Inetorgperson and GPP to local Administrators

    Question

  • I am setting up a GPP to insert some users into the local Administrators group. When I browse for a regular user, it puts it into the GPP with no problem, but when I select an inetOrgPerson account I get the following error: "The object selected does not match the type of destination source. Select again."

    Can you not select an inetOrgPerson to include in the GPP for local Administrators?

    Tuesday, July 12, 2016 2:48 PM

All replies

  • Hi,

    Thanks for your post.

    According to my research, inetOrgPerson class is used by many LDAP and X.500 Directory Services to represent persons within an organization (As described in RFC2798).

    inetOrgPerson class in Active Directory

    http://social.technet.microsoft.com/wiki/contents/articles/20289.inetorgperson-class-in-active-directory.aspx

    Would you please tell me what's the purpose of adding an inetOrgPerson user account into the local Administrators group?

    Best Regards,

    Alvin Wang


    Wednesday, July 13, 2016 5:47 AM
    Moderator
  • Our accounts are created as inetOrgPerson accounts (not user accounts) for compatibility with some of our LDAP and identity management systems.

    All our accounts are inetOrgPerson so to add myself for example I need to be able to add this class of account to the local admin.

    Wednesday, July 13, 2016 3:02 PM
  • Best practice would be "Add the user to a domain group, add the domain group to local admins". Does this work for you?

    Greetings, Martin - https://mvp.microsoft.com/en-us/PublicProfile/5000017

    • Proposed as answer by Todd Heron Thursday, July 14, 2016 11:14 AM
    Wednesday, July 13, 2016 4:37 PM
  • That works for most instances and is in fact what I normally do; there are always those exceptions though. Creating a group for a single user is sometimes simply overkill.

    As inetOrgPerson is based on the user class it should simply be allowed to work though shouldn't it? It is merely adding attributes to the user class?

    Wednesday, July 13, 2016 8:14 PM
  • > As inetOrgPerson is based on the user class it should simply be allowed
    > to work though shouldn't it? It is merely adding attributes to the user
    > class?
     
    Yes it should :-) Ok, workaround: Do not use the object picker ("..."),
    but type in the name directly (NetBIOS notation should work).
     
    • Proposed as answer by Todd Heron Thursday, July 14, 2016 11:14 AM
    • Marked as answer by SirArion Thursday, July 14, 2016 3:16 PM
    Thursday, July 14, 2016 10:45 AM
  • That does work. :) Will there be any repercussions from not having the SID that you can think of?
    Thursday, July 14, 2016 3:16 PM
  • > That does work. :) Will there be any repercussions from not having the
    > SID that you can think of?
     
    No practical one... In theory, things can get confusing if the account
    is renamed and a new account with the old name is created. Practically,
    it is more reliable because it does what you see - it adds a named
    principal. The SID resolution adds the principal with that SID,
    regardless of his name :)
     
    Thursday, July 14, 2016 4:29 PM
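
The name-versus-SID point in the last reply can be audited. The following is an added example, not part of the thread: it lists members of a GPP "Local Users and Groups" item that are bound by name only. It assumes the usual Groups.xml layout, in which a member typed in by hand is stored with an empty `sid` attribute; the CONTOSO names, the SID and the function name are constructed for illustration.

```powershell
# Constructed sample of a GPP Groups.xml, trimmed to the attributes this check reads.
# CONTOSO, the account names and the member SID are placeholders, not values from the thread.
$sampleXml = @'
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)" groupSid="S-1-5-32-544">
      <Members>
        <Member name="CONTOSO\WorkstationAdmins" action="ADD" sid="S-1-5-21-1111111111-2222222222-3333333333-1105"/>
        <Member name="CONTOSO\jdoe" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
</Groups>
'@

# Hypothetical helper: returns one object per <Member>, flagging entries with no SID.
function Get-GppGroupMember {
    param([Parameter(Mandatory)][xml]$GroupsXml)

    foreach ($member in $GroupsXml.SelectNodes('//Group/Properties/Members/Member')) {
        $sid = $member.GetAttribute('sid')
        [pscustomobject]@{
            Group    = $member.ParentNode.ParentNode.GetAttribute('groupName')
            Member   = $member.GetAttribute('name')
            Action   = $member.GetAttribute('action')
            Sid      = $sid
            # An empty sid means the client resolves the name at apply time, so a
            # renamed-and-recreated account with the same name would receive the membership.
            NameOnly = [string]::IsNullOrWhiteSpace($sid)
        }
    }
}

# Report only the name-bound entries; here that is CONTOSO\jdoe.
Get-GppGroupMember -GroupsXml $sampleXml |
    Where-Object NameOnly |
    Format-Table Group, Member, Action -AutoSize

# Against a real GPO, load the file instead of the sample (placeholders left unfilled):
# Get-GppGroupMember -GroupsXml (Get-Content -Raw '\\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\Machine\Preferences\Groups\Groups.xml')
```

Name-only entries found this way are candidates for review whenever an account is renamed or deleted, since the policy will follow whichever principal currently holds that name.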