AD security groups not updating

Ruckus, Hardforum Moderator-in-Chief (joined Oct 12, 2001)
I added a user to a security group for accessing moves in AD. I did a gpupdate /force /boot to force and reboot, but it's not picking up the addition to the group. If you look in AD it shows, but it's not applying to the GP upon login. Any ideas?
 
Accessing moves in AD? Not applying to the GP upon login? I'm confused by those two statements.

If it's a GP (group policy) setting that's not applying, your best friend is the gpresult command. From the computer affected run

gpresult /H gpreport.html

or gpresult /? for more options.

If it's a security option that's not applying, my first guess would be implied/inherited permissions somewhere. The best tool there is going to be the Effective Permissions tab/tool in the Properties of said object.

Right-click object -> Properties -> Security -> Advanced -> Effective Permissions

Also under the Advanced dialog box that comes up, you will see the full permissions, including any inherited permissions. Remember that the user will receive the MOST restrictive permissions.

So if Sally has Read permissions inherited from the parent folder, but you define Modify permissions for Sally, her effective permissions will still be Read.
 
OK, let's say there is a group called xxxadadmin; this is the group that can move computers from the "Computers" OU to another OU. The user is added to xxxdcadmin, he opens a command prompt and does a gpupdate /f. It logs him out, he logs back in, checks gpresult /r: not there. Runs a forced gpupdate again with a full reboot, logs in, gpresult still won't show the user is in that group. If you open AD and check his account he is listed as a member of xxxadadmin, but for some reason it's not applying to his login. All other groups are showing, just not the one he needs to access the computers in the Computers folder.
 
All I'm trying to do is add a user to a group, but it's not showing he is in the group even though I added him. What's so hard to understand? I just can't figure out why it would not update on the computer even with a forced gpupdate.
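The symptom described here (the user shows as a member in AD, but the machine behaves as if he is not) is easiest to pin down by comparing what AD records with what the user's logon token actually contains. The following PowerShell is an added example and not something posted in the thread; it assumes the RSAT ActiveDirectory module is installed and that it runs as the affected user on the affected machine. The group name xxxadadmin is the one from the thread.

```powershell
# Added example, not from the thread. Compares the groups in the current logon
# token (what file and AD access checks actually evaluate) with the memberships
# AD records for the same account. Assumes the RSAT ActiveDirectory module is
# present and that this runs as the affected user on the affected machine.
Import-Module ActiveDirectory

$GroupToCheck = 'xxxadadmin'   # group named in the thread

# Group SIDs baked into the token when this session logged on, resolved to names
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # unresolvable SIDs (e.g. logon SIDs) are kept raw
}

# Direct memberships as AD holds them right now for the same account
$sam      = $identity.Name.Split('\')[-1]
$user     = Get-ADUser -Identity $sam -Properties memberOf
$adGroups = foreach ($dn in $user.memberOf) { (Get-ADGroup -Identity $dn).Name }

# Token entries look like DOMAIN\group; compare on the group name only
$inToken = [bool]($tokenGroups | Where-Object { $_ -like "*\$GroupToCheck" })
$inAD    = $adGroups -contains $GroupToCheck

[pscustomobject]@{
    Group        = $GroupToCheck
    InADObject   = $inAD
    InLogonToken = $inToken
}

# Direct AD memberships that never made it into this token
$missing = $adGroups | Where-Object {
    $g = $_
    -not ($tokenGroups | Where-Object { $_ -like "*\$g" })
}
if ($missing) { "In AD but not in this token: $($missing -join ', ')" }
```

The token is built once at logon from whatever the authenticating domain controller knew at that moment, so gpupdate never changes it; only a fresh logon after the change has replicated does. If InADObject is true and InLogonToken stays false across fresh logons, the membership is either not reaching the DC that authenticates the user or is being removed again after it is set.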
 
Being able to move computer objects from one OU to another OU doesn't have anything to do with group policy at all so I am not sure why you are running gpupdate and gpresult.

Did you grant the appropriate permissions to the xxxadamin group on the source and destination OUs? Have you checked the Effective Access of a computer object in the source OU and the destination OU to make sure the permissions are doing what you think they are?
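One way to answer the two questions in this reply without clicking through Effective Access for each object is to read the ACLs of the source and destination containers directly and pull out the entries that name the delegated group. This PowerShell is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module (which provides the AD: drive), and the two distinguished names are placeholders for your own domain.

```powershell
# Added example, not from the thread. Lists every ACE on the source and
# destination containers that names the delegated group, so you can see
# whether the rights the group is supposed to have are actually there
# and whether they are explicit or inherited. Assumes the RSAT
# ActiveDirectory module; the two paths are placeholders for your domain.
Import-Module ActiveDirectory

$Group    = 'xxxadadmin'                           # group named in the thread
$SourceOU = 'CN=Computers,DC=example,DC=com'       # placeholder; the default Computers container is a CN
$TargetOU = 'OU=Workstations,DC=example,DC=com'    # placeholder destination OU

$domain    = (Get-ADDomain).NetBIOSName
$principal = "$domain\$Group"

foreach ($path in $SourceOU, $TargetOU) {
    $acl  = Get-Acl -Path "AD:\$path"
    $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal }

    "== $path =="
    if (-not $aces) {
        "   no explicit or inherited ACE for $principal"
        continue
    }
    $aces | Select-Object AccessControlType, ActiveDirectoryRights, IsInherited,
                          InheritanceType, ObjectType, InheritedObjectType |
            Format-Table -AutoSize
}
```

A move touches both ends: the account needs the right to delete the object from its current parent (Delete on the object or Delete Child on the source container) and Create Child for computer objects on the destination. An all-zeros ObjectType GUID means the ACE is not scoped to a particular class or attribute. If one container shows no ACE at all for the group, the delegation was never applied there, which fits the "works for me but not for him" pattern only if your own account gets the rights from some other group.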
 
All I'm trying to do is add a user to a group, but it's not showing he is in the group even though I added him. What's so hard to understand? I just can't figure out why it would not update on the computer even with a forced gpupdate.

The AD permissions you're trying to apply have absolutely nothing to do with Group Policy.

You're not making a whole lot of sense...

So you added a user to Admin group.
User logs off and logs back in, and still does not have perms that Admin group provides.

Am I correct so far?

If so... how many domain controllers do you have? Are they replicating properly? Other users in the Admin group do have proper perms, correct?
 
I'm so confused here.

The OP's response makes it sound like he wants:

Specific users
Logging into specific machine
to automatically be gifted specific permissions... which is NOT how GP usually works.


GP is used to automate tasks

Placing a user into a group is not a task I have ever seen GP perform.


You can create special permission groups using delegate controls:

I have special groups created in AD such as:

Local Admin: Users in this group have local administrator rights to all the OUs I specify; you make that choice when you create the group. In my example a user in the Local Admin group would not have administrator permissions when logging into development machines, production servers or domain controllers, etc.
This is a great tool when you need a contractor to provide remote support for a couple of hours.

The above group you create in AD, but to get it onto the PCs you use GP to add the above security group to the machines.

That is found in GP under Computer Configuration-->Preferences--> Control Panel Settings--> Local Users and Groups-->Add Administrator (built-in)/ flag it apply once/ Action Update/ Add the security group as a member


Set the Scope to the machines you want it to affect and wait 45 minutes.

Tada...



These above are just examples of what you can do...


I'm going to take a second guess that this....

OP said he wants a user to be able to move computer objects from one OU to another.


So... he's just said that he MUST give this user access to Active Directory.

Let's break this down:

Physical Requirements:
  • User will need access to a Server OS in order to access the Active Directory Users and Computers Tool.... You can use a different tool later on. But this is the easiest to verify what is, or is not working.

AD Requirements
  • Defined AD access (to Connect)
  • Defined Ability to see X,Y,Z inside AD
  • Defined Ability to Move a Computer from Location X to Location Y inside AD
  • Creation of the (special group) using the Delegation Wizard or Delegation Tool


The user will have to have membership in the (special access group)



Note: The permissions for moving content in AD reside in AD.




By chance, what syntax did you use for GPresult?

I always use GPresult -R

Capital/Lower case matters in the above example.
 
The AD permissions you're trying to apply have absolutely nothing to do with Group Policy.

You're not making a whole lot of sense...

So you added a user to Admin group.
User logs off and logs back in, and still does not have perms that Admin group provides.

Am I correct so far?

If so... how many domain controllers do you have? Are they replicating properly? Other users in the Admin group do have proper perms, correct?
It just doesn't add him to the group, period; forget what the group does. I'm trying to add him to a group through the AD MMC. I was added to this group with no problems; for some reason this user is not picking up that he is part of the group, but I added him to other groups just now and he is showing up in those groups. Just not the one group. Any ideas as to why a person who is added to a group by the domain admin would not show as part of the group? I've never seen this happen before.
 
Just a guess, but it sounds like you may have a GPO with Restricted Groups used that may be blocking him from being in that group on that machine. I ran into that once by having a GPO do Restricted Groups on an AD group called ISSO. When I was out, a station got a new ISSO and my assistant tried to add him in AD just like you are doing, and while it showed him in the group in AD, on any machine he was supposed to audit he was not in the ISSO group. Confused my assistant a bit.
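Restricted Groups with a "Members of this group" list enforces exactly that list at every policy refresh, so anyone added by hand is removed again, which matches the ISSO story above. Finding the responsible GPO by opening each one in the editor is slow; the PowerShell below is an added example (not from the thread) that scans every GPO's XML report for Restricted Groups entries naming the group. It assumes the RSAT GroupPolicy module, and the element names RestrictedGroups, GroupName, Member and Name are my expectation of the report schema rather than something the thread states; check one report by hand if nothing matches.

```powershell
# Added example, not from the thread. Walks every GPO in the domain and
# reports the ones whose Restricted Groups policy names the group in
# question, either as the group being controlled or as a member of one.
# Assumes the RSAT GroupPolicy module. The element names RestrictedGroups,
# GroupName, Member and Name are what I expect in Get-GPOReport's XML;
# treat them as an assumption and inspect one report by hand if in doubt.
Import-Module GroupPolicy

$Group = 'xxxadadmin'   # group named in the thread

foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # local-name() sidesteps the per-section XML namespaces in the report
    foreach ($rg in $report.SelectNodes("//*[local-name()='RestrictedGroups']")) {
        $controlled = $rg.SelectSingleNode("*[local-name()='GroupName']/*[local-name()='Name']").InnerText
        $members    = @($rg.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                        ForEach-Object { $_.InnerText })

        $namedAsControlled = $controlled -like "*$Group"
        $namedAsMember     = @($members | Where-Object { $_ -like "*$Group" }).Count -gt 0

        if ($namedAsControlled -or $namedAsMember) {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Id         = $gpo.Id
                Controlled = $controlled
                Members    = $members -join '; '
            }
        }
    }
}
```

A hit in the Controlled column is the case to look at first: that GPO is rewriting the group's membership wherever it applies (on domain controllers this means the AD group itself), and the member you added by hand will disappear at the next refresh unless it is in the GPO's list too.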
 
It just doesn't add him to the group, period; forget what the group does. I'm trying to add him to a group through the AD MMC. I was added to this group with no problems; for some reason this user is not picking up that he is part of the group, but I added him to other groups just now and he is showing up in those groups. Just not the one group. Any ideas as to why a person who is added to a group by the domain admin would not show as part of the group? I've never seen this happen before.

If so... how many domain controllers do you have? Are they replicating properly?

Sounds like it could be an AD replication issue, depending on whether or not the group membership modification always occurs on the same DC.
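To test the replication theory, ask each domain controller for the group's member list and last change time rather than trusting whichever DC the MMC happens to be connected to. This PowerShell is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, and the user name jdoe is a placeholder for the affected account.

```powershell
# Added example, not from the thread. Asks every domain controller for the
# group's current member list and last change time, so a membership change
# that exists on one DC but not on others stands out. Assumes the RSAT
# ActiveDirectory module; the user name is a placeholder.
Import-Module ActiveDirectory

$Group = 'xxxadadmin'   # group named in the thread
$User  = 'jdoe'         # placeholder sAMAccountName of the affected user

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $g       = Get-ADGroup -Identity $Group -Server $dc.HostName -Properties whenChanged
        $members = @(Get-ADGroupMember -Identity $Group -Server $dc.HostName |
                     Select-Object -ExpandProperty SamAccountName)
        [pscustomobject]@{
            DC          = $dc.HostName
            HasUser     = $members -contains $User
            MemberCount = $members.Count
            WhenChanged = $g.whenChanged
        }
    }
    catch {
        # A DC that cannot be queried is itself a finding
        [pscustomobject]@{
            DC          = $dc.HostName
            HasUser     = $null
            MemberCount = $null
            WhenChanged = "unreachable: $($_.Exception.Message)"
        }
    }
}

# Replication health summary for the forest (built-in tool)
repadmin /replsummary
```

If HasUser is true on the DC you edited but false elsewhere after the normal replication interval, the repadmin summary will usually show the failing partner. If every DC already agrees and the user is present, replication is not the problem and the Restricted Groups or delegation angles are the ones left.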
 
Well, he is still not in the group, so I am thinking maybe one of the other groups is causing a block of that group. I'm gonna have to see what group he is in that I'm not.

BTW I'm new to the company (about a month), so I'm trying to figure out what my predecessor did.
 
Well, he is still not in the group, so I am thinking maybe one of the other groups is causing a block of that group. I'm gonna have to see what group he is in that I'm not.

BTW I'm new to the company (about a month), so I'm trying to figure out what my predecessor did.

So when you look at his AD User object under the group membership tab, you don't see it listed? Are you able to add him to any other groups, or create a new group and add him to that as a test?
 