Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Group Policy applied to Administrator on Domain Controller

Status
Not open for further replies.
gasmask

gasmask

IS-IT--Management
Feb 3, 2003
8
0
0
CN
I've set up my server as the only Domain Controller on the network. I've been modifying the settings of the Default Domain Policy. These policies are being applied to the built-in Administrator account when I logon to the Domain Controller. Is this supposed to happen?

I would like these policy settings to NOT be applied to the built-in Administrator account. Or perhaps any user of type Administrator. Please advise!
 
Sort by date Sort by votes
You have to edit the properties of the group policy so that the GPO will not be applied to the Administrator's account. To do this right click on the domain from ADUsers and Computers,click on the Group Policy Tab,click properties , then click on security, highlight the administrator account and uncheck the "apply group policy" tick box.
 
Upvote 0 Downvote
Gasmask,

Also keep in mind that if the 'Everyone' group is in the DACL for the GPO...the policy will apply to Everyone, even Admins. If this is the case, just remove them.

Patty [ponytails2]
 
Upvote 0 Downvote
Thanks for your responses. The only objects I have under the security tab for the Default Group Policy are Authenticated User, Creator Owner, Domain Admins, Enterprise Admins, and System. Authenticated Users is the only one with "Apply Group Policy" checked.

I ran gpresult; Administrator is a member of NT Authority\Authenticated Users and \Everyone.

I'm not understanding this. I didn't make any modifications to the Administrator account or to the policies other than simple enabling and disabling settings. Shouldn't this account be exempt from the Default Group Policy as Win2K Server comes out-of-the-box? How can I make these policies not apply to the built-in Administrator?
 
Upvote 0 Downvote
Set the policy security to affect domain users only, this will stop the Admin account inheriting the policy.

Otherwise set an additional policy for your administrators giving them no restrictions.
 
Upvote 0 Downvote
Ok, i have the answer. By default, the group policy is applied to the Administrator because its a member of the security group Authenticated Users.

Under the Security tab of the Default Domain Policy Properties, you can remove the Apply Group Policy by clearing the "Allow" checkbox and then add individual security groups that should receive this policy. Alternatively you can set the Apply Group Policy for Domain Admins to "Deny", which takes precendence over "Allow".
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

goombawaho
  • Locked
  • Question
Domain join from wifi connected laptop
Replies
4
Views
189
goombawaho
goombawaho
Teo En Ming
  • Locked
  • Question
Actions taken during Disaster Recovery for client whose IBM Megaraid controller has failed
Replies
2
Views
122
fightaccording
fightaccording
MattM1975
  • Locked
  • Question
Domain Admin Logon 1
Replies
2
Views
80
ADB100
ADB100
fredmartinmaine
  • Locked
  • Question
Domain Controller without DNS Server
Replies
4
Views
165
fredmartinmaine
fredmartinmaine
DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
92
DTGMI
DTGMI

Part and Inventory Search

Sponsor

Back
Top