# Solved: Apply GPO per user?



## Tony414 (Nov 21, 2006)

Hello,
I'm not even sure where to start with this. I am the admin on a work network connected to Server 2003 AD. I have a piece of software that requires me to have the "network service" account in the local admin group. Here is the command I used.

net localgroup Administrators "Network Service" /add

What happens is when my machine is refreshed (rebooted) the default domain policy removes the account. I tried putting myself in its own OU called admin and created a new policy. But that didn't work. I'm not sure the best way to accomplish this. Any help would be great!!

Thanks,
Tony


----------



## Squashman (Apr 4, 2003)

Domain Policy always takes precedence over local policy.

Sometimes you just need to force the policy to update using *gpupdate /force* when pushing down a new domain policy.


----------



## Tony414 (Nov 21, 2006)

"Domain Policy always takes precedence over local policy"

With that being said, how can I accomplish this? The gpupdate /force will remove the network service from local admin group.


----------



## Squashman (Apr 4, 2003)

Create a Domain Policy that pushes down.


----------



## Tony414 (Nov 21, 2006)

I already have a domain policy that gets applied to everyone. I need to make this change just to my account. It's not recommended to add the "network service" account to the local admin, to all users. That's why I just want to apply it to myself. That's where I'm getting stuck at....


----------



## TheOutcaste (Aug 8, 2007)

You must have the *Restricted Groups* policy set up in the *Default Domain Policy*. That adds all listed users to the specified groups and removes all others.
It's located here:
*Computer Configuration/Windows Settings/Security Settings/Restricted Groups*
You need to remove that policy from the *Default Domain Policy* and create a new GPO that applies to all users except yourself.

If needed, create a new OU named *Default Restricted Groups* and put everybody but yourself in it, and create a GPO with the current *Restricted Groups* settings.
Then you can create a GPO for your account only that includes the *Network Service* account, or use a logon script and the *Net User* command.
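
The Restricted Groups behaviour described in this post (listed members are kept, all others are removed), as an added example that is not part of the original thread. It parses the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`) and models one policy refresh; the sample template, the placeholder domain SID and the function names are constructed for illustration, and entries are assumed to be in SID form.

```python
# Added example (not from the thread): model a Restricted Groups refresh.
ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators, well-known SID
NETWORK_SERVICE = "S-1-5-20"     # NT AUTHORITY\NETWORK SERVICE, well-known SID

# Constructed sample GptTmpl.inf; the domain SID is a made-up placeholder.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
"""

def parse_restricted_groups(inf_text):
    """Return {group_sid: set(member_sids)} for each '__Members' entry."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if not key.lower().endswith("__members"):
            continue  # '__Memberof' entries are not modelled here
        group = key[: -len("__members")].lstrip("*")
        groups[group] = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
    return groups

def apply_refresh(current_members, policy):
    """A '__Members' list replaces the local group's membership."""
    if ADMINISTRATORS not in policy:
        return set(current_members)     # group not restricted: left untouched
    return set(policy[ADMINISTRATORS])  # listed SIDs stay, all others go

def audit(inf_text, current_members):
    """Return (members after refresh, SIDs the refresh would remove)."""
    after = apply_refresh(current_members, parse_restricted_groups(inf_text))
    return after, set(current_members) - after

if __name__ == "__main__":
    admin_sid = "S-1-5-21-1111111111-2222222222-3333333333-512"
    after, removed = audit(SAMPLE_INF, {admin_sid, NETWORK_SERVICE})
    print("after refresh:", sorted(after), "removed:", sorted(removed))
```

With `*S-1-5-20` appended to the `__Members` line of the template, `audit` reports nothing removed.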


----------



## Tony414 (Nov 21, 2006)

Hi,
I just checked my default domain policy. The restricted groups is not being used in there. I did what you suggested. I created an OU for myself called "Admin". I'm the only user in there. Then I created a Restricted Groups policy with the network service account in there. But for some reason that change is not being applied to my account. It's confusing the hell out of me!! I think I might do what you mentioned at the end of your post. Add it to my logon script. But if I do that, when the policy gets refreshed during my work day, would it get removed? Thanks for the help.

Tony


----------



## Tony414 (Nov 21, 2006)

I tried again and now I'm pretty sure I got it working using a policy. Thanks again for the help!!


----------



## TheOutcaste (Aug 8, 2007)

Tony414 said:


> ...I think I might do what you mentioned at the end of your post. Add it to my logon script. But if I do that, when the policy gets refreshed during my work day, would it get removed? Thanks for the help.
> 
> Tony


I didn't try using a logon script to add it at the same time as the Restricted Groups policy was set to remove it. I wouldn't think the script would work in that case, as the policy should trump a logon script. I think you are right though, if it did work, it would probably get removed at the first refresh.

Glad you got it working though, and you're welcome!


----------

