question

MuhammadUmer-8263 asked FanFan-MSFT commented

Windows Server 2016 Active Directory

Dear All,
I installed Windows Server 2016 Datacenter on my HP server. After that, I installed the AD DC role and created the domain. Once this was done, I created OUs and added users to a specific OU for testing purposes. As soon as I joined the domain with the newly created user, I observed that there were many restrictions on my user by default (Ethernet properties were disabled, unable to install any software, and some others).
Please guide me on how to disable these default Group Policies.
Please guide me on how to create my own Group Policy and implement it on a specific OU.
Secondly, I want some users (IT Members) to have all administrative rights after joining the domain. How is this possible?
Thirdly, I want some users (Managers) to have all the rights after joining the domain, but those users shall not be administrators. How is this possible?

windows-group-policy

Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,


1 Answer

FanFan-MSFT answered FanFan-MSFT commented

Hi,
You are welcome to ask here!

For your questions:
Regarding the software that can't be installed, would you please tell us what the error message is when you try to do that?
Regarding the Ethernet properties being disabled, would you please share a screenshot of that?
It is not recommended to change or disable the default domain group policy or the default domain control group policy.

If you want to check which policies are deployed on the computer, you can run cmd as administrator and type the command: gpresult /h c:\report.html
For the user settings, you can log in as the user and run the command: gpresult /h report.html
Then check whether any related policies were configured.

1. To create your own group policy on a specific OU:
Open the GPMC and find the OU where you want to deploy the new GPO.
Right-click the OU and select create a new GPO.
Then you can right-click the GPO and edit the settings.
2. If you want some users (IT Members) to be members of the local administrators group on the domain-joined computers, you can do that through group policy.
To create a new Restricted Groups Group Policy, proceed as follows:
Create a new Group Policy, go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, right-click Restricted Groups and select Add Group…
Specify the name of the group whose membership you want to update and then click OK. In our situation it is: administrators
3. If you want some users (IT Members) to have the right to manage users and computers, you can do that by delegating control through ADUC. This way, Managers don't need to be members of the administrators group.
Open ADUC.
Right-click the domain name or OU name and select delegation control.
Click Next.
Click the Add button and use the Object Picker to select the users or groups (Managers) you want to delegate control to.
Click Next. Follow the wizard to customize the rights you want to assign.




Hi,
 
Just checking in to see if the information provided was helpful.
 
If the reply helped you, please remember to accept it as an answer to end this thread.
If not, please reply and tell us the current situation so that we can provide further help.

Best Regards,
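
Item 1 of the answer (create a GPO on a specific OU) can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original thread; the OU distinguished name and GPO name are assumed placeholders, and it is meant to run on a domain controller or a machine with the Group Policy management tools, under an account allowed to create and link GPOs.

```powershell
#Requires -Modules GroupPolicy
# Added example. $OuDn and $GpoName are placeholder values (assumptions),
# not names taken from the thread.
param(
    [string]$OuDn    = 'OU=TestUsers,DC=example,DC=local',
    [string]$GpoName = 'TestUsers - Custom Settings'
)

# Create the GPO only if it does not exist yet, so the script is safe to re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Scoped to a single test OU'
}

# Link the GPO to the OU unless a link is already present.
# The Default Domain Policy is left untouched, as the answer recommends.
$som = Get-GPInheritance -Target $OuDn
if ($som.GpoLinks.DisplayName -notcontains $GpoName) {
    New-GPLink -Guid $gpo.Id -Target $OuDn -LinkEnabled Yes | Out-Null
}

# List every GPO that reaches this OU, in precedence order, including the
# ones inherited from the domain. Order 1 wins when settings conflict.
$som = Get-GPInheritance -Target $OuDn
"Inheritance blocked on OU: $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# Review who can read, apply or edit the new GPO. Edit rights on a GPO that
# sets Restricted Groups amount to control over local Administrators
# membership on every computer in scope, so keep this list short.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

The inherited-links table is also a quick way to see which domain-level GPOs are producing the restrictions described in the question before reading the full gpresult report.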
