Windows Server 2016 Active Directory

Muhammad Umer
2021-04-15T06:20:46.14+00:00

Dear All
I had installed Windows Server 2016 Datacenter on my HP server. After that, I installed the AD DC role and created the domain. Once this was done, I created OUs and added users to a specific OU for testing purposes. As soon as I joined the domain with the newly created user, I observed that there were many restrictions on my user by default (Ethernet properties were disabled, unable to install any software, and some others).
Please guide how to disable these default Group Policies.
Guide how to create my own group policy and implement it on a specific OU.
Secondly, I want some users (IT Members) who have all administrative rights after joining the domain, how is it possible?
Thirdly, I want some users (Managers) who have all the rights after joining the domain but those users shall not be administrators. How is it possible?


1 answer

  1. Anonymous
    2021-04-16T07:04:47.973+00:00

    Hi,
    Welcome to ask here!

    For your questions:
    For the software that can't be installed, would you please tell us what the error message is when you try to do that?
    For the Ethernet properties that were disabled, would you please share a screenshot of that?
    It is not recommended to change or disable the default domain group policy or the default domain control group policy.

    If you want to check what's the policy deployed on the computer, you can run the cmd as administrator and type command: gpresult /h c:\report.html
    For the user settings, you can log in the user and run command: gpresult /h report.html
    And check whether any related policies were configured.

    1, To create your own group policy on a specific OU
    Open the GPMC and find the OU where you want to deploy the new GPO
    Right click the OU and select create a new GPO
    Then you can right click the GPO and edit the settings.
    2, If you want some users (IT Members) to be members of the local administrators group on the domain joined computers, you can complete it through group policy.
    To create a new Restricted Groups Group Policy, proceed like the following:
    Create a new Group Policy, go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups and then select Add Group… after doing a right click on Restricted Groups
    Specify the name of the group whose membership you want to update and then click on OK. In our situation it is: administrators
    3, If you want some users (IT Members) to have the right to manage the users and computers, you can do that by delegation control through ADUC. This way, Managers don't need to be members of the administrators group.
    Open ADUC,
    Right click the domain name or OU name, select delegation control
    Click Next.
    Click the Add button and use the Object Picker to select the users or groups (Managers) you want to delegate control to.
    Click Next. Follow the wizard to customize the rights you want to assign.
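
Step 1 of the answer (create a GPO on a specific OU) and the check of which policies apply can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original answer; the OU path, GPO name and report folder are placeholder assumptions.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example. Run on a domain controller or a machine with RSAT installed,
# as a user who is allowed to create and link GPOs.

# Assumptions (placeholders, not from the original post):
$OuDn      = 'OU=TestUsers,DC=example,DC=com'   # OU that holds the test users
$GpoName   = 'TestUsers - Custom Policy'        # name for the new GPO
$ReportDir = 'C:\GPReports'                     # folder for the HTML reports

$ErrorActionPreference = 'Stop'

# Fail early if the OU does not exist.
$ou = Get-ADOrganizationalUnit -Identity $OuDn

# Create the GPO only if it is missing, so the script can be re-run safely.
# The new GPO is empty until its settings are edited in the GPMC.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Custom settings for the test OU'
}

# Link the GPO to the OU unless a link is already present.
$som = Get-GPInheritance -Target $ou.DistinguishedName
if ($som.GpoLinks.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
}

# List every GPO that applies to objects in the OU, including the ones
# inherited from the domain. Order 1 wins when settings conflict.
$applied = (Get-GPInheritance -Target $ou.DistinguishedName).InheritedGpoLinks
$applied | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# Export one HTML settings report per applied GPO, to find which GPO
# carries a given restriction without editing the default policies.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
foreach ($link in $applied) {
    $file = Join-Path $ReportDir ('{0}.html' -f $link.GpoId)
    Get-GPOReport -Guid $link.GpoId -ReportType Html -Path $file
}
```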

