| Author | Messages | |
mdzikowski
Posts:71
 | | 01/28/2010 7:07 PM |
| I want to add a user to an AD group, if they receive a certain GPO...
How can I do this?
============================================================================== CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.
Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us. ==============================================================================
| | | |
| KevinWornell
Posts:29
 | | 01/28/2010 7:47 PM |
| You can use the Restricted Groups settings under Computer --> Windows Settings.
Kevin
Kevin Wornell Sr. Technical Engineer Towers Watson Suite 4100, 500 N. Akard Street | Dallas, TX, 75201 Phone: 214.530.4057 | Fax: 214.988.5711 xxxxxxxxxxxxxxxx www.towerswatson.com
Notice of Confidentiality This transmission contains information that may be confidential. It has been prepared for the sole and exclusive use of the intended recipient and on the basis agreed with that person. If you are not the intended recipient of the message (or authorized to receive it for the intended recipient), you should notify us immediately; you should delete it from your system and may not disclose its contents to anyone else.
This e-mail has come to you from Watson Wyatt & Company, a Towers Watson company.
| | | |
| mdzikowski
Posts:71
 | | 01/28/2010 7:50 PM |
| So, at logon the user will be added to that group? I've never used that before...
How does it work?
| | | |
| KevinWornell
Posts:29
 | | 01/28/2010 7:56 PM |
| My mistake. I was looking at it from the wrong direction. I do not know how to do it in the manner you are seeking via policy.
Kevin
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Dzikowski, Michael Sent: Thursday, January 28, 2010 1:50 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO - Add user to group
Managing membership of Domain Groups by using Restricted Groups Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups.
Doesn't sound like this will help out too much.
What I'd like to do is
If a user gets a certain GPO, then automatically add them to an AD group...sounds like I need a script...I want to automate adding these users to an AD group based on GPO/Script.
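Worked example, added here and not code from the thread, from Microsoft, or from any of the posters: a reconciliation script that does what the quoted message asks for ("if a user gets a certain GPO, add them to an AD group"). The security caveat comes first. A GPO logon script runs in the user's own security context, so for it to add the user to a domain group the group's member attribute would have to be writable by every user in scope, and then any of them could add any account they like. The membership change therefore should not happen on the client at all: run the script as a scheduled task under a service account granted Write Members on that one group only. "Receives the GPO" is approximated as "is an enabled user beneath a container that has an enabled link to the GPO"; security filtering, WMI filters, Block Inheritance and loopback are not evaluated, and site links (which live in the configuration partition) are not searched. The GPO name, group name and the gPLink string format are assumptions.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
<#
.SYNOPSIS
  Reconcile an AD group with the enabled users who sit under the containers a GPO is linked to.
  Run as a scheduled task under a service account whose only extra right is
  "Write Members" on the target group. Do NOT deploy this as a user logon script.
.EXAMPLE
  .\Sync-GpoScopeGroup.ps1 -GpoName 'Finance Desktop Policy' -GroupName 'GPO-Finance-Users' -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $GpoName,    # assumed example: 'Finance Desktop Policy'
    [Parameter(Mandatory)] [string] $GroupName,  # assumed example: 'GPO-Finance-Users'
    [switch] $RemoveOutOfScope                   # also prune members whose container lost the link
)

$gpo  = Get-GPO -Name $GpoName -ErrorAction Stop
$guid = $gpo.Id.ToString('B')                    # gPLink references the GPO as {GUID}

# gPLink on an OU or the domain head looks like (assumed format):
#   [LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com;0]
# The trailing integer is a bitmask: bit 0 = link disabled, bit 1 = enforced.
# Site links are stored in the configuration partition and are not searched here.
$linkPattern = "\[LDAP://cn=$([regex]::Escape($guid))[^;]*;(\d+)\]"
$scopes = Get-ADObject -LDAPFilter "(gPLink=*$guid*)" -Properties gPLink |
    ForEach-Object {
        $m = [regex]::Match($_.gPLink, $linkPattern, 'IgnoreCase')
        if ($m.Success -and ((([int]$m.Groups[1].Value) -band 1) -eq 0)) { $_.DistinguishedName }
    }
if (-not $scopes) { throw "GPO '$GpoName' has no enabled links; refusing to touch '$GroupName'." }

# Users "in scope": enabled user objects anywhere beneath a linked container.
$inScope = @{}
foreach ($dn in $scopes) {
    Get-ADUser -SearchBase $dn -SearchScope Subtree -Filter { Enabled -eq $true } |
        ForEach-Object { $inScope[$_.ObjectGUID.ToString()] = $_ }
}

# Current direct user members of the group (nested groups and computers are left alone).
$group   = Get-ADGroup -Identity $GroupName -ErrorAction Stop
$current = @{}
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $current[$_.ObjectGUID.ToString()] = $_ }

$toAdd    = @($inScope.Keys | Where-Object { -not $current.ContainsKey($_) } | ForEach-Object { $inScope[$_] })
$toRemove = @($current.Keys | Where-Object { -not $inScope.ContainsKey($_) } | ForEach-Object { $current[$_] })

Write-Verbose ("{0} linked container(s), {1} user(s) in scope, {2} current member(s): +{3} / -{4}" -f @($scopes).Count, $inScope.Count, $current.Count, $toAdd.Count, $toRemove.Count)

if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($group.Name, "add $($toAdd.Count) user(s)")) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}
if ($RemoveOutOfScope -and $toRemove.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($group.Name, "remove $($toRemove.Count) user(s)")) {
    Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
}
```

Run it with -WhatIf first and read the Verbose line. Without -RemoveOutOfScope the script only ever adds, so a user moved out of a linked OU stays in the group until someone prunes it; with it, the group tracks the link scope in both directions, which is usually what "membership follows the policy" should mean.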
| | | |
| dougdelaney
Posts:43
 | | 01/29/2010 2:50 AM |
| Wouldn't it be nice to know though that users/computers actually received GPOs? That would be true enforcement... better yet, add they must receive it by X date? The post office sends me junk mail by X date, but I can't enforce a GPO by X date. Should have been built in from day 1.
Doug Delaney Technology Consultant III Americas Regional Delivery Engineering HP Enterprise Services Telephone +1 248.365.9187 Mobile +1 248.210.4973 Email xxxxxxxxxxxxxxxx<mailto xxxxxxxxxxxxxxxx> 985 W. Entrance Dr., 2A / Auburn Hills, MI 48326
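Whether a particular user actually got a particular GPO can be read back from an RSoP logging-mode report, which is the closest thing Group Policy has to the delivery receipt Doug is asking for. As an added example that is not from the thread, the function below takes such a report (the XML written by `gpresult /x` or `Get-GPResultantSetOfPolicy -ReportType Xml`) and, for one GPO name, returns whether it applied and, if not, which gate stopped it. It assumes the element names of that report (GPO/Name, Enabled, FilterAllowed, AccessDenied, Link/SOMPath) and embeds a constructed sample report so it runs offline; in use, replace the sample with a report collected from the client.

```powershell
#Requires -Version 3.0
<#
  Did a specific GPO actually apply to a specific user?
  Input is an RSoP logging-mode XML report, e.g. from
      gpresult /x rsop.xml /user CONTOSO\jdoe /scope user
  or  Get-GPResultantSetOfPolicy -User CONTOSO\jdoe -Computer PC01 -ReportType Xml -Path rsop.xml
#>
function Test-GpoApplied {
    param(
        [Parameter(Mandatory)] [xml]    $Rsop,
        [Parameter(Mandatory)] [string] $GpoName,
        [ValidateSet('User', 'Computer')] [string] $Scope = 'User'
    )
    $results = if ($Scope -eq 'User') { $Rsop.Rsop.UserResults } else { $Rsop.Rsop.ComputerResults }
    $hit = @($results.GPO | Where-Object { $_.Name -eq $GpoName })

    if ($hit.Count -eq 0) {
        # Not listed at all: no link on any container in the account's path.
        return [pscustomobject]@{ Gpo = $GpoName; Applied = $false; Reason = 'not linked anywhere in scope' }
    }
    $g = $hit[0]
    $linkEnabled = @($g.Link | Where-Object { $_.Enabled -eq 'true' }).Count -gt 0
    # All four gates must pass: GPO enabled, at least one link enabled,
    # WMI filter true (FilterAllowed), and Apply Group Policy not denied.
    $applied = (($g.Enabled -eq 'true') -and $linkEnabled -and
                ($g.FilterAllowed -eq 'true') -and ($g.AccessDenied -ne 'true'))
    $reason = if ($applied)                        { 'applied via ' + (@($g.Link.SOMPath) -join ', ') }
              elseif ($g.AccessDenied -eq 'true')  { 'security filtering: Apply Group Policy denied' }
              elseif ($g.FilterAllowed -ne 'true') { 'WMI filter evaluated false' }
              elseif (-not $linkEnabled)           { 'all links disabled' }
              else                                 { 'GPO disabled' }
    [pscustomobject]@{ Gpo = $GpoName; Applied = $applied; Reason = $reason }
}

# Constructed sample report (not real gpresult output): one GPO applied, one WMI-filtered out.
$sampleRsop = [xml] @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <UserResults>
    <Name>CONTOSO\jdoe</Name>
    <GPO>
      <Name>Finance Desktop Policy</Name>
      <Path><Identifier>{11111111-2222-3333-4444-555555555555}</Identifier><Domain>contoso.com</Domain></Path>
      <Enabled>true</Enabled>
      <IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed>
      <AccessDenied>false</AccessDenied>
      <Link><SOMPath>contoso.com/Finance/Users</SOMPath><SOMOrder>1</SOMOrder><LinkOrder>1</LinkOrder><Enabled>true</Enabled><NoOverride>false</NoOverride></Link>
    </GPO>
    <GPO>
      <Name>Laptop Only Policy</Name>
      <Path><Identifier>{66666666-7777-8888-9999-000000000000}</Identifier><Domain>contoso.com</Domain></Path>
      <Enabled>true</Enabled>
      <IsValid>true</IsValid>
      <FilterAllowed>false</FilterAllowed>
      <AccessDenied>false</AccessDenied>
      <Link><SOMPath>contoso.com/Finance/Users</SOMPath><SOMOrder>1</SOMOrder><LinkOrder>2</LinkOrder><Enabled>true</Enabled><NoOverride>false</NoOverride></Link>
    </GPO>
  </UserResults>
</Rsop>
'@

'Finance Desktop Policy', 'Laptop Only Policy', 'Nonexistent Policy' |
    ForEach-Object { Test-GpoApplied -Rsop $sampleRsop -GpoName $_ } |
    Format-Table -AutoSize
```

Collected across a fleet on a schedule, the Applied/Reason pairs are the report Doug wants, and the "by X date" check is then a query over those results. Note that an RSoP report says what happened at the last processing cycle on that machine; it is not a guarantee about the next one.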
| | | |
| dougdelaney
Posts:43
 | | 01/29/2010 4:40 AM |
| I remember February 17, 2000 very well. I thought RIS would solve issues, but I learned no (routing, drivers, etc.).
I would have hoped that GPOs would be a) enforceable, b) reportable, or c) actionable (add to group or otherwise). Disappointment abounds. GPOs are great, but seriously lacking for enterprises. They always have been.
| | | |
| mdzikowski
Posts:71
 | | 01/29/2010 1:00 PM |
| RIS didn't solve lots of things, but MDT and OSD have.
I think Group Policy Preferences might solve some things, but I haven't got into those yet...
| | | |
| dmarelia
Posts:394
 | | 01/29/2010 2:50 PM |
| Perhaps not surprisingly Doug, I agree with you 100%. Even though I've spent the last 10 years putting in more time than is natural on GP, I think that you are spot-on with your assessment that it really isn't ready for serious duties. Ironically, of course, most enterprises DO rely on them and end up being frustrated, as you are. I don't know that Microsoft is going to fix this anytime soon, frankly. The problem, of course, is that GP is plumbing inside of Windows, instead of revenue-generating software. So, it seems that GP perennially gets short shrift when it comes to resources to make it better, faster, stronger. I had actually intended to post a blog series entitled something like, "What's Wrong with GP and What Should MS do about it", but I haven't had the time to complete it. In any case, keep that feedback coming and be sure that every year that I go to the MVP Summit, I have a similar conversation with them about this.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Delaney, Doug Sent: Thursday, January 28, 2010 8:37 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO - Add user to group
I remember February 17, 2000 very well. I thought RIS would solve issues, but I learned no (routing, drivers, etc.).
I would have hoped that GPOs would be a) enforceable, b) reportable, or c) actionable (add to group or otherwise). Disappointment abounds. GPOs are great, but seriously lacking for enterprises. They always have been.
Doug Delaney Technology Consultant III Americas Regional Delivery Engineering HP Enterprise Services Telephone +1 248.365.9187 Mobile +1 248.210.4973 Email xxxxxxxxxxxxxxxx<mailto xxxxxxxxxxxxxxxx> 985 W. Entrance Dr., 2A / Auburn Hills, MI 48326
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Delaney, Doug Sent: Thursday, January 28, 2010 9:47 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO - Add user to group
Wouldn't it be nice to know though that users/computers actually received GPOs? That would be true enforcement... better yet, add they must receive it by X date? The post office sends me junk mail by X date, but I can't enforce a GPO by X date. Should have been built in from day 1.
Doug Delaney Technology Consultant III Americas Regional Delivery Engineering HP Enterprise Services Telephone +1 248.365.9187 Mobile +1 248.210.4973 Email xxxxxxxxxxxxxxxx<mailto xxxxxxxxxxxxxxxx> 985 W. Entrance Dr., 2A / Auburn Hills, MI 48326
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) Sent: Thursday, January 28, 2010 2:55 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO - Add user to group
My mistake. I was looking at it from the wrong direction. I do not know how to do it in the manner you are seeking via policy.
Kevin
Kevin Wornell Sr. Technical Engineer Towers Watson Suite 4100, 500 N. Akard Street | Dallas, TX, 75201 Phone: 214.530.4057 | Fax: 214.988.5711 xxxxxxxxxxxxxxxx www.towerswatson.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Dzikowski, Michael Sent: Thursday, January 28, 2010 1:50 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] GPO - Add user to group
Managing membership of Domain Groups by using Restricted Groups
Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups.
Doesn't sound like this will help out too much.
What I'd like to do is
If a user gets a certain GPO, then automatically add them to an AD group...sounds like I need a script...I want to automate adding these users to an AD group based on GPO/Script.
| | | |
| jeromelcruz
Posts:120
 | | 01/29/2010 7:20 PM |
| Michael,
Back to your question. What you'll probably have to do is use a script in that same policy. The only real trick is ... what's in the script and what's the script's authority? Code to add an account to a group is easily found, so I'll not speak to that. Instead, let's talk about what behavioral issues you might need to consider.
The basic assumption here is that you are targeting membership in a domain-side security group.
How about a Computer Startup script? Well, how does the script 'know' who's about to log on? You could code in an assumption that the 'last logged on user' was the user to add, but that doesn't necessarily add the 'currently logging on' user. It might, it might not; it depends on how your devices are used. Also, the change might not replicate fast enough for the 'logging on' user to have the security group's membership added to his/her SID (this might be important if you also expect to use that membership for an immediate follow-on process; we have found that in a multi-site domain, the delay can be up to ~15 minutes and build our processes accordingly... yours might well be different).
Okay then, how about a User Logon script? There are several issues to be aware of. First, GPO based User Logon script runs under the authority of the user. Does that user have the authority to join their own account to that domain group? If you want the user (probably authenticated users here) to have modify permissions, then you need to add that to the security of the group. If you don't want them to have access and 'immediate' membership is not important, then you could have the script just add a log entry to a UNC based log file somewhere and then run a separate script (set it up on a scheduled task) to add the names in the log file to the group using a different account's authority.
Next, is it important for the user to have 'immediate' membership in the group? If not, then understand that they will NOT have that group SID membership until the 'next' logon/logoff cycle (or after up to seven days after logging on...based upon Kerberos ticket lifetimes of 10 hours with seven day ticket renewals... these are "Microsoft's defaults").
Of course, you'll probably also want the script to set a flag in the user's registry so that the 'add to group' process doesn't repeat, at least for that device. And if you use roaming user profiles, it may not ever repeat on another device (just something else to consider, because then you might need to find another way to store the 'flag').
Fun stuff, eh?
Note: I should add that 'if' you are using a local group and 'if' you have deployed Group Policy Preferences, then you can use a user side preference setting to add the user to the local group. It'd still require a Logoff/Logon cycle for the user to get the SID added to their security token, but in comparison to a domain group? Easy! Done! Fin!
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture | Boeing IT
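The two-stage design Jerry describes (a User Logon script that only appends to a UNC log, plus a scheduled task under a separate account that does the group add), written out as an added PowerShell example that is not from the thread. The share path, group name, OU, registry key and the scope check against the GPO's link OU are assumptions for illustration.

```powershell
# Added example (not from the thread): the two-stage design Jerry outlines.
# Stage 1 is a GPO User Logon script. It runs under the user's own authority,
# so it is only allowed to append a record to a UNC-based log file; it never
# touches the domain group, and users need no modify rights on the group.
# Stage 2 runs from a scheduled task under a dedicated account that has been
# granted "Write Members" on the target group and performs the actual add.
# Share path, group, OU and registry key below are assumptions.

#region Stage 1: User Logon script (runs as the logging-on user)

$LogShare = '\\fileserver\GpoLogs$\pending-members.log'   # assumed UNC path
$FlagKey  = 'HKCU:\Software\Contoso\GpoGroupAdd'           # assumed per-user flag
$FlagName = 'RequestedMembership'

function Request-GroupMembership {
    # The HKCU flag keeps the request from repeating for this profile. With
    # roaming profiles it roams too, which is the caveat raised in the thread.
    $flag = Get-ItemProperty -Path $FlagKey -Name $FlagName -ErrorAction SilentlyContinue
    if ($flag) { return $false }

    # Record who asked, from which device and when. Stage 2 treats every field
    # as untrusted input, because anyone the share ACL lets append can write here.
    $record = '{0}|{1}|{2}' -f $env:USERNAME, $env:COMPUTERNAME, (Get-Date -Format o)
    Add-Content -Path $LogShare -Value $record -ErrorAction Stop

    New-Item -Path $FlagKey -Force | Out-Null
    New-ItemProperty -Path $FlagKey -Name $FlagName -Value 1 -PropertyType DWord -Force | Out-Null
    return $true
}

#endregion

#region Stage 2: scheduled task under a service account (RSAT ActiveDirectory module)

Import-Module ActiveDirectory

$TargetGroup = 'GPO-Feature-Users'                        # assumed domain group
$ScopeOU     = 'OU=Standard Users,DC=contoso,DC=com'      # assumed OU the GPO is linked to

function Get-RequestedSamAccountName {
    param([string]$Line)
    # Accept only the exact shape Stage 1 writes. Restricting the account name
    # to a safe character set also keeps it safe to interpolate into an AD filter.
    $parts = $Line -split '\|'
    if ($parts.Count -ne 3) { return $null }
    if ($parts[0] -notmatch '^[A-Za-z0-9._-]{1,20}$') { return $null }
    return $parts[0]
}

function Invoke-PendingMembership {
    if (-not (Test-Path -Path $LogShare)) { return 0 }

    # Rename first, so logon scripts that append while this batch is being
    # processed are not lost.
    $batch = '{0}.{1}' -f $LogShare, (Get-Date -Format 'yyyyMMddHHmmss')
    Move-Item -Path $LogShare -Destination $batch -ErrorAction Stop

    $members = Get-ADGroupMember -Identity $TargetGroup |
               Select-Object -ExpandProperty SamAccountName
    $added = 0

    foreach ($line in Get-Content -Path $batch) {
        $sam = Get-RequestedSamAccountName -Line $line
        if (-not $sam) { Write-Warning "Skipping malformed record: $line"; continue }

        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
        if (-not $user) { Write-Warning "Skipping unknown account: $sam"; continue }

        # The log only proves that a logon script ran; cross-check that the
        # account really sits where the GPO is linked before touching the group.
        if ($user.DistinguishedName -notlike "*,$ScopeOU") {
            Write-Warning "Skipping $sam : outside the GPO's link scope"
            continue
        }

        if ($members -contains $sam) { continue }   # already a member, nothing to do

        Add-ADGroupMember -Identity $TargetGroup -Members $user -ErrorAction Stop
        $added++
    }
    return $added
}

#endregion
```

As Jerry notes, the new membership is not in the user's token until the next logoff/logon cycle (or Kerberos ticket renewal), so Stage 2 is only suitable where immediate membership is not required.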
| | | |
| mdzikowski
Posts:71
 | | 01/29/2010 7:35 PM |
| Jerry-
Great email. I'm seeing this is going to be a little more difficult than I originally thought...I'm seeing a few "weird" things in my lab, etc.
My brain is melting at the moment and I plan on doing more after the weekend.
TGIF!
Mike-
| | | |