none
Group Policy Appending

    Question

  • Is there anyway to have a GPO append another one?

    Example: 

    If I have account X with "Logon As A Service" right, at the Domain Level, and I want to have account X AND Y have that same right at the OU level (account Y being granted at the OU Level)..

    Is there a good way to handle that without having to manually update the OU GPO if I were to grant that same right to another account at the Domain Level?

    If not, any tips on handling stuff like this?

    Tuesday, April 7, 2015 5:26 PM

Answers

  • > Is there anyway to have a GPO append another one?
     
    Depends on the type of setting... Some can append, others overwrite.
     
    > If I have account X with "Logon As A Service" right, at the Domain
    > Level, and I want to have account X AND Y have that same right at the OU
    > level (account Y being granted at the OU Level)..
     
    Do not grant privileges directly to accounts, but use groups instead. If
    you wish, you can even use a local group of the computer. And in THIS
    case, you can use restricted groups - "is a member of" - to add your
    accounts on the fly. "is a member of" is cumulative, while "has members"
    is not.
     
    I don't know whether google can do a good a translation of my post on
    that topic - give it a try :)
     
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, April 8, 2015 8:03 AM

All replies

  • > Is there anyway to have a GPO append another one?
     
    Depends on the type of setting... Some can append, others overwrite.
     
    > If I have account X with "Logon As A Service" right, at the Domain
    > Level, and I want to have account X AND Y have that same right at the OU
    > level (account Y being granted at the OU Level)..
     
    Do not grant privileges directly to accounts, but use groups instead. If
    you wish, you can even use a local group of the computer. And in THIS
    case, you can use restricted groups - "is a member of" - to add your
    accounts on the fly. "is a member of" is cumulative, while "has members"
    is not.
     
    I don't know whether google can do a good a translation of my post on
    that topic - give it a try :)
     
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, April 8, 2015 8:03 AM
  • Hi,

    How is it going? I agree with Martin. If you need further help regarding the question, please don't hesitate to let us know.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 13, 2015 5:11 AM
    Moderator