سوال در مورد Domian - Restricted Groups

[Deibedyn]

سلام
من يه ويندوز 2003 كه اكتيو دايركتوري روش نصبه دارم. هدفم اينه كه كاربر خاصي در Domian.. مثلا User1 به هر دستگاهي كه Login*كنه براي اون دستگاه مدير سيستم باشه.. اما براي اين كار نه مجبور باشم كه User1 رو به صورت Domian Admins در بيارم و نه اينكه مجبور باشم روي تك تك سيستمها برم و User1 رو به صورت Local Admin در بيارم.

يه سرچ كه كردم گفته شده بود با Restricted Groups ميشه اينكار رو كرد.. اما من كار با Restricted Groups رو بلد نيستم.. هر چي هم اين مقالات انگليسي رو خوندم نفهميدم... كسي ميتونه كمك كنه؟

پس سوالم شد دو تا! اول اينكه براي Admin*كردن كاربر خاصي روي كلاينتها (بدون Domain Admin كردن يا تك تك روي كلاينتها رفتن) راهي وجود داره؟

و دوم اينكه آيا اگه Restricted Groups اينكار رو ميكنه، كسي ميتونه با ذكر يه مثال به من كمك كنه؟

---

موضوعات مشابه:

• آموزش: استفاده از Restricted Groups در Domain Controller
• مشکل در ریموت به کاربران گروه restricted user
• How to use Restricted Groups
• Groups, Groups and More Groups
• isa server و مشكل Authentication Required در domian

---

[mohsen3k]

اکه از دوستان کسی میتونه کمک کنه خوب میشه!
من هم علاقه مند هستم که در این مورد اطلاعات کسب کنم!
دوستان اکه میشه اطلاعاتشون رو به اشتراک بگذارند

[ARM]

سلام از این راهنما استفاده نمایید.

Using Restricted Groups

[Hakimi]

اگر منظورتان این است که یک کاربر خاص یا مجموعه ای از کاربران روی همه Client ها Admin باشند، به سادگی می توانید با Restricted Group این کار را انجام دهید.

ولی اگر می خواهید روی هر کامپیوتر یک کاربر خاص Admin باشد، برای اعمال این تنظیم باید به تعداد Client هایتان OU و GPO ایجاد کنید و هر کامپیوتر در یک OU باشد و یک Policy خاص را به او اختصاص دهید.

[Deibedyn]

سلام
مرسي از دوستان..
armashali عزيز.. من اين لينك رو ديده بودم اما راستش ازش سر در نياوردم با اينكه شل هم كشيده .. ميشه خودت با يك مثال ساده برام توضيح بدي برام؟

koorosh عزيز ، من دقيقا ميخوام همون كار اول رو انجام بدم يعني "يک کاربر خاص یا مجموعه ای از کاربران روی همه Client ها Admin باشند" ولي كار با Restricted Group رو ببد نيستم.. ميشه با يك مثال برام توضي بدي؟

[patris1]

Default Domain Policy را باز می کنی بعد Computer Configuration->Windows Settings->Security Settings->Restricted Group
گروه را تعریف می کنی

Restricted Groups

This security setting allows an administrator to define two properties for security-sensitive groups (or restricted groups). The two properties are Members and Member Of.
The Members list defines exactly who belongs and who does not belong to the restricted group. Both inclusion on the list and exclusion from the list, are enforced.
The Member Of list specifies groups in which the restricted group is included. Only inclusion in the Member Of list is enforced, not exclusion: If you remove a group from the Member Of list, the restricted group is allowed to remain a member of the removed group.

Note

* Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.

Location

GPO_name\Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
Default Values

Server Type or GPO Default Value

Default Domain Policy Not defined

Default Domain Controller Policy Not defined

Stand-Alone Server Default Settings Not defined

DC Effective Default Settings Not defined

Member Server Effective Default Settings Not defined

Discussion
The Restricted Groups folder is available only in Group Policy objects associated with domains, organizational units, and sites. The Restricted Groups folder does not appear in the local Group Policy object.

If a restricted group is defined so that it has no members (that is, the Members list is empty), all members of the group are removed when the policy is enforced on the computer. If the Member Of list is empty, no changes are made to any groups to which the restricted group belongs.

Restricted Groups Policy Settings: Security Policy

[Deibedyn]

سلام
من خیلی ممنونما!!! اما بابا یکی سوال منو بخونه!
من این مستندات رو قبلا خوندم.. عمل هم کردم و نشده.... حالا بذارین فرض کنیم من یه گروه داره به نام LocalAdmin این یه گروه معمولی در اکتیو دایرکتوری هست. حالا من میخوام این گروه ( که خودش ممکنه 4 تا هم عضو داشته باشه) ، برای کلاینتهایی که در OU تحت نام OU1 هستند مدیر سیستم باشه، اما برای اینکار لازم نباشه این گروه رو Domain Admins کنم.
لطفا کمک کنید در این مثال مرحله به مرحله چه باید بکنم..
مرسی

[patris1]

You don't mention a word about which versions of clients/servers and active directory you use. The following assumes that you are using a Windows 2003 level domain and Windows 2003 or Windows XP members. Some applies to other versions too but there may be differences.

1 I suppose you mean AD users. That can be delegated to any user or group by setting permissions on the OU where the users should be created. You can use the Delegate control wizard in Active Directory Users and Computers by right clicking the Ou you wish to delegate permissions on and choose Delegate control...
You can also specify permissions manually from the security tab on the properties window of your OU (You need to have advanced features turned on in Active Directory Users and Computers.

2 is a local right on a client or server usually only granted to members of the Administrators group on the system.
You can add selected domain users or domain groups to the administrators group so that certain users can perform these tasks on all systems but they will also become administrators so that they can do pretty much what they want in the system. This is the most common way to do it.
However, If you want a group of users to be able to perform those tasks without having full administrative rights on the system you will have to configure User Rights Assignments in the local security policy. The right you need to change is Load and unload device drivers. Assign this right to the users that should be able to install the drivers.
When it comes to software installation that is more cmplex. Some software might be able to install as a Power User since power users has permissions on the file system but to be sure that a user can install all software he/she needs full administrative rights on the system.

3 Is also a local right on the client or server. This can be done by members of the local Power Users group.

You can adjust both the security policy of the local systems and the power users/administrators group members using AD Group Policies if you want this to be managed centrally.
For restricted groups see http://support.microsoft.com/default.aspx/kb/279301

4 Is a combination of rights on the computer and permissions in active directory.
To my knowledge there is no way to let a user without local administrative rights change domain membership of a client. I might be wrong but I've never seen a way to configure this.
And if a user has the rights to change domain membership on a client (being an administrator) there is no way of stopping the user from unjoining the domain by specifying permissions in the AD. You can only prevent the user from deleting the computer account in the domain.

There are several ways to set up your AD to allow or limit which users can join computers to the domain.

By default authenticated users can join but up to 10 computers to the domain (but not delete the accounts again). These accounts end up in the default Computers OU. To disallow this configure the Add workstations to domain group policy setting in the Default Domain Controller Policy.

Precreated computer accounts in the right OUs with join permissions for specific users or groups. If you chose to create a computer account manually in the AD you can specify who should be able to join the computer to the domain. You can also specify these rights on the OU that holds the computer accounts.

Adjust permissions on the default Computers OU in your domain so that specific users/groups can create computer accounts there and move the accounts to the right OU after joining the domain.

Use some script or other tool to join the domain under a specific OU automatically creating a computer account if it doesn't exist. For example netdom.exe from the Windows XP and Windows 2003 support tools can do this


یا

شما احتیاج به ساختن یک ( DL(Domain Local و Delegating برای OU1 دارید.

Managing Contoso’s Active Directory Environment
Step 1 — Create the Contoso Service Management Administrative Delegation Model
Step 2 — Implement the Administrative Delegation Model for Contoso Service Management
Step 3 — Hand Off Data Management to Contoso Data Administrators
Step 4 — Create the Contoso Data Management Administrative Delegation Model
Step 5 – Implement the Contoso Data Management Administrative Delegation Model

Best Practices for Delegating Active Directory Administration: Appendices