is still outstanding. I've spent ages looking in Group Policy Management but to no avail.

    Can anyone provide me with simple step by step instructions on how to allow one particular organisational unit the ability to allow them to lock their machines?

    Thanks

  9. #8

    Join Date
    Nov 2011
    Posts
    628
    Thank Post
    87
    Thanked 21 Times in 19 Posts
    Rep Power
    11
    Are there any wmi filters in the group policy?

    What are the registry edits in the group policy preferences section? It may have been done using registry edits with targetting.

    Are you now the main server person? I would consider creating some new OU's to make life simpler.

    Something like

    Managed Users
    -Pupils
    -Teaching Staff
    -Teaching Assistants
    -Admin

    Then if you want to change a setting on one OU you can create a new policy and just apply it to that OU. WMI filters and group policy preference targetting are ok but make it hard to tract things down.

  10. #9

    Join Date
    Mar 2013
    Location
    South West England
    Posts
    15
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Quote Originally Posted by dany2010 View Post
    Are there any wmi filters in the group policy?

    What are the registry edits in the group policy preferences section? It may have been done using registry edits with targetting.

    Are you now the main server person? I would consider creating some new OU's to make life simpler.

    Something like

    Managed Users
    -Pupils
    -Teaching Staff
    -Teaching Assistants
    -Admin

    Then if you want to change a setting on one OU you can create a new policy and just apply it to that OU. WMI filters and group policy preference targetting are ok but make it hard to tract things down.
    Hi Dany2010,

    The only registry edits for that OU in the preferences section of GP is a default wallpaper we have for all users in that OU. There is nothing else there.

    In regards to WMI Filters, no there isn't any showing.

    Thanks

  11. #10

    Join Date
    Mar 2013
    Location
    South West England
    Posts
    15
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    I have now solved this issue. Thanks for all your help



SHARE:
+ Post New Thread

Similar Threads

  1. Administrator account no longer has admin privileges
    By MattCowen in forum Windows Vista
    Replies: 12
    Last Post: 18th October 2009, 01:48 PM
  2. Privileged Users Permissions
    By mmoseley in forum General Chat
    Replies: 5
    Last Post: 13th November 2008, 03:43 PM
  3. Do you allow staff to have Local Admin privileges?
    By Ravening_Wolf in forum How do you do....it?
    Replies: 39
    Last Post: 8th March 2007, 01:50 PM
  4. Replies: 9
    Last Post: 14th December 2006, 09:07 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •