# Group Policy help



## captainpie (Apr 15, 2008)

Hi all, I'm wondering if there is a way to set a few things in Group Policy on Server 2008 R2:

1. How to restrict a user from making themselves a local admin, and how to force a user to be a local admin if they haven't logged into the machine before (we use roaming profiles, so everyone can theoretically use any PC).

2. How to create a specific folder when they first log onto the PC. One of our bits of proprietary software requires a certain folder to exist under the user's account. I know that I could create a logical logon script, but once again I don't know how to do this.

3. I had added a website into Trusted Sites through Group Policy already but hadn't figured out how to automatically download the ActiveX controls from the site. I don't think this is possible, but a firm answer either way would be excellent!

Thanks!


----------



## Rockn (Jul 29, 2001)

1. They can never make themselves a local admin without domain administrative rights. Why would you ever want to make someone a local admin? There really is no need for them to be. Give them the rights they need to do their job, nothing more.

2. You could create a batch script using the `MD` (make directory) command, but you will probably also need to assign rights to that folder in the GPO as well.

3. I am not sure about the ActiveX controls, but if they are signed they should install. http://dontpokebadgers.com/axaa/


----------



## captainpie (Apr 15, 2008)

Thanks for the reply. To answer your questions/queries:

1. Local admin would only have been added for some users (such as the boss, because he likes to have control) and any tech support, to allow them to get on quicker without prompts.

2. Yeah, maybe a script to check if the directory exists and create it if not... Would the directory need to have been created before GPO can add perms to it?

3. Reading the link now; hopefully that should clear this one up!

Thanks again!


----------



## valis (Sep 24, 2004)

The local admin rights will populate for individual users; i.e., once they log on, they will have admin rights.

Just to toss my nickel's worth in, I'd NOT have the boss be an admin. I've had a few cases where they mucked up stuff worse than the ordinary users.


----------



## Rockn (Jul 29, 2001)

I would also advise against giving the boss local admin rights; delegate the stuff he thinks he needs access to, if he really thinks he needs it.

The startup script can create the directory, and it does not have to be there first. Just use `if exist` to test whether the folder is already there.


----------
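The logon script Rockn describes in his two replies above (create the folder with `MD`, test first with `if exist`), as an example added by the editor; it is not code from any poster. It is written in PowerShell so it can be assigned under User Configuration > Policies > Windows Settings > Scripts (Logon) on the PowerShell Scripts tab of the Server 2008 R2 / Windows 7 GPMC; the one-line batch equivalent is `if not exist "%USERPROFILE%\AcmeApp" md "%USERPROFILE%\AcmeApp"`. The folder name `AcmeApp` is an assumption standing in for the real application's folder. Because a logon script runs in the logging-on user's own security context, the folder is created inside that user's profile with the profile's inherited permissions and roams with the rest of the profile.

```powershell
# Logon script: make sure the folder an application needs exists in the user's profile.
# Editor-added example for this thread; not code from any poster.
# ASSUMPTION: the application's folder is named "AcmeApp" (placeholder name).
# The script runs as the logging-on user, so the new folder inherits the profile's
# ACL and roams with the profile like anything else under %USERPROFILE%.

$AppFolder = Join-Path $env:USERPROFILE 'AcmeApp'

function Initialize-AppFolder {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Equivalent of batch "if exist": already a folder, nothing to do.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        return 'exists'
    }

    # Edge case: a *file* with that name blocks the folder. A logon script should
    # never delete user data on its own, so report it and leave it alone.
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        Write-Warning "'$Path' exists but is a file, not a folder; not touching it."
        return 'blocked'
    }

    # Equivalent of batch "md": create it, and fail loudly rather than silently.
    try {
        New-Item -ItemType Directory -Path $Path -ErrorAction Stop | Out-Null
        return 'created'
    } catch {
        Write-Warning "Could not create '$Path': $($_.Exception.Message)"
        return 'failed'
    }
}

$status = Initialize-AppFolder -Path $AppFolder
Write-Host "$AppFolder -> $status"

# Non-zero exit code when the folder is not usable, so the failure is visible to
# whoever checks script results rather than disappearing at logon.
if ($status -eq 'failed' -or $status -eq 'blocked') { exit 1 }
```

The `Test-Path ... -PathType Container` check is what answers captainpie's question about ordering: nothing has to exist before the script runs, and on every later logon the first branch simply returns without touching the folder.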



## captainpie (Apr 15, 2008)

OK, cool, cheers. Is there a way to stop a user from setting themselves as local admin through Group Policy, even if they know the domain admin credentials (e.g. the boss!)?


----------



## valis (Sep 24, 2004)

Change the domain admin credentials... ONLY the DA should have those. Those are, quite literally, the keys to the kingdom.


----------



## Rockn (Jul 29, 2001)

No. If they know the domain admin rights/password, or are a member of the Domain Admins group, they can pretty much do anything they like with any of the local accounts.


----------



## peterh40 (Apr 15, 2007)

You can use the Restricted Groups feature in Group Policy and define which users (including the local 'Administrator' user) can be members of the local Administrators group. Ideally, create a security group in AD, add the users you want to be local admins to it, and add that group to the Restricted Groups policy.


----------
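The Restricted Groups setting peterh40 recommends works by having Group Policy rewrite the local Administrators group at every policy refresh, so whoever adds themselves is removed again at the next refresh; that is the mechanism behind captainpie's first question. The audit below is an example added by the editor, not code from any poster: it enumerates each PC's local Administrators group and compares it with the list the policy should have enforced, which is the check you want after the GPO has had time to apply. It uses the WinNT ADSI provider because that works on Server 2008 R2 and Windows 7 era machines (the `Get-LocalGroupMember` cmdlet did not exist yet). The domain name `CONTOSO`, the AD group `LocalAdmins-Workstations` and the computer names `PC01`/`PC02` are assumptions standing in for the security group peterh40 suggests creating and the machines it is applied to.

```powershell
# Audit local Administrators membership against the set Restricted Groups should enforce.
# Editor-added example for this thread; not code from any poster.
# ASSUMPTIONS (placeholder names): NetBIOS domain CONTOSO, approved AD group
# LocalAdmins-Workstations, computer names PC01/PC02. Run it from an account that
# can read the remote machines' local SAM (a domain admin or a delegated admin).

$Domain    = 'CONTOSO'
$Computers = @('PC01', 'PC02')        # constructed list; in practice pull it from AD

# What the Restricted Groups "Members of this group" list should contain.
$Approved = @(
    "$Domain\Domain Admins",
    "$Domain\LocalAdmins-Workstations",
    'Administrator'                    # the built-in local account
)

function Get-LocalAdministrator {
    # Returns each direct member as "DOMAIN\name" for domain principals, or as a bare
    # name for accounts local to the machine. Nested groups are NOT expanded.
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $name = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # ADsPath is WinNT://DOMAIN/user for domain accounts and
        # WinNT://DOMAIN/COMPUTER/user (or WinNT://WORKGROUP/COMPUTER/user) for local
        # ones, so the segment just before the name says who owns the account.
        $segments  = ($path -replace '^WinNT://', '') -split '/'
        $authority = $segments[$segments.Count - 2]
        if ($authority -ieq $ComputerName) { $name } else { "$authority\$name" }
    }
}

function Test-LocalAdminCompliance {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string[]]$ApprovedMembers
    )
    $actual  = @(Get-LocalAdministrator -ComputerName $ComputerName)
    # -contains / -notcontains compare strings case-insensitively, which matches
    # how Windows treats account names.
    $extra   = @($actual          | Where-Object { $ApprovedMembers -notcontains $_ })
    $missing = @($ApprovedMembers | Where-Object { $actual -notcontains $_ })
    New-Object PSObject -Property @{
        Computer = $ComputerName
        Extra    = $extra       # would be stripped by the policy at the next refresh
        Missing  = $missing     # policy has not applied yet, or the GPO is wrong
    }
}

foreach ($pc in $Computers) {
    try {
        $r = Test-LocalAdminCompliance -ComputerName $pc -ApprovedMembers $Approved
    } catch {
        Write-Warning ("{0}: could not enumerate ({1})" -f $pc, $_.Exception.Message)
        continue
    }
    if ($r.Extra.Count -eq 0 -and $r.Missing.Count -eq 0) {
        Write-Host "$pc OK"
    } else {
        Write-Warning ("{0}: unexpected members [{1}]; missing [{2}]" -f `
            $pc, ($r.Extra -join ', '), ($r.Missing -join ', '))
    }
}
```

Two things to keep in mind when reading the output. Restricted Groups has two modes: "Members of this group" replaces the entire membership at each refresh, so anything the audit lists under `Extra` (including a local account you forgot to put in the policy) will disappear; "This group is a member of" only adds the named group and removes nothing. And because the audit shows direct members only, a user who has been put into `LocalAdmins-Workstations` in AD is still a local admin everywhere even though the report looks clean, so review that AD group as carefully as the policy itself.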



## captainpie (Apr 15, 2008)

Sadly, the boss will go apoplectic if I change the domain admin credentials without telling him! Will have a fiddle with Restricted Groups, though.


----------



## valis (Sep 24, 2004)

I guarantee you that will come back to haunt you... Do they do any admin functions? If not, just toss them in the Power Users group and go about your merry way...


----------



## captainpie (Apr 15, 2008)

Maybe... the boss is controlling, though!


----------



## valis (Sep 24, 2004)

Obviously I don't want to get you in trouble, but every time I've run into that issue I very nicely explained that the cost of fixing what they have the ability to break as a DA is extremely prohibitive; they generally understand the cost part of the equation.


----------



## captainpie (Apr 15, 2008)

Heh, try explaining that to a very stubborn boss who believes they are always right and is a bit of a control freak!! Will try again, though.


----------



## valis (Sep 24, 2004)

I have.......

Again, if they absolutely don't want to give it up, sometimes they need to learn from their mistakes. I had a VP who had insisted on having DA access a few years back... This meant he had edit ability on the drive I kept all the VP .pst archives on, and sure enough, he dumped a few of them. I had them all backed up, obviously, but still let him sweat for a week or so until I 'discovered' them again.

After hearing from the other suits in his department whose archives ALSO got tanked, that solved that little matter.


----------



## Rockn (Jul 29, 2001)

Those are the companies that usually don't last long, if the boss is a complete control freak and doesn't trust their employees to do their jobs. I had one who thought he was smarter than he was, and he did backups of his accounting system religiously. Until the day he decided to blow out the server running the accounting software and tried to restore it from a backup that never ran. He had never verified that any of his backups were good, so he had to recreate everything from paper records.


----------

