The feature helps the administrator to maintain the computer object in a group based upon the chassis. The computer object can be added to a specified security group ex. “Domain Laptops” depending on the chassis type of the computer
This article provides instructions on testing the SYNERGIX AD Client Extensions software Account Attributes \ Computer Account Attributes \ Computer Object Group feature. The software requires the security principal Domain Computers or the security group ‘SYNERGIX ADCE Managed Computers’ is granted permission to ‘READ MEMBER’ and ‘WRITE MEMBER’ on the “chassis based” security groups
- Microsoft Windows 7.0 or
- Microsoft Windows 8.1 or
- Microsoft Windows 10 or
- Microsoft Windows Server 2008 & R2 or
- Microsoft Windows Server 2012 & R2 or
- Microsoft Windows Server 2016
- .NET Framework 4.0
Active Directory Domain Environment
- Single Active Directory Domain environment i.e. Single Forest with Forest Root Domain only example. SYNERGIX.WIN
- You can setup a more complex Active Directory Domain environment, if needed. For example, one forest SYNERGIX.WIN with child domains US.SYNERGIX.WIN, and GB.SYNERGIX.WIN and a trusted forest SYNERGIXLABS.WIN with child domains US.SYNERGIXLABS.WIN, GB.SYNERGIXLABS.WIN
- Security Group(s)
- Create a security group called “SYNERGIX ADCE Managed Computers”. The group type may be Domain Global Group or Domain Local Group ,similarly create security groups for Domain Desktop, Domain laptops, Domain other computers.
- Add the test domain computer(s) into the security group “SYNERGIX ADCE Managed Computers”
- Delegate Control
You must ensure that security principal Domain Computers or the security group ‘SYNERGIX ADCE Managed Computers’ is granted permission to ‘READ MEMBER’ and ‘WRITE MEMBER’ on the “chassis based” security groups(Domain laptops, Domain desktops, Domain other computers) .
- Configure domain Group Policy Object
- Copy SYNERGIX AD Client Extensions Administrative Template file SYNERGIX-ADCE.ADMX to %SystemRoot%\PolicyDefinitions on admin workstation ( must be Windows 7.0 )
- Copy SYNERGIX AD Client Extensions Administrative Template Language file SYNERGIX-ADCE.ADML to %SystemRoot%\PolicyDefinitions\en-US on same admin workstation ( must be Windows 7.0 )
- Using GPMC.MSC, edit existing or new Group Policy Object.
- In Group Policy Editor, expand COMPUTER CONFIGURATION
- Expand Administrative Templates
- Expand SYNERGIX AD Client Extensions
- Expand Account Attributes
- Expand Computer Account Attributes
- Select Computer Object Group
- Enable policy setting
- The run interval value determines the time interval before next update occurs. By default, it is 1440 minutes.
- Enter the group names in the box for example if you want the Domain laptops to be added into the security group Domain laptop then specify Domain laptops in the laptop box
- Log into a domain computer with local administrative privileges
- Install SYNERGIX AD Client Extensions software
- Ensure the SYNERGIX AD Client Extensions specific Group Policy settings were applied
- Launch RSOP.MSC or run GPRESULT.EXE /v to confirm
- Log into the same domain computer with a domain user account. This domain account represents a business user who does not have elevated privileges on his / her computer.
- Launch Active Directory Users and Computers ( dsa.msc ) Management Console
- If DSA.MSC is not installed, log into another workstation with Administrative Tools installed and then, launch DSA.MSC on it
- Search The security group Domain laptops
- The Test laptop computer will be added to the group Domain laptops
- If Yes, Test Results are successful. In the Test Result, write down PASS
- If No, re-run test
- Remove lastUpdate registry entry from HKEY_LOCAL_MACHINE\SOFTWARE\Synergix\ADCE\Account Attributes\Computer Account Attributes\Computer Object group. Did it work this time ?
- Try on another computer. Did it work this time?
- Review ServiceLogFile.txt. Do you see “Access Denied” exception? If yes, verify that the security principal Domain Computers or the security group ‘SYNERGIX ADCE Managed Computers’ is granted permission to ‘READ MEMBER’ and ‘WRITE MEMBER’ on the “chassis based” security groups
Test Results Submission
- Output of GPRESULTS.EXE /V command
Note: You must use ADCE \ Help \ Submit Log Files button to zip up above 3 files and submit